Yes, it will be present in the upcoming version 1.1 of pfsense, not in 1.0.

Already exists in -HEAD.

LAN A–-----------------LAN/pfSenseA/IPSEC-----------------------IPSEC/pfSenseB/LAN---------------LAN B

Don't get confused that it looks like a seperate Interface up there. IPSEC is completely transparent between the two pfSenses once established, it doesn't cross the WAN interfaces even (seen from the packetfilters view).

As I said you only can control incoming connections on an interface. So the rules at the LAN interface of pfSenseA determines what can move over the IPSEC to pfSenseB. pfSenseB can't block connections incoming over IPSEC as it's not an interface seen by the packet filter. The same applies for the other direction. Rules at LAN interface of pfSenseB can pass/block traffic going through the IPSEC to pfSenseA only.

I hope this makes it a bit more clear.

check the ipsec logs of both sides (client and pfsense). You might find a hint there.

can i create rules in open vpn ?

@hoba:

That's actually not a real error. it just tells you that there already was a policy for this connection but it got replaced when you edited the tunnel. It should simply work. I have the exactly same config using a pfsense with static IP and another pfsense and a m0n0 joininng with dynamic IPs. It's working for more than a month already without any glitches.

It´s working. Just like the tutorial show. I´ve solved some bugs in my configuration and that´s all.
Thanks everyone.
Diego

@diegote:

I´ve tried to connect 2 PC using IPSEC tunnel. This is correct? or one has to be Mobile client?? Somebody could create a tunnel?? I`ve tried so many configurations and nothing (in SAD nothing, in SPD always show 2 records, for incoming and outgoing policy).

It works!!!! in a private LAN.
Im trying to connect an ADSL (mobile client) to a Static IP. I´m using the configuration show in the tutorial with the FQDN (email & secret key) but doesn´t work. Ive copied LAN private configuration (for de phases, not the Network config).

The funny thing is, I could create a tunnel using ADSL IP like static IP, and the real static IP on the other side.

THANKS A LOT FOR EVERYTHING!!!!

I answered that at the m0n0 list a long time ago in a galaxy far far away: http://www.m0n0.ch/wall/list/showmsg.php?id=160/29
It's the same situation with pfSense atm. Using static routes across VPN-Tunnels doesn't work yet.

Problem ist the default MTU Setting from D-Link DFL-1100.

after change the MTU from 1424 to 1472 Filetransfer and also intranet websites will work now.

http://forum.pfsense.org/index.php?topic=927.msg5562#msg5562

Why MTU 1472 ? I try on a workstation behind pfsense to ping a workstation behind the D-Link.

ping 172.16.170.8 -f -l 1472

Ping wird ausgeführt für 172.16.170.8 mit 1472 Bytes Daten:

Antwort von 172.16.170.8: Bytes=1472 Zeit=47ms TTL=126
Antwort von 172.16.170.8: Bytes=1472 Zeit=48ms TTL=126

ping 172.16.180.8 -f -l 1473

Ping wird ausgeführt für 172.16.180.8 mit 1473 Bytes Daten:

Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.
Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.

Ping-Statistik für 172.16.180.8:
    Pakete: Gesendet = 2, Empfangen = 0, Verloren = 2 (100% Verlust),

Looks like user error was to blame as I was able to get my IPSec tunnel up with my workplace's NetScreen firewall.

Thanks,

– Phob

Thanks CMB, it's possible my client is out of date on the machine so I'll upgrade it over the next or two and post my findings back.

@kph:

Does anyone know a working (free?) vpn client for Windows 2000/XP? that can connect to a PFsense (beat2) machine, without having to open any external ports (500 UDP)

without having to open ports?  No.  I've never heard of any VPN client, commercial or otherwise, that lets you connect without any open ports.  You could combine something like port knocking with a VPN client to accomplish this.

@kph:

ps. does anyone know why they Cisco VPN client does'nt work with PFsense (beta2)?

Because it's not a normal, standard IPsec VPN client.  It requires xauth, which isn't going to be supported in 1.0.

ok thanks,
will work now also with static tunnel.
I have changed my lan IPs so routing is easyer..

I'm happy to report that two IPSec passthrough connections work just fine from two different hosts into two different servers.

One is Sonicwall GVPN client to my employer's Sonciwall server.  The other is Contivity client to a customer's server.

In fact I should be able to test a third simultaneous connection tonight.  It'll also be Contivity, but into a third server.  I have other client software, but don't think I have any other currently active accounts to test with.

I'm tickled – this was always somewhat problematic with previous firewall/NAT devices.

I don't know if I understand you but PPTP has nothing to do with IPSEC. There are fields for specifying the subnetmask for each network when editing the tunnels. Maybe http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ will get you started though this handles some kind of "special" configuration.

Re-read what hoba said carefully.

are you using wraps running pfsense or anything else?

Again, its an issue with the client.

@djno:

I will check the GreenBow settings. And I'm connecting to the CARP IP.
The failover IPsec settings look good, well at least when I switch off the main fw, the backup fw creates also the IPsec tunnel (VPN always up)
Thank you for the hint concerning "prefer older SAs"

I know that the IPsec traffic cannot be filtered but  I still don't understand the following line in the IPsec logs

racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in

I am also getting this problem, it would seem that the rules are not being generated and applied properly for on the fly (road warrior) connections.  Since "static" vpn's have the subnets etc setup from the get go I'm not surprised that they work with no error.

I have tried :-
TauVPN 0.36 0.36 0.40
The Green Bow 2.5.1.008

and all result in the same error in the ipsec logs.

Sadly I'm poking arround on the cmd line is my limit (and i could not find ipsec.conf to "setkey" it).