Hi ermal,

Some feedback: The 2.2-ALPHA runs smoothly on a two-ether eBox just out of the box. I made tests with nanoBSD's 2GB VGA version.

Until now, I have noticed no issues with this version. Thanks for the info about the RDC 6040 (if_vte.ko) driver.

I will keep you devs informed.

Just to let everybody know, reinstalled and upgraded to latest alpha, now it works perfectly!

Should be fixed with next coming snapshot.

Looks like that happens if you have no aliases defined. I just pushed a fix, new snapshots later should be OK.

That's great thanks. At least it wasn't a noob mistake from me for a change ;-)

I'll try again over the weekend…

For most, OpenVPN is much less of a pain than IPsec when it comes to mobile access. It's a lot more flexible and more likely to work from remote locations.

@vindenesen:

Probably a copy&paste error. It's the bottom rule you want.

Thanks!
Hopefully developers will see this post and fix it.

Edit: Reported at https://redmine.pfsense.org/projects/pfsense/issues

After looking around further creating an Alias of URLS in a URL_table(IPs) then creating Floating rules based on these aliases the rules do not populate the pf tables after saving them, you can see this by the command "pfctl -s labels".

After executing the command "pfctl -t -T replace -f /PATH/TO/

" manually the tables then load and function as expected per "pfctl -s labels".

Also with these rules in place it takes 13 minutes for pfSense to boot at the first instance of "loading firewall" with 99.8 to 100% idle per Top during this idle time.

From what I see the alias tables do not get populated and the floating rules based on these aliases do not function without manual intervention using the pfctl command. I am resorting to set up a cron job to reload the tables manually.

Guys, am I missing something here?

This seems to be fixed now, thanks!

Thanks mgsmith - I've just tried setting rekey=yes and restarting ipsec using "ipsec restart" on the command line and I can verify that the correct lifetime is used and IKE is successfully established. Hurrah!

From the PA-200's logs;

2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = AES:3DES 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 128:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = 3DES:3DES 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:283:get_ph1approval(): an acceptable proposal found. admin@firewall> show vpn ike-sa gateway FirewallVM phase-1 SAs GwID/client IP  Peer-Address          Gateway Name          Role Mode Algorithm          Established    Expiration      V  ST Xt Phase2 --------------- ------------          ------------          ---- ---- ---------          -----------    ----------      -  -- -- ------               1 pf.sense.ip.address:4500    FirewallVM            Resp Main PSK/DH2/3DES/SHA1 Aug.07 15:03:23 Aug.07 23:03:23 v1 12  2      0

Exactly what I was missing then, worked like a charm.  Thanks!

@mais_um:

Hi

Delete your browser cache.

Thanks.  I only just had time to test it again and it fixed itself over time.  Probably because of cache expiration or something.

Yes I assigned it when I did the installer. I'll do it again on Monday to see what if anything happens.

very good info…havent have a hand on ip fire yet but i need to see this working..thanks a lot

I was able to solve my issue:

The D-Link DUB-E100 Ethernet USB adapters I've used seems to be not fully supported in the C1 hardware version. The fact that I did use two of those adapters and both of them work properly with an PPPoE DSL modem mislead me to search in the firewalls configuration.

So with the current 2.2-ALPHA ICMP, PPPoE and assumable other layer 3 traffic works with the DUB-E100 C1 adapter but any layer 4 traffic like TCP, UDP is lost somewhere. I'm now using a Delock 61969 USB Ethernet adapter for my OPT1 network which works like a charm..

Note #4 of this bug seems to cover this:
  https://redmine.pfsense.org/issues/3747#note-4

Duh… Thanks Jiimp for hitting me in the head... Working.