• Ipsec through a cisco 800 in router mode

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    P
    @capitangiaco: Sometimes I must use ip tcp adjust-mss 1350, and 1300 Giacomo Better idea to configure mss to 1300…
  • Site to Site VPN Tunnel not working correctly

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    P
    @itadmin: Hi, I decided to try a tunnel to the 172.16.100.x network for the time being just so I can see if I can get that one up first without having to go behind the router. When I ping from inside the juniper firewall I can get across. But the router behind the firewall can't seem to make it. Also from the main office over to the branch nothing happens. I will post my juniper config below. I assumed for some reason that if my firewall with a 172.16.100.254 address can ping across then so should the router on 172.16.100.1 be able to as well? Badly, I don't know Juniper firewall but I suppose that a successful ping from the LAN interface does not mean that someone on the LAN can ping through the Juniper… It's necessary to check how Juniper manages packets: do the packets go through the NAT first, then the VPN and so on... Do you see what I mean? Last but not least, I suppose that the Juniper is the default gateway for your Branch LAN? If not, you'll have to add a route on this default gateway telling that the Main Office LAN is behind the Juniper... Hope this helps.
  • Trouble connecting to Cisco VPN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C
    Try to debug using traceroute: are packets exiting from the right interface? Giacomo
  • HQ is opening remote office-Put PFSense at hq or remote?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M
    very true. Thanks for the input. Time to sell the pix
  • Subnet addressing method

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jahonix
    I like this one: http://jodies.de/ipcalc
  • Site to Site VPN - Rules

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    ?
    Same problem here…
  • Racoon: error: failed to get valid proposal

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    B
    It works Thanks
  • Windows mobile -> no suitable proposal found.

    Locked
    4
    0 Votes
    4 Posts
    11k Views
    M
    The remote peer is not sending a proposal that matches what you have listed as its configuration. For phase1 it's using … 3DES-CBC SHA1 DH Group 2 Try setting the pfsense phase1 parameters to match. It should get farther along.
  • IPSEC VPN with Cisco VPN Client

    Locked
    8
    0 Votes
    8 Posts
    9k Views
    M
    This can usually be solved by enabling NAT-Traversal or IKE over TCP support in the Cisco VPN client. The gateway must also be configured to support this.
  • IPSEC in pfSense 1.2.1

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    M
    The Shrew Soft client works with pfSense 1.2.x but in a degraded fashion. That said, I don't think other clients would work any better. The major shortcoming is that the 1.2.x versions of pfSense do not take advantage of the ipsec-tools features which improve compatibility with mobile clients. For a bit more detail, please see the issues section of the Shrew Soft Zywall howto ( it has many similar problems ). http://www.shrew.net/support/wiki/HowtoZywall#KnownIssues The 1.3 version of pfSense will address most of the 1.2.x shortcomings. Please see this blog entry for more details … http://blog.pfsense.org/?p=211
  • Racoon service stops unexpectedly

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    H
    Heh, and what says the other logs from the other endpoints? regards heiko
  • IPSec Performance

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Make sure to set a ping address so that the tunnel is initiated after such an event. I have 390 draytek routers doing the same thing and they succeed in about 3 minutes.
  • Tunnel established but no traffic passes

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    J
    I have this working one way now. The server from behind the pfSense box can map drives, copy files, remote desktop to a server behind the Fortigate. So if that server initiates the connection everything works. However, if the server from behind the FortiGate tries to initiate a connection it does not work. By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go. I just get "Request timed out". I think it is a Fortigate routing issue and I am going to keep fiddling with it. ??? -John
  • Can't ping some hosts

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Well you "could" place pfSense in front of your other default gateway (WAN side), so that all traffic has to go over pfSense. Or you could add static routes to all your clients which need access to the other site. But I suppose that's not really what you want ^^
  • IPSec Tunnel Disables Interface??

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    @fastcon68: check your ipsec rules, icmp may not be allowed to pass. RC No, I'm fine passing traffic over the tunnel. It's when the IPSec tunnel is enabled, I can't pass any traffic from pfSense to any of the IPs assigned to the LAN interface. For example, any device on the LAN can't ping the pfsense IP of "10.27.0.1" when the ipsec tunnel is up. IPSec Tunnel -> pfSense -> LAN Device So between pfSense and the LAN Device is broken.
  • High Latency Suggestions and IPSEC link

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S
    Thanks, and I did suggest that to the SQL developer who I am assisting. My suggestion was to create a DTS package in MySQL and FTP out to the MSSQL, then import that DTS package into MSSQL. Not sure if MySQL has that capability. I know that there is only a certain table that the developer needs to pull from MySQL into MSSQL - not entire database. Could you explain exactly how you do it and what methods or scripts helped you? Thanks.
  • IPSEC VPN with 3005 Cisco VPN Concentrator

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    K
    @databeestje Thanks for the response!
  • IPSec Mobile clients wont establish - ALIX 2 units

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    12 Posts
    45k Views
    H
    Fine :D
  • IPSEC with numerous partners

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    1. ok, at least 10 IPSEC partners 2. can you at least provide another vendor you may also be using (i.e. Cisco plus model, SonicWall plus model, etc)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.