  • Traffic Stop on IPSec Connection

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    S
    The problem is the default MTU setting of the D-Link DFL-1100. After changing the MTU from 1424 to 1472, file transfers and intranet websites work now. http://forum.pfsense.org/index.php?topic=927.msg5562#msg5562
    Why MTU 1472? I tried, on a workstation behind pfsense, to ping a workstation behind the D-Link.
    ping 172.16.170.8 -f -l 1472
    Ping wird ausgeführt für 172.16.170.8 mit 1472 Bytes Daten:
    Antwort von 172.16.170.8: Bytes=1472 Zeit=47ms TTL=126
    Antwort von 172.16.170.8: Bytes=1472 Zeit=48ms TTL=126
    ping 172.16.180.8 -f -l 1473
    Ping wird ausgeführt für 172.16.180.8 mit 1473 Bytes Daten:
    Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.
    Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.
    Ping-Statistik für 172.16.180.8:
        Pakete: Gesendet = 2, Empfangen = 0, Verloren = 2 (100% Verlust),
  • Error in Log

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    P
    Looks like user error was to blame as I was able to get my IPSec tunnel up with my workplace's NetScreen firewall. Thanks, – Phob
  • IPsec connection to commercial CISCO VPN?

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    I
    Thanks CMB, it's possible my client is out of date on the machine so I'll upgrade it over the next or two and post my findings back.
  • VPN client Windows XP

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    C
    @kph: Does anyone know a working (free?) vpn client for Windows 2000/XP? that can connect to a PFsense (beta2) machine, without having to open any external ports (500 UDP)
    without having to open ports? No. I've never heard of any VPN client, commercial or otherwise, that lets you connect without any open ports. You could combine something like port knocking with a VPN client to accomplish this.
    @kph: ps. does anyone know why the Cisco VPN client doesn't work with PFsense (beta2)?
    Because it's not a normal, standard IPsec VPN client. It requires xauth, which isn't going to be supported in 1.0.
  • PfSense IPSec Connection to D-LINK DFL-1100 ?

    Locked
    8
    0 Votes
    8 Posts
    7k Views
    S
    OK thanks, it works now with a static tunnel as well. I have changed my LAN IPs so routing is easier.
  • Multiple IPSec Passthrough?

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    S
    I'm happy to report that two IPSec passthrough connections work just fine from two different hosts into two different servers. One is Sonicwall GVPN client to my employer's Sonicwall server. The other is Contivity client to a customer's server. In fact I should be able to test a third simultaneous connection tonight. It'll also be Contivity, but into a third server. I have other client software, but don't think I have any other currently active accounts to test with. I'm tickled – this was always somewhat problematic with previous firewall/NAT devices.
  • IPSEC Subnets

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H
    I don't know if I understand you but PPTP has nothing to do with IPSEC. There are fields for specifying the subnetmask for each network when editing the tunnels. Maybe http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ will get you started though this handles some kind of "special" configuration.
  • Firewall rules in IPSec tunnel

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    S
    Re-read what hoba said carefully.
  • Maximum number of connections/tunnels

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    S
    are you using wraps running pfsense or anything else?
  • Net to Net with pfsense ?

    Locked
    11
    0 Votes
    11 Posts
    8k Views
    S
    Again, it's an issue with the client.
  • IPsec tunnel looks OK but no firewall rules are generated

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    Q
    @djno: I will check the GreenBow settings. And I'm connecting to the CARP IP. The failover IPsec settings look good, well at least when I switch off the main fw, the backup fw also creates the IPsec tunnel (VPN always up). Thank you for the hint concerning "prefer older SAs". I know that the IPsec traffic cannot be filtered but I still don't understand the following line in the IPsec logs
    racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in
    I am also getting this problem, it would seem that the rules are not being generated and applied properly for on the fly (road warrior) connections. Since "static" VPNs have the subnets etc. set up from the get go I'm not surprised that they work with no error.
    I have tried :- TauVPN 0.36 0.36 0.40 The Green Bow 2.5.1.008 and all result in the same error in the ipsec logs.
    Sadly, poking around on the cmd line is my limit (and I could not find ipsec.conf to "setkey" it).
  • Vpn to sonicwall 3060 dns question

    Locked
    7
    0 Votes
    7 Posts
    8k Views
    H
    beta1 is more than 1 month old. though I don't recall problems with ipsec and beta1 I would suggest trying the latest snapshot embedded build found here: http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-2-06/pfSense.img
  • Site to site ipsec tunnel with ipsc/l2tp

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • What is a valid Dynamic DNS address for 'My identifier'

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    H
    Ah, that makes sense… and actually that sounds pretty excellent :)
  • IPsec Tunnel with certificates.

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    K
    do you have a how to of how i did this?
  • PF Sense to Monowall VPN / Newbie to VPN's

    Locked
    2
    0 Votes
    2 Posts
    9k Views
    H
    Phase one fails for some reason. I guess you have static IPs on WAN so just try the IP addresses as identifier. fqdn only works if they are configured on the other end correctly. I can confirm that m0n0-pfsense-tunnels are working without issues. Already tested that.
  • Alternative VPN tunnel

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    C
    @ZGamer: What I am thinking of attempting to do is setup pfsense as the vpn-client to a remote network, but not running in a site-to-site link in the traditional sense where I could like to be able to enter a username/password combination to establish the vpn-tunnel instead of a RSA sig or pre-shared key. Anyway that this could be possible?
    not at this time.
  • Connecting a Nokia 9300 VPN client to pfsense. Is it possible?

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    Z
    you need to setup a site-to-site vpn connection on the nokia box with a pre-shared key for it to work.
  • PfSense-IPcop VPN

    Locked
    8
    0 Votes
    8 Posts
    13k Views
    H
    It would be appreciated if you record a tutorial for our tutorials section. It's nearly the same as shooting screenshots with wink, but you add some descriptions on top of it instead of placing them between the shots in the text. You'll find examples and info about wink at our tutorials section: http://pfsense.com/index.php?id=36
  • Newbee's Question…

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    F
    Have a look at the Links section of the main website, then look for the How-to link for details about TauVPN.