• Multiple Simultaneous VPN Tunnels cause HUGE slowdown, dropped packets

    Locked
    0 Votes
    5 Posts
    3k Views
    Good to hear yours is ok. Well I've been running for just over 24 hours and mine has been fine as well, I might try the ping test myself and test how stable it is. The only real difference between now and my last post is that I did have a duplex issue on my WAN that was fixed and have since reinstalled and loaded up the old config, and all is good so far. Wasca
  • Setting up Outbound NAT on IPSEC VPN?

    Locked
    0 Votes
    5 Posts
    3k Views
    ok thanks, R to the D
  • Upgrading from 1.0 and problems

    Locked
    0 Votes
    7 Posts
    3k Views
    Thank you for your help, I had found the setting late last night which explains a lot. I guess we can now consider this thread closed, again thanks heiko
  • IPSec with dynamic DNS

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP for IPSEC Clients

    Locked
    0 Votes
    4 Posts
    3k Views
    Your Cisco client needs to specify a local subnet for his end of the tunnel (from the pfSense point of view this is the remote subnet behind the tunnel). As this is a single client it should be a /32. I don't know the Cisco client so I can't tell you how to set it up.
  • I can't connect the IPsec when my pfSense connects to Zyxel firewall!!!!

    Locked
    0 Votes
    4 Posts
    3k Views
    Don't use IP address, it is dynamic. Try other identifier types.
  • Weird IPSEC tunnel issue.

    Locked
    0 Votes
    15 Posts
    6k Views
    Try to lower the MTU of the clients that are not working.
  • IPSec "Gateway"

    Locked
    0 Votes
    4 Posts
    3k Views
    NATing through IPsec is not possible for versions up to 1.2. Maybe it will be possible for an upcoming version (I think ermal said theoretically it is possible but he has some other features that keep him busy currently, so don't take this as a promise).
  • Mobile client issue

    Locked
    0 Votes
    20 Posts
    8k Views
    Thanks now everything is working well
  • IPSEC on OPT1/WAN2?

    Locked
    0 Votes
    17 Posts
    8k Views
    LOL - OK, total brainfart as that is how it is set up at my other location. Oops … like I said at the beginning, mesa confused! :) Thanks as usual guys. -- Phob
  • Why I can't connect if I use main mode~!!!!

    Locked
    0 Votes
    8 Posts
    14k Views
    Oh… thx!!!! When I use my IP address, it is ok!!!!!!! Thank you very much
  • Netgear v1 vpn to pfsense

    Locked
    0 Votes
    4 Posts
    2k Views
    The IPsec rule tab controls all incoming IPsec traffic, the LAN rule tab controls all outgoing traffic from LAN to WAN/IPsec or anything else, so if pfSense doesn't reply to your ping request from the Netgear VPN you need a rule at the IPsec tab, allow all for example from "netgear's lan" to "pfsense lan"….
  • Phase 2 expired before the phase 1 starts to negotiate

    Locked
    0 Votes
    5 Posts
    2k Views
    @hoba: Please provide more info on your settings for the tunnel.
  • Connecting a GreenGate VPN 2000 to a pfSense Firewall

    Locked
    0 Votes
    5 Posts
    4k Views
    I meant NAT-T. This is a thing which is normally only interesting for clients behind a NATing router, but that is not the point. I also tried aggressive mode but the other side (GreenGate VPN) does not support aggressive mode. The IP keepalive settings are filled with an IP address out of the remote network. That works, but I get a lot of errors in the log:

