There are two ways to make it restart:
1: Go to the IPSec settings, click Save, and then click apply
2: Click Status > Services, and click the restart button [|>]
What are you trying to do, L2TP? I have a 2003 SBS server and it sits behind a pfSense (it's a virtual server). It runs great. I've got HTTP, VPNs, SMTP traffic and file replication running over the WAN. Can you give just a little more detail?
RC
Looks like this could be a DHCP problem from the concentrator to pfSense.
Here is a DHCP log entry with latest log first:
Mar 17 08:19:34 dhcpd: send_packet: Permission denied
Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26… wonder if a DHCP relay is needed??
You should use a gateway/failover configuration. I do not know how pfSense chooses interfaces to fill the drop-down list.
You may wish to try modifying your config.xml just for testing ;-) For example, I have in my config:
<load_balancer><lbpool><type>gateway</type>
<behaviour>failover</behaviour>
<monitorip>x.x.x.x</monitorip>
<name>Internet</name>
<desc><port><servers>wan|y.y.y.y</servers>
<servers>opt1|x.x.x.x</servers></port></desc></lbpool></load_balancer>
You have to create a static route.
Assuming that the DNS server on the other side is 192.168.100.1 and your pfSense on your side is 10.77.76.1; if not, adjust accordingly. Note that the network for the remote DNS server is /32 and not /24.
Interface Network Gateway
LAN 192.168.100.1/32 10.77.76.1
After that you have to go to Service -> DNS Forwarder, and in the section saying "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain." you add:
Domain IP
colo.local 192.168.100.1
You will now have to connect to your server using \\server1.colo.local\Data or whatever you used in the previous section. To avoid writing "colo.local", you could add this to your Windows TCP/IP Advanced DNS configuration.
[image: 313oqc8.jpg]