• Couldn't find the proper pskey

    Locked
    4
    0 Votes
    4 Posts
    31k Views
    J
    Hi Heiko, thank you very much for the detailed reply. I will test with greater lifetime and search the forum for better lifetime setting. Thanks again.
  • Routing through IPSec tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Please take a look… http://forum.pfsense.org/index.php/topic,3701.0.html
  • Routing specific ports through router at other end of ipsec tunnel

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    Z
    Except I want to do it by port, not destination IP.
  • Pfsense 1.2 stable with IPSEC through WAN 100Mbps reboots the box

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    I've beaten the hell out of a WRAP with a Xeon server as the other end point and it was never unstable. That sounds like an ALIX, which I haven't put through the same rigor yet. It's kernel panicking, so you're hitting either some sort of FreeBSD bug or hardware problem. Can you follow this: http://devwiki.pfsense.org/ObtainingPanicInfoForDevelopers and get us the results from when it panics? Assuming you can reliably replicate it, or at least replicate it once. You can email it to me (cmb@pfsense.org), it'll be pretty long.
  • 2 tunnels : same remote config, but 2 different local subnets

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C
    So because only 1 end has multi subnets this won't work? Or am I misunderstanding and so long as I use FQDN and they match on both sides for both tunnels (each tunnel unique FQDN of course) I am good? One end has 1 pub and 1 lan subnet, other has 1 pub and 2 lan subnets. Right now I have the original poster's problem but they do work, just is a mess.
  • No/sporadic connectivity between ipsec sites

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • "You don't do DHCP for IPSEC-Clients."… Hoba.... But....

    Locked
    14
    0 Votes
    14 Posts
    8k Views
    N
    So I guess there is no way possible to get DHCP over IPsec, huh? I haven't had any success with OpenVPN either… seems much more complicated. Seems like a dead end. ??? ::) :-[ :'(
  • Is it possible to connect more than 2 pfsenses in a ipsec vpn?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Yes, no problem, if you meant 6 locations with different lan subnets…. ;)
  • 0 Votes
    4 Posts
    9k Views
    Y
    Cannot be both site static?
  • New to 1.2 could someone explain this

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSEC Tutorial

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    GruensFroeschliG
    IPSEC won't allow you to play udp-broadcast based games. IPSEC poses the same limitations as OpenVPN does. In fact, less. Because you always can hack yourself an OpenVPN bridge together. http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN at the bottom
  • Ipsec tunnel stop working

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    Please post your settings!
  • Ipsec Green, but I can't ping

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    With all my testing I've been up to, I've had this occur a couple times… it was the weirdest thing... The IPsec would show green, but I couldn't ping anything. It freaked me out the first time... The first time, on the ipsec settings I had to put the remote public IP of the host for the Remote Gateway. I had accidentally put the internal local IP for the Remote Gateway. I was surprised it even connected! The second time, I had rebooted the PF breaking the connection suddenly. And for some reason it seemed to get 'stuck'. IPsec showed green, but the DHCP and Relay DHCP both were saying each other was active, so no settings showed. Despite, my user PC was still connecting via DHCP ok. I made a backup config file, then restored to factory defaults, then restore the config... unsurprisingly, it also restored the issue! LOL! So I did it one more time... and it did the same thing, surprise, surprise... So I figured it was something else causing it. So I changed the "Lifetime" setting from 28800 and 84400 to 1200 for both, and wammo! It resolved it. My guess is, if you're making lots of setting changes, it's better to have a shorter lifetime setting... then to make it longer once things have settled. Hope that helps!
  • 0 Votes
    3 Posts
    4k Views
    E
    Hi, I think you have to use different public IP addresses for tunnels terminated by pfSense and for L2TP/IPSec connections you are trying to forward to your L2TP server. Put yourself in pfSense's place. You see UDP-packet coming to port 500. How do you differentiate between packets intended for pfSense (tunnels) and intended to your L2TP server? Regards, Eugene.
  • First timer/newbie IPSec VPN….

    Locked
    18
    0 Votes
    18 Posts
    10k Views
    N
    Cool! Thanks!
  • [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • IPSEC VPN Setup - Can it be done?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    Hi, do you have any idea how to achieve this? Ta, R to the D
  • IPSEC manual failover adding an extra box

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Connection to a Netgear FVS318 v2.4

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M
    I got it to work finally. I think I got caught thinking the tunnel would create automatically rather than waiting until a request was made on it. Some pings to the remote network forced it up and it worked fine. Thanks to all for their help.
  • Local Subnet with Alias

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    R
    Here's my take on it: If you can, change your home network scheme to 192.168.64.x/24 or something higher than a value of 63 in the third octet. That way, you could create one ipsec vpn tunnel and run a parallel vpn design. Say you chose 192.168.75.0/24, you could use the following scheme: From your home to the office: Local: 192.168.75.0/24 Remote: 192.168.0.0/18 Of course, from the other end, you will reverse the groups and it should work just fine when you create the respective rules on the office side to allow entry into the different work subnets. In case you have your 15 subnets ranging all over the place, change your home ip scheme to something either in the 172.16.x.x range or the 10.x.x.x range. With that done, make the respective changes to your IPSEC vpn and you should be fine with the one IPSEC vpn tunnel. Enjoy and good luck! Good luck!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.