• IPSEC VIA C-7D Padlock

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [Solved] vpn client cannot be accessed by lan

    Locked
    0 Votes
    4 Posts
    2k Views
    i'm sorry - this is an IPsec vpn question, not openvpn. if someone could move it to that forum it would be great…
  • Stonegate anyone ?

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Road Warrior/ipsec vpn Tunnel up but not passing traffic!

    Locked
    0 Votes
    3 Posts
    3k Views
    I have a rule allowing any any on the ipsec interface, thinking that this was the problem but it made no difference. Any other ideas? Pat
  • Shrew Network Client

    Locked
    0 Votes
    19 Posts
    31k Views
    Thanks that worked!
  • IPSec Road Warrior with NAT-T Question

    Locked
    0 Votes
    14 Posts
    13k Views
    @jimp: You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this. You're right  ;D thanks for the advice  ;)
  • Analyzing traffic over the IPSEC Interface

    Locked
    0 Votes
    2 Posts
    2k Views
    You can listen on enc0 with tcpdump instead of the physical interface; all encrypted traffic will pass through this virtual interface before the crypto is applied. pfSense seems to default to masking all of it via sysctl tunables however, so read enc(4) in the manual and adjust the tunables as necessary to see the traffic. The example below should show you what you want to see:
        sysctl -e net.enc.out.ipsec_bpf_mask=0x1
        sysctl -e net.enc.out.ipsec_filter_mask=0x1
        sysctl -e net.enc.in.ipsec_filter_mask=0x2
        sysctl -e net.enc.in.ipsec_bpf_mask=0x2
  • Ipsec vpn and Avaya voip

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Pfsense as VPN Client

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Persistent error in racoon.cnf

    Locked
    0 Votes
    4 Posts
    3k Views
    Found it. It was an incomplete IPSec profile for mobile clients. This screwed up the config.xml. Fixed it. :)
  • VPN with PFsense to Watchguard

    Locked
    0 Votes
    4 Posts
    3k Views
    not saying this will help but….. http://forum.pfsense.org/index.php/topic,17850.0.html the reason i suggest it is that i tried absolutely everything. tunnel was up & everything looked good. but still no traffic. altered the hash (as suggested) and bang….. it went. you would have thought that if the hash was wrong, the tunnel wouldn't establish. the endpoints matched etc but no traffic would flow. incidentally, this was a watchguard box with pfsense on it! the thing is solid now!
  • Racoon error message

    Locked
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Unknown Racoon Error Message

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSEC to WatchGuard Firebox not working in 1.2.2

    Locked
    0 Votes
    7 Posts
    6k Views
    I have a watchguard II 700 I am trying to set up a VPN IPSEC connection with PFsense. The connection seems to work, whereby I can RDP into the remote site via lan ip address and I can ping the Watchguard site from the PFsense side, but when I try to ping from the watchguard side to the PFsense side, or try any type of communication, I get no response. I have tried so many rule changes and I can't figure this out. I have also downgraded to 1.2 and still no luck.  Was this a similar problem you guys were experiencing?
  • IPSEC VPN problems to Snapgear Firewall

    Locked
    0 Votes
    5 Posts
    5k Views
    On the SG's: Click on Advanced for the IPSec Tunnel:
    Page 1:
        Keying: Main
        Local Address: Static IP Address
        Remote Address: dns hostname address
        Authentication: Pre-Shared Secret
        Uncheck Require Xauth Authentication
    Page 2:
        Check Initiate Tunnel Negotiation
        Optional Endpoint ID: Blank
        IP Payload Compression: Uncheck
        Dead Peer Detection: Checked
        Delay: 9
        Timeout: 30
        Initiate Phase 1 & 2 rekeying: Checked
    Page 3:
        Remote party DNS hostname: DNS address of remote PFSense box (okay to use dynamic DNS)
        Required Endpoint ID: email address
    Page 4:
        Key lifetime (sec) 3600
        Rekey margin (sec) 600
        Rekey fuzz (%) 100
        Preshared Secret: Your call on this
        Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)
    Page 5:
        Add your local and remote networks
        Key lifetime (sec) 3600
        Phase 2 Proposal: 3DES-SHA
        Perfect Forward Secrecy: Unchecked
    Click Finished.
  • VPN routing, Site<-mainsite->Site

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN behind ADSL Modem/Router

    Locked
    0 Votes
    5 Posts
    6k Views
    I have 3 Dynamic DNS VPN client VPN's tunnels no issues. RC
  • Pfsense as an ipsec client connecting to Nortel router

    Locked
    0 Votes
    2 Posts
    2k Views
    I think it would be possible.  You need to contact her support for the Nortel device.  She would need to have a static IP address. I have talked with a friend of mine that used to support one and it should work. RC
  • Access from WLAN on the VPN connection

    Locked
    0 Votes
    8 Posts
    5k Views
    In the meantime this thread is off topic and should be moved back to Prerelease 1.2.3 :-) It takes no more than the time between I wrote the last message. Actual status:
        WLAN to LAN: Access ok
        WLAN to WAN (internet): no access
        WLAN to VPN: no access
    It worked with the same configuration an hour before. I only rebooted the notebook and let it "sleep" half an hour. I have no more ideas… and go to sleep now. Sigma
  • Tunnel all IP through IPsec tunnel

    Locked
    0 Votes
    2 Posts
    3k Views
    I have the same question.  To put it in simpler terms, like your title - the question is:  Is it possible to route "all traffic" over an IPsec tunnel (between 2 pfsense)? I tried using the "remote network" in the IPsec configuration as 0.0.0.0 / 0  and this does not route.  Could someone confirm if this is doable, with perhaps some routing tricks on the remote pfsense box? I thought this would hold the clue: http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F A simple yes/no would suffice.  I would create a bounty to have this done in a future version. Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.