• HQ is opening remote office-Put PFSense at hq or remote?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    M
    very true. Thanks for the input. Time to sell the pix
  • Subnet addressing method

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    jahonix
    I like this one: http://jodies.de/ipcalc
  • Site to Site VPN - Rules

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    ?
    Same problem here…
  • Racoon: error: failed to get valid proposal

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    B
    It works Thanks
  • Windows mobile -> no suitable proposal found.

    Locked
    4
    0 Votes
    4 Posts
    11k Views
    M
    The remote peer is not sending a proposal that matches what you have listed as its configuration. For phase1 it's using … 3DES-CBC SHA1 DH Group 2. Try setting the pfSense phase1 parameters to match. It should get farther along.
  • IPSEC VPN with Cisco VPN Client

    Locked
    8
    0 Votes
    8 Posts
    9k Views
    M
    This can usually be solved by enabling NAT-Traversal or IKE over TCP support in the Cisco VPN client. The gateway must also be configured to support this.
  • IPSEC in pfSense 1.2.1

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    M
    The Shrew Soft client works with pfSense 1.2.x but in a degraded fashion. That said, I don't think other clients would work any better. The major shortcoming is that the 1.2.x versions of pfSense do not take advantage of the ipsec-tools features which improve compatibility with mobile clients. For a bit more detail, please see the issues section of the Shrew Soft Zywall howto ( it has many similar problems ). http://www.shrew.net/support/wiki/HowtoZywall#KnownIssues The 1.3 version of pfSense will address most of the 1.2.x shortcomings. Please see this blog entry for more details … http://blog.pfsense.org/?p=211
  • Racoon service stops unexpectedly

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    H
    Heh, and what do the other logs from the other endpoints say? Regards, heiko
  • IPSec Performance

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Make sure to set a ping address so that the tunnel is initiated after such an event. I have 390 draytek routers doing the same thing and they succeed in about 3 minutes.
  • Tunnel established but no traffic passes

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    J
    I have this working one way now. The server from behind the pfSense box can map drives, copy files, remote desktop to a server behind the Fortigate. So if that server initiates the connection everything works. However, if the server from behind the FortiGate tries to initiate a connection it does not work. By looking at a tracert, it appears that once the packet gets to the Fortigate, it does not know where to go. I just get "Request timed out". I think it is a Fortigate routing issue and I am going to keep fiddling with it. ??? -John
  • Can't ping some hosts

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Well you "could" place pfSense in front of your other default gateway (WAN side), so that all traffic has to go over pfSense. Or you could add static routes to all your clients which need access to the other site. But I suppose that's not really what you want ^^
  • IPSec Tunnel Disables Interface??

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    @fastcon68: check your ipsec rules, icmp may not be allowed to pass. RC No, I'm fine passing traffic over the tunnel. It's when the IPSec tunnel is enabled, I can't pass any traffic from pfSense to any of the IPs assigned to the LAN interface. For example, any device on the LAN can't ping the pfSense IP of "10.27.0.1" when the ipsec tunnel is up. IPSec Tunnel -> pfSense -> LAN Device. So between pfSense and the LAN Device is broken.
  • High Latency Suggestions and IPSEC link

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    S
    Thanks, and I did suggest that to the SQL developer who I am assisting. My suggestion was to create a DTS package in MySQL and FTP out to the MSSQL, then import that DTS package into MSSQL. Not sure if MySQL has that capability. I know that there is only a certain table that the developer needs to pull from MySQL into MSSQL - not the entire database. Could you explain exactly how you do it and what methods or scripts helped you? Thanks.
  • IPSEC VPN with 3005 Cisco VPN Concentrator

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    K
    @databeestje Thanks for the response!
  • IPSec Mobile clients wont establish - ALIX 2 units

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    12 Posts
    45k Views
    H
    Fine  :D
  • IPSEC with numerous partners

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    1. OK, at least 10 IPSEC partners 2. Can you at least provide another vendor you may also be using (i.e. Cisco plus model, SonicWall plus model, etc.)
  • IPSec errors in log

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    Please also search this forum… ipsec works in 1.2 as it should from pfSense to pfSense....
  • Access to other workgroup over VPN conections

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    No. Workgroups are based on UDP broadcasts. Broadcasts won't go over a router. But you can access Windows shares directly via the IP. So while you cannot access a workgroup, yes, you can access Windows shares.
  • IPSEC connected but wont pass HTTP or RDP kindof

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    dotdash
    AFAIK, running with the MTU at 1400 should not cause any issues. Your box will have to work slightly harder, but unless your hardware is already running near capacity, it shouldn't be a problem. Ideally, you could get the equipment that is causing the issue fixed and set the MTU back, but this is not always possible. I would trace the route and do some tests. With more specific information, it might be easier to get your ISP to investigate. As for the remote sites, they should be fine with their default MTUs.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.