Hi.

I was able to establish SA. the pfsensedocs tutorial is not working for me.
This one: http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/
I did a static2static setup with an additional tunnel on the static site and a psk record on the dynamic site (identifier == pubIP of static site). I hope I dont get problems with the dyndns adress of the dynamic site.
Has anyone a dynamic2static ipsec setup running?
I always want the dynamic site to initiate the SA to the static site.

Cheers

problem solved, first post edited. i don't know if what i was asking wasn't clear enough, it's hard to believe no one else could provide this answer. the only two downsides of pfsense are it's poor logging capabilities, bugs and lack of support. given that it's free i guess that makes up for it.

I have checked this yet again, 3 times in a row actually and behavior is consistent.

When I edit a key on tab 'pre-shared keys' and press 'save', I get the 'apply' button on same tab.
I press that 'apply' button. This should be it I guess.

I then get directed to first tab 'tunnels' when page reloads. Nothing looks weird here.

If I at this point go to 'mobile clients' there is an 'apply' button there too.
And if going back to 'pre-shared keys' the button is re-appearing there.

If I press the one at 'mobile clients' tab there's no button on any of the 4 tabs afterwards.

As soon as the one on 'mobile clients' is pressed the other one dissapears, regardless in what order the tabs have been viewed in between.

So I indeed do have to press an 'apply..' button on 2 different tabs it seems.
I don't have mobile clients nor tunnels active when doing this.

step1-new_preshared.JPG
step1-new_preshared.JPG_thumb
step-2.JPG
step-2.JPG_thumb
step-3.JPG
step-3.JPG_thumb
step-4.JPG
step-4.JPG_thumb

it just started working!!!!!!!!! i didnt change a thing, people can use my screens if they need help setting up ipsec with pfsense and a linksys BEFVP41

I got it working.  Something was wrong internally with a firewall rule.  I deleted all of my wan and ipsec rules, rebooted, and put the rules back.  Now it's happy….

@blak111:

Does your firewall allow rule on the LAN interface use the default routing table?

firewall rule -  "from any to any" for all interfaces ….

Hello Olejack,

Did you finally solve your issue ?
I'd be very interested as I have the same right now.
I've tried to lower MTU on the WAN interface configuration but it's not taken into account even after a reboot.
A ifconfig shows an MTU of 1500 even though I entered 1300.
I can't find any topic where someone succeeded in modifying the IPSEC MTU.
Im' considering to replace ipsec with openvpn maybe.

About commercial support, I've asked once for tinydns support and never had any reply …

Thanks for your help.

SOLVED

i have filled the mobil client section, now it works

thanks for help

Did you check the doc wiki?

http://doc.pfsense.org/index.php/VPN_Capability_IPsec

That should just be a matter of pushing the correct routes and having the right firewall rules.  Certainly I have done that using OpenVPN without problems.

I got it working, most clients can connect some can't due to their firewalls. I've verified IPSEC passthrough is enabled but that doesn't matter. I've tried to enable NAT-T but then nothing works. It breaks IPSEC completely on the pfsense box.

Also, the ones that do work require me to set static dns, if I enter the dns servers on the DNS tab of the shrew client it doesn't work at all. Any thoughts? When will there be a solid road warrior implementation of IPSEC? Will there be or is OpenVPN expected to replace it?

Currently, you have to manually fail over. I have disabled tunnels setup on the second WAN. When the main WAN fails, I disable the primary tunnel and enable the backup. I set this up awhile ago and remember having to set static routes to get it working, I'm not sure if this is still needed. Search a bit on ipsec failover or somesuch.

@brianmac64:

I have the same (or similar) issue.  pfSense1.2.2–-> Fortigate FG-500A cluster.  Tunnels come up fine, but when the P2 key lifetime ends, the tunnels go down.  I checked both configs and they are equal.  Any ideas?

Forgot to mention that I am running MR6 P3 on the FGs and that disabling and re-enabling IPSEC on the pfSense solves the issue.  Should I maybe schedule a CRON job that does that in conjunction with the P2 expire?

Well then I really have no idea on that one. Unfortunately, ipsec-tools does have more than its fair share of bugs.

They are nearing the release of a new version, but it won't be out in time for 1.2.3. Hopefully it will work out for 2.0, though.

I'm not sure w/ ipsec, but it is definitely possible via openvpn (ssl).
see: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect

hope this helps.

There was a bounty for this at some point, but I believe it was withdrawn.

It's not currently possible, but there were some ideas in the bounty thread. Check the expired bounties board and it should be there.

Though your error is one I had not seen before, it looks harmless.

You may want to try a new 1.2.3-RC3 image from snapshots.

NAT-T has been removed, it caused too many other regressions.