In the meantime this thread is off topic and should moved back to Prerelease 1.2.3 :-)

It takes no more than the time between I wrote the laste message.

Actual status:
WLAN to LAN: Access ok
WLAN to WAN (internet): no access
WLAN to VPN: no access

It works with the same configuration an hour before. I only reboot the notebook and let it "sleep" half an hour.

I have no more ideas… and go sleep now.

Sigma

I have the same question.  To put it in simpler terms, like your title - the question is:  Is it possible to route "all traffic" over an IPsec tunnel (between 2 pfsense)?

I tried using the "remote network" in the IPsec configuration as 0.0.0.0 / 0  and this does not route.  Could someone confirm if this is doable, with perhaps some routing tricks on the remote pfsense box?

I thought this would hold the clue: http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

A simple yes/no would suffice.  I would create a bounty to have this done in a future version.

Thanks!

Hi,

I can not see the configuration image of the monowall.
I you be wary happy to see it…

Best regards
Martin

Dynamic DNS VPN tunnels work great in 1.2.3.  I been running 1.2.3 for quite time with no issue.
RC

Here is just a few things that we need:
Site 1&2
Internal IP address ranges:  192.168.xxx.xxx or 172.16.xxx.xxx
Gateway address at both sites
subnet mask at both sites.

We need to get the external addresses.

Are you planning to have moblie clients?  If so we need to plan for either shrew or OpenVPN clients.  What verison of PF-Sense are you planning to run.

What applications are going to run accross the VPN tunnel?
Outlook, internal web, etc

Once we get all that preliminary stuff togethor, Lets get online and the we can start the set up.  Then you can assist me to get into the firewalls and I can assist you in getting the configration locked down.

Just let me know what we got to work with, and we will get you back up and running.
RC

I don't know if is the same problem… In my case, the tunnel is up but there isn't traffic. Can't ping from site to site. Then, I go to config, save and aply and the ipsec tunnel is working. I can't understand it.

I listen a lot of people with the same problem. I don't know if is a racon problem but I think that is needed some mecanism to restart the ipsec tunnel. I don't know if is easy or not, but is a problem that have a lot of people.
The keep alive option is for something?

My Version 1.2.2.

Cheers

Something about it?????

I just happened to find this now that I'm messing with glxsb. We added the patch in kern/132622 in March, it's in 1.2.3 snapshots. Thanks much for your work on glxsb, Patrick!  Glad to see you on our forum too.

We're looking at building glxsb as a module right now, so we can test with and without it, and to get it out of the way when you have a much faster Hifn installed.

I'm seeing 19.4 Mbps through IPsec with AES-128 on an ALIX with glxsb, and 40 Mbps 3DES with a hifn 7955 (Soekris vpn1411) vs. 8.4 Mbps 3DES without hifn. Nice performance boost with the hifn. Not sure what impact glxsb has yet.

That sounds about like what happened the last time I tried to run multiple subnets with mobile clients.

The tunnel would drop and re-key for the alternate subnet, and then flip back and forth repeatedly. This was several months ago that I tried it though, and the particulars escape me.

OK after much messing about i realised that it was actual my test environment routing setup that was broken and the pfSense and OpenBSD were behaving as expected!!!

I now have my tunnel working with traffic happily passing up and down, for future reference the OpenBSD ipsec.conf that i posted above is the one i am using successfully!

Thanks and so far pfSense is looking pretty damn good.  Ideally i will be rolling this out to all my routers/firewalls over the next few weeks :)

What kinda of rules do you have set up?  Depending on the rules you have, have to add a rule for DCHP to be passed.  You also need to make sure that you DCHP server is setup to relay.  By default it is turned off on Windows 2003.

RC

If anyone has found the solution can they please post it?  I have ran across this same issue.  I have tried everything i can think of… nothing seems to fix this issue.

Well, after pulling my hair out of my head  ???, we decided to use another public address, and then… it worked...
thanks everyone for their valuable help! :)

best regards!

Well we contacted the ISP and they say nothing is wrong with the connection.
I had one location not far away from the Fiber Site witch has monowall running, but did not needed to connect to the main site.
I tried to setup an IPSEC tunnel from there (with monowall) and it worked like it should.   ???

So now i  have a fiber site with pfsense 1.2.3RC1 that cannot transfer data with other pfsense locations(1.2, 1.2.1 and 1.2.2), but can with a monowall site.

i am totaly lost here.

one of my SDSL routers is also 1.2.3 RC1 so it could not be the version i guess.

if i let the csup go i get this a s a result.

csup -g -L2 /usr/local/etc/cvsup/ports-supfile Parsing supfile "/usr/local/etc/cvsup/ports-supfile" Connecting to 192.168.1.22 Connected to 192.168.1.22 Server software version: SNAP_16_1h Negotiating file attribute support Exchanging collection information Establishing multiplexed-mode data connection Running Receiver: Operation timed out

hense is can remotly ssh to that cvsupd deamon machine and stay conected for more than one hour giving commands and so on.

what i also see on the Fiber site is the following in a tcpdump on the wan side of the firewall.
do not know if it could be something with that.
I did the following.
start the capture, then hit the command csup -g -L2 /usrlocal/etc/cvsup/port-supfile (wich connect to 192.168.1.22 on the main fiber side.)
When it says Running i stopped the capture.

