• Persistent error in racoon.cnf

    Locked
    0 Votes
    4 Posts
    2k Views

    found it.
    It was an incomplete IPSec profile for mobile clients.
    This screwed up the config.xml. Fixed it.
    :)

  • VPN with PFsense to Watchguard

    Locked
    0 Votes
    4 Posts
    3k Views

    not saying this will help but…..
    http://forum.pfsense.org/index.php/topic,17850.0.html

    the reason i suggest it is that i tried absolutely everything. tunnel was up & everything looked good. but still no traffic. altered the hash (as suggested) and bang….. it went. you would have thought that if the hash was wrong, the tunnel wouldn't establish. the endpoints matched etc but no traffic would flow.
    incidentally, this was a watchguard box with pfsense on it! the thing is solid now!

  • Racoon error message

    Locked
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Unknown Racoon Error Message

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSEC to WatchGuard Firebox not working in 1.2.2

    Locked
    0 Votes
    7 Posts
    6k Views

    I have a watchguard II 700 I am trying to setup a VPN IPSEC connection with PFsense, the connection seems to work, whereby I can RDP into the remote site via lan ip address and I can ping the Watchguard site from the PFsense side, but when I try to ping from the watchguard side to the PFsense side, or try any type of communication I get no response, I have tried so many rule changes and I can't figure this out. I have also downgraded to 1.2 and still no luck.  Was this a similar problem you guys were experiencing?

  • IPSEC VPN problems to Snapgear Firewall

    Locked
    0 Votes
    5 Posts
    5k Views

    On the SG's:

    Click on Advanced for the IPSec Tunnel:

    Page 1:

    Keying: Main
    Local Address: Static IP Address
    Remote Address: dns hostname address
    Authentication: Pre-Shared Secret
    Uncheck Require Xauth Authentication

    Page 2:
    Check Initiate Tunnel Negotiation
    Optional Endpoint ID: Blank
    IP Payload Compression: Uncheck
    Dead Peer Detection: Checked
    Delay: 9
    Timeout: 30
    Initiate Phase 1 & 2 rekeying: Checked

    Page 3:
    Remote party DNS hostname: DNS address of remote PFSense box (okay to use dynamic DNS)
    Required Endpoint ID: email address

    Page 4:
    Key lifetime (sec) 3600
    Rekey margin (sec) 600
    Rekey fuzz (%) 100
    Preshared Secret: Your call on this
    Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)

    Page 5:
    Add your local and remote networks
    Key lifetime (sec) 3600
    Phase 2 Proposal: 3DES-SHA
    Perfect Forward Secrecy: Unchecked

    Click Finished.

  • VPN routing, Site<-mainsite->Site

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN behind ADSL Modem/Router

    Locked
    0 Votes
    5 Posts
    6k Views

    I have 3 Dynamic DNS VPN client VPN's tunnels no issues.
    RC

  • Pfsense as an ipsec client connecting to Nortel router

    Locked
    0 Votes
    2 Posts
    2k Views

    I think it would be possible.  You need to contact her support for the Nortel device.  She would need to have a static IP address.

    I have talked with a friend of mine that used to support one and it should work.
    RC

  • Access from WLAN on the VPN connection

    Locked
    0 Votes
    8 Posts
    5k Views

    In the meantime this thread is off topic and should be moved back to Prerelease 1.2.3 :-)

    It takes no more than the time between I wrote the last message.

    Actual status:
    WLAN to LAN: Access ok
    WLAN to WAN (internet): no access
    WLAN to VPN: no access

    It worked with the same configuration an hour before. I only rebooted the notebook and let it "sleep" for half an hour.

    I have no more ideas… and go sleep now.

    Sigma

  • Tunnel all IP through IPsec tunnel

    Locked
    0 Votes
    2 Posts
    3k Views

    I have the same question.  To put it in simpler terms, like your title - the question is:  Is it possible to route "all traffic" over an IPsec tunnel (between 2 pfsense)?

