Check out IPSec config on the new 1.3AlphaAlpha builds- It has DPD and more.

IMO, IPSec is more suited to permanent site-site connections.
OpenVPN is more secure, but needs a client-side app. PPTP may be a better choice if you need occasional access from various places- you can use the stock VPN wizard on Windows boxes.

I've found a confirmation of what heiko said about the identification mode with a preshared key, in the source code
ipsec_doi.c
/* In main mode with pre-shared key, only address type can be used. */

1.21 isn´t available at the moment

I cannot explain it but things just started working…
I didn't make any changes, but after letting it sit a few days, the tunnel just came up on its own.

Thanks for all the great help from this thread - I'm sure it was something from here that was the cure!

fine

You cannot "see" them in your network places because of the same reason you cannot play games over a VPN.
The discovery of windows shares works via UDP broadcasts which dont get routed.

If you want to access a windows share on the other side of a tunnel, you can do that directly via the IP of the destination computer.
Another possibility would be to set up a WINS server on the other side of the tunnel, which resolves your SMB-names into IP's.

You really should read up on how routing works and what it means, since you seem to run into the same problems over and over again.

I think I figured this one out on my own…

I had to change my setup to advanced outbound NAT, create two NAT rules (one for each WAN interface), and make sure that the remote subnet was excluded from those rules.  There is still no route to the remote subnet that displays in the web interface, but maybe that's normal.  I'm just used to seeing one having come from a Linux/OpenSwan world.

So, judging from what I had to do, I'm assuming the NAT portion of the packet processing happens prior to the routing?  It seems like you should figure out where the packet is headed before you figure out if it needs to be NAT'ed or not.  ???

I think with EZVPN server on the ASA, no.

I think you can setup a pure IPSec SA on the ASA which can work with FreeBSD/pfSense.  I believe the considerations are the same as for regular FreeBSD.

http://www.google.com/search?q=FreeBSD+IPSec+PIX

I hope this helps, or at least does no harm. :-)

Use rSync instead of iSCSI, FTP or SAMBA …

There are rSync client and server for Windows out there. That is fast reliable and it's designed to work over unreliable network. Plus the algorithm of rSync will only send what have changed in your file instead of sending everything back. So your file of 1.5 GB could be backed up in less than 100 KB if only small portion of the file where changed.

I have several rSync configurer on Windows as server and client and it's working great. Then you schedule a batch file.

Instead of using IPSec VPN you could use SSH tunnelling again available a client and server for Windows

Here is the site you should look at: http://itefix.no/cwrsync/

If your more serious about backup, you should also check Ahsay Online Backup Server. That's what we use at work, we have an offsite server in a datacenter running Ahsay OBS there's about 150 GB of data there backup takes less than 30 minutes each day... Ahsay technology is based on rsync. We have used Storegrid for a year and the backup set got corrupted ... We have switched to Ahsay for that reason.

MageMinds

;)
regards
heiko

Hi Heiko, thank you very much for the detail reply. I will test with greater lifetime and search the forum for better lifetime setting. Thanks again.

please take a look…..

http://forum.pfsense.org/index.php/topic,3701.0.html

Except I want to do it by port, not destination IP.

I've beaten the hell out of a WRAP with a Xeon server as the other end point and it was never unstable. That sounds like an ALIX, which I haven't put through the same rigor yet.

It's kernel panicing, so you're hitting either some sort of FreeBSD bug or hardware problem. Can you follow this:
http://devwiki.pfsense.org/ObtainingPanicInfoForDevelopers

and get us the results from when it panics? Assuming you can reliably replicate it, or at least replicate it once. you can email it to me (cmb@pfsense.org), it'll be pretty long.