  • IPsec tunnel up, but no route added?
    Locked · 4 Posts · 0 Votes · 4k Views
    jimp: Unfortunately you cannot NAT an address for IPsec in pfSense. It's a limitation of the underlying software. It's been talked about before, and a bounty was even put up at one time, but no solution has been completed. As for static routes, you can set routes to external addresses on WAN, but they must be in the same subnet as WAN. You can't set a route to an arbitrary IP; it has to be a directly connected path.
  • IPsec Site to Site tunnel broken with Advanced Outbound NAT
    Locked · 3 Posts · 0 Votes · 4k Views
    Update: got this fixed. I had created a specific NO NAT rule for one of the interfaces; removed this, and also cleaned up the VPN settings to match the remote system exactly (key lifetime), and all seems stable now. Not really sure which fixed it, but as this was stable beforehand I think it may just be a combination. J
  • Site to Site with ASA, pfSense box behind a static NAT
    Locked · 3 Posts · 0 Votes · 3k Views
    jimp: You may or may not get that to work on 1.2.x, depending on how well the router in front of pfSense handles IPsec passthrough. 2.0 has (or will have? not sure if it's 100% yet) NAT-T, which will make the scenario you are describing work regardless.
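The reply above hinges on the difference between IPsec passthrough (a NAT router trying to forward raw ESP, IP protocol 50, which has no ports to translate) and NAT-T (IKE and ESP moved into UDP/4500 once both peers detect a NAT). The following added example, which is not code from the pfSense project or this thread, classifies packets the way a practitioner would when checking a capture on the outside of the NAT router to see which of the two is actually happening. The packet layouts follow RFC 3948 (a four-zero-byte non-ESP marker means IKE inside UDP/4500, otherwise the payload is an ESP header; a single 0xFF byte is a NAT keepalive); the sample packets are constructed by hand and the labels are my own.

```python
"""Classify IPsec packets on the wire, separating raw ESP from NAT-T (UDP/4500).

Added example, not code from the pfSense project or the forum thread. The packets
are constructed to resemble what a capture on the WAN side of a NAT router shows.
Field layouts follow RFC 3948 (UDP encapsulation of ESP).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE inside UDP/4500 starts with four zero bytes
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that keeps the NAT mapping alive


@dataclass(frozen=True)
class Packet:
    proto: int                  # IP protocol number
    sport: Optional[int]        # UDP ports; None for protocols without ports
    dport: Optional[int]
    payload: bytes              # bytes after the UDP header (or after the IP header for ESP/AH)


def classify(pkt: Packet) -> str:
    """Return a short label for the IPsec role of one packet."""
    if pkt.proto == IPPROTO_ESP:
        # No transport ports: a port-translating NAT has nothing to rewrite, so at best
        # it can pass one ESP flow per public address ("IPsec passthrough").
        return "esp-raw"
    if pkt.proto == IPPROTO_AH:
        # AH integrity-protects the outer IP addresses, so any NAT breaks it outright.
        return "ah-raw"
    if pkt.proto != IPPROTO_UDP:
        return "other"
    ports = {pkt.sport, pkt.dport}
    if NAT_T_PORT in ports:
        if pkt.payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if pkt.payload.startswith(NON_ESP_MARKER):
            return "ike-natt"      # IKE "floated" to 4500 after NAT was detected
        if len(pkt.payload) >= 8:  # ESP header = 4-byte SPI (non-zero) + 4-byte sequence number
            return "esp-udp"
        return "natt-malformed"
    if IKE_PORT in ports:
        return "ike"               # initial IKE exchange; NAT detection payloads travel here
    return "other"


def summarize(packets) -> dict:
    """Count packet classes for a capture."""
    return dict(Counter(classify(p) for p in packets))


def natt_in_use(packets) -> bool:
    """True when the peers actually switched to UDP/4500, i.e. a NAT was detected."""
    kinds = summarize(packets)
    return "ike-natt" in kinds or "esp-udp" in kinds


# Constructed sample: phase 1 on UDP/500, then IKE and ESP floated to UDP/4500.
SAMPLE_NATT = [
    Packet(IPPROTO_UDP, 500, 500, b"\x11" * 28),                                      # IKE
    Packet(IPPROTO_UDP, 4500, 4500, NON_ESP_MARKER + b"\x22" * 28),                   # IKE after float
    Packet(IPPROTO_UDP, 4500, 4500, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\x33" * 32),  # ESP in UDP
    Packet(IPPROTO_UDP, 4500, 4500, NAT_KEEPALIVE),
]

# Constructed sample: no NAT between the peers, so ESP travels raw as IP protocol 50.
SAMPLE_RAW = [
    Packet(IPPROTO_UDP, 500, 500, b"\x11" * 28),
    Packet(IPPROTO_ESP, None, None, b"\x00\x00\x10\x02" + b"\x00\x00\x00\x01" + b"\x44" * 32),
]

if __name__ == "__main__":
    print("behind NAT:", summarize(SAMPLE_NATT), "NAT-T:", natt_in_use(SAMPLE_NATT))
    print("no NAT:   ", summarize(SAMPLE_RAW), "NAT-T:", natt_in_use(SAMPLE_RAW))
```

If a capture on the NAT router's WAN side shows only `ike` and `esp-raw`, the tunnel is relying on the router's passthrough handling, which is the fragile case described above; `ike-natt` plus `esp-udp` means NAT-T was negotiated and the router only needs to forward UDP.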
  • IPsec online for 15-20 seconds, then needs cycling
    Locked · 4 Posts · 0 Votes · 2k Views
    Enabling old IPsec SA did the trick. Much appreciated. Bit odd I hadn't enabled this for the past 3 months and had no issues until recently.
  • Cisco VPN client 5.0 and pfSense IPsec
    Locked · 1 Post · 0 Votes · 3k Views
    No one has replied
  • Failing Tunnel
    Locked · 7 Posts · 0 Votes · 4k Views
    @XIII: Did that fix it? Nothing needed to be changed; it was configured correctly. So, in short, no.
  • Domain names as identifier yields some errors
    Locked · 3 Posts · 0 Votes · 3k Views
    I think it may have been just the domain name; I have been trying various settings back and forth, though. Will try not using only the domain name and see if that does it. Thanks.
  • IPsec identifier (sorry for stupid question)
    Locked · 5 Posts · 0 Votes · 7k Views
    IPsec keeps all of that straight. You could have ten or twenty different tunnels with as many subnets terminating at the same IP address. You may be used to setting up services that use a single listening port at a remote host, and once that port is connected it can't be used for any other connections. IPsec doesn't work that way, fortunately.
  • DES viability
    Locked · 2 Posts · 0 Votes · 2k Views
    Don't use DES if you are concerned about security, unless forced to do so: the keys are small (56-bit) and therefore weak, and as a result it is considered insecure. Use 3DES or any of the others.
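The practical follow-up to the reply above is checking what a running box will actually offer, since a single DES entry in any proposal lets a peer negotiate down to it. The added example below, which is not code from pfSense or this thread, scans the `encryption_algorithm` lines of an ipsec-tools (racoon) style configuration, the format pfSense 1.2.x generated, and grades each algorithm by its effective key size. The sample fragment is constructed; the grades go one step beyond the post in marking 3DES and the other 64-bit-block ciphers as legacy, which reflects current guidance (NIST SP 800-131A deprecated 3DES, and Sweet32 targets 64-bit blocks) rather than anything stated on this page.

```python
"""Flag weak encryption algorithms in an ipsec-tools (racoon) style configuration.

Added example, not code from the pfSense project or this thread. The config text is
constructed; the `encryption_algorithm name[, name keylen];` syntax is racoon.conf's,
and the key sizes are the algorithms' published ones.
"""
from dataclasses import dataclass
import re

# (effective key bits, verdict). "legacy" marks ciphers the original post still accepted
# but that current guidance deprecates: 3DES (112-bit effective, 64-bit block) and the
# other 64-bit-block ciphers.
ALGORITHMS = {
    "des":      (56,  "insecure"),  # 56-bit key, brute-forceable with commodity hardware
    "3des":     (112, "legacy"),
    "blowfish": (128, "legacy"),
    "cast128":  (128, "legacy"),
    "aes":      (128, "ok"),        # 128 unless a key length follows the name
    "camellia": (128, "ok"),
}

ENC_RE = re.compile(r"^\s*encryption_algorithm\s+([^;]+);")


@dataclass(frozen=True)
class Finding:
    line: int
    algorithm: str
    bits: int
    verdict: str


def scan(config: str) -> list:
    """Return one Finding per listed algorithm, in file order."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = ENC_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split(","):
            parts = token.strip().lower().split()
            if not parts:
                continue
            name = parts[0]
            bits, verdict = ALGORITHMS.get(name, (0, "unknown"))
            if len(parts) > 1 and parts[1].isdigit() and verdict == "ok":
                bits = int(parts[1])  # e.g. "aes 256"
            findings.append(Finding(lineno, name, bits, verdict))
    return findings


def weakest(config: str) -> str:
    """The verdict of the weakest algorithm offered anywhere; a peer may negotiate down to it."""
    order = {"insecure": 0, "unknown": 1, "legacy": 2, "ok": 3}
    return min((f.verdict for f in scan(config)), key=order.get, default="ok")


# Constructed racoon.conf fragment: a phase 1 proposal that still offers DES, and a
# phase 2 (sainfo) block that lists 3DES ahead of AES.
SAMPLE_CONFIG = """\
remote 203.0.113.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 192.168.1.0/24 any address 10.0.0.0/24 any {
    encryption_algorithm 3des, aes 256;
    authentication_algorithm hmac_sha1;
}
"""

# The same fragment with both lines corrected to AES-256 only.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("encryption_algorithm des;", "encryption_algorithm aes 256;")
                   .replace("encryption_algorithm 3des, aes 256;", "encryption_algorithm aes 256;"))

if __name__ == "__main__":
    for f in scan(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.algorithm} ({f.bits}-bit) -> {f.verdict}")
    print("sample:", weakest(SAMPLE_CONFIG), "| hardened:", weakest(HARDENED_CONFIG))
```

Run it against a saved racoon.conf; the point to take from the output is that the verdict for the file is the weakest algorithm on any line, not the best one, because the initiator's proposal list is what the peer chooses from.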
  • Unstable pfSense <-> pfSense VPN, lots of logging noise
    Locked · 1 Post · 0 Votes · 3k Views
    No one has replied
  • 2 Posts · 0 Votes · 3k Views
    OK, never mind. I did a new install with the 2.0 beta from 19 Jan 2010. Everything worked as I expected straight away. No issues routing to either subnet.
  • 2 IPsec tunnels, one is silent
    Locked · 2 Posts · 0 Votes · 2k Views
    @kristaps.kr: Hello. I need to make three IPsec tunnels; one is working (A), the others (B, C) are just silent: no errors in the logs, nothing, no activity. The network looks like this (sites A and B both run pfSense 1.2.3):

        SITE A (192.168.3.0/24) ----\
                 |                   \  Tunnel B
                 | Tunnel A           \
                 |             WAN ------------ CISCO (10.0.100.0/24)
                 |                    /
                 |                   /  Tunnel C
        SITE B (192.168.4.0/24) ----/

    Tunnel A works in any conditions, until I disable it. Tunnels B and C don't show any living response, are always yellow, and don't try to connect to the Cisco remote gateway; just silence. After rebooting both (A, B) routers, tunnel A is up, B and C are down, and there are no logs at all. Tried switching IPsec off and on, same result. If the B and C tunnels are left on for 24 hours they never try to connect to the Cisco. When I delete tunnel A on both sites, the (A and C) tunnels disappear from the SAD, the SPD exists, and the Overview is empty. The logs say nothing.
    Tunnel A: aggressive, UserFQDN. Tunnels B, C: main, My IP.
    Could it be related to the upgrade from 1.2.2 to 1.2.3 on both pfSense routers? It started after this.
    One more strange thing I found from time to time: IPsec crosses subnets the wrong way. It should be (for site B, LAN 192.168.4.254):
        IPsec 192.168.4.0 to 192.168.3.0
        IPsec 192.168.4.0 to 10.0.100.0
    but several times the logs showed:
        IPsec 192.168.4.0 to 192.168.4.0
        IPsec 192.168.3.0 to 10.0.100.0
    I understand that sounds "great", but it seems I am 5 minutes before a reinstall. Thanks.

    My solution: when I made the second tunnel to 10.0.100.0 it didn't want to come up. In the tunnel settings the local subnet was "LAN network"; when I changed it to "Network" and set it to use the same network with the same subnet, 192.168.4.0/24, the tunnel started to work. Now both tunnels work. Hope this will help someone. Thanks, kristaps
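Two threads above describe the same mechanism from opposite sides: the "identifier" reply explains that many tunnels can terminate on one address because IPsec selects a policy by (local subnet, remote subnet) rather than by a listening port, and the "one is silent" thread shows what happens when those selectors are wrong (a policy whose local and remote are both 192.168.4.0/24, and a tunnel whose local selector never covers the site's LAN, so nothing matches, nothing is sent, and IKE is never triggered). The added example below, which is not code from pfSense, racoon or either thread, models an SPD lookup and an audit over entries constructed from the subnets quoted in the "one is silent" post; the policy names, the `peer` field and the audit rules are my own.

```python
"""Select an IPsec policy (SPD entry) by traffic selectors, and audit an SPD.

Added example, not code from pfSense or these threads. Policies are chosen by the
(local subnet, remote subnet) pair of a packet, never by a port, so any number of
tunnels can share one gateway address. Sample SPDs are constructed from the subnets
quoted in the "one is silent" thread; names and the peer field are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    peer: str  # remote gateway; several policies may share it


def policy(name: str, local: str, remote: str, peer: str) -> Policy:
    return Policy(name, ipaddress.ip_network(local), ipaddress.ip_network(remote), peer)


def lookup(spd, src: str, dst: str) -> Optional[Policy]:
    """Return the most specific policy whose selectors cover src -> dst, or None.

    None is the "silent tunnel" case: the packet leaves in the clear (or is dropped by
    the firewall) and no IKE negotiation is ever triggered for it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in spd if s in p.local and d in p.remote]
    if not matches:
        return None
    return max(matches, key=lambda p: p.local.prefixlen + p.remote.prefixlen)


def audit(spd, lan: str) -> list:
    """Flag entries that cannot carry this site's traffic."""
    lan_net = ipaddress.ip_network(lan)
    problems = []
    seen = {}
    for p in spd:
        if p.local == p.remote:
            problems.append(f"{p.name}: local and remote selectors are identical ({p.local})")
        elif p.local.overlaps(p.remote):
            problems.append(f"{p.name}: local {p.local} overlaps remote {p.remote}")
        if not p.local.overlaps(lan_net):
            problems.append(f"{p.name}: local selector {p.local} does not cover this site's LAN {lan_net}")
        key = (p.local, p.remote)
        if key in seen:
            problems.append(f"{p.name}: duplicates the selectors of {seen[key]}")
        seen.setdefault(key, p.name)
    return problems


# Site B (LAN 192.168.4.0/24) as it should be: two tunnels, one gateway address.
SITE_B_SPD = [
    policy("Tunnel A", "192.168.4.0/24", "192.168.3.0/24", "site-a"),
    policy("Tunnel C", "192.168.4.0/24", "10.0.100.0/24", "cisco"),
]

# Site B as the logs in the thread showed it: A's selectors point at the LAN itself,
# and C's local selector is another site's subnet, so local traffic never matches it.
SITE_B_BROKEN = [
    policy("Tunnel A", "192.168.4.0/24", "192.168.4.0/24", "site-a"),
    policy("Tunnel C", "192.168.3.0/24", "10.0.100.0/24", "cisco"),
]

if __name__ == "__main__":
    for spd in (SITE_B_SPD, SITE_B_BROKEN):
        hit = lookup(spd, "192.168.4.10", "10.0.100.5")
        print("192.168.4.10 -> 10.0.100.5:", hit.name if hit else "no policy (sent in the clear)")
        for problem in audit(spd, "192.168.4.0/24"):
            print("  audit:", problem)
```

The lookup is the reason the "identifier" reply holds: both policies here carry the same local subnet and could just as well carry the same peer, and they are still distinguished by the destination subnet. The audit reproduces what the thread's author had to find by hand, namely that a local selector which does not cover the site's own LAN yields a tunnel that never attempts to negotiate.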
  • UPnP DLNA Media Server stream over IPsec site to site tunnel
    Locked · 5 Posts · 0 Votes · 12k Views
    @x2dz: So if anyone knows a way to proxy/rebroadcast the DLNA packets (I will again ask whether the IGMP Proxy package ??? is technically connected to this issue) over a pfSense<->pfSense IPsec site to site VPN, please share your thoughts. Any help would be greatly appreciated.
    Has somebody successfully implemented a solution to access a DLNA server/client over a VPN tunnel? I've installed IGMP Proxy on my embedded pfSense 1.2.3 and will try to access the server (LAN) from a PS3 (OPT1). For a long time I had both interfaces bridged, but I want to route the subnets. In the IGMP Proxy package I am not able to choose the IPsec interface... probably not possible with this version? I'm thankful for any help.
  • IPsec/L2TP passthrough not working after upgrade to 1.2.3
    Locked · 1 Post · 0 Votes · 4k Views
    No one has replied
  • IPsec not passing traffic
    Locked · 2 Posts · 0 Votes · 2k Views
    Hi. I would first double-check that you have the correct PASS rules on the Firewall | Rules | IPsec tab at each end of the tunnel. Enable logging on the tunnel and check the logs for any errors. Please paste your tunnel configuration and/or logs.
  • Access OPT1 through the IPsec VPN
    Locked · 7 Posts · 0 Votes · 4k Views
    Just set up 2 tunnels/connections, as these 2 would be the only ones by themselves. By the way, my IPsec crashes all the time. I do not know why, but it's not very stable at this point. Maybe this is not the right solution :-)
  • PF_KEY message
    Locked · 20 Posts · 0 Votes · 10k Views
    jimp: Good to hear it's working. There is an errata page here: http://www.reedmedia.net/books/pfsense/errata.html Check there first, and if it's not a known error, they can be sent to me (jimp (a) pfsense.org) or Chris (cmb (a) pfsense.org) and we'll see what can be done about them.
  • MOVED: IPsec on pfSense 2.0 error
    Locked · 1 Post · 0 Votes · 1k Views
    No one has replied
  • Opportunistic Encryption (OE) Support?
    Locked · 1 Post · 0 Votes · 2k Views
    No one has replied
  • Configuration rules IPsec
    Locked · 4 Posts · 0 Votes · 3k Views
    Thank you jimp for your answer. I tried, but it still doesn't work. I've wasted long days on this, trying to find something on the forum, tutorials, howtos... but I still don't know why my packets don't go through the VPN. So I'll post all my configuration to see if you can understand and explain to me what happens.
    First, my IPsec tunnel: [image: IPsec%20Tunnels.jpg] [image: IPsec%20SPD.jpg] [image: IPsec%20SAD.jpg]
    I think I read something about the SAD: it's not normal if there is nothing in it, right?
    My NAT config: [image: NAT%20Port%20Forward.jpg] [image: NAT%201%201.jpg] And Outbound is on "Automatic outbound NAT rules generation (IPSEC passthrough)".
    My rules: [image: Rules%20LAN.jpg] [image: Rules%20WAN.jpg] [image: Rules%20IPSEC.jpg]
    And my IPsec logs: [image: Logs%20IPsec.jpg]
    So if you find what's wrong... tell me, thanks a lot!!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.