    I tried using the "remote network" in the IPsec configuration as 0.0.0.0 / 0  and this does not route.  Could someone confirm if this is doable, with perhaps some routing tricks on the remote pfsense box?

    I thought this would hold the clue: http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    A simple yes/no would suffice.  I would create a bounty to have this done in a future version.

    Thanks!

  • [GUIDE]vpn asa - monowall issue [SOLVED!!!!!!!!!!!!!!!!!!]

    Locked
    0 Votes
    6 Posts
    8k Views

    Hi,

    I can not see the configuration image of the monowall.
    I would be very happy to see it…

    Best regards
    Martin

  • Pfsense IPSec Server <--> pfsense IPSec Client

    Locked
    0 Votes
    4 Posts
    5k Views

    Dynamic DNS VPN tunnels work great in 1.2.3.  I have been running 1.2.3 for quite some time with no issue.
    RC

  • Complete VPN noob looking for help - pfsense not main firewall

    Locked
    0 Votes
    5 Posts
    3k Views

    Here is just a few things that we need:
    Site 1&2
    Internal IP address ranges:  192.168.xxx.xxx or 172.16.xxx.xxx
    Gateway address at both sites
    subnet mask at both sites.

    We need to get the external addresses.

    Are you planning to have mobile clients?  If so we need to plan for either shrew or OpenVPN clients.  What version of PF-Sense are you planning to run?

    What applications are going to run across the VPN tunnel?
    Outlook, internal web, etc

    Once we get all that preliminary stuff together, let's get online and then we can start the set up.  Then you can assist me to get into the firewalls and I can assist you in getting the configuration locked down.

    Just let me know what we got to work with, and we will get you back up and running.
    RC

  • Deleting security associations restore tunnel

    Locked
    0 Votes
    5 Posts
    4k Views

    I don't know if it is the same problem… In my case, the tunnel is up but there isn't traffic. Can't ping from site to site. Then, I go to config, save and apply and the ipsec tunnel is working. I can't understand it.

    I hear from a lot of people with the same problem. I don't know if it is a racoon problem but I think that some mechanism is needed to restart the ipsec tunnel. I don't know if it is easy or not, but it is a problem that a lot of people have.
    The keep alive option is for something?

    My Version 1.2.2.

    Cheers

  • IPSEC reconnect issues

    Locked
    0 Votes
    2 Posts
    3k Views

    Something about it?????

  • Alix IPsec benchmarks 1.2 1.2.2 1.2.3 glxsb hifn

    Locked
    0 Votes
    4 Posts
    9k Views

    I just happened to find this now that I'm messing with glxsb. We added the patch in kern/132622 in March, it's in 1.2.3 snapshots. Thanks much for your work on glxsb, Patrick!  Glad to see you on our forum too.

    We're looking at building glxsb as a module right now, so we can test with and without it, and to get it out of the way when you have a much faster Hifn installed.

    I'm seeing 19.4 Mbps through IPsec with AES-128 on an ALIX with glxsb, and 40 Mbps 3DES with a hifn 7955 (Soekris vpn1411) vs. 8.4 Mbps 3DES without hifn. Nice performance boost with the hifn. Not sure what impact glxsb has yet.

  • PfSense <-> Windows RRAS via IPsec

    Locked
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • 0 Votes
    6 Posts
    6k Views
    jimp

    That sounds about like what happened the last time I tried to run multiple subnets with mobile clients.

    The tunnel would drop and re-key for the alternate subnet, and then flip back and forth repeatedly. This was several months ago that I tried it though, and the particulars escape me.

  • OpenBSD (isakmpd) <-> pfSense connected but no ping etc [SOLVED]

    Locked
    0 Votes
    3 Posts
    4k Views

    OK after much messing about i realised that it was actually my test environment routing setup that was broken and the pfSense and OpenBSD were behaving as expected!!!

    I now have my tunnel working with traffic happily passing up and down, for future reference the OpenBSD ipsec.conf that i posted above is the one i am using successfully!

    Thanks and so far pfSense is looking pretty damn good.  Ideally i will be rolling this out to all my routers/firewalls over the next few weeks :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.