• MOVED: VIP as source for IPSec tunnel?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Looking for help on installation. Will make a guide afterwards.

    Locked
    15
    0 Votes
    15 Posts
    5k Views
    X
    There are quite a few people running pfSense in a VM (I don't). I would suggest doing a traceroute and looking at the logs on all systems (default gateway, pfSense), as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.
  • Is this possible? CIDR with Netgear and pfSense boxen?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    Anyone?
  • IPSEC VPN to client with Dynamic IP Address

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Ipsec, Android 2.1 and Virgin Mobile

    Locked
    6
    0 Votes
    6 Posts
    10k Views
    S
    @jimp: Did you add firewall rules to the L2TP interface after turning on L2TP? If you can connect but not transmit data, that is likely the problem (same with PPTP on 2.0). 1.2.3 doesn't work with any connection type that I tried. My firewall rules were set up to pass all; nothing is being blocked by the rules. The Android phone says the connection failed (PPTP, L2TP). I tried m0n0wall 1.3.2 for the PPTP connection and that did not work either (not super relevant, but maybe it will save someone else the time of testing that).
  • [SOLVED]IpSec and internet

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    Thanks for your help for me! I installed a proxy server on the network 172.19.60.0/24 and provide all customers with access through it. ;) ;) ;)
  • Road Warriors with different ruleset

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Not easily with IPsec. With OpenVPN you can use CSC entries to force people onto specific IPs, and on pfSense 2.0 you can also force them to use username/password, and also check that the username matches the certificate name.
  • Site to site VPN but neither gateway can ssh

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
  • Ipsec pfsense <–> ipcop

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    X
    You could do a cron job for the reboot, and that way the system would reboot at the specified time. I think either of the below will work; set the cron job to do one of the commands at the specified time:
        shutdown -r now
        reboot
  • Routing between 2 IPSec-tunnels/nets.

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    jimp
    It likely will not be possible in that case, unless you can do it with CIDR summarization (use a subnet mask that will cover the subnets on either end) but getting that to match up with two remote sites may not be possible. Multiple subnets between two sites, sure, but not three.
  • How to set up ipsec site 2 site special config

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    You can't do NAT with IPsec on pfSense 1.2.3. 2.0 might work, but NAT+IPsec still needs some testing there. It has been reported to work in posts under the 2.0 forum here.
  • Big trouble with IPsec site 2 site connection - solved

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp
    It's not required. If that made your tunnel work, then something else may have been wrong. I run plenty of tunnels without that field filled in, though I generally do fill it out since it's convenient to have.
  • New IP on Dynamic DNS IPSEC killed racoon

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    S
    Hey jimp, I noticed something this morning - the IPsec tunnel to the dynamic DNS site had been down a few hours. Thing is, the lifetime on both phases was set to 1 hour. Is this still part of the bug in 2.0? I could be wrong, but I thought that if the SA was set to 1 hr then pfSense would try to re-establish the connection after the lifetime expired, even with the DPD bug.
  • Possible to setup pfsense with 1 NIC? Serving IPsec VPNs to remote users

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    jimp
    In 1.2.3, IPsec is just IPsec, no L2TP. In 2.0 it should be possible to use L2TP+IPsec.
  • Win7/WinXP native ipsec client, does it work with pfsense ipsec vpn?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Tunnel all, with IP from remote net

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    X
    I have seen this setup before; it was with a Cisco IPsec VPN client, and I thought maybe it was possible with Shrew. I will set up OpenVPN later today and give it a try.
  • DMZ Access

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    You can't route IPsec, so it's really a question of IPsec Phase 2 settings. You would either need two separate tunnels, one for each subnet present on the side with the DMZ network, or they would have to be close enough in numbering that you could just specify a subnet mask that would cover them both (but not the network at the other site). Or just ditch the IPsec tunnel, put in OpenVPN site-to-site shared key, and route however you like without the headache of IPsec. :-) It's easier on 2.0 though with IPsec, you can just specify multiple networks under a single tunnel.
  • RAS VPN with SHREW Connects but wont pass traffic!

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    S
    Hi pad, you tried to start racoon in debug mode for more details? Are there any firewall events? Hit me if I'm wrong, but v1.2.3 doesn't support NAT-T for mobile VPN. In order to work, your VPN client needs an official IP.
    Limitations
    * NAT-T is not supported until version 2.0, which means mobile clients behind NAT are not supported. This limits pfSense's usefulness with mobile IPsec clients. OpenVPN or PPTP is a better solution.
    * Some of the more advanced capabilities of ipsec-tools are not supported until 2.0, including DPD, XAuth, NAT-T, and others.
    cya
  • Mobile client connects, but that's about it

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    B
    Try connecting with the PC just outside the pfSense firewall. You want to test it with nothing but a switch in between them. If the VPN passes traffic, you may have the same issue that I have. It looks like either a NAT issue or an MTU problem; I can't tell which because I get no other log output, other than a Microsoft fragmentation problem.
  • Greenbow client connection success but no ping

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    B
    You don't have to define a default gateway for the IP, just as long as you have defined the network that is behind the firewall as the remote network. If the client is connecting but not passing traffic, try setting the client on the public segment with a public IP, so that there are no other devices between the firewall and the client, and then connect. If the VPN passes traffic, you have a NAT or MTU issue of some kind. If you still can't ping etc., make sure you have a rule, i.e. * <–> * any any, on the IPsec interface for VPN traffic.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.