    Apr 26 08:59:43 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:59:34 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:59:33 racoon: INFO: received Vendor ID: DPD
    Apr 26 08:59:33 racoon: INFO: begin Identity Protection mode.
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: initiate new phase 1 negotiation: 80.135.97.34[500]<=>217.5.211.238[500]
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: IPsec-SA request for 217.5.211.238 queued due to no phase1 found.
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:59:10 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:59:09 racoon: ERROR: phase1 negotiation failed due to time up. e63213fe82189065:86f78315af7fd679
    Apr 26 08:59:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:59:09 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:58:48 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:58:45 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:58:44 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:58:44 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:58:28 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:58:20 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:58:19 racoon: INFO: received Vendor ID: DPD
    Apr 26 08:58:19 racoon: INFO: begin Identity Protection mode.
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: initiate new phase 1 negotiation: 80.135.97.34[500]<=>217.5.211.238[500]
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: IPsec-SA request for 217.5.211.238 queued due to no phase1 found.
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:57:57 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:57:57 racoon: ERROR: phase1 negotiation failed due to time up. 8c6ed753b3823d42:86f78315af7fd679
    Apr 26 08:57:56 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:57:56 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.x.x-217.5.x.x
    Apr 26 08:57:36 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.x.x[500].
    Apr 26 08:57:33 racoon: [Self]: INFO: 192.168.13.126[500] used as isakmp port (fd=23)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a388%vr0[500] used as isakmp port (fd=22)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a389%vr1[500] used as isakmp port (fd=21)
    Apr 26 08:57:33 racoon: [Self]: INFO: 10.0.0.254[500] used as isakmp port (fd=20)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a38a%vr2[500] used as isakmp port (fd=19)
    Apr 26 08:57:33 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Apr 26 08:57:33 racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Apr 26 08:57:33 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a388%ng0[500] used as isakmp port (fd=15)
    Apr 26 08:57:33 racoon: [Self]: INFO: 80.135.x.x[500] used as isakmp port (fd=14)

    The remote log:

    @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet
    Apr 26 07:01:50 authpriv.warn Pluto[299]: "94:85" @80.135.x.x:57306 #612939: next payload type of ISAKMP Identification Payload has an unknown value: 215
    Apr 26 07:01:50 authpriv.warn Pluto[299]: "94:85" @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet
    Apr 26 07:01:55 authpriv.warn Pluto[299]: "94:85" @80.135.x.x:57306 #612929: max number of retransmissions (2) reached STATE_MAIN_R2
    Apr 26 07:02:00 authpriv.warn Pluto[299]: "94:85" @80.135.x.x:57306 #612939: next payload type of ISAKMP Identification Payload has an unknown value: 215
    Apr 26 07:02:00 authpriv.warn Pluto[299]: "94:85" @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet

    As an alternative, a little script on the pfSense box would work very well, that would check the WAN IP at a regular interval and if the IP changes the script only has to change one of my interfaces to LAN, save, apply the settings and switch it directly back to WAN, save it and apply it. These are the steps I do right now and it works.
  • VPN into POS Host

    Locked
    0 Votes
    7 Posts
    5k Views
    Not sure how you test this but make sure that you test the connectivity from behind the pfSense. The pfSense itself can't make use of the tunnel unless you add some fake static route.
  • IP Sec Problems with Tunnel

    Locked
    0 Votes
    4 Posts
    2k Views
    Good to hear, thanks :)
  • Statistics on individual IPSEC tunnels

    Locked
    0 Votes
    2 Posts
    2k Views
    I don't think so. Maybe with the pfflowd package and something external but not with pfSense built in features.
  • IPSEC between pfSense and Cisco PIX 525 (pixos v8)

    Locked
    0 Votes
    4 Posts
    9k Views
    I have an update on this. It seems that my remote subnet entry was /16, while the actual remote subnet was /22… the debugging on the Cisco was way more helpful in determining the problem at the end of the day. For those in a similar situation you will need to run the following on a PIX/ASA to see what you need: debug crypto isakmp. THEN: I got a ping ready on pfSense, to ping the inside address of the remote endpoint (after creating firewall rules) and did the following: terminal monitor - execute ping on pfSense now - after you see the Group = xxxx entry in the logs and think you have what you need: terminal no monitor. This will keep it from scrolling off your buffer until you can figure out what is going on.
  • IPSEC passthrough

    Locked
    0 Votes
    4 Posts
    11k Views
    damned you are right, so blind I am. Thanks a lot Hoba, I was looking for something more difficult than it is…
  • IPSec service not starting

    Locked
    0 Votes
    5 Posts
    6k Views
    Hello, the service is up and running after I set up the WAN interfaces. It was my mistake. It was the first time I had to set up a VPN. Now I know what I did wrong! ;) The VPN is running now. Thank you! Lucian
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.