• IPSec Fails :unsupported PF_KEY message REGISTER

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    I always ignore these messages. I've never run into a tunnel not negotiating because of these messages. There is always a first for every error message.
  • [Solved] IPSec VPN client cannot be accessed from LAN

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Unable to negotiate IPSEC tunnel from local network

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    I got tired of waiting for forum posts so I checked out IRC. According to cmb, "you can't NAT traffic destined to IPSEC in FreeBSD". The only way to accomplish what I want is to set up an additional pfSense box, or move to a Linux distribution like IPCop.
  • IPSEC VIA C-7D Padlock

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [Solved] vpn client cannot be accessed by lan

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    I'm sorry - this is an IPsec VPN question, not OpenVPN. If someone could move it to that forum it would be great…
  • Stonegate anyone ?

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Road Warrior/ipsec vpn Tunnel up but not passing traffic!

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    I have a rule allowing any any on the ipsec interface, thinking that this was the problem but it made no difference. Any other ideas? Pat
  • Shrew Network Client

    Locked
    19
    0 Votes
    19 Posts
    31k Views
    Thanks that worked!
  • IPSec Road Warrior with NAT-T Question

    Locked
    14
    0 Votes
    14 Posts
    13k Views
    @jimp: "You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this."
    You're right ;D Thanks for the advice ;)
  • Analyzing traffic over the IPSEC Interface

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    You can listen on enc0 with tcpdump instead of the physical interface; all encrypted traffic will pass through this virtual interface before the crypto is applied. pfSense seems to default to masking all of it via sysctl tunables however, so read enc(4) in the manual and adjust the tunables as necessary to see the traffic. The example below should show you what you want to see:
        sysctl -e net.enc.out.ipsec_bpf_mask=0x1
        sysctl -e net.enc.out.ipsec_filter_mask=0x1
        sysctl -e net.enc.in.ipsec_filter_mask=0x2
        sysctl -e net.enc.in.ipsec_bpf_mask=0x2
  • Ipsec vpn and Avaya voip

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Pfsense as VPN Client

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Persistent error in racoon.cnf

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Found it. It was an incomplete IPSec profile for mobile clients. This screwed up the config.xml. Fixed it. :)
  • VPN with PFsense to Watchguard

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Not saying this will help but….. http://forum.pfsense.org/index.php/topic,17850.0.html The reason I suggest it is that I tried absolutely everything. Tunnel was up & everything looked good, but still no traffic. Altered the hash (as suggested) and bang….. it went. You would have thought that if the hash was wrong, the tunnel wouldn't establish. The endpoints matched etc. but no traffic would flow. Incidentally, this was a WatchGuard box with pfSense on it! The thing is solid now!
  • Racoon error message

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Unknown Racoon Error Message

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSEC to WatchGuard Firebox not working in 1.2.2

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    I have a WatchGuard II 700 and I am trying to set up a VPN IPSEC connection with PFsense. The connection seems to work, whereby I can RDP into the remote site via LAN IP address and I can ping the WatchGuard site from the PFsense side, but when I try to ping from the WatchGuard side to the PFsense side, or try any type of communication, I get no response. I have tried so many rule changes and I can't figure this out. I have also downgraded to 1.2 and still no luck. Was this a similar problem you guys were experiencing?
  • IPSEC VPN problems to Snapgear Firewall

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    On the SG's: Click on Advanced for the IPSec Tunnel:
    Page 1:
        Keying: Main
        Local Address: Static IP Address
        Remote Address: dns hostname address
        Authentication: Pre-Shared Secret
        Uncheck Require Xauth Authentication
    Page 2:
        Check Initiate Tunnel Negotiation
        Optional Endpoint ID: Blank
        IP Payload Compression: Uncheck
        Dead Peer Detection: Checked
        Delay: 9
        Timeout: 30
        Initiate Phase 1 & 2 rekeying: Checked
    Page 3:
        Remote party DNS hostname: DNS address of remote PFSense box (okay to use dynamic DNS)
        Required Endpoint ID: email address
    Page 4:
        Key lifetime (sec) 3600
        Rekey margin (sec) 600
        Rekey fuzz (%) 100
        Preshared Secret: Your call on this
        Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)
    Page 5:
        Add your local and remote networks
        Key lifetime (sec) 3600
        Phase 2 Proposal: 3DES-SHA
        Perfect Forward Secrecy: Unchecked
    Click Finished.
  • VPN routing, Site<-mainsite->Site

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN behind ADSL Modem/Router

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    I have 3 Dynamic DNS VPN client VPN's tunnels no issues. RC
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.