• End-to-End VPN Tunnels

    Locked
    2
    0 Votes
    2 Posts
    6k Views
    D
    If I use my IP address, I am able to get it to connect without a problem, however since my IP changes I need to be able to use my DDNS.  My boss actually caught this, the 'unya' is actually part of my DDNS name of: dbUNYArd.homeip.net.  Is there something I am missing here?
  • IPsec Gateway-To-Gateway pfSense-to-Cisco PIX515

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdashD
    I've done a couple of pfSense-PIX tunnels and haven't had problems. I generally use aggressive/3DES/SHA and set the PFS group at 2. You might also want to post the crypto section of your PIX config.
  • Strange IPSec packet loss on net5501-70

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IP Sec Tunnels not stable

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J
    I might add after doing a little testing and some research that it worked perfectly for months and months on AT&T 6 meg / 768k DSL and I upgraded to Uverse 10 meg / 1.5 meg and that's when I started having the problems. I am not sure why but it's like I have one way communication and there is something wrong with the phase 2.
  • Strange this happening

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    J
    Creating only a one way tunnel worked for me.
  • Microsoft ISA VPN 2006

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    P
    OK. I don't know if you can make a lab to test IPSec between ISA and pfSense without NAT… Last but not least, I think NAT-T is supported since v1.3 on pfSense... Right?
  • IPSec and RIP

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    A
    I've been playing with this again today, and discovered that I must have broken something last time. I'm now seeing RIPv2 advertise packets when I sniff, but they don't contain any reference to the IP range at the other end of my IPSec tunnel. Here's an example packet, decoded by Wireshark. No.    Time        Source                Destination          Protocol Info       7 180.006426  10.0.1.250            224.0.0.9            RIPv2    Response Frame 7 (106 bytes on wire, 106 bytes captured)     Arrival Time: Oct 29, 2008 16:43:18.834316000
  • IPSec Point to Point VPN Trouble

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Realvnc problems within ipsec

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    @moffl: Sorry: I worded it wrong it is actually configured on the home side for the remote lan subnet So if I understand your config: Remote site: You have a rule permitting anything. So, something like this: any -> any permit. Home site: You have a rule permitting anything from your LAN. So, something like this: Home LAN -> any permit Am I right? If so, can you ping the server you're trying to reach with VNC?
  • Multiple lan routing with router between firewall and internet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    Hi. You have to create a phase by network you want to give access to the tunnel. For example, I've to create tunnel between these 2 offices: Main office: DATA VLAN: 192.168.1.0/24 VOICE VLAN: 192.168.2.0/24 LAB VLAN: 192.168.3.0/24 Remote Office: REMOTE LAN: 192.168.100.0/24 I want to give access to DATA VLAN & VOICE VLAN only. So I've to create tunnel (on both pfSense) for this traffic: DATA VLAN & REMOTE LAN (192.168.1.0 & 192.168.100.0) VOICE VLAN & REMOTE LAN (192.168.2.0 & 192.168.100.0) With the pfSense v1.3, you can do this with adding several phase 2 for the same phase 1. I don't know how you can do this with older version. Hope this helps. [EDIT] I've added a screenshot of my configuration.
  • IPSEC ERRORS tunnel stopped working

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    J
    I have similar thing already have a post. http://forum.pfsense.org/index.php/topic,12095.0.html
  • Static to Static cannot ping, tunnel is up

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Found out that the firewall must be opened which is not mentioned anywhere in the tutorial.  You must go to the ipsec tab under rules and open up the things you want to communicate.  Now I am just wondering how to properly route traffic.
  • With OPENSWAN

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    N
    I tried it but couldn't get it to work :( I too would like to see your openswan config ;) The setup I used was openSUSE 11… I'm going to try another OS, maybe Fedora 9, or just openSUSE 10.3 and see if that works...
  • Static to dynamic

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    S
    @capitangiaco: and please don't bore with the not stable story…. 1.3 is at the moment, the only way to use ipsec dynamic peers Giacomo Not true. 5 sites with dynamic IP only, site-to-site tunnels, pfS 1.2 with help of little custom script and cron job, up-time 7 months 20 days. So, it is possible but someone needs to put some extra effort to make it work. Sasa
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec VPN to Fortinet Firewall

    Locked
    3
    0 Votes
    3 Posts
    10k Views
    T
    I was able to get this working. I had to configure local and remote subnets in the fortinet phase2 vpn definition. Otherwise, it came up instantly.
  • Status not green…?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N
    So…should I even bother...? 23 looks, but no bites... is that telling enough...? LOL Thanks!
  • Ipsec through a cisco 800 in router mode

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    P
    @capitangiaco: Sometime I must use ip tcp adjust-mss 1350, and 1300 Giacomo Better idea to configure mss to 1300…
  • Site to Site VPN Tunnel not working correctly

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    P
    @itadmin: Hi,   I decided to try a tunnel to the 172.16.100.x network for the time being just so I can see if I can get that one up first without having to go behind the router.   When I ping from inside the juniper firewall I can get across. But the router behind the firewall can't seem to make it. Also from the main office over to the branch nothing happens. I will post my juniper config below. I assumed for some reason that if my firewall with a 172.16.100.254 address can ping across then so should the router on 172.16.100.1 be able to as well? Badly, I don't know Juniper firewall but I suppose that success ping from LAN interface does not mean that someone on the LAN can ping through the Juniper… It's necessary to check how Juniper manages packets: do the packets go through the NAT first, then the VPN and so on... Do you see what I mean? Last but not least, I suppose that the Juniper is the default gateway for your Branch LAN? If not, you'll have to add a route on this default gateway telling that the Main Office LAN is behind the Juniper... Hope this helps.
  • Trouble connecting to Cisco VPN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C
    try to debug using traceroute: are packets exiting from the right interface ? Giacomo