• Multiple lan routing with router between firewall and internet

    Hi.

    You have to create a phase 2 for each network you want to give access to through the tunnel. For example, I have to create a tunnel between these two offices:

    Main office:
    DATA VLAN: 192.168.1.0/24
    VOICE VLAN: 192.168.2.0/24
    LAB VLAN: 192.168.3.0/24

    Remote Office:
    REMOTE LAN: 192.168.100.0/24

    I want to give access to the DATA VLAN & VOICE VLAN only. So I have to create tunnels (on both pfSense boxes) for this traffic:

    DATA VLAN & REMOTE LAN (192.168.1.0 & 192.168.100.0)

    VOICE VLAN & REMOTE LAN (192.168.2.0 & 192.168.100.0)

    With pfSense v1.3, you can do this by adding several phase 2 entries for the same phase 1. I don't know how you can do this with older versions.

    Hope this helps.

    [EDIT] I've added a screenshot of my configuration.

  • IPSEC ERRORS tunnel stopped working

    I have a similar thing; I already have a post.

    http://forum.pfsense.org/index.php/topic,12095.0.html

  • Static to Static cannot ping, tunnel is up

    Found out that the firewall must be opened, which is not mentioned anywhere in the tutorial. You must go to the IPsec tab under Rules and open up the things you want to communicate. Now I am just wondering how to properly route traffic.

  • With OPENSWAN

    I tried it but couldn't get it to work :(

    I too would like to see your openswan config ;)

    The setup I used was openSUSE 11… I'm going to try another OS, maybe Fedora 9, or just openSUSE 10.3 and see if that works...

  • Static to dynamic

    @capitangiaco:

    and please don't bore us with the "not stable" story…. 1.3 is, at the moment, the only way to use IPsec dynamic peers
    Giacomo

    Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with the help of a little custom script and a cron job, uptime 7 months 20 days. So, it is possible, but someone needs to put in some extra effort to make it work.

    Sasa

  • IPsec VPN to Fortinet Firewall

    I was able to get this working.
    I had to configure local and remote subnets in the fortinet phase2 vpn definition.

    Otherwise, it came up instantly.

  • Status not green…?

    So…should I even bother...?

    23 looks, but no bites... is that telling enough...?

    LOL

    Thanks!

  • Ipsec through a cisco 800 in router mode

    @capitangiaco:

    Sometimes I have to use ip tcp adjust-mss 1350, and 1300

    Giacomo

    It's a better idea to configure the MSS to 1300…

  • Site to Site VPN Tunnel not working correctly

    @itadmin:

    Hi,
      I decided to try a tunnel to the 172.16.100.x network for the time being, just so I can see if I can get that one up first without having to go behind the router.
      When I ping from inside the Juniper firewall I can get across. But the router behind the firewall can't seem to make it. Also, from the main office over to the branch nothing happens. I will post my Juniper config below. I assumed for some reason that if my firewall with a 172.16.100.254 address can ping across, then the router on 172.16.100.1 should be able to as well?

    Unfortunately, I don't know Juniper firewalls, but I suppose that a successful ping from the LAN interface does not mean that someone on the LAN can ping through the Juniper… It's necessary to check how the Juniper manages packets: do the packets go through NAT first, then the VPN, and so on... Do you see what I mean?

    Last but not least, I suppose that the Juniper is the default gateway for your Branch LAN? If not, you'll have to add a route on that default gateway saying that the Main Office LAN is behind the Juniper...

    Hope this helps.

  • Trouble connecting to Cisco VPN

    Try to debug using traceroute: are packets exiting from the right interface?

    Giacomo

  • HQ is opening remote office-Put PFSense at hq or remote?

    Very true.

    Thanks for the input.

    Time to sell the PIX.

  • Subnet addressing method

    I like this one:
    http://jodies.de/ipcalc

  • Site to Site VPN - Rules

    Same problem here…

  • Racoon: error: failed to get valid proposal

    It works. Thanks!

  • Windows mobile -> no suitable proposal found.

    The remote peer is not sending a proposal that matches what you have listed as its configuration. For phase 1 it's using …

    3DES-CBC
    SHA1
    DH Group 2

    Try setting the pfSense phase 1 parameters to match. It should get farther along.

  • IPSEC VPN with Cisco VPN Client

    This can usually be solved by enabling NAT-Traversal or IKE over TCP support in the Cisco VPN client. The gateway must also be configured to support this.

  • IPSEC in pfSense 1.2.1

    The Shrew Soft client works with pfSense 1.2.x, but in a degraded fashion. That said, I don't think other clients would work any better. The major shortcoming is that the 1.2.x versions of pfSense do not take advantage of the ipsec-tools features which improve compatibility with mobile clients. For a bit more detail, please see the issues section of the Shrew Soft Zywall howto (it has many similar problems): http://www.shrew.net/support/wiki/HowtoZywall#KnownIssues

    The 1.3 version of pfSense will address most of the 1.2.x shortcomings. Please see this blog entry for more details …
    http://blog.pfsense.org/?p=211

  • Racoon service stops unexpectedly

    Heh, and what do the logs from the other endpoints say?

    regards
    heiko

  • IPSec Performance

    Make sure to set a ping address so that the tunnel is initiated after such an event.

    I have 390 DrayTek routers doing the same thing, and they succeed in about 3 minutes.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.