@nbviegas:

My issue is basically routing then. Wierdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go throuh interface ENC0 (IPSec to pfsense B). As per the default gw of pfsense I have - default 10.0.0.138 UGS 0 682017 1500 fxp0  - which is the IP Address of the ADSL Router.

Is there any issue with this setup?

It's not routing. As I said before, there is no routing involved with IPsec, as far as the routing table is concerned. It's the SPD that encapsulates matching traffic and sends it to the destination.

@nbviegas:

What do you mean by " Is the default gateway of every system involved pfsense?" . From what I get the existing DHCP server gives the default gw as the pfsense LAN IP address.

If you're using pfsense for DHCP for everything and don't have anything statically addressed then you don't have to worry about what the gateways are set to.

Since the traffic is getting logged at the source end, what about at the destination end if you enable logging there?

VPN on OPT1 should work fine provided you are using a 1.2 beta. It was not working on 1.0.1 release.

hi,
finally works with release 1.2-BETA-1… i permited traffic between pc1 and pc2... working cool now..
thanks everybody

thanks Hoba.

I had searched the forum, the advice is having parallel tunnel with unique identifier.

1. In the IPSec Tunnel setting, in phase 1, i choose identifier as My IP address and in pre-shared secret, i put in the entry identifier - IP of the box at remote site and the shared secret. In order to have unique identifier as mention, i will not use My IP address? Sorry I am a bit blur in this Identifier setting.

2. If the tunnel i pair up with a checkpoint firewall, so at the checkpoint side i will need to create multiple tunnel also? In check point i did not see any setting for identified? how i can make the tunnel unique?

okay, I solved it:

its an issue with remote subnet. When you get same errors check the net that is given to you.
If you dont have an IP- Calculator by hand:
go http://jodies.de/ipcalc scroll down and check

cheers :)

stefan

IPSEC filtering is a new feature of 1.2. 1.0.1 was always passing all incoming IPSEC traffic. If you upgrade from an old version we'll installa pass any rule at IPSEC so things will work the way they did like with 1.0.1. However, if you do a fresh install of 1.2 this rule is not present which means everything incoming through a tunnel will be blocked by default. Just create a rule at firewall>rules, IPSEC to allow the desired traffic.

Behavior is different with pfSense-1.2-BETA-1-Embedded-128-MB.img.gz, but still has difficulties.

No problem without the Hi/Fn card.

With the card, the behavior is complicated and, unfortunately, inconsistent.

The data here represents approximately 15 power-cycle iterations.

Sometimes racoon is restarted. Not entirely clear about the timing. Consistently racoon and a working tunnel is available immediately after the console message

Configuring IPsec VPN... done

appears. However, sometimes racoon is restarted a second time. It is not clear under what circumstances but 3 times (out of 15) the console never finished loading. Twice the last message on the console was:

Starting /usr/local/etc/rc.d/*.sh...done.

Once it got a little further but still hung at:

Bootup complete FreeBSD/i386 (staff1.vineyardtransit.com) (console) *** Welcome to pfSense 1.2-BETA-1-embedded on staff1 ***

Once the console finished loading; but shortly after it was done, racoon was restarted. Another time racoon restarted almost 5 minutes after boot was 'complete.'

At all 5 of these occasions racoon reports that it received a signal 15 and a few seconds later it is restarted.  Prior to this second start-up the IPSec tunnel is fine.  After this second start-up phase 2 negotiation fails even tho a phase 1 SA is achieved. As before, if I stop/start racoon manually (ssh works fine), all is well.

Since the Generating RRD Graphs section takes almost 4 minutes to load, this means that the IPSec is established and working for an appreciable period before it breaks.

Interestingly, without the Hi/Fn card, racoon is still restarted; however, it works when it comes back up.

Sorry this report is so chaotic.

This depends on the other vpn-router, not pfSense. I can't say anything about that as I don't know what device you are using there. You have to find a way to transfer the shown configuration on that device or it won't work.

Ok,

now Im really lost. I did my setup with the help of this tutorial two or three times now and I do not see any differences between the tutorial and my two machines.

Only difference is that my static machine has two interfaces with WAN being the dynamic interface with PPPoE and OPT1 being the static interface like I wrote in my other thread where I was told to update my static box to the latest snapshot because of IPSec on OPT1 not being possible.

@mnsmani:

…
Apr 20 09:48:52 racoon: INFO: 192.168.2.99[500] used as isakmp port (fd=17)
…
Apr 20 09:48:52 racoon: INFO: 121.247.124.90[500] used as isakmp port (fd=19)
…
also, as is damn strange enough, I see that this conf connects from one side, and does not connect from other side. but I could not reproduce that scenario myself :(

Is one of the peers behind another NAT with it's WAN in a private IP-Space? Seems to be the case from the logs. In that case you most likely will only be able to connect from the end behind the NAT to the other end as the NAT is preventing one end to be reached from the internet directly. I would try to get the both pfSense to real WAN IPs with nothing but transparent equipement (like modems) in front of them.

Ahh,

I somehow expected an new iso image and was looking for it on the downloads page  ;D

But OK, I downloaded the snapshot and am looking for how to install it, I guess its done via General -> Firmware?

Ah, someone on IRC mentioned google for this and now the snapshot is installed. Now waiting for someone to appear at the other office for a test :)