  • Multiple ESP tunnels to one IPSEC gateway
    Locked · 1 post · 2k views · 0 votes
    No one has replied
  • IPsec throughput issues…
    Locked · 15 posts · 7k views · 0 votes
    Hey razor, just to clarify, I am not trying to push anything from side1 (cable modem) to side2 (fios). I am trying to pull from side2 (fios). Yes, Comcast Business is the ISP of the cable modem. On the FIOS line, I can max out the bandwidth at speedtest.net and in multi-threaded downloads (usenet, download managers, etc.). I guess I'll have to figure out a workaround until I can get FIOS at my side1 location. Thanks for taking the time to reply!
  • IPSEC route ALL traffic over IPSEC connection
    Locked · 11 posts · 6k views · 0 votes
    Nope, that doesn't do the trick. I'm starting to believe that what I want is not possible. Are there any other firewall/IPsec VPN solutions where all traffic goes over the tunnel as standard?
  • Multiple Simultaneous VPN Tunnels cause HUGE slowdown, dropped packets
    Locked · 5 posts · 3k views · 0 votes
    Good to hear yours is OK. Well, I've been running for just over 24 hours and mine has been fine as well; I might try the ping test myself and test how stable it is. The only real difference between now and my last post is that I did have a duplex issue on my WAN that was fixed, and I have since reinstalled and loaded up the old config, and all is good so far. Wasca
  • Setting up Outbound NAT on IPSEC VPN?
    Locked · 5 posts · 3k views · 0 votes
    ok thanks, R to the D
  • Upgrading from 1.0 and problems
    Locked · 7 posts · 3k views · 0 votes
    Thank you for your help. I had found the setting late last night, which explains a lot. I guess we can now consider this thread closed. Again, thanks heiko.
  • IPSec with dynamic DNS
    Locked · 1 post · 2k views · 0 votes
    No one has replied
  • DHCP for IPSEC Clients
    Locked · 4 posts · 2k views · 0 votes
    Your Cisco client needs to specify a local subnet for his end of the tunnel (from the pfSense point of view this is the remote subnet behind the tunnel). As this is a single client, it should be a /32. I don't know the Cisco client, so I can't tell you how to set it up.
  • I can't connect the IPsec when my pfSense connects to Zyxel firewall!!!!
    Locked · 4 posts · 3k views · 0 votes
    Don't use the IP address, it is dynamic. Try other identifier types.
  • Weird IPSEC tunnel issue.
    Locked · 15 posts · 6k views · 0 votes
    Try to lower the MTU of the clients that are not working.
  • IPSec "Gateway"
    Locked · 4 posts · 3k views · 0 votes
    NATting through IPSEC is not possible for versions up to 1.2. Maybe it will be possible in an upcoming version (I think ermal said theoretically it is possible, but he has some other features that keep him busy currently, so don't take this as a promise).
  • Mobile client issue
    Locked · 20 posts · 8k views · 0 votes
    Thanks, now everything is working well.
  • IPSEC on OPT1/WAN2?
    Locked · 17 posts · 8k views · 0 votes
    LOL - OK, total brainfart, as that is how it is set up at my other location. Oops … like I said at the beginning, mesa confused! :) Thanks as usual guys. -- Phob
  • Why I can't connect if I use main mode~!!!!
    Locked · 8 posts · 13k views · 0 votes
    Oh… thx!!!! When I use my IP address, it is OK!!!!!!! Thank you very much.
  • Netgear v1 vpn to pfsense
    Locked · 4 posts · 2k views · 0 votes
    The IPSEC Rule Tab controls all incoming IPsec traffic; the LAN Rule Tab controls all outgoing traffic from LAN to WAN/IPSEC or anything else. So if pfSense doesn't reply to your ping request from the Netgear VPN, you need a rule at the IPsec tab, for example "allow all" from "Netgear's LAN" to "pfSense LAN".
  • Phase 2 expired before the phase 1 starts to negotiate
    Locked · 5 posts · 2k views · 0 votes
    @hoba: Please provide more info on your settings for the tunnel.
  • Connecting a GreenGate VPN 2000 to a pfSense Firewall
    Locked · 5 posts · 4k views · 0 votes
    I meant NAT-T. This is a thing which is normally only interesting for a client behind a NATing router, but that is not the point. I also tried aggressive mode, but the other side (GreenGate VPN) does not support aggressive mode. The IP keepalive settings are filled with an IP address out of the remote network. That works, but I get a lot of errors in the log. As an alternative, a little script on the pfSense box would work very well: it would check the WAN IP at a regular interval, and if the IP changes, the script only has to change one of my interfaces to LAN, save, apply the settings, and switch it directly back to WAN, save it and apply it. These are the steps I do right now and it works.
  • VPN into POS Host
    Locked · 7 posts · 5k views · 0 votes
    Not sure how you test this, but make sure that you test the connectivity from behind the pfSense. The pfSense itself can't make use of the tunnel unless you add some fake static route.
  • IP Sec Problems with Tunnel
    Locked · 4 posts · 2k views · 0 votes
    Good to hear, thanks :)
  • Statistics on individual IPSEC tunnels
    Locked · 2 posts · 2k views · 0 votes
    I don't think so. Maybe with the pfflowd package and something external, but not with pfSense built-in features.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.