@dotdash:

I'm out of ideas at this point. Why don't you post the <ipsec>section of your config?</ipsec>

Because i have lot of IPSec config, i'm sure about this part and i checked it 100 times…
I'm trying to know why the conf file doesn't update.

I have been searching an searching the posts.  I will rephrase and ask this question. I also thank anyone that will reply and give me some kind of hint.

Can you connect via ipsec tunnel this setup

main site- pfsense has external ip address normal tunnel setup. Behind this is 2 class c ip address ranges connected to a 3550xl cicso with routing turned on. The internal side of the pfsense is on a separate class c that is also connected to the 3550xl.  The tunnel or tunnels need to route traffic from the 2 class c networks on the 3550xl through to the other side of the tunnel.

remote site-pfsense is behind a provider router(minimal changes can be done to this router), this router also has forced NAT. The pfsense has a class c wan address(192.168).  It also has class c interall addresses.  The internal flat network needs to connect to the other networks at the main site via the tunnel(s).

I have static routes on the main site pfsense so the 2 class c internal networks can reach the internet. The remote site works normally with the normal settings, however i cannot get the tunnel to connect.  I have done a test setup with 2 external ip addresses with the same hardware and the tunnel works.

Can you tell me if it is possible to setup a tunnel at a remote site that is behind a router with NAT and the remote site pfsense has a class c wan address?

Here is an error from the logs from the main site.

1 10. 009466 rule 33/0(match): block in on fxp1: (tos 0x0, ttl 64, id 11377, offset 0, flags [none], proto: UDP (17), length: 320) 192.1xxx.xxx.xxx > xxx.xxx.xxx.xxx: [|isakmp]

If I use my IP address, I am able to get it connect without a problem, however since my IP changes I need to be able to use my DDNS.  My boss actually caught this, the 'unya' is actually part of my DDNS name of: dbUNYArd.homeip.net.  Is there something I am missing here?

I've done a couple of pfSense-PIX tunnels and haven't had problems.
I generally use agressive/3DES/SHA and set the PFS group at 2.
You might also want to post the crypto section of your PIX config.

I might add after doing a little testing and some research that it worked perfectly for months and months on AT&T 6 meg / 768k DSL and I upgraded to Uverse 10 meg / 1.5 meg and thats when I started having the problems. I am not sure why but its like I have one way communication and there is something wrong with the phase 2.

Creating only a one way tunnel worked for me.

OK.

I don't know if you can make a lab to test IPSec between ISA and pfSense without NAT…

Last but not least, I think NAT-T is supported since v1.3 on pfSense... Right?

I've been playing with this again today, and discovered that I must have broken something last time.

I'm now seeing RIPv2 advertise packets when I sniff, but they don't contain any reference to the IP range at the other end of my IPSec tunnel.

Here's an example packet, decoded by Wireshark.

No.    Time        Source                Destination          Protocol Info
      7 180.006426  10.0.1.250            224.0.0.9            RIPv2    Response

Frame 7 (106 bytes on wire, 106 bytes captured)
    Arrival Time: Oct 29, 2008 16:43:18.834316000

@moffl:

Sorry:

I worded it wrong it is actually configured on the home side for the remote lan subnet

So if I understand your config:

Remote site:
You have a rule permitting anything. So, something like this:
any -> any permit.

Home site:
You have a rule permitting anything from you LAN. So, something like this:
Hom LAN -> any permit

Am I right? If so, can you ping the server you're trying to reach with VNC?

Hi.

You have to create a phase by network you want to give access to the tunnel. For example, I've to create tunnel between these 2 offices:

Main office:
DATA VLAN: 192.168.1.0/24
VOICE VLAN: 192.168.2.0/24
LAB VLAN: 192.168.3.0/24

Remote Office:
REMOTE LAN: 192.168.100.0/24

I want ot give access to DATA VLAN & VOICE VLAN only. So I've to create tunnel (on both pfSense) for these trafics:

DATA VLAN & REMOTE LAN (192.168.1.0 & 192.168.100.0)

VOICE VLAN & REMOTE LAN (192.168.2.0 & 192.168.100.0)

With the pfSense v1.3, you can do this with adding several phase 2 for the same phase 1. I don't know how you can do this with older version.

Hope this helps.

[EDIT] I've added a screenshot of my configuration.

capture1.png
capture1.png_thumb

I have simular thing already have a post.

http://forum.pfsense.org/index.php/topic,12095.0.html

Found out that the firewall must be opened which is not mentioned anywhere in the tutorial.  You must go to the ipsec tab under rules and open up the things you want to communicate.  Now i am just wondering how to properly route traffic.

I tried it but couldn't get it to work :(

I too would like to see your openswan config ;)

The setup I used was openSUSE 11… I'm going to try another OS, maybe Fedora 9, or just openSUSE 10.3 and see if that works...

@capitangiaco:

and please don't bore with the not stable story…. 1.3 is at the moment, the only way to use ipsec dynamic peers
Giacomo

Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with help of little custom script and crone job, up-time 7 months 20 days. So, it is possible but someone need to put some extra effort to make it work.

Sasa

I was able to get this working.
I had to configure local and remote subnets in the fortinet phase2 vpn definition.

Otherwise, it came up instantly.

So…should I even bother...?

23 looks, but no bites... is that telling enough...?

LOL

Thanks!

@capitangiaco:

Sometime I must use ip tcp adjust-mss 1350, and 1300

Giacomo

Better idea to configure mss to 1300…