• Tunnel accessible one way

    Add a firewall rule like this at the load-balancing pfSense (top of the firewall rules): pass, protocol any, source LAN subnet, destination network 10.0.0.0/24, gateway default. This will fix it.
  • Multiple machines VPN to same endpoint with VPN Client through pf

    I found a solution to my problem. I do not think it is a good solution, but it works well for the moment. On the pfSense (1.0.1) I just activated the "Enable advanced outbound NAT".
  • LAN TO LAN WITH 4 VPN TUNNEL (REDUNDANT)

    Dear hoba: Please, I need help; I can't resolve this problem. I will go crazy. My config is the following:

                LAN
                 |
            (pfSense 1)
             |        |
        ISP1 (WAN)  ISP2 (OPT-WAN)
             |        |
            ( Internet )
                 |
                ISP3
                 |
            pfSense2 (waiting for mobile clients)
                 |
                LAN

    Both pfSense boxes have static IPs. pfSense-1 has the load balancer and Squid. The tunnel is established with ISP1 and ISP3, using mobile clients in pfsense3. Unless ISP1 is down, then it switches to ISP2.

    The following problems happen when ISP1 is down:

    A) I manually change the IPsec VPN start point to ISP2 (now the tunnel is between ISP2 and ISP), but no connection is established unless I add the following static route: <opt1> <destination 32 end point> <opt1-gw>
    B) pfSense can't resolve DNS unless I add the following static route: <opt1> <destination 32 dns server> <opt1-gw>
    C) Squid (running on pfSense 1) doesn't work in any form.

    Problems A and B are resolved with a static route, C can't be, but when ISP1 is up again, I need to change the IPsec VPN start point again (because ISP1 is better) and delete all static routes. The real problem is writing and deleting a static route continuously with time I criticize of production that this uses. My idea is to only change the ISP start point manually (only change the combo in IPsec VPN) and have everything work fine. Is that possible? If not, do you know another solution? Any solution for Squid when WAN is down?
  • IPSEC to CARP cluster

    @morbus: I tested the failover yesterday and it all worked fine, except that the CARP copying (XML-RPC I guess) didn't copy the 'Failover IPSEC IP' to the slave, so the slave was trying to use its own IP and the remote end was using the CARP one. I just had to fill in the 'Failover IPSEC IP' on the slave and it worked fine. Yep. Sorry, I forgot that step. Glad that it is working now.
  • PfSense to FreeBSD VPN/IPsec

    @J.Borg: @hoba: Guess because it's a gif/ipsec tunnel? You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine. Thank you, after I edited spdadd as per your advice things start to look better now (have not edited gif on FreeBSD client 1 side, however). I can reach the Client 2 phone system. Some more work is needed… Dear all, I want to make a connection between pfSense and FreeBSD 6.2RC via IPsec, but it does not work. Could anyone establish it successfully?
  • Connecting to Remote (Dynamic IP Address) Gateway

    I am using OpenVPN for now because I have two DHCP endpoints.
  • Pfsense monowall and IPSEC

    @moffl: For your info: don't know what I am missing. Tried it, no go. Just set up an IPsec tunnel on 2 different computers over a completely different network and it is responding exactly the same: can't receive email, cannot download files, cannot remote. It may be my imagination running away right now, but it seems when you first start the email program or a download there is the first initial install, then it stops. Hope this helps. Are you sure routing is set up correctly back and forth? Besides that, it somehow sounds like an MTU issue. Lower the MTUs at both WANs (m0n0 and pfSense) to 1300. If that helps, raise the values step by step until it breaks again and go back one step. I had a m0n0-pfSense tunnel from work to home for several months and was able to use my Outlook at home connecting to the Exchange server at the office without issues. Oh, wait… "Routes are in place"??? You don't need static routes. Only set up the tunnels. The routing is determined by the local and remote LAN of the tunnel definition.
  • Why pfSense doesn't support larger DH groups?

    It is my understanding that we support everything that the FreeBSD kernel + racoon supports. Feel free to supply diffs in unified format if this is not the case.
  • Netopia 3381-ENT to Pfsense 1.0.1

    I have not seen a Netopia VPN configuration screen yet, but if you paste some screenshots I might be able to help you. Some vendors call some options something different or break up the options into several screens that reference each other. Also, logs of a connection attempt could be useful.
  • Exchange type 6

    Yep, I have the same problem. Does anyone have any clue how to solve it? Greetings, Marcel
  • Failover IPSec - sasyncd.conf is missing

    I can see it on my keyboard, so I use them :-)
  • Invalid argument

    What happens if you increase the PFS key group setting to 2 on the second layer? I had this problem also, renewed the setup several times and now it's gone (now using ESP-3DES-SHA1-PFS Key 2).
  • Two VPN with dual wan

    pfSense has OpenVPN. I would imagine this would work fine with the push routes feature? Not sure, I don't even run OpenVPN, but I don't see why it wouldn't work.
  • IPSEC connected but cannot ping remote network.

    Personally I would give OpenVPN a try over PPTP.
  • Can't enable my ipsec tunne

    No one has replied
  • IPSec endpoint at LAN

    No one has replied
  • IPSec VPN with Cisco PIX

    No one has replied
  • Can iVPN be used in Roadwarrior?

    I would like to know that as well. My clients are using SIMs/smartcards to store an identifier and I'm wondering if I can read some sort of key from those SIMs rather than a cert.
  • IPSec for RoadWarriors on Windows using SIM/Smartcards?

    No one has replied
  • Upstream Squid Proxy via IPSEC

    I was able to work around this by creating a port forward NAT rule on the LAN interface with the IP as ANY, the external port as HTTP and the internal IP/port as 192.168.0.12:8080. Then I disabled the local Squid proxy.