Parallel tunnels are the way to go for this in 1.2.x, some people are using them with no ill effects.

In 2.0 this will be a non-issue, as you can have multiple phase 2 entries for each phase 1 entry, so you can specify as many subnets (or single hosts) as you like.

I followed the tutorial to a T - and could not get it to work.
Gave up on that one.

So I switched PFSense to my other ISP (non-NAT address) and tried to use mobile config at the "work" end.
Configured the tunnel end at my "home", and even though the tunnel would setup (at the hone end) green icon and all,
I could not ping a known host at the work end. The work PFsense knew nothing about a tunnel in it's IPSec monitor pages. (SPD, etc) when I came into work and looked at the status and logs.

Only when I reconfigured the "work end" to not use mobile, and entered in the IPSec parameters for the "home" end did it begin to flow traffic.
(I'm using DynDNS)
EDIT- traffic only flows from work to home.
When I came home, even though the tunnel is still "up" I can't ping into work.
Very strange. There are posts about only 1 way ping here, I'll read those and look for a solution.
Also, OpenVPN wont ping either. It establishes the connection, I get pushed the IP from the pool, but I cant ping from home. It's like the other end doesn't exist.

My goal is to use PFsense as the IPSec gateway for remote users. This isn't a solution, but its something.
I've created an OpenVPN client certificate etc pased in the work end, copied the files to a USB stick and will try that later from home.

EDIT2 - I did finally get OpenVPN client to work. Not sure exactly what I did but its working now.

And - I did get a Full tunnel between my home PFsense and work's PF sense.
Upgrading to the latest build (work had early October build), home is Alix Flash about Mid Nov)
and deleting & recreating both ends helped.

My next question - is there a way to have OpenVPN configured as Name & Password (I see that Radius can be made to work in other posts here… ) thats OK, but creating and distributing the certificates is a PITA.
I'm trying to emulate Checkpoints SecureRemote... I give the users software, a name & PW and it connects.  Can OpenVPN be made to be "no certificates"? (Shrewsoft maybe?)

As we are going to connect to that public ip on a continuous basis that might be a good workaround, but a less preferred one.
It would require me to read up on all the technical stuff because i have never established tunnels before and i'm a bit short on time.
Not that i'm lazy :)

Hi,

I'm trying to do the same with my Nokia E66-1,

here's my log:

Oct 27 08:16:30 [info] racoon: INFO: respond new phase 1 negotiation: pfSense.ext.ip[500]<=>E66-1.ext.ip[64276]
Oct 27 08:16:30 [info] racoon: INFO: begin Aggressive mode.
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: RFC 3947
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: DPD
Oct 27 08:16:30 [info] racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 27 08:16:30 [info] racoon: INFO: Selected NAT-T version: RFC 3947
Oct 27 08:16:30 [info] racoon: INFO: Adding remote and local NAT-D payloads.
Oct 27 08:16:30 [info] racoon: INFO: Hashing E66-1.ext.ip[64276] with algo #2
Oct 27 08:16:30 [info] racoon: INFO: Hashing pfSense.ext.ip[500] with algo #2
Oct 27 08:16:31 [info] racoon: INFO: NAT-T: ports changed to: E66-1.ext.ip[64518]<->pfSense.ext.ip[4500]
Oct 27 08:16:31 [info] racoon: INFO: Hashing pfSense.ext.ip[4500] with algo #2
Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #0 verified
Oct 27 08:16:31 [info] racoon: INFO: Hashing E66-1.ext.ip[64518] with algo #2
Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #1 doesn't match
Oct 27 08:16:31 [info] racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Oct 27 08:16:31 [info] racoon: INFO: NAT detected: PEER
Oct 27 08:16:31 [info] racoon: INFO: ISAKMP-SA established pfSense.ext.ip[4500]-E66-1.ext.ip[64518] spi:5a013d7dc112f723:fe936afd9e58da7e
Oct 27 08:16:32 [info] racoon: INFO: respond new phase 2 negotiation: pfSense.ext.ip[4500]<=>E66-1.ext.ip[64518]
Oct 27 08:16:32 [info] racoon: INFO: no policy found, try to generate the policy : E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in
Oct 27 08:16:32 [info] racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 27 08:16:32 [info] racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP E66-1.ext.ip[64518]->pfSense.ext.ip[4500] spi=35516524(0x21df06c)
Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP pfSense.ext.ip[4500]->E66-1.ext.ip[64518] spi=323000828(0x134099fc)
Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in"
Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "pfSense.priv.net/28[0] E66-1.priv.ip/32[0] proto=any dir=out"
Oct 27 08:16:33 [info] racoon: ERROR: pfkey DELETE received: ESP pfSense.ext.ip[500]->E66-1.ext.ip[500] spi=157776447(0x9677a3f)

