So because only 1 end has multi subnets this wont work? or am I missunderstanding and so long as I use FQDN and they match on both sides for both tunnels (each tunnel uniq FQDN of course) I am good?

One end has 1 pub and 1 lan subnet, other has 1 pub and 2 lan subnets.

Right now I have the original posters problem but they do work, just is a mess.

So I guess there is no way possible to get DHCP over IPsec, huh?

I haven't had any success with OpenVPN either…seams much more complicated.

Seams like a deadend.

??? ::) :-[ :'(

yes, no Problem, if you meant 6 loactions with different lan subnets…. ;)

Cannot be both site static?

IPSEC wont allow you to play udp-broadcast based games.

IPSEC poses the same limitations as OpenVPN does.
In fact, less. Because you alwys can hack yourself an OpenVPN bridge together.

http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN at the bottom

Please post your settings!

With all my testing I've been up to, I've had this occur a couple times….it was the wierdest thing...The IPsec would show green, but I couldn't ping anything. It freaked me out the first time...

The first time, on the ipsec settings I had to put the remote public IP of the host for the Remote Gateway. I had accedently put the internal local IP fro the Remote Gateway. I was surprised it even connected!

The second time, I had rebooted the PF breaking the connection suddenly. And for some reason it seamed to get 'suck'. IPsec showed green, but the DHCP and Relay DHCP both were saying each other was active, so no settings showed. Dispite, my user PC was still connecting via DHCP ok. I made a backup config file, then restored to factory defaults, then restore the config....unsurprisingly, it also restored the issue! LOL! So I did it one more time...and it did the same thing, surprise, surprise... So I figured it was soemthing else causing it. So I changed the "Lifetime" setting from 28800 and 84400 to 1200 for both, and wammo! It resolved it. My guess is, if you're making lots of setting changes, it's better to have a shorter lifetime setting... then to make it longer once things have settled.

Hope that helps!

Hi,

I think you have to use different public IP addresses for tunnels terminated by pfSense and for L2TP/IPSec connections you are trying to forward to you L2TP server.
Put yourself in pfSense' place. You see UDP-packet coming to port 500. How do you differentiate between packets intended for pfSense (tunnels) and intended to you L2TP server?

Regards,
Eugene.

Cool!

Thanks!

Hi,

do you have any idea how to achieve this?

Ta,

R to the D

I got it to work finally.

I think I got caught thinking the tunnel would create automatically rather than waiting until a request was made on it. Some pings to the remote network forced it up and it worked fine.

Thanks to all for their help.

Here's my take on  it:

If you can, change your home network scheme to 192.168.64.x/24 or something higher than a value of 63 in the third octet.  That way, you could create one ipsec vpn tunnel and run a parallel vpn design.  Say you chose 192.168.75.0/24, you could use the following scheme:

From your home to the office:

Local:  192.168.75.0/24

Remote:  192.168.0.0/18

Of course, from the other end, you will reverse the groups and it should work just fine when you create the respective rules on the office side to allow entry into the different work subnets.

In case you have your 15 subnets ranging all over the place, change your home ip scheme to something either in the 172.16.x.x range or the 10.x.x.x range.  With that done, make the respective changes to your IPSEC vpn and you should be fine with the one IPSEC vpn tunnel.

Enjoy and good luck!

Good luck!

Hey razor,

Just to clarify, I am not trying to push anything from side1(cable modem) to side2(fios).  I am trying to pull from side2(fios).  Yes, Comcast Business is the ISP of the cable modem.  On the FIOS line, I can max out the bandwidth at speedtest.net and in multi-threaded downloads (usenet,downloadmanagers,etc).  I guess Ill have to figure out a work around until I can get FIOS at my side1 location.

Thanks for taking the time to reply!

nope, that doensn't do the trick.

i'm starting to believe that's not possible what i want.

Are there any other firewall/ipsec vpn solutions where all traffic goes standard over the tunnel?

Good to hear yours is ok.

Well I've been running for just over 24 hours and mine has been fine as well, I might try the ping test my self and test how stable it is. The only real difference between now and my last post is that I did have a duplex issue on my WAN that was fixed and have since reinstalled and loaded up the old config, and all is good so far.

Wasca