Re: [pfSense] looking for perfect pfsense box for home?
I can only second what everyone else has said... If cheap is 'best', grab any old box and throw some NICs in it. Downsides of this approach are power consumption and the associated 'mostly works' weirdness of used hardware.

I've found a 4 port j1900 board in a case with rack mount brackets that I put an MSATA SSD and 4 GB of memory in. It lives in my 7U office/lab rack and may be the best PFsense box I've ever built. It has a VGA and USB port on the front if I ever need to get at it that way, and while I am unsure of the power consumption, at $250ish, I'm very happy with it (I recently installed the NUT package and now the PFsense box is even talking to my UPS, thanks to this list!).

When it comes to work (or if I weren't inclined to assemble the system mentioned above), I always specify products from netgate or pfsense, because they 'just work' and the support is awesome.

On Wed, Aug 3, 2016 at 6:13 AM, Karl Fife wrote:
> Honestly that j1900 looks like a really great choice.
>
> I think the right questions would be whether you can tolerate the VGA console, whether it will cost more in terms of power consumption, whether you need the AES-NI instructions. I was going to mention ECC ram, but the netgate box appears to be Non-ECC :-(
>
> Given the role and quantity of RAM, ECC would be a sensible choice IMO.
>
> On 8/3/2016 11:00 AM, Ryan Coleman wrote:
>> And there are many people on the list here who have vouched for the J1900 box mentioned earlier.
>>
>> I am pretty sure we've vetted it; I know I have and I am going to start deploying it at customer sites over NetGate hardware.
>>