21:25:50.556717 IP (tos 0x10, ttl 255, id 55615, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->c893)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 53, prio 0, authtype none, intvl 1s, length 36, addrs(7): 244.201.250.45,239.151.131.255,91.102.75.234,67.104.75.221,239.214.110.143,61.144.15.165,67.129.197.78 21:25:50.626712 IP (tos 0x10, ttl 255, id 55361, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->c991)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 54, prio 0, authtype none, intvl 1s, length 36, addrs(7): 56.54.235.42,173.40.246.67,169.202.181.189,144.245.123.176,201.113.242.40,255.220.146.215,47.168.165.213 21:25:51.276823 IP (tos 0x10, ttl 255, id 52523, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->d4a7)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.106.174.249,155.20.150.202,211.34.143.254,15.186.44.85,158.20.184.87,103.232.91.113,201.21.228.48 21:25:51.456717 IP (tos 0x10, ttl 255, id 16938, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->5fa9)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 52, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.153.49.198,230.152.10.223,42.57.100.58,141.190.174.130,26.119.72.102,234.42.140.127,40.41.89.109 21:25:51.566720 IP (tos 0x10, ttl 255, id 8805, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->7f6e)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 53, prio 0, authtype none, intvl 1s, length 36, addrs(7): 203.193.59.95,236.64.210.109,202.60.129.232,98.65.160.2,188.182.97.39,133.249.204.141,146.127.198.175 21:25:51.636722 IP (tos 0x10, ttl 255, id 37934, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->da5)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 54, prio 0, authtype none, intvl 1s, length 36, addrs(7): 142.169.150.134,96.208.150.73,59.63.216.151,199.179.137.75,13.57.85.140,44.126.209.202,250.61.160.113 21:25:52.086603 IP (tos 0x0, ttl 57, id 43754, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x40e), length 92 21:25:52.096848 IP (tos 0x0, ttl 64, id 65102, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->fcfa)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34d), length 92 21:25:52.106606 IP (tos 0x0, ttl 57, id 33443, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x40f), length 84 21:25:52.126803 IP (tos 0x0, ttl 64, id 60469, offset 0, flags [none], proto ESP (50), length 144, bad cksum 0 (->ef4)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34e), length 124 21:25:52.136605 IP (tos 0x0, ttl 57, id 42443, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x410), length 84 21:25:52.136721 IP (tos 0x0, ttl 57, id 33521, offset 0, flags [none], proto ESP (50), length 128) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x411), length 108 21:25:52.146781 IP (tos 0x0, ttl 64, id 20094, offset 0, flags [none], proto ESP (50), length 120, bad cksum 0 (->acc3)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x34f), length 100 21:25:52.156606 IP (tos 0x0, ttl 57, id 10201, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x412), length 84 21:25:52.156720 IP (tos 0x0, ttl 57, id 7111, offset 0, flags [none], proto ESP (50), length 152) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x413), length 132 21:25:52.176779 IP (tos 0x0, ttl 64, id 1369, offset 0, flags [none], proto ESP (50), length 120, bad cksum 0 (->f5e8)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x350), length 100 21:25:52.176794 IP (tos 0x0, ttl 57, id 25585, offset 0, flags [none], proto ESP (50), length 184) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x414), length 164 21:25:52.176965 IP (tos 0x0, ttl 57, id 56203, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x415), length 84 21:25:52.186809 IP (tos 0x0, ttl 64, id 37728, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->67f1)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x351), length 84 21:25:52.186986 IP (tos 0x0, ttl 64, id 65076, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->fd1c)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x352), length 84 21:25:52.187000 IP (tos 0x0, ttl 57, id 39913, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x416), length 84 21:25:52.187111 IP (tos 0x0, ttl 57, id 8360, offset 0, flags [none], proto ESP (50), length 120) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x417), length 100 21:25:52.196772 IP (tos 0x0, ttl 64, id 51020, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->33fd)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x353), length 92 21:25:52.196786 IP (tos 0x0, ttl 57, id 4520, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x418), length 84 21:25:52.206605 IP (tos 0x0, ttl 57, id 40382, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x419), length 84 21:25:52.206720 IP (tos 0x0, ttl 57, id 64645, offset 0, flags [none], proto ESP (50), length 136) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41a), length 116 21:25:52.216801 IP (tos 0x0, ttl 64, id 37695, offset 0, flags [none], proto ESP (50), length 136, bad cksum 0 (->67f2)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x354), length 116 21:25:52.226609 IP (tos 0x0, ttl 57, id 27029, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41b), length 84 21:25:52.226743 IP (tos 0x0, ttl 57, id 15567, offset 0, flags [none], proto ESP (50), length 136) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41c), length 116 21:25:52.246909 IP (tos 0x0, ttl 64, id 12856, offset 0, flags [none], proto ESP (50), length 200, bad cksum 0 (->c8b9)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x355), length 180 21:25:52.256608 IP (tos 0x0, ttl 57, id 45255, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41d), length 84 21:25:52.256740 IP (tos 0x0, ttl 57, id 61108, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41e), length 92 21:25:52.286735 IP (tos 0x10, ttl 255, id 21571, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->4d90)!) 