  • 9/18/07 snapshot - IPSEC issues
    Locked · 3 posts · 2k views
    Last reply: There were some major IPsec problems in some snapshots around that timeframe. They should all be cleared up now; try a snapshot from today.

  • Ipsec tunnel on second wan connection
    Locked · 5 posts · 2k views
    Last reply: You will need a static route for the traffic to be directed out the proper WAN interface.

  • Trying to set up connection for Mobile Clients
    Locked · 1 post · 3k views · No one has replied

  • How to set up "lan to lan"?
    Locked · 13 posts · 5k views
    Last reply: I'm not sure what I'm doing wrong here, but I don't get DHCP relay working over IPsec; is that possible in the first place? Also, I'm trying to trunk 2 VLANs from a Cisco without success. I have set up the VLANs with the correct tagging (as they come from the Cisco), but I can't get the inside (remote VPN) Cisco working; I can't even see info with CDP. How should I set up the trunk port? Should the LAN interface be bridged with the native VLAN from the Cisco and then the second VLAN bridged with LAN? I'd be one happy pfSense user if I could get either of those two scenarios working ;) regards /F

  • Anybody successfully connected a Zyxel 662 via IPSEC to pfSense?
    Locked · 6 posts · 8k views
    Last reply: Found that this is NAT-T enabled and then disabled again. During the change there is something weird going on, but the tunnel still does not get established. Please look at the second log I sent. This is looking at a similar problem: http://forum.pfsense.org/index.php/topic,5473.0.html But I am using IPsec on the WAN interface, so probably not a routing problem. A problem with CARP? I don't think so, because I have a different site with a m0n0wall connecting perfectly; only the Zyxel is bugging me! I set the MTU on the Zyxel to 1400 just to make sure it is not ADSL that is eliminating the reply and thus causing the timeout, but no result. Any ideas? Thanks!

  • IPSec with asn1dn identifier
    Locked · 7 posts · 7k views
    Last reply: If the server needs to be identified as well, the peers_identifier asn1dn option is also necessary.

  • IPSEC NAT-T
    Locked · 1 post · 2k views · No one has replied

  • VPN'S having ping times in the 1500 to 3000 time frame ???
    Locked · 1 post · 2k views · No one has replied

  • Ipsec lan to lan (pfsense behind routers)
    Locked · 2 posts · 3k views
    Last reply: You will need to add rules to allow UDP 500 and ESP on your pfSenses' WAN interfaces.

  • New deployment with VPN support
    Locked · 4 posts · 2k views
    Last reply (GruensFroeschli): By default there are no rules, and thus everything is blocked.

  • Netgear FVS 318v3
    Locked · 3 posts · 2k views
    Last reply: I found out that the secret word was too long. I made it shorter. I got it working. I have this tunnel working one way as well: I can go to their end but can't come back.

  • Upgraded from 1.0.1 to 1.2 RC1 and Ipsec is not working
    Locked · 17 posts · 7k views
    Last reply: Go to Firewall -> Rules, then select the WAN tab, then click the little square with a plus icon. Then create a rule to allow the ESP protocol and another to allow UDP port 500.

  • Ipsec routing
    Locked · 8 posts · 4k views
    Last reply: No matter of priority between IPsec and the locally attached network (it seems that IPsec gets over locals). I think you have to play more with subnetting/supernetting techniques. The problem is that for 10/8 on A you have to use e.g. 10.2.0.0/15, which includes the 10.2/24 and 10.3/24 networks:

        (10.2/15)  box A <---(tun A-C)---> ipsec to other networks, works fine
                     ^
                     |
                 (tun A-B)
                     |
                     v
                   box B   (10.1/16)
                  ----|----
                  |       |
                 LAN    OPT1
               10.1/24  10.1.1/24

  • IPSEC routing and outbound NAT
    Locked · 1 post · 2k views · No one has replied

  • Errors after PSK->Certs: failed to get subjectAltName
    Locked · 2 posts · 8k views
    Last reply: Solved - for those who are interested: I made my certs with XCA (a very good open-source CA solution) ... and there I defined no Subject Alternative Name inside the certificate ... After I created new certs with IP:123.123.123.123 (same as the CN) as an alternative name, all works as it should!

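The fix in that reply, an IP subjectAltName equal to the peer identifier, can be reproduced and checked with OpenSSL. The shell script below is an added example, not code from the thread, from pfSense or from XCA. It assumes OpenSSL 1.1.1 or newer (for `req -addext`), uses the placeholder peer IP 192.0.2.10 and temporary file names, and only checks the certificate itself; it does not reproduce racoon's own identifier matching.

```shell
#!/bin/sh
# Added example (not from the thread): build a peer certificate that carries the
# IPsec identifier as an IP subjectAltName, and check for it the way a peer
# that matches on SAN would. Assumes OpenSSL 1.1.1+ (-addext). The peer IP
# 192.0.2.10 is a placeholder from the documentation range.

PEER_IP="${PEER_IP:-192.0.2.10}"

# make_peer_cert WITH_SAN -> prints the path of a fresh self-signed certificate.
# WITH_SAN=yes adds "subjectAltName=IP:<peer>"; WITH_SAN=no reproduces the
# CN-only certificate that triggers "failed to get subjectAltName".
make_peer_cert() {
    with_san="$1"
    dir=$(mktemp -d)
    if [ "$with_san" = yes ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=${PEER_IP}" -addext "subjectAltName=IP:${PEER_IP}" \
            -keyout "$dir/peer.key" -out "$dir/peer.crt" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=${PEER_IP}" \
            -keyout "$dir/peer.key" -out "$dir/peer.crt" >/dev/null 2>&1
    fi
    echo "$dir/peer.crt"
}

# san_has_ip CERT IP -> exit 0 only if the certificate's SAN extension lists
# exactly that IP address. The CN is deliberately ignored: a peer matching on
# SAN does not fall back to CN, which is why the CN-only certificate failed.
san_has_ip() {
    cert="$1"
    ip="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^ *//' \
        | grep -qxF "IP Address:${ip}"
}

# Demonstration: the CN-only certificate fails the check, the SAN one passes.
good=$(make_peer_cert yes)
bad=$(make_peer_cert no)
san_has_ip "$good" "$PEER_IP" && echo "with SAN: identifier ${PEER_IP} found"
san_has_ip "$bad" "$PEER_IP" || echo "CN only:  no subjectAltName, peer would reject"
```

Run it with `PEER_IP=<your WAN address> sh check_san.sh`; the same `san_has_ip` check can be pointed at a certificate exported from XCA to confirm the SAN is present before loading it into the tunnel.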
  • Routing over IPSec
    Locked · 8 posts · 5k views
    Last reply: Like I said, I use this on m0n0wall. Could it be the type of tunnel? This is the rest of my IPsec tunnel config:

        Interface: WAN
        Local Subnet: Type Network, 192.168.0.0/24
        Remote Subnet: 192.168.1.0/24
        Remote Gateway: 244.244.244.244
        Description: test

        Phase 1 proposal (Authentication)
        Negotiation mode: Aggressive
        My identifier: My IP address
        Encryption algorithm: 3DES
        Hash algorithm: SHA1
        DH key group: 2
        Authentication method: pre-shared key
        Pre-Shared Key: your preshared key (I use different ones for each tunnel.)

        Phase 2 proposal (SA/Key Exchange)
        Protocol: ESP
        Encryption algorithms: 3DES
        Hash algorithm: SHA1
        PFS key group: off

    That is the rest of my config. I am not able to test pfSense for the tunnel at the moment. Regards, Johan

  • 1.2rc1 Racoon won't start
    Locked · 1 post · 2k views · No one has replied

  • 
    3 posts · 2k views
    Last reply: Hello, thank you very much for your advice. Unfortunately I cannot rely on "I assume they are not going to change IPs". In my first post, I said that firewall rules on the IPsec port are not an option. I don't know all of these guys well and some are quite savvy. This is about the highest possible security and not having to spend dedicated hardware on each. I guess OpenVPN would be the better choice, but some of the users are connecting their IPsec-capable DSL routers, and of course those don't do OpenVPN. :-( Maybe there is a more advanced option? Do you know of any options I could feed directly into the config (non-GUI)? Thanks!

  • Racoon: INFO: unsupported PF_KEY message REGISTER
    Locked · 2 posts · 7k views
    Last reply: I have started to see this problem now as well on a previously working (not changed IPsec) tunnel after testing the 1.2 beta / RC versions. I will do a test with an older version to see if it works again. ///Dan Lundqvist

  • Failover and Mobile client
    Locked · 1 post · 2k views · No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.