• 0 Votes
    1 Posts
    2k Views
    No one has replied
  • Site-to-Site, pfsense 1.2-RC3-to-pfsense 1.2-RC3

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    jahonixJ
    May I suggest you read here: http://en.wikipedia.org/wiki/Broadcast_%28disambiguation%29 Follow the links under section "In computer networking"
  • IPSec tunnel and dinamic IP

    Locked
    31
    0 Votes
    31 Posts
    18k Views
    S
    1.2 is frozen.
  • IPsec tunnels on a system with a dynamically configured WAN IP address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    No, that will arrive in 1.3.
  • Netopia to Pfsense IPsec tunnel

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    J
    I tried setting up an aggressive tunnel with sha1, des, email address identifier, and shared key all matching… setup the subnets correctly on both sides. (same settings worked perfectly on my netscreen)
    I then tried main mode with the same settings as above. I tried aggressive with 3des, md5, as well as main mode with 3des, md5 all the other settings are the same. I get the same thing every time I save the ipsec information in the log file.
    Last 50 IPSEC log entries
    Jan 21 11:28:29 racoon: ERROR: configuration read failed
    Jan 21 11:28:29 racoon: ERROR: fatal parse failure (1 errors)
    Jan 21 11:28:29 racoon: ERROR: /var/etc/racoon.conf:5: "on" syntax error
    Jan 21 11:28:29 racoon: ERROR: not acceptable Identity Protection mode
    Jan 21 11:28:26 racoon: ERROR: failed to process packet.
    Jan 21 11:28:26 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:26 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:26 racoon: WARNING: No ID match.
    Jan 21 11:28:26 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:26 racoon: [Marc Avila]: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>71.243.199.124[500]
    Jan 21 11:28:25 racoon: ERROR: failed to process packet.
    Jan 21 11:28:25 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:25 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:25 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:25 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:25 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>75.6.178.20[500]
    Jan 21 11:28:22 racoon: ERROR: not acceptable Identity Protection mode
    Jan 21 11:28:20 racoon: ERROR: failed to process packet.
    Jan 21 11:28:20 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:20 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:20 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:20 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:20 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>68.238.74.36[500]
    Jan 21 11:28:18 racoon: ERROR: failed to process packet.
    Jan 21 11:28:18 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:18 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:18 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:18 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:18 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>66.189.169.99[500]
    Jan 21 11:28:14 racoon: ERROR: not acceptable Identity Protection mode
    Jan 21 11:28:10 racoon: ERROR: failed to process packet.
    Jan 21 11:28:10 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:10 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:10 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:10 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:10 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>75.6.178.20[500]
    Jan 21 11:28:07 racoon: ERROR: not acceptable Identity Protection mode
    Jan 21 11:28:07 racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 21 11:28:05 racoon: ERROR: failed to process packet.
    Jan 21 11:28:05 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:05 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:05 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Jan 21 11:28:05 racoon: INFO: begin Aggressive mode.
    Jan 21 11:28:05 racoon: INFO: respond new phase 1 negotiation: 68.127.230.124[500]<=>68.238.74.36[500]
    Jan 21 11:28:05 racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 21 11:28:03 racoon: ERROR: failed to process packet.
    Jan 21 11:28:03 racoon: ERROR: failed to get valid proposal.
    Jan 21 11:28:03 racoon: ERROR: no suitable proposal found.
    Jan 21 11:28:03 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
  • IPSEC / Rules

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    GruensFroeschliG
    Set protocol to any. In your posted rule you have as protocol TCP.
  • IPsec wont start

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    J
    How about is there a simple netopia ipsec to pfsense how to? I have read on forums about people getting it working with monowall so it should be about the same situation right? Has anyone else gotten a netopia to Pfsense ipsec tunnel working?
  • LOG ERROR: "RACOON process is hung in sbwait. Restarting."

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    D
    1.2-RC4 has this problem fixed. Please upgrade.
  • How to speed up IPSEC, hardware encryption devices????

