it was my first guess … but I think routing to ipsec network devices should be creating automaticaly. I consider to set it manually but there is a note Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway. hmmm ???

thans CMB The fortunate thing about challenges like this is that it gives me a chance to learn, although sometimes painfully, about topics that I would otherwise never delve into. In this case I came to the same conclusion that you already knew. I have verified that PPtP does work with the iPhone and PFsense. I suppose it is up to each admin to determine how they feel about the security of pptp and their network. For me, it was not worth the risk, so I am still searching for other solutions. In my case its complicated by having only one WAN IP and an existing IPsec tunnel…otherwise I'd forward the ports to Leopard Server and use L2TP.

They invented Dynamic DNS for this?

I assume this work work with the following solution to as the remote branches are all a "class c" subnet correct? and just creating a "class b" subnet on the HQ location would allow traffic to pass between the remote sites? A 192.168.0.0/22 HQ B 192.168.2.0/24 Remote C 192.168.3.0/24 Remote D 192.168.4.0/24 Remote E 192.168.5.0/24 Remote F 192.168.6.0/24 Remote G 192.168.7.0/24 Remote H 192.168.8.0/24 Remote J 192.168.9.0/24 Remote

I have the same problem…Any fix or places to look at?

Great, I'll do that. Thanks Heiko…

@HypeTelecon: I have 5 pfSense boxes: Main Office: 172.16.180.0 / 24 (this is the pfSense box configured to accept IPSec mobile clients) Remote Site 1: 172.31.0.0 / 24 Remote Site 2: 172.31.1.0 / 24 Remote Site 3: 172.31.2.0 / 24 Remote Site 4: 172.31.3.0 / 24 I have the boxes establishing the tunnels just fine. Now, there are several other subnets available through the default gateway at the main office. How would I allow these remote sites access to these subnets (172.16.0.0 / 24, 172.16.1.0 / 24, 10.30.0.0 / 16, etc.)? On a static route that you add for routing traffic to those subnets use  /20 mask This will route the range 172.31.0.1 - 172.31.15.254

Two tunnels between the 2 devices only works if they connect different subnets on each device, since you want to use load balancing I assume this is not the case. You can find more about this in the IPSEC and Mutiple Wan sections of this forum. Regards,

Thanks for the advice.  I'll go adjust my rules. Interestingly, the "black magic" rules weren't created automatically.  That was a huge stumbling block for me in getting the tunnel up.  I found the answer here on the forum. I rarely need to initiate a connection from the colo to the office.  I think I can safely lock that down completely.  On the rare occasion I need to access the office from there, I can either open it up, or create a PPTP VPN session through an alternate network.

I did that as well…still doesn't work?

Thanks for the configuration.  I have been away for a long time due to my job and have been unable to monitor the thread.  As soon as I get my pfsense box up, ill give it a try Thanks, -V

yes i did (ping to remote gateway lan adress) but only from branch to HQ because branch has no full time connection

Hello, I've checked the release notes and I think that IPSec NAT-Traversal (feature you need here) is only supported in version 2.0. Hope this helps.

I have run into this same issue on my 6 site vpn setup I can access all of the sites from my main location and from some of the sites I cannot access the main site.. I only have pfsense at the main location so I believe its something to do with firewall rules.