OK - finally got it working…

First - I had no "generate_policy" command
Then - I had various firewall issues on the pfSense end (it would make sense to have some indication that the IPsec connection will be pointless until explicitly openned)
Then - I had firewall issues on the other end
Then - I had routing issues on the other end (masquerading got done before IPsec got a look in)

My head hurts.

I'm going for a lie down.

That /usr/local/bin/ping_hosts.sh is run a different way.

In /etc/rc:

minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh

It's probably already running if you check the output of "ps uxawww | grep minicron"

The actual cron job is redundant though, I'm not sure it's needed/relevant these days.

The problem was on Cisco side - when pfSense site-to-site is not the first connection in config file tunel does not work.

[SOLVED]:

Here was the main hangup, I needed to use nat-t to work from behind other nats and to do that I created a firewall rule under wan, to allow udp traffic through port 4500.  This allowed me to get past phase 1 and 2.  I then remembered that I was switching around the ipaddress for the remote client, putting it inside my subnet then outside and back in.  I reread the tutorial and it does clearly say to use an ip ouside your subnet, so I was just giving myself headaces by not sticking with the totorial after opening port 4500.

Long story short,

to enable nat-t, create a firewall rule under wan, for udp port 4500 and follow the tutorial! ;)

I may have resolved my issues today, time will tell but it seems to auto reconnect without issues.

My issue was the watchguard if reboot would not reconnect, yet if I reboot my PFsense box it would work.

I now set my Phase 1

Encryption algorithm: 3DES
Hash algorithm: MD5 (this was Sha1) before

I made sure the watchgaurd matches, and it seems to work now. what are your phase1 algorithms?

When I get issues with IPSec to where nothing will bring the tunnel back up, I change the PSK and it works again, I have to do this every 2-3 months. I too am migrating to OpenVPN.

Solved the problem! I have checked the option System -> Advanced -> Miscellaneous -> IPsec SA preferral -> Prefer old IPsec SAs and tunnels seem not to fall down any more.

Ok. Yes, the box was checked in my advanced configuration. I unchecked it to see if it makes a difference.

Thanks.

That gets a bit harder to do then. Again, it should be possible in 2.0 but not in 1.2.3

In 2.0 you'd just assign the OpenVPN interface as an optional interface, then add a gateway that says it's on that interface, with an IP of the other side of the OpenVPN tunnel.

Then add a rule on the LAN side that matches the IP(s) of the devices to re-route, with a destination of any, with that gateway chosen.

Hello  sir

Now I try to set up IPsec Box with Pfsense for H323 avaya IP phone too, I have already  config for IPSec Mobile client  but I found
the status of IPSec it show the yellow creoss sign not  GREEN , How I can enable this service. But I make sure I have already checked enable IPsec and IPsec Mobile client .

Thank you

Not sure what else you might want to try in that case.

Some people have had luck switching hashes or encryption algos with certain devices (e.g. if you're using SHA1 in either phase, use MD5 instead, or vice versa)

Thanks submicron UDP did solve the problem. I'm using it to access mdb file like 5mb not 3GB :) from time to time. I'm going to use this thread to ask another question - I have two pfsense boxes IPSec site-to-site and it's working ok - 192.168.1.0 and 192.168.2.0. I'm connecting OpenVPN Mobile Client(192.168.3.0) to site 1 (192.168.1.0) and it's working ok too. Can i route somehow site2 (192.168.2.0) to access OpenVPN client ?

@beaven67:

If the Netscreen is the side with the dynamic address you will need to setup the vpn similiar to a Road Warrior type of VPN.

Not with 1.2.3 and newer, just need a dynamic DNS name.

I had this problem as well. I had oppened port 500 on the remote firewall, but had not oppened port 500 on my firewall for the return encrypted connection.

Hope this helps,
-=Zapped=-