That gets a bit harder to do then. Again, it should be possible in 2.0 but not in 1.2.3

In 2.0 you'd just assign the OpenVPN interface as an optional interface, then add a gateway that says it's on that interface, with an IP of the other side of the OpenVPN tunnel.

Then add a rule on the LAN side that matches the IP(s) of the devices to re-route, with a destination of any, with that gateway chosen.

Hello  sir

Now I try to set up IPsec Box with Pfsense for H323 avaya IP phone too, I have already  config for IPSec Mobile client  but I found
the status of IPSec it show the yellow creoss sign not  GREEN , How I can enable this service. But I make sure I have already checked enable IPsec and IPsec Mobile client .

Thank you

Not sure what else you might want to try in that case.

Some people have had luck switching hashes or encryption algos with certain devices (e.g. if you're using SHA1 in either phase, use MD5 instead, or vice versa)

Thanks submicron UDP did solve the problem. I'm using it to access mdb file like 5mb not 3GB :) from time to time. I'm going to use this thread to ask another question - I have two pfsense boxes IPSec site-to-site and it's working ok - 192.168.1.0 and 192.168.2.0. I'm connecting OpenVPN Mobile Client(192.168.3.0) to site 1 (192.168.1.0) and it's working ok too. Can i route somehow site2 (192.168.2.0) to access OpenVPN client ?

@beaven67:

If the Netscreen is the side with the dynamic address you will need to setup the vpn similiar to a Road Warrior type of VPN.

Not with 1.2.3 and newer, just need a dynamic DNS name.

I had this problem as well. I had oppened port 500 on the remote firewall, but had not oppened port 500 on my firewall for the return encrypted connection.

Hope this helps,
-=Zapped=-

Right after I posted yesterday I thought I would try using the same PSKs, so far they have both stayed up for about 18 hours, so it is looking like that fixed it. Thanks!

Unfortunately, FreeBSD (and thus pfSense) can't combine NAT and IPsec (yet?).

Gave up on trying to do this. Instead created tunnel interfaces on the ciscos and am letting MPLS failover to GRE tunnels. Working surprising well. Doing port forwarding for GRE for the IP of hte router. Wanted to keep all the router IPs behind the firewall.

Gah, thanks for the clue-bat!

In order for a VPN router like that to work, it would either need to be the gateway for all of the systems behind it, or you'd need a static route to your remote VPN client subnet on every server (or their gateway) that would point traffic at the VPN router.

So it could work, but it takes a bit more effort to get it going.

@dapriv:

You can't just add a static route to the router?

Nope.  This is a colo setup, so no, we don't have access to the router.  Just another line to stash in our default rc.conf…

@egarcia:

I'm trying to replace actual TZ170 with pfSense appliance.
Actually I have a IPSec tunnel between offices using two TZ170 firewalls.

I did something similar, and it was actually the easyest ipsec I ever setup.
(but, funny thing, and I'll post later on this) as soon as I ENABLE IPSEC on the pfsense, the access from the LAN to the BRIDGED DMZ stops, completely.

Sure you can. You'd just need a static route on the OpenVPN router that directs traffic for the IPsec subnets at the IPsec router, and a static route on the IPsec router that points traffic for the OpenVPN subnet back at the OpenVPN router.