• Possible to shape IPSEC traffic?

    No one has replied
  • jimp

    Personally, I've not seen polling ever help on an ALIX. I haven't tried a Hifn card though.

    I think cmb said he was able to get >30Mbit of IPsec on ALIX with 3DES (and DES, AES, and AES 256)

    I don't think he had polling enabled when he did the tests, but I'm not 100% sure on that.

  • IPSec way out via WAN / WAN2 - Gateway ?

    GruensFroeschli

    Create a static route for the tunnel endpoint, using the WAN you want as its gateway.

    example:
    WAN1: 10.0.1.2/24 Gateway 10.0.1.1/24
    WAN2: 10.0.2.2/24 Gateway 10.0.2.1/24

    Endpoint1: 192.168.1.1
    Endpoint2: 192.168.2.1

    For traffic to endpoint1 on WAN1 you don't have to do anything special.
    For traffic to endpoint2 on WAN2 you have to create a static route for: 192.168.2.1/32 to 10.0.2.1
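    Why the /32 route in the reply above works: the kernel picks the most specific prefix that contains the destination, so a host route beats the /0 default route that points at WAN1. The following is an added Python model of that lookup using the post's addresses; it is not code from the post or from pfSense, and the interface labels "WAN1"/"WAN2", the assumption that the default route leaves via WAN1, and the function names are the example's own.

```python
import ipaddress

# The post's addressing, as (destination prefix, next hop, interface).
# Assumptions for the example: the default route leaves via WAN1 and the
# interface labels are "WAN1"/"WAN2"; a next hop of None is a connected network.
BASE_TABLE = [
    ("0.0.0.0/0",   "10.0.1.1", "WAN1"),  # default route
    ("10.0.1.0/24", None,       "WAN1"),  # WAN1 link network
    ("10.0.2.0/24", None,       "WAN2"),  # WAN2 link network
]


def lookup(table, destination):
    """Longest-prefix match: the most specific prefix containing the
    destination wins, which is why a /32 beats the /0 default route.
    Returns (interface, next_hop) or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[2], best[1])


def with_host_route(table, endpoint, next_hop, iface):
    """Copy of the table with the /32 static route the post describes."""
    return table + [(f"{endpoint}/32", next_hop, iface)]


def freebsd_route_cmd(endpoint, next_hop):
    """Same route in FreeBSD route(8) syntax (pfSense installs it for you
    when the static route is added in the GUI)."""
    return f"route add -host {endpoint} {next_hop}"


if __name__ == "__main__":
    for ep in ("192.168.1.1", "192.168.2.1"):
        print(ep, "before:", lookup(BASE_TABLE, ep))
    fixed = with_host_route(BASE_TABLE, "192.168.2.1", "10.0.2.1", "WAN2")
    print("192.168.2.1 after:", lookup(fixed, "192.168.2.1"))
    print(freebsd_route_cmd("192.168.2.1", "10.0.2.1"))
```

    Without the host route both endpoints resolve to WAN1's gateway; with it, only 192.168.2.1 moves to WAN2 and everything else (including 192.168.2.2) still follows the default. Two things to check after adding the route: the IKE and ESP packets to that peer will now be sourced from WAN2's address, so the phase 1 entry on pfSense should be bound to WAN2 and the remote side must be configured with WAN2's public address as its peer, or phase 1 will never complete.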

  • IPSEC point to point

    No one has replied
  • IPSEC & Advanced Outbound NAT

    No one has replied
  • IPsec fails to renegotiate after loss of a peer

    C

    @fabioc:

    Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else?

    Because it did nothing but generate a broken configuration, so it was removed. It's also not needed.

  • IPSEC/L2TP passthrough problem

    B

    Windows is using the same ports.
    In the logs on pfSense, I can see 4500 and 500 being passed to the Windows box.

    Basically, what this comes down to: can pfSense pass through IPsec/L2TP VPN requests?
    It seems it will do IPsec/L2TP with no issue at all, but when I want to use a pre-shared key, it dies.

    It's possible this could be because of NAT-T?

    I am not very good at this stuff, but I am trying.
    Thanks for your quick reply.
    -Shane

  • Asterisk and AES-128

    No one has replied
  • No traffic, tunnels in the green

    I

    @Visseroth:

    Well in new news I setup a tunnel between me and another local location and it was working fine then went down. I brought the tunnels back up but again I can't get traffic through the tunnels.

    Can I ask what version you have at both locations?

  • jimp

    Parallel tunnels are the way to go for this in 1.2.x, some people are using them with no ill effects.

    In 2.0 this will be a non-issue, as you can have multiple phase 2 entries for each phase 1 entry, so you can specify as many subnets (or single hosts) as you like.

  • NAT at boths ends?

    P

    I followed the tutorial to a T - and could not get it to work.
    Gave up on that one.

    So I switched PFSense to my other ISP (non-NAT address) and tried to use mobile config at the "work" end.
    Configured the tunnel end at my "home", and even though the tunnel would set up (at the home end), green icon and all,
    I could not ping a known host at the work end. The work pfSense knew nothing about a tunnel in its IPsec monitor pages (SPD, etc.) when I came into work and looked at the status and logs.

    Only when I reconfigured the "work end" to not use mobile, and entered in the IPSec parameters for the "home" end did it begin to flow traffic.
    (I'm using DynDNS)
    EDIT- traffic only flows from work to home.
    When I came home, even though the tunnel is still "up" I can't ping into work.
    Very strange. There are posts about only 1 way ping here, I'll read those and look for a solution.
    Also, OpenVPN won't ping either. It establishes the connection, I get pushed the IP from the pool, but I can't ping from home. It's like the other end doesn't exist.

    My goal is to use PFsense as the IPSec gateway for remote users. This isn't a solution, but its something.
    I've created an OpenVPN client certificate etc pased in the work end, copied the files to a USB stick and will try that later from home.

    EDIT2 - I did finally get OpenVPN client to work. Not sure exactly what I did but its working now.

    And - I did get a full tunnel between my home pfSense and work's pfSense.
    Upgrading to the latest build (work had early October build), home is Alix Flash about Mid Nov)
    and deleting & recreating both ends helped.

    My next question - is there a way to have OpenVPN configured as name & password (I see that RADIUS can be made to work in other posts here… ). That's OK, but creating and distributing the certificates is a PITA.
    I'm trying to emulate Checkpoint's SecureRemote... I give the users software, a name & PW and it connects.  Can OpenVPN be made to be "no certificates"? (Shrewsoft maybe?)

  • S

    As we are going to connect to that public IP on a continuous basis that might be a good workaround, but a less preferred one.
    It would require me to read up on all the technical stuff because I have never established tunnels before and I'm a bit short on time.
    Not that I'm lazy :)

  • IPSEC to Nokia Mobile Client (RoadWarrior VPN) pfSense 1.2.3

    P

    Hi,

    I'm trying to do the same with my Nokia E66-1,

    here's my log:

    Oct 27 08:16:30 [info] racoon: INFO: respond new phase 1 negotiation: pfSense.ext.ip[500]<=>E66-1.ext.ip[64276]
    Oct 27 08:16:30 [info] racoon: INFO: begin Aggressive mode.
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: RFC 3947
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: DPD
    Oct 27 08:16:30 [info] racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 27 08:16:30 [info] racoon: INFO: Selected NAT-T version: RFC 3947
    Oct 27 08:16:30 [info] racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 27 08:16:30 [info] racoon: INFO: Hashing E66-1.ext.ip[64276] with algo #2
    Oct 27 08:16:30 [info] racoon: INFO: Hashing pfSense.ext.ip[500] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-T: ports changed to: E66-1.ext.ip[64518]<->pfSense.ext.ip[4500]
    Oct 27 08:16:31 [info] racoon: INFO: Hashing pfSense.ext.ip[4500] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #0 verified
    Oct 27 08:16:31 [info] racoon: INFO: Hashing E66-1.ext.ip[64518] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #1 doesn't match
    Oct 27 08:16:31 [info] racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Oct 27 08:16:31 [info] racoon: INFO: NAT detected: PEER
    Oct 27 08:16:31 [info] racoon: INFO: ISAKMP-SA established pfSense.ext.ip[4500]-E66-1.ext.ip[64518] spi:5a013d7dc112f723:fe936afd9e58da7e
    Oct 27 08:16:32 [info] racoon: INFO: respond new phase 2 negotiation: pfSense.ext.ip[4500]<=>E66-1.ext.ip[64518]
    Oct 27 08:16:32 [info] racoon: INFO: no policy found, try to generate the policy : E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in
    Oct 27 08:16:32 [info] racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Oct 27 08:16:32 [info] racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP E66-1.ext.ip[64518]->pfSense.ext.ip[4500] spi=35516524(0x21df06c)
    Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP pfSense.ext.ip[4500]->E66-1.ext.ip[64518] spi=323000828(0x134099fc)
    Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in"
    Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "pfSense.priv.net/28[0] E66-1.priv.ip/32[0] proto=any dir=out"
    Oct 27 08:16:33 [info] racoon: ERROR: pfkey DELETE received: ESP pfSense.ext.ip[500]->E66-1.ext.ip[500] spi=157776447(0x9677a3f)

    Now,
    inside the VPN I wish to give my Nokia E66-1 a single (/32) specific private IP (E66-1.priv.ip) out of the range of the internal private net (pfSense.priv.net/28), the same way I do with any other client (racoon on Mac OS X, {Free|Net}BSD and m0n0wall, strongSwan on Linux, ShrewSoft and GreenBow on Windows).

    Reading the docs found @Nokia I didn't catch anything clear about this, so it seems to me that this type of configuration is unsupported and, eventually, not working.

    Have any clue about that?
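    Reading the log above the way a practitioner would: phase 1 completes (aggressive mode, NAT-T detected on the peer side), two ESP SAs are installed, and then racoon reports that the policy it tried to generate for E66-1.priv.ip/32 <-> pfSense.priv.net/28 does not exist in the SPD. That is the signature of a tunnel that shows as up but carries no traffic, and it is the same root cause as the "interesting traffic must match exactly on both sides" point in the last entry on this page. The following is an added Python example, not code from the post or from pfSense/racoon: it parses a constructed racoon excerpt modelled on the one above (IPv4 only; the addresses 203.0.113.10, 198.51.100.20, 10.99.0.5 and 192.168.10.0/28 stand in for the placeholders in the post and are assumptions) and compares the selectors the peer negotiated against the phase 2 entries configured locally.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# (remote_net, local_net) as seen from the pfSense side
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed excerpt modelled on the log in the post (IPv4 only). The addresses
# are assumptions: 203.0.113.10 = pfSense.ext.ip, 198.51.100.20 = E66-1.ext.ip,
# 10.99.0.5 = E66-1.priv.ip, 192.168.10.0/28 = pfSense.priv.net.
SAMPLE_LOG = """\
Oct 27 08:16:30 [info] racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[64276]
Oct 27 08:16:30 [info] racoon: INFO: begin Aggressive mode.
Oct 27 08:16:31 [info] racoon: INFO: NAT-T: ports changed to: 198.51.100.20[64518]<->203.0.113.10[4500]
Oct 27 08:16:31 [info] racoon: INFO: NAT detected: PEER
Oct 27 08:16:31 [info] racoon: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.20[64518] spi:5a013d7dc112f723:fe936afd9e58da7e
Oct 27 08:16:32 [info] racoon: INFO: no policy found, try to generate the policy : 10.99.0.5/32[0] 192.168.10.0/28[0] proto=any dir=in
Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP 198.51.100.20[64518]->203.0.113.10[4500] spi=35516524(0x21df06c)
Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP 203.0.113.10[4500]->198.51.100.20[64518] spi=323000828(0x134099fc)
Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "10.99.0.5/32[0] 192.168.10.0/28[0] proto=any dir=in"
Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "192.168.10.0/28[0] 10.99.0.5/32[0] proto=any dir=out"
"""

POLICY_RE = re.compile(r"([\d.]+/\d+)\[\d+\] ([\d.]+/\d+)\[\d+\] proto=\S+ dir=(in|out)")


@dataclass
class Negotiation:
    aggressive: bool = False
    phase1_up: bool = False
    nat_detected: Optional[str] = None
    ipsec_sas: int = 0
    proposed: Set[Selector] = field(default_factory=set)  # selectors racoon tried to generate
    missing: Set[Selector] = field(default_factory=set)   # selectors it then failed to find


def _selector(src: str, dst: str, direction: str) -> Selector:
    # racoon prints "src dst"; for dir=in the source is the peer's side.
    remote, local = (src, dst) if direction == "in" else (dst, src)
    return ipaddress.ip_network(remote), ipaddress.ip_network(local)


def parse_racoon(text: str) -> Negotiation:
    n = Negotiation()
    for line in text.splitlines():
        if "begin Aggressive mode" in line:
            n.aggressive = True
        elif "ISAKMP-SA established" in line:
            n.phase1_up = True
        elif "NAT detected:" in line:
            n.nat_detected = line.split("NAT detected:", 1)[1].strip()
        elif "IPsec-SA established" in line:
            n.ipsec_sas += 1
        elif "generate the policy" in line or "such policy does not already exist" in line:
            m = POLICY_RE.search(line)
            if m is None:
                continue
            target = n.proposed if "generate the policy" in line else n.missing
            target.add(_selector(*m.groups()))
    return n


def diagnose(neg: Negotiation, configured: List[Tuple[str, str]]):
    """configured: (local_net, remote_net) pairs as entered in the phase 2 entries.
    Returns (status, findings); a finding is (verdict, remote_net, local_net)."""
    want = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in configured}
    findings = []
    for remote, local in sorted(neg.proposed, key=str):
        if (remote, local) in want:
            verdict = "ok"
        elif any(remote.subnet_of(r) and local.subnet_of(l) for r, l in want):
            verdict = "overlap-only"   # inside a configured pair, but not identical
        else:
            verdict = "mismatch"
        findings.append((verdict, remote, local))
    if neg.phase1_up and neg.ipsec_sas and neg.missing:
        status = "sas-up-no-spd"       # "green" tunnel that carries no traffic
    elif neg.phase1_up and neg.ipsec_sas:
        status = "up"
    else:
        status = "down"
    return status, findings


if __name__ == "__main__":
    neg = parse_racoon(SAMPLE_LOG)
    print("aggressive mode:", neg.aggressive, "| NAT:", neg.nat_detected)
    print(diagnose(neg, [("192.168.10.0/28", "10.99.0.0/24")]))
```

    Run against a local phase 2 of 192.168.10.0/28 <-> 10.99.0.0/24 the verdict is "overlap-only": the client's /32 sits inside the configured remote network but is not identical to it, which is exactly the one-way or no-traffic symptom described elsewhere on this page. Only a configured pair equal to what the peer proposes yields "ok". Separately, the "begin Aggressive mode" line is worth noticing on any PSK road-warrior setup: aggressive mode sends the identity hash before the Diffie-Hellman exchange completes, so anyone on path can capture it for offline PSK guessing; use main mode wherever the client supports it.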

  • Need help setting up VPN on OPT interface

    No one has replied
  • Need some VPN advice

    dotdash

    The Cisco VPN won't connect to pfSense ipsec, due to the current lack of xauth support.
    If you can't find an IPsec client, you could use PPTP or OpenVPN.

  • IPSEC with NAT on one end

    M

    I moved the IPsec to an OPT connection with an ADSL Internet modem connected to it, so the IPsec is directly on the Internet without NAT anymore.

    I'll move to other trouble I guess.

  • Ipsec issue, ghost session on BAS

    No one has replied
  • Multiple hosts but not subnet

    No one has replied
  • Ipsec forward upnp

    No one has replied
  • Communication can be initiated from one side only

    D

    In my experience this is generally caused by the Interesting Traffic not matching EXACTLY on both firewalls.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.