  • IPSec not working after Update to 1.2-BETA-1-TESTING-SNAPSHOT-06-04-2007

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    Thanks for that. I have to say I agree that hidden rules are bad. Maybe you could do the same as with NAT and auto create a rule if the check box is checked. Either way it needs to be consistent between creating a rule for a carp and a wan. Especially given that the carp address/interface is now selected from the same dropdown as the WAN interface. Thanks for a great firewall.
  • How many simultaneous L2TP connections can pfSense handle?

    Locked
    4
    0 Votes
    4 Posts
    8k Views
    I'm not a Linux guru, and never heard of strongswan until you mentioned it. From a quick Google, it's IPsec for remote access. The issue with IPsec is, unless you have a commercial solution that comes with a client (Cisco, probably others), there are issues getting client software on Windows machines (and I assume that's the majority of what you'll need to support). There is the Shrew Soft client, and I know the author hangs out on our mailing list and people do use it with pfsense. http://www.shrew.net/ OpenVPN is more convenient, IMO, because you can use a single client across every platform you need to support (Windows, OS X, BSD, Linux). With IPsec, you would have a different client from a different source for every platform (again, unless you had a commercial solution). If I was going with a large scale open source deployment, I would go with OpenVPN in most environments. For around 100 simultaneous connections, I would go with a Pentium 4 or better box. That should leave you plenty of power to spare.
  • Range in SPD.CONF

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSEC does not work with more than one Tunnel

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    Fixed recently: http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/vpn.inc?rev=1.89.2.29.2.8;content-type=text%2Fplain
  • Routing IPSEC

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pfsense and isakmpd

    Locked
    9
    0 Votes
    9 Posts
    6k Views
    There were some issues with IPsec and snapshots up until earlier today. Try a new snapshot.
  • MANUAL KEY Ipsec without IKE

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Hi again

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Ipsec VPN from any IP

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSec Tunnel Static-Static no routing between sites

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    @nbviegas: My issue is basically routing then. Weirdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go through interface ENC0 (IPSec to pfsense B). As per the default gw of pfsense I have - default 10.0.0.138 UGS 0 682017 1500 fxp0 - which is the IP Address of the ADSL Router. Is there any issue with this setup? It's not routing. As I said before, there is no routing involved with IPsec, as far as the routing table is concerned. It's the SPD that encapsulates matching traffic and sends it to the destination. @nbviegas: What do you mean by "Is the default gateway of every system involved pfsense?". From what I get the existing DHCP server gives the default gw as the pfsense LAN IP address. If you're using pfsense for DHCP for everything and don't have anything statically addressed then you don't have to worry about what the gateways are set to. Since the traffic is getting logged at the source end, what about at the destination end if you enable logging there?
  • PfSense IPSec to OpenSwan IPSec

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • IPSEC and Transparent Proxy

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Interfaces with VLANs and IPsec

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • ERROR: failed to pre-process packet.

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • NEWBIE IPSEC Question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdashD
    VPN on OPT1 should work fine provided you are using a 1.2 beta. It was not working on 1.0.1 release.
  • VLAN and ipsec

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    Hi, finally works with release 1.2-BETA-1… I permitted traffic between pc1 and pc2... working cool now.. thanks everybody
  • Multiple Network Passing Tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Thanks Hoba. I had searched the forum, the advice is having parallel tunnel with unique identifier. 1. In the IPSec Tunnel setting, in phase 1, I choose identifier as My IP address and in pre-shared secret, I put in the entry identifier - IP of the box at remote site and the shared secret. In order to have unique identifier as mentioned, I will not use My IP address? Sorry I am a bit blur in this Identifier setting. 2. If the tunnel I pair up with a checkpoint firewall, so at the checkpoint side I will need to create multiple tunnel also? In check point I did not see any setting for identified? How can I make the tunnel unique?
  • Errors building site to site preshared key vpn

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Okay, I solved it: it's an issue with remote subnet. When you get same errors check the net that is given to you. If you don't have an IP calculator at hand: go to http://jodies.de/ipcalc, scroll down and check. Cheers :) stefan
  • One Way kinda?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    IPSEC filtering is a new feature of 1.2. 1.0.1 was always passing all incoming IPSEC traffic. If you upgrade from an old version we'll install a pass any rule at IPSEC so things will work the way they did like with 1.0.1. However, if you do a fresh install of 1.2 this rule is not present which means everything incoming through a tunnel will be blocked by default. Just create a rule at firewall>rules, IPSEC to allow the desired traffic.
  • Racoon with adminport compiled in?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.