There is a racoon configuration directive called 'log info|debug|debug2'. I added it manually to /var/etc/racoon.conf, killed racoon and started it manually using /usr/local/sbin/racoon -f /var/etc/racoon.conf. Too bad there isn't a GUI option for it somewhere (or is there?)

Anyway, more specifically, by setting it to debug2, I get this:

Jun 29 17:30:58 racoon: DEBUG: 32953411 3a24b070 00000000 00000000 01100400 00000000 0000010c 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0100 80030001 80020002 80040002 0a000084 8239ea94 e4bf1ad1 3c9a02d3 6103ba0b 50b669b5 8ca55b22 79f90a6f 62d4f840 85632dcb cfa7e7c5 ea5601da 724aa79e 5a8b6997 15739a07 79330d88 948ffa4c 20a19ce6 442538f0 d0182aaa caf80d76 9c47049f 11cd3c72 471e475a c6d675bc ca4a1f7d b1271636 52c30de3 2ac6ea4c bc945bd3 e9683a82 fc5b0d0a 236f2ef8 05000014 99e5be30 5910045b b768c0a6 89ef8c57 0d00000c 011101f4 40936165 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jun 29 17:30:58 racoon: DEBUG: resend phase1 packet 329534113a24b070:0000000000000000
Jun 29 17:30:58 racoon: DEBUG: ===
Jun 29 17:30:58 racoon: DEBUG: 40 bytes message received from 62.x.y.z[500] to 64.a.b.c[500]
Jun 29 17:30:58 racoon: DEBUG: 00000000 00000000 00000000 00000000 0b100500 f37b30ee 00000028 0000000c 00000000 0100001d
Jun 29 17:30:58 racoon: ERROR: malformed cookie received.

Any idea what might be causing the malformed cookie?

– james

Okay now the sites are working.  ???
Now I`m going to try and add a
adtran netvanta 2300,and a
cisco 2600 into the mix.
Looks like the adtran will not support blowfish encryption.

@hoba:

The static routes are still needed. Autocreation of this is a bit tricky currently. Maybe we'll implement this later (after 1.2 is out).

Where do the static routes point to?

other question: does it work with one PFsense box on the WAN IPSEC port/tunnel and one PFsense box on the OPT IPSEC port/tunnel?

I answer myself. Is posible. The problem was the two diferents versions of pfsense.

Cheers

Hi, now I cam stablish a VPN with a Vlan on WAN interface but i cam only ping fron the pfsense itself.

Any sugestion on how i cam make a route, nat or a rule from the LAN 192.168.0.0/24 to a VLAN 78.0.10.96/28.

I've got some WRAP boards that are very similar to the Soekris 4801. 128MB RAM and 266 MHz. I had a problem with 3DES VPN rebooting them if I sustained VPN traffic for more that about 10 seconds if the other side was capable of handling more than about 4 mb/s. With a VPN1411 card in each, I sustained almost 9 mb/s with no reboots between 2 of them. This was not with the new beta version though. I haven't run it on an embedded platform yet. Here's the thread on my throughput testing.

http://forum.pfsense.org/index.php/topic,1869.0.html

What's the exact version you're running? Can you replicate it with the latest snapshot from
http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/

I tested it with pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007.tgz today. But the parallel tunnel is not available with the latest update too.

Pls Pls fix this problem. I think parallel tunnel is a very usful ipsec function.

Thank you.

@covex:

well… i have about 40 linksys befvp41 and 10 netgear fvs318v3 connected to pfsense box. besides minor missconfiguration problems everything work fine.

Wow, so they're actually stable? I cringe at the thought of supporting 40 Linksys VPN boxes.  ;D  I've tried the BEFVP41, granted it was probably 5 years ago, but at the time it didn't work reliably at all no matter what I connected it to.

I think I still have it on a shelf around here somewhere, maybe it's time to give it another shot if for nothing other than the sake of documenting the proper way to configure one to connect to pfsense.

after 24 hours this message went away by itself  :-
i hate when things fix by themselves

Thanks for that. I have to say I agree that hidden rules are bad. Maybe you could do the same as with NAT and auto create a rule if the check box is checked.

Either way it needs to be consistent between creating a rule for a carp and a wan. Especially given that the carp address/interface is now selected from the same dropdown as the WAN interface

Thanks for a great firewall

I'm not a Linux guru, and never heard of strongswan until you mentioned it. From a quick Google, it's IPsec for remote access.

The issue with IPsec is, unless you have a commercial solution that comes with a client (Cisco, probably others), there are issues getting client software on Windows machines (and I assume that's the majority of what you'll need to support). There is the Shrew Soft client, and I know the author hangs out on our mailing list and people do use it with pfsense. http://www.shrew.net/

OpenVPN is more convenient, IMO, because you can use a single client across every platform you need to support (Windows, OS X, BSD, Linux). With IPsec, you would have a different client from a different source for every platform (again, unless you had a commercial solution).

If I was going with a large scale open source deployment, I would go with OpenVPN in most environments.

For around 100 simultaneous connections, I would go with a Pentium 4 or better box. That should leave you plenty of power to spare.

Fixed recently:

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/vpn.inc?rev=1.89.2.29.2.8;content-type=text%2Fplain

There were some issues with IPsec and snapshots up until earlier today. Try a new snapshot.