I am wanting to tie down some security for the VPN tunnels I have running but I am not sure wht I am doing wrong.

I am having somewhat the same problems as others in this post. The IPSec rules tab is straight forward, but I am not sure what's going on with the remote site.

I have IPsec site-to-site, and both ends have static public IP's. On the remote ends I have a default rule of allow all and any on the IPsec tab. This is ok for now, but I want to tie down the security on the home office by only allowing access to certain host on the network.

I can establish a secusseful connection from both ends when the IPsec rule is set to allow all and any on both ends. When I tried to set the home office main rule to allow from only a single host/alias on the source being the remote public IP of the remote network and then set allow any protocol, and set the source to a single host / alias in the home office. I cannot ping that host from the remote site, but I can still ping all the host on the remote network as I exspected to still be able to do since it's rule is set to allow any and all.

I am scratching my head on why I can not ping the one host at the home office network. Keep in mind that I have only one rule set at the home office for testing reasons, so there is no way that any other rules can be voiding the situation.

@scottnguyen:

2 client computers with Shrewsoft VPN IPSEC client (2 Vista) connecting from home to work.  If I connect with computer #2, it disconnects computer #1 that's already connected and I never am able to connect using computer #2.  Can I have more that one client with same connection name, connect at the same time from same location (from home for example)?

Make sure both clients have different identifiers. Multiple tunnels should work, but I'm not sure how being behind a router/NAT will affect that. I've had multiple tunnels (for multiple subnets) originating from the router to another router before, but not from client PCs. Usually the part that will disconnect one in favor of the other is using the same identifier multiple times.

Can you not build a VPN tunnel directly to their router in that case? If you have multiple clients it would make more sense to terminate the tunnel at their router than at their individual PCs.

@fastcon68:

I have had a devil of a time getting Shew or any vpn client to connect to my pf-sense firewall.  Any words of wizdom you an share?  I have a real need to get it setup and working as well as documenting the process.  I need to add about 5 to 10 pc's at endusers sites that connect back to my VPN from time to time and need to get that working.

I have already documented the process of setting up mobile tunnels and the Shrew Soft client on the Doc Wiki here:
http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

There are two ways to make it restart:

1: Go to the IPSec settings, click Save, and then click apply

2: Click Status > Services, and click the restart button [|>]

Weird thing is that I successfully manage all my firewalls with the same browser (Mozilla) and have not seen this issue on others.

What are you trying to do L2TP?  I have a 2003 SBS server and it sits behind a pfsense (it's a vitrual server).  It runs great.  I got http, vpn's. smtp traffic and file replication running over the wan.  Can you give just a little more detail.
RC

Thanks for the suggestions. I'll give them both ago when the users leave for the night and post back.

Thanks again.

Dave

I got my ipsec implemtation working, it was an issue with the routes of the computer I was testing with…

Looks like this could be a DHCP problem from the concentrator to pfSense.

Here is a DHCP log entry with latest log first:

Mar 17 08:19:34 dhcpd: send_packet: Permission denied
Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0

So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26… wonder if a DHCP relay is needed??

You should use gateway/failover configuration. I do not know how pfSense choses interfaces to fill  drop-down list.
You my wish to try to modify your config.xml just for testing ;-) For example I have in config:
<load_balancer><lbpool><type>gateway</type>
<behaviour>failover</behaviour>
<monitorip>x.x.x.x</monitorip>
<name>Internet</name>
<desc><port><servers>wan|y.y.y.y</servers>
<servers>opt1|x.x.x.x</servers></port></desc></lbpool></load_balancer>

You have to create a static route.

Assuming that the dns server on the other side is 192.168.100.1 and your pfSense on your side is 10.77.76.1, if not ajust accordingly. Note that the network for the remote dns server is /32 and not /24.

Interface  Network           Gateway LAN        192.168.100.1/32  10.77.76.1

After that you have to go to Service -> DNS Forwarder and in the section saying "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain." you add.

Domain      IP colo.local  192.168.100.1

You will now have to connect to your server using \server1.colo.local\Data or whatever you used in the previous section. To avoid to write the "colo.local" you could add this to your Windows TCP/IP Advanced DNS configuration.

To answer my question: gif interface is not mandatory, but recommended if you are about to debug your ipsec connection.