    Locked
    8
    0 Votes
    8 Posts
    9k Views
    G
    Well… I've seen a note, but I couldn't find any 3des encryption cards in Russia unfortunately.... :-( Actually I just installed rc3, and will check speed up. UUUUFFF, you are so lucky having hifn card  >:(
  • Juniper Netscreen 5GT IPSec VPN

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Remote node identifier problems…

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    5 Posts
    3k Views
    F
    I had a similar problem with an IPSEC VPN tunnel.  I enabled the keep alive on both ends of the tunnel and have not had any trouble at all.  Also I had to make sure that the ICMP port was open so that the ping could pass through the tunnel. RC
  • How to initiate VPN connection

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    G
    Configure ipsec tunnel by this tutorial. http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ Everything worked just fine for me (I have two shops connected)! Tunnel is very stable (not like ovpn between same points for example). Anton
  • Site-to-site pfSense-pfSense IPsec VPN

    Locked
    8
    0 Votes
    8 Posts
    13k Views
    G
    I had the same trouble, but after I pinged opposite side of tunnel, everything went ok.
    Last message before I pinged was
    racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    After
    racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
    racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)
    And it works fine.
  • IPSec with MacOS X L2TP client?

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    E
    @tacfit: L2TP and IPSec are not the same, so I don't think it should work. I've tried similar with the Windows L2TP client and it wouldn't work.
    Thanks - that was not present that I can have IPsec without L2TP - I thought if you have IPsec you always have L2TP.
    Bye, eweri
  • VPN betwenn pfSense and dynamic client

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    T
    OK, given your wording I'm still not entirely sure of your problem. It sounds like you're asking this:
    1. You have your pfsense server setup "normally", with a static IP.
    2. You want to connect to it via IPSEC, from other places, like home or an internet cafe.
    As I said, the configuration issue is with the router you are behind, when you're at home or at the cafe. It's not a question of the router's IP, it's the IPSEC NAT settings. If the router has been configured to pass IPSEC through the NAT, then it will work fine. Otherwise, no luck. That's a limitation with IPSEC, it's not NAT friendly, so the router your laptop is behind must be configured to pass IPSEC through NAT unhindered. Most routers have this option, some older ones won't.
  • Packets destined for IPSEC tunnell go through NAT instead…

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    R
    We've got an 'allow anything' on the LAN interface (VLAN 10) and an 'allow anything' rule on the IPSEC interface on pfSense. If I do a tcpdump on enc0 and ping a host on the LAN subnet from the other end of the ipsec tunnel (10.1.1.0/24), I see the incoming ping request, and the outgoing ping response, but the remote network never receives the packet. I've also checked the filters on the remote linksys router, and I'm not having much luck. We've even tried dropping the filters on the remote end entirely, and still no response. In my initial look at the state table I wasn't quick enough. An initial attempt to go directly to the host w/o involving NAT happens, and then after some time, NAT gets involved. I also have the system logging all blocked packets, and I don't see any blocks of my ICMP packets being logged. If I see the incoming request, and the pinged host's response on enc0, that seems to indicate that the filters on pfSense aren't in play, unless the outbound ping response is getting filtered out somewhere and I'm just not finding it. I've got the exact same setup working on v1.0.1, so I'm really not sure why this isn't working on the new version. Has the handling of packets destined to IPSEC tunnels changed in 1.2 beyond the IPSEC interface filters? I'm really baffled by this one…. Thanks again for any insight you can offer on this one.
  • Can't re-create ipsec tunnel automatically if peer side poweroff

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    http://forum.m0n0.ch/ ?
  • VPN Client - suggestion

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    Search the forum, there is a solution around.
  • IPSEC TUNNEL FROM LINKSYS WRV54G TO PFSENSE

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    F
    My client has a static address on his end and I have one too on my side.  I have no issues.  It was a pain to get just right but I am finding every vendor has slightly different terms for the same thing and it will drive you nuts. In my case it was a typo.  I had the wrong IP set up.  Changed it and up it came.  It's been working fine. RC
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.