I got tired of waiting for forum posts so I checked out IRC.  According to cmb, "you can't NAT traffic destined to IPSEC in FreeBSD"
The only way to accomplish what I want is to set up an additional pfSense box, or move to a Linux distribution like IPCop.

i'm sorry - this is an IPsec vpn question, not openvpn. if someone could move it to that forum it would be great…

I have a rule allowing any any on the ipsec interface, thinking that this was the problem but it made no difference.
Any other ideas?
Pat

Thanks that worked!

@jimp:

You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this.

u're right  ;D

thanks for the advice  ;)

You can listen on enc0 with tcpdump instead of the physical interface; all encrypted traffic will pass through this virtual interface before the crypto is applied.

pfSense seems to default to masking all of it via sysctl tunables however, so read enc(4) in the manual and adjust the tunables as necessary to see the traffic. The example below should show you what you want to see:

sysctl -e net.enc.out.ipsec_bpf_mask=0x1 sysctl -e net.enc.out.ipsec_filter_mask=0x1 sysctl -e net.enc.in.ipsec_filter_mask=0x2 sysctl -e net.enc.in.ipsec_bpf_mask=0x2

found it.
It was a incomplete IPSec profile for mobile clients.
This screwed up the config.xml. fixed it.
:)

not saying this will help but…..
http://forum.pfsense.org/index.php/topic,17850.0.html

the reason i suggest it is that i tried absolutely everything. tunnel was up & everything looked good. but still no traffic. altered the hash (as suggested) and bang….. it went. you would have thought that if the hash was wrong, the tunnel wouldn't establish. the endpoints matched etc but no traffic would flow.
incidently, this was a watchgaurd box with pfsense on it! the thing is solid now!

I have a watchguard II 700 I am trying to setup a VPN IPSEC connection with PFsense, the connection seems to work, whereby I can RDP into the remote site via lan ip address and I can ping the Watchgaurd site from the PFsense side, but when I try to ping from the watchguard side to the PFsense side, or try any type of communication I get no response, I have tried so many rule changes and I can't figure this out I have alos downgraded to 1.2 and still no luck.  Was this a similar problem you guys were experiencing?

On the SG's:

Click on Advanced for the IPSec Tunnel:

Page 1:

Keying: Main
Local Address: Static IP Address
Remote Address: dns hostname address
Authentication: Pre-Shared Secret
Uncheck Require Xauth Authenticaion

Page 2:
Check Initiate Tunnel Negotiation
Optional Endpoint ID: Blank
IP Payload Compression: Uncheck
Dead Peer Detection: Checked
Delay: 9
Timeout: 30
Initiate Phase 1 & 2 rekeying: Checked

Page 3:
Remote party DNS hostname: DNS address of remote PFSense box (okay to use dynamic DNS)
Required Endpoint ID: email address

Page 4:
Key lifetime (sec) 3600
Rekey margin (sec) 600
Rekey fuzz (%) 100
Preshared Secret: Your call on this
Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)

Page 5:
Add your local and remote networks
Key lifetime (sec) 3600
Phase 2 Proposal: 3DES-SHA
Perfect Forward Secrecy: Unchecked

Click Finished.

I have 3 Dynamic DNS VPN client VPN's tunnels no issues.
RC

I think it would be possible.  You need to contact her support for the Nortel device.  She would need to have a static IP address.

I have talked with a friend of mine that used to support one and it should work.
RC