• 0 Votes
    2 Posts
    2k Views

    Are you using PPTP or IPSEC?

  • VPN client connection to ISA server

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    I don't think so….. ???

  • Noob here need help with ipsec tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Have you tried putting pfSense in all locations?  You could even try with the CD and floppy combo as to not mess with your freebsd setup.

  • How to IPSEC tunnel between pfSense 2.0 to 1.2

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IKEv2 and MobIKE support planned?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • TCP Windowing Question

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Window sizes are a function of the endpoints. WAN optimization devices are largely an overpriced way to accommodate things you can do on the endpoints if you know what you're doing. There are some benefits, but most of them can be accommodated by configuring the endpoints accordingly.

    @ChuckShoe:

    So, I was running some tests between the two sites (mainly doing tracerts and pings; latency between the two sites is consistent at 27ms). The tracerts always error out on hop 2, because it's going across the encrypted tunnel and it doesn't make it to the other end before it times out. This got me thinking that this delay or lack of acknowledgement is causing the TCP window settings to not open up to their fullest potential.

    Again, strictly a function of the endpoints. traceroute not answering on a hop has nothing to do with TCP ACKs. Delay isn't what causes a lack of response, there is a hop where you won't see anything when going over IPsec, that's just how it works.

  • FQDN not working

    Locked
    7
    0 Votes
    7 Posts
    5k Views

    Hello,
    look here… in the next release, I hope so,

    http://forum.pfsense.org/index.php/topic,12648.0.html

    Regards
    Heiko

  • Adding an IPSEC VPN causes other IPSEC VPNs to drop briefly

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    GruensFroeschliG

    This bounty has been completed:
    http://forum.pfsense.org/index.php/topic,12648.0.html

  • Tunnel established but no communications

    Locked
    3
    0 Votes
    3 Posts
    6k Views

    It was my first guess… but I think routing to IPsec network devices should be created automatically. I considered setting it manually, but there is a note:

    Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.

    hmmm ???

  • IPsec VPN between iPhone and PfSense

    Locked
    6
    0 Votes
    6 Posts
    28k Views

    Thanks CMB.
    The fortunate thing about challenges like this is that it gives me a chance to learn, although sometimes painfully, about topics that I would otherwise never delve into. In this case I came to the same conclusion that you already knew.

    I have verified that PPTP does work with the iPhone and pfSense. I suppose it is up to each admin to determine how they feel about the security of PPTP and their network. For me, it was not worth the risk, so I am still searching for other solutions.

    In my case it's complicated by having only one WAN IP and an existing IPsec tunnel… otherwise I'd forward the ports to Leopard Server and use L2TP.

  • Remote Gateway as FQDN??

    Locked
    4
    0 Votes
    4 Posts
    4k Views

    They invented Dynamic DNS for this?

  • IPSec question…

    Locked
    7
    0 Votes
    7 Posts
    4k Views

    I assume this would work with the following solution too, as the remote branches are all a "class c" subnet, correct? And just creating a "class b" subnet on the HQ location would allow traffic to pass between the remote sites?

    A 192.168.0.0/22 HQ
    B 192.168.2.0/24 Remote
    C 192.168.3.0/24 Remote
    D 192.168.4.0/24 Remote
    E 192.168.5.0/24 Remote
    F 192.168.6.0/24 Remote
    G 192.168.7.0/24 Remote
    H 192.168.8.0/24 Remote
    J 192.168.9.0/24 Remote

  • Ipsec tunnel dropping

    Locked
    4
    0 Votes
    4 Posts
    11k Views

    I have the same problem…Any fix or places to look at?

  • IPsec site-to-site vpn been working for months, now dead

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    Great, I'll do that. Thanks Heiko…

  • IPSec routing question

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    @HypeTelecon:

    I have 5 pfSense boxes:

    Main Office: 172.16.180.0 / 24 (this is the pfSense box configured to accept IPSec mobile clients)

    Remote Site 1: 172.31.0.0 / 24

    Remote Site 2: 172.31.1.0 / 24

    Remote Site 3: 172.31.2.0 / 24

    Remote Site 4: 172.31.3.0 / 24

    I have the boxes establishing the tunnels just fine. Now, there are several other subnets available through the default gateway at the main office. How would I allow these remote sites access to these subnets (172.16.0.0 / 24, 172.16.1.0 / 24, 10.30.0.0 / 16, etc.)?

    On a static route that you add for routing traffic to those subnets use  /20 mask
    This will route the range 172.31.0.1 - 172.31.15.254

  • Single to dual WAN IPSec - possible???

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Two tunnels between the 2 devices only work if they connect different subnets on each device; since you want to use load balancing, I assume this is not the case.
    You can find more about this in the IPSEC and Multiple WAN sections of this forum.

    Regards,

  • Locking down IPSec traffic

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Thanks for the advice.  I'll go adjust my rules.

    Interestingly, the "black magic" rules weren't created automatically.  That was a huge stumbling block for me in getting the tunnel up.  I found the answer here on the forum.

    I rarely need to initiate a connection from the colo to the office.  I think I can safely lock that down completely.  On the rare occasion I need to access the office from there, I can either open it up, or create a PPTP VPN session through an alternate network.

  • VPN Clients

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    I did that as well…still doesn't work?

  • IPSEC with pfsense and linksys rv082

    Locked
    8
    0 Votes
    8 Posts
    13k Views

    Thanks for the configuration.  I have been away for a long time due to my job and have been unable to monitor the thread.  As soon as I get my pfSense box up, I'll give it a try.

    Thanks,
    -V

  • Using a CRL with pfSense IPSec

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.