193.173.YYY.YYY > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 0, authtype none, intvl 1s, length 36, addrs(7): 233.106.174.249,155.20.150.203,76.160.207.216,86.179.189.21,77.227.123.119,46.169.255.8,192.68.9.89 21:25:52.376795 IP (tos 0x0, ttl 64, id 10790, offset 0, flags [none], proto ESP (50), length 104, bad cksum 0 (->d12b)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x356), length 84 21:25:52.386611 IP (tos 0x0, ttl 57, id 63728, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x41f), length 92 21:25:52.396781 IP (tos 0x0, ttl 64, id 44904, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->4be1)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x357), length 92 21:25:52.406607 IP (tos 0x0, ttl 57, id 40878, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x420), length 84 21:25:52.406722 IP (tos 0x0, ttl 57, id 18343, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x421), length 92 21:25:52.416778 IP (tos 0x0, ttl 64, id 5916, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->e42d)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x358), length 92 21:25:52.426607 IP (tos 0x0, ttl 57, id 34180, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x422), length 84 21:25:52.426720 IP (tos 0x0, ttl 57, id 5273, offset 0, flags [none], proto ESP (50), length 120) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x423), length 100 21:25:52.436779 IP (tos 0x0, ttl 64, id 47120, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->4339)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x359), length 92 21:25:52.446606 IP (tos 0x0, ttl 57, id 19897, offset 0, flags [none], proto ESP (50), length 104) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x424), length 84 21:25:52.446720 IP (tos 0x0, ttl 57, id 64944, offset 0, flags [none], proto ESP (50), length 112) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x425), length 92 21:25:52.456782 IP (tos 0x0, ttl 64, id 39268, offset 0, flags [none], proto ESP (50), length 112, bad cksum 0 (->61e5)!) 193.173.XXX.XXX > 217.166.XXX.XXX: ESP(spi=0x0a842405,seq=0x35a), length 92 21:25:52.456906 IP (tos 0x0, ttl 57, id 39372, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x426), length 1472 21:25:52.456934 IP (tos 0x0, ttl 57, id 39372, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp 21:25:52.456947 IP (tos 0x0, ttl 57, id 53480, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x427), length 1472 21:25:52.456968 IP (tos 0x0, ttl 57, id 53480, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp 21:25:52.466616 IP (tos 0x0, ttl 57, id 29348, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x428), length 1472 21:25:52.466638 IP (tos 0x0, ttl 57, id 29348, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp 21:25:52.466650 IP (tos 0x0, ttl 57, id 59795, offset 0, flags [+], proto ESP (50), length 1492) 217.166.XXX.XXX > 193.173.XXX.XXX: ESP(spi=0x0a7d5c27,seq=0x429), length 1472 21:25:52.466669 IP (tos 0x0, ttl 57, id 59795, offset 1480, flags [none], proto ESP (50), length 72) 217.166.XXX.XXX > 193.173.XXX.XXX: esp

193.173.XXX.XXX is my faulty fiber site(CARP0) 217.166.XXX.XXX is my other site (in this case fiber also, from the same ISP)
193.173.YYY.YYY is the WAN address itself

On the other side 217.166.XXX.XXX i do not see those bad cksum's

I hope someone can shed a light on this.
And sorry for my poor explanation capability's in english

regards, and thanks for your time reading this
Johan

Hello,

I appear to be having a similar issue.

I have 3 PFsense boxes that i manage. All are running 1.2.3-rc1
All 3 firewalls are connected by ipsec tunnels over the internet and have mobile IPsec (road warrior) setup. I am using the shrew soft vpn client on win xp sp2

If i try to VPN using shrew soft to one of the other sites from behind my pfsense box i get the "negotiation timeout occurred" message. If i disconnect pfsense from my modem and plug my computer directly to the public net i can connect fine.

This happens at all 3 of my sites so i am assuming that there is a setting that needs to be tweaked in the outbound settings of whatever pfsense box i am behind to allow the connection out.

Any ideas on what i can check?

http://doc.pfsense.org/index.php/PfSense_to_Fortigate_IPsec

that's most likely it.  When he restarts his firewall it will come up but then drops  few days later.  I hope you all will figure it out soon.
RC