• IPSec question…

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    J
    I assume this would work with the following solution to as the remote branches are all a "class c" subnet correct? and just creating a "class b" subnet on the HQ location would allow traffic to pass between the remote sites?
    A 192.168.0.0/22 HQ
    B 192.168.2.0/24 Remote
    C 192.168.3.0/24 Remote
    D 192.168.4.0/24 Remote
    E 192.168.5.0/24 Remote
    F 192.168.6.0/24 Remote
    G 192.168.7.0/24 Remote
    H 192.168.8.0/24 Remote
    J 192.168.9.0/24 Remote
  • Ipsec tunnel dropping

    Locked
    4
    0 Votes
    4 Posts
    11k Views
    K
    I have the same problem…Any fix or places to look at?
  • IPsec site-to-site vpn been working for months, now dead

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    ?
    Great, I'll do that. Thanks Heiko…
  • IPSec routing question

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A
    @HypeTelecon: I have 5 pfSense boxes:
    Main Office: 172.16.180.0 / 24 (this is the pfSense box configured to accept IPSec mobile clients)
    Remote Site 1: 172.31.0.0 / 24
    Remote Site 2: 172.31.1.0 / 24
    Remote Site 3: 172.31.2.0 / 24
    Remote Site 4: 172.31.3.0 / 24
    I have the boxes establishing the tunnels just fine. Now, there are several other subnets available through the default gateway at the main office. How would I allow these remote sites access to these subnets (172.16.0.0 / 24, 172.16.1.0 / 24, 10.30.0.0 / 16, etc.)?

    On a static route that you add for routing traffic to those subnets, use /20 mask. This will route the range 172.31.0.1 - 172.31.15.254
  • Single to dual WAN IPSec - possible???

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Two tunnels between the 2 devices only work if they connect different subnets on each device; since you want to use load balancing, I assume this is not the case. You can find more about this in the IPSEC and Multiple WAN sections of this forum. Regards,
  • Locking down IPSec traffic

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    Thanks for the advice.  I'll go adjust my rules. Interestingly, the "black magic" rules weren't created automatically.  That was a huge stumbling block for me in getting the tunnel up.  I found the answer here on the forum. I rarely need to initiate a connection from the colo to the office.  I think I can safely lock that down completely.  On the rare occasion I need to access the office from there, I can either open it up, or create a PPTP VPN session through an alternate network.
  • VPN Clients

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    K
    I did that as well…still doesn't work?
  • IPSEC with pfsense and linksys rv082

    Locked
    8
    0 Votes
    8 Posts
    13k Views
    ?
    Thanks for the configuration. I have been away for a long time due to my job and have been unable to monitor the thread. As soon as I get my pfsense box up, I'll give it a try. Thanks, -V
  • Using a CRL with pfSense IPSec

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSEC and Bandwidth capping.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec VPN and NAT

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • All routes through IPSEC tunnel and a static route for another network

    Locked
    1
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • Road Warrior IP address

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Problems with IPSEC to multiple branches

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    B
    Yes, I did (ping to remote gateway LAN address), but only from branch to HQ because the branch has no full-time connection
  • [pfSense Support] IPSec Behind NAT Device

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    P
    Hello, I've checked the release notes and I think that IPSec NAT-Traversal (feature you need here) is only supported in version 2.0. Hope this helps.
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • One Way Traffic on Site-to-Site IPSEC (Both pfSense Endpoints)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J
    I have run into this same issue on my 6 site VPN setup. I can access all of the sites from my main location, and from some of the sites I cannot access the main site. I only have pfsense at the main location, so I believe it's something to do with firewall rules.
  • IPSEC problem - routing?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pfsense multiwan and ipsec tunnels

    Locked
    13
    0 Votes
    13 Posts
    10k Views
    S
    @dotdash: I'm out of ideas at this point. Why don't you post the <ipsec> section of your config?

    Because I have a lot of IPSec config, I'm sure about this part and I checked it 100 times… I'm trying to know why the conf file doesn't update.
  • Static to dynamic behind router and pfsense has class C

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H
    I have been searching and searching the posts. I will rephrase and ask this question. I also thank anyone that will reply and give me some kind of hint. Can you connect this setup via an IPsec tunnel?

    Main site: pfsense has an external IP address, normal tunnel setup. Behind this are 2 class C IP address ranges connected to a 3550xl Cisco with routing turned on. The internal side of the pfsense is on a separate class C that is also connected to the 3550xl. The tunnel or tunnels need to route traffic from the 2 class C networks on the 3550xl through to the other side of the tunnel.

    Remote site: pfsense is behind a provider router (minimal changes can be done to this router); this router also has forced NAT. The pfsense has a class C WAN address (192.168). It also has class C internal addresses. The internal flat network needs to connect to the other networks at the main site via the tunnel(s).

    I have static routes on the main site pfsense so the 2 class C internal networks can reach the internet. The remote site works normally with the normal settings; however, I cannot get the tunnel to connect. I have done a test setup with 2 external IP addresses with the same hardware and the tunnel works.

    Can you tell me if it is possible to set up a tunnel at a remote site that is behind a router with NAT and the remote site pfsense has a class C WAN address? Here is an error from the logs from the main site.

    1 10. 009466 rule 33/0(match): block in on fxp1: (tos 0x0, ttl 64, id 11377, offset 0, flags [none], proto: UDP (17), length: 320) 192.1xxx.xxx.xxx > xxx.xxx.xxx.xxx: [|isakmp]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.