Found that this is NAT-T enabled and then disabled again. during the change there is something weird going on, but the tunnel still does not get established. Please look at the second log I sent. This is looking at a similar problem. http://forum.pfsense.org/index.php/topic,5473.0.html But I am using the IPSEC on the WAN interface so probably not a routing problem - problem with CARP? -I don't think so because I have a different site with a m0n0wall connecting perfectly, only the Zyxel is bugging me! I set the MTU on the zyxel to 1400 just to make sure it is not ADSL that is eliminating the reply and thus the timeout, but no result. Any ideas? Thanks!

if the server needs to be identified as well, peers_identifier asn1dn option is also necessary

You will need to add rules to allow UDP 500 and ESP on your pfsenses wan interfaces

Per default there are no rules and thus block everything.

I found out that the secret word was too long.  I made it shorter.  I got it working.  I have this tunnel working one way as well.  I can go to their end but can't come back.

go to Firewall -> Rules the select the wan tab then click the little square with a plus icon. then create a rule to allow the ESP protocol and another to allow UDP port 500

No matter of priority between IPSEC and local atached network (it seems that IPSEC gets over locals). I think U have to play more with subneting/superneting techniques. The problem is that 10/8 on A you have to use eg 10.2.0.0/15 which includes 10.2/24 and 10.3/24 networks: (10.2/15)       box A <–-(tun A-C)---> ipsec to other networks, works fine         A         |     (tun A-B)         |         V       box B                          (10.1/16)                      ----|----                      |        |   LAN    OPT1 10.1/24  10.1.1/24

Solved - for those who are interested: I made my Certs with XCA (very good Opensource CA solution) … and there i defined inside the Certificate no Subject Alternative Name ... after i created new certs with IP:123.123.123.123 (same as CN) as a alternative name, all works as it should!

Like i said i use this on M0n0wall. Could it be the type of tunnel? this is the rest of my ipsec tunnel config Interface            WAN Local Subnet        Type Network                     192.168.0.0 /24 Remote Subnet    192.168.1.0 /24 Remote Gateway    244.244.244.244 Description test Phase 1 proposal (Authentication) Negotiation mode  Aggressive My identifier        My ipadress Encryption algorithm    3Des Hash algorithm    SHA1 DH key group    2 Authentication method    pre shared key Pre-Shared Key      your preshared key  (i use different ones for each tunnel.) Phase 2 proposal (SA/Key Exchange) Protocol    ESP Encryption algorithms    3Des Hash algorithm    SHA1 PFS key group    off that is the rest of my config. I am not able to test pfsense for the tunnel at the moment. regards, Johan

Hello, thank you very much for your advice. Unfortunately I cannot rely on "I assume they are not going to change IPs". In my first post, I said that firewall rules on IPSEC port are not an option. I don't know all of these guys well and some are quite savvy. - This is about highest possible security and not having to spend a dedicated hardware each. I guess OpenVPN would be the better choice, but some of the users are connecting their IPSec capable DSL routers and of course those don't do OpenVPN. :-( Maybe there is a more advanced option? Do you know of any options I could feed directly into the config (non-GUI)? Thanks!

I have started to see this problem now as well on a previously working (not changed IPSec) tunnel after testing the 1.2 beta / RC versions. I will do a test with an older version to see if it works again. ///Dan Lundqvist

That's normal and if you search the forum you'll find many posts asking the same question  ;)

Not all guis have all settings at one page. Some vendors prefer to have multiple pages for that and reference one of the settings from another screen. Other vendors hardcode some of the settings and you have to know what they have set them to on the other end. I have pfSense systems connected to several other products via ipsec. It's sometimes hard to find out how to configure them but in the end it always worked for me.

This was discussed yesterday.  Please search before blindly opening forum topics.

It must be at least natting which can cause problems as you have a private IP behind it.