1. Even though you need to NAT for your inside hosts, IPSec is listening on the WAN interface.

2. Not sure but my guess would be no (without a lot of easy configuration changes)

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the “Prefer old IPSec SA” checkbox under System -> Advanced.  Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs.  That was the heart of a lot of my IPSec troubles.

Do you have the WAN as the local endpoint and LAN Subnet as the local subnet on each side? I believe there is still an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).

What are you using as your local identifier, IP or FQDN?

Once you get a session up, can you do a “ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>” from the Diag -> Command Prompt tab?

Thanks

John
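The ping check John suggests above, wrapped in a small script, as an added example that is not code from this thread or from pfSense. Sourcing the probe from the LAN address (`-S`) matters: a ping sourced from the WAN address never matches the tunnel's LAN-to-LAN policy, so it says nothing about whether the SA actually carries traffic. The sample ping outputs and the 192.168.1.1 / 192.168.2.1 addresses are constructed for the demo, not captured from a real box.

```shell
# Added example, not from the thread or pfSense: automate the
# "ping -c 5 -S <local lan ip> <remote lan ip>" tunnel check and parse
# the ping summary so a script can tell "SA up, no traffic" from "works".

# Read ping output on stdin, print the packet-loss percentage (integer part).
# Matches both FreeBSD ("0.0% packet loss") and Linux ("0% packet loss").
ping_loss_pct() {
    sed -n 's/.*, \([0-9][0-9]*\)\(\.[0-9]*\)*% packet loss.*/\1/p' | head -n 1
}

# Read ping output on stdin; succeed only if at least one reply came back
# (loss below 100%). No summary line at all (ping aborted) counts as failure.
tunnel_passes() {
    loss=$(ping_loss_pct)
    [ -n "$loss" ] && [ "$loss" -lt 100 ]
}

# Run the real check on the firewall. The probes are sourced from the LAN
# address so they fall under the LAN-to-LAN IPsec policy instead of leaving
# the WAN untunnelled. Usage: check_tunnel <local lan ip> <remote lan ip>
check_tunnel() {
    ping -c 5 -S "$1" "$2" 2>&1 | tunnel_passes
}

# Constructed sample outputs (addresses are assumptions for the demo).
SAMPLE_OK='PING 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=31.2 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=30.8 ms

--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 30.8/31.0/31.2/0.2 ms'

# The symptom described in the thread: SA negotiated, nothing crosses.
SAMPLE_DEAD='PING 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes

--- 192.168.2.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss'

# Demo on the constructed samples: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_OK"   | tunnel_passes && echo "sample 1: traffic passes"
    printf '%s\n' "$SAMPLE_DEAD" | tunnel_passes || echo "sample 2: SA up but no traffic"
fi
```

If `check_tunnel` fails while the SA shows as established, the next things to look at are the ones the thread raises: whether both sides use WAN as endpoint and the LAN subnet as local network, and whether the DSL routers forward UDP 4500 as well as UDP 500 so NAT-T can be negotiated.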


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 2:38 AM
To: support@pfsense.com
Subject: [pfSense Support] Problem with ipsec tunnel

Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. There we had mainly 2 problems: first, we both have dynamic IPs (but this could be solved, for example, by looking at the IP given by the provider and setting up the tunnel with that IP). Second, we both are behind a DSL router, so the pfSense boxes are both NATed..
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a dyndns record, etc. But I had problems.. the ipsec SA establishes, SDP also, but at the end I cannot have traffic passing. NO traffic dropped in firewall logs.... On the routers, we redirected only port 500/UDP from the router to the pfSense boxes...
So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early ipsec-over-udp implementations, I can remember there were some problems in such a configuration
2) if it is possible, do I have to redirect other ports? In the Linux ipsec implementation, when I use NAT-T I had to rdr port 4500/UDP, but on my pfSense box I cannot see such a port open....
3) ..and in the end.. am I missing something? I do not have my box with me now, but I can recall the settings very well..


I'm using 02-20 SNAPSHOT.
Thank you, guys.. very much.
Tom
