• 0 Votes
    3 Posts
    4k Views
    E

    Hi,

    I think you have to use different public IP addresses for tunnels terminated by pfSense and for L2TP/IPSec connections you are trying to forward to your L2TP server.
    Put yourself in pfSense's place. You see a UDP packet coming to port 500. How do you differentiate between packets intended for pfSense (tunnels) and packets intended for your L2TP server?

    Regards,
    Eugene.

  • First timer/newbie IPSec VPN….

    Locked
    18
    0 Votes
    18 Posts
    10k Views
    N

    Cool!

    Thanks!

  • [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSEC VPN Setup - Can it be done?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    Hi,

    do you have any idea how to achieve this?

    Ta,

    R to the D

  • IPSEC manual failover adding an extra box

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Connection to a Netgear FVS318 v2.4

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M

    I got it to work finally.

    I think I got caught thinking the tunnel would create automatically rather than waiting until a request was made on it. Some pings to the remote network forced it up and it worked fine.

    Thanks to all for their help.

  • Local Subnet with Alias

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    R

    Here's my take on it:

    If you can, change your home network scheme to 192.168.64.x/24 or something higher than a value of 63 in the third octet.  That way, you could create one ipsec vpn tunnel and run a parallel vpn design.  Say you chose 192.168.75.0/24, you could use the following scheme:

    From your home to the office:

    Local:  192.168.75.0/24

    Remote:  192.168.0.0/18

    Of course, from the other end, you will reverse the groups and it should work just fine when you create the respective rules on the office side to allow entry into the different work subnets.

    In case you have your 15 subnets ranging all over the place, change your home ip scheme to something either in the 172.16.x.x range or the 10.x.x.x range.  With that done, make the respective changes to your IPSEC vpn and you should be fine with the one IPSEC vpn tunnel.

    Enjoy and good luck!

    Good luck!

  • Multiple ESP tunnels to one IPSEC gateway

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec throughput issues…

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    S

    Hey razor,

    Just to clarify, I am not trying to push anything from side1 (cable modem) to side2 (fios). I am trying to pull from side2 (fios). Yes, Comcast Business is the ISP of the cable modem. On the FIOS line, I can max out the bandwidth at speedtest.net and in multi-threaded downloads (usenet, download managers, etc). I guess I'll have to figure out a workaround until I can get FIOS at my side1 location.

    Thanks for taking the time to reply!

  • IPSEC route ALL traffic over IPSEC connection

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    R

    Nope, that doesn't do the trick.

    I'm starting to believe that what I want is not possible.

    Are there any other firewall/ipsec vpn solutions where all traffic goes standard over the tunnel?

  • Multiple Simultaneous VPN Tunnels cause HUGE slowdown, dropped packets

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W

    Good to hear yours is ok.

    Well, I've been running for just over 24 hours and mine has been fine as well. I might try the ping test myself and test how stable it is. The only real difference between now and my last post is that I did have a duplex issue on my WAN that was fixed and have since reinstalled and loaded up the old config, and all is good so far.

    Wasca

  • Setting up Outbound NAT on IPSEC VPN?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    R

    ok thanks,

    R to the D

  • Upgrading from 1.0 and problems

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    M

    Thank you for your help. I had found the setting late last night, which explains a lot. I guess we can now consider this thread closed.

    Again, thanks heiko

  • IPSec with dynamic DNS

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP for IPSEC Clients

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    Your Cisco client needs to specify a local subnet for his end of the tunnel (from the pfSense point of view this is the remote subnet behind the tunnel). As this is a single client it should be a /32. I don't know the Cisco client so I can't tell you how to set it up.

  • I can't connect the IPsec when my pfsense connect to Zyxel firewall!!!!

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    D

    Don't use IP address, it is dynamic. Try other identifier types.

  • Weird IPSEC tunnel issue.

    Locked
    15
    0 Votes
    15 Posts
    6k Views
    H

    Try to lower the mtu of the clients that are not working.

  • IPSec "Gateway"

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    H

    Natting through IPSEC is not possible for versions up to 1.2. Maybe it will be possible for an upcoming version (I think ermal said theoretically it is possible but he has some other features that keep him busy currently, so don't take this as a promise).

  • Mobile client issue

    Locked
    20
    0 Votes
    20 Posts
    7k Views
    C

    Thanks now everything is working well

  • IPSEC on OPT1/WAN2?

    Locked
    17
    0 Votes
    17 Posts
    8k Views
    P

    LOL - OK, total brainfart as that is how it is set up at my other location. Oops … like I said at the beginning, mesa confused! :)

    Thanks as usual guys.

    -- Phob

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.