• Established but no traffic

    Locked
    0 Votes
    3 Posts
    2k Views

    @Phil:

    Solved… See http://forum.pfsense.org/index.php/board,16.0.html

    I have exactly the same problem as you described, but the link you posted does not work.

    Can you tell me how you solved your problem?

    \Ronni

  • Sonicwall Global VPN Client

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Feature Request- Need multiple Subnets (vpn selectors)

    Locked
    0 Votes
    9 Posts
    4k Views

    @jimp:

    Multiple subnets w/IPSec are possible in 1.2.x in a non-obvious way, and there are some issues, but you can try it to see if it works for you:

    http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

    It didn't work for me, but I think that was mainly due to the fact that I was using a mobile tunnel and not a static site-to-site tunnel. The parts of my VPN that needed multiple subnets got moved to an OpenVPN tunnel and have been working happily ever since.

    Parallel tunnels work.  You have to make sure ALL settings (except the network) are exactly the same, but it works.  I have this between pfSense <-> pfSense and pfSense <-> Cisco.

    Roy

  • Your documentation and wiki are broken.

    Locked
    0 Votes
    8 Posts
    4k Views

    @jimp:

    A little late, but better late than never:

    Yup!

    I read over it briefly. It looks good to me. It's been a while since I set it up from scratch and maybe some things have changed since 1.2.2 but everything seems to be there.

    Thanks for updating.

  • NAT-T

    Locked
    0 Votes
    2 Posts
    2k Views

    Hmmm … I'd think that the problem is that mobile IPSec clients behind a NAT router can't connect to your pfSense IPSec endpoint (which should be connected directly to the internet - no NAT)!

  • VPN IPsec, pfSense to Netopia, net to net

    Locked
    0 Votes
    2 Posts
    3k Views

    I simply can't believe it! This morning, without changing anything, the tunnel is up! Is it necessary to wait before the tunnel gets up? How long?

    Anyway, this looks like good news. I will continue my exploration. Thanks for your help!

  • Connecting IPSEC subnets w/same IP range internally

    Locked
    0 Votes
    2 Posts
    5k Views

    Someone had posted a bounty for NAT over IPSec, the post is still there in the Bounty Forum on this site. I'm not sure this actually has a distinct name, but some people call it "NAT over IPSec", "Policy NAT for IPSec", etc. This functionality does not currently exist in pfSense, though with enough interest (and perhaps bounty money) it could be added.

    Basically what you need to do is NAT before the traffic enters the tunnel, and/or after it leaves, like so:

    Site A: 192.168.1.x <1:1 NAT> 10.0.1.x <--- IPSec ---> 10.0.2.x <1:1 NAT> 192.168.1.x :Site B

    Site B uses the 10.0.1.x addresses to talk to Site A, and Site A uses the 10.0.2.x addresses to talk to Site B. It will appear to each side as though the other end does not, in fact, share its same subnet.

    If only one-way communications will be initiated, you only need to do NAT on the far side, so when you try to talk to the address your system will know to send it to the tunnel and not try to reach it locally.

    Some have had success with bridging networks via OpenVPN, so both sides can have addresses in the same subnet, but I believe in that case they still can't conflict, just use separate areas of the same larger subnet. Someone else more familiar with this OpenVPN tactic may be of greater help in this area.

  • Manual SAD disconnect required if internet connection hiccups

    Locked
    0 Votes
    9 Posts
    5k Views

    Tried the suggestion and modified the vpn.inc file but it still is unable to bring the tunnel back up.

  • Racoon error?

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSec Rules

    Locked
    0 Votes
    4 Posts
    3k Views

    I am wanting to tie down some security for the VPN tunnels I have running, but I am not sure what I am doing wrong.

    I am having somewhat the same problems as others in this post. The IPSec rules tab is straightforward, but I am not sure what's going on with the remote site.

    I have IPsec site-to-site, and both ends have static public IPs. On the remote ends I have a default rule of allow all and any on the IPsec tab. This is ok for now, but I want to tie down the security on the home office by only allowing access to certain hosts on the network.

    I can establish a successful connection from both ends when the IPsec rule is set to allow all and any on both ends. When I tried to set the home office main rule to allow from only a single host/alias, with the source being the remote public IP of the remote network, then set allow any protocol, and set the source to a single host/alias in the home office, I cannot ping that host from the remote site, but I can still ping all the hosts on the remote network, as I expected to still be able to do since its rule is set to allow any and all.

    I am scratching my head on why I cannot ping the one host at the home office network. Keep in mind that I have only one rule set at the home office for testing reasons, so there is no way that any other rules can be voiding the situation.

  • 2 client connection from same location

    Locked
    0 Votes
    3 Posts
    3k Views

    @scottnguyen:

    2 client computers with Shrewsoft VPN IPSEC client (2 Vista) connecting from home to work.  If I connect with computer #2, it disconnects computer #1 that's already connected and I never am able to connect using computer #2.  Can I have more than one client with the same connection name connect at the same time from the same location (from home, for example)?

    Make sure both clients have different identifiers. Multiple tunnels should work, but I'm not sure how being behind a router/NAT will affect that. I've had multiple tunnels (for multiple subnets) originating from the router to another router before, but not from client PCs. Usually the part that will disconnect one in favor of the other is using the same identifier multiple times.

    Can you not build a VPN tunnel directly to their router in that case? If you have multiple clients it would make more sense to terminate the tunnel at their router than at their individual PCs.

    @fastcon68:

    I have had a devil of a time getting Shrew or any VPN client to connect to my pfSense firewall.  Any words of wisdom you can share?  I have a real need to get it set up and working as well as documenting the process.  I need to add about 5 to 10 PCs at end users' sites that connect back to my VPN from time to time and need to get that working.

    I have already documented the process of setting up mobile tunnels and the Shrew Soft client on the Doc Wiki here:
    http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

  • IPsec only works when MTU of WAN is set to 1500 !?!?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Response Packet Ignored

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfSense to M0n0wall phase 1 issues

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Smart VPN Client for MS Windows - IPSEC

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Manual restart of ipsec

    Locked
    0 Votes
    3 Posts
    2k Views

    There are two ways to make it restart:

    1: Go to the IPSec settings, click Save, and then click apply

    2: Click Status > Services, and click the restart button [|>]

  • Missing 'Overview' tab in Status->IPsec

    Locked
    0 Votes
    3 Posts
    2k Views

    Weird thing is that I successfully manage all my firewalls with the same browser (Mozilla) and have not seen this issue on others.

  • L2TP through 1 to 1 NAT to a Windows SBS 2008 server.

    Locked
    0 Votes
    2 Posts
    2k Views

    What are you trying to do with L2TP?  I have a 2003 SBS server and it sits behind a pfSense (it's a virtual server).  It runs great.  I've got HTTP, VPNs, SMTP traffic and file replication running over the WAN.  Can you give just a little more detail?
    RC

  • One Way Traffic on Site-to-Site IPSEC (Both pfSense Endpoints)

    Locked
    0 Votes
    4 Posts
    7k Views

    Thanks for the suggestions. I'll give them both a go when the users leave for the night and post back.

    Thanks again.

    Dave

  • Routing NATTED traffic over an IPSEC tunnel

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.