Now,
inside the VPN I wish to give my Nokia E66-1 a single (/32) specific private IP (E66-1.priv.ip) OUT_OF the range of internal private net (pfSense.priv.net/28), the same way I do with any other client (racoon on Mac OSX, {Free|Net}BSD and M0n0Wall, StrongSwan on Linux, ShrewSoft and GreenBow on Windoze).

Reading the docs found @Nokia I didn't catch anything clear about this, so it seems to me that this type of configuration is unsupported and, eventually, not working.

Have any clue about that?

The Cisco VPN won't connect to pfSense ipsec, due to the current lack of xauth support.
If you can't find an IPsec client, you could use PPTP or OpenVPN.

I moved the IPSec to an opt connection with a internet ADSL modem connected to, so the IPSec is dirrectly on Internet without NAT anymore.

I'll move to other trouble I guess.

In my experience this is generally caused by the Interesting Traffic not matching EXACTLY on both firewalls.

I beleive you are trying to Policy NAT, which pfSense cannot do at this time (1.2.2). I am not sure in what version, but I heard that functionality will be added in the future.
Once it is, pfSense will replace my Cisco HW, but I fear it will be a very long wait.

It just looks like the tunnel hasn't tried to establish, as if no traffic has tried to enter the tunnel.

The messages you are seeing are typical of a normal IPsec startup, but there are no messages in there about a tunnel negotiating.

So either nothing has tried to pass on the tunnel, or the two systems cannot really reach one another one the WAN.

It is most likely a configuration issue with your policy settings. Please post screen shots of your config on both sides and make sure you are running 1.2.3-rc3

In case this helps anyone else, I eventually got this working on the physical setup in my original post. I replaced our old DSL modem with a Linksys WAG54G2, mainly because it features VPN passthrough. After that everything instantly worked.

Even though the field is marked MTU, it doesn't really set the MTU. Read the fine print:

If you enter a value in this field, then MSS clamping for TCP connections to the value entered above minus 40 (TCP/IP header size) will be in effect. If you leave this field blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types will be assumed.

If you really need to set the MTU you can do it from the shell. http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
To survive a reboot, you would need to add a startup command to the xml.

You should be able to do this with the 2.0 snaps, but I haven't tried one lately.
For a stable release, you could aggregate your subnets (easier, but not always possible) or setup parallel tunnels. More info here: http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

My IPSEC tunnels have always connected, but sometimes wouldn't reconnect.  I switched to RC3 and a lot of this was fixed.  The only tunnel I have problems with is one over a wireless connection.

If your tunnels are establishing, but no data passing, be sure to double-check your firewall to make sure there are IPSEC rules to allow it.  I forgot to do this after replacing a pfsense router, and it caused me grief.

Yes.

Note that the majority of the work (certificate creation) is done by the administrator.  You simply supply the config file and key.  It should be trivial to ship a script to install those.

Hi.

Does anyone know howto route vpn over OPT1/WAN2?
I really need to do  it.

cheers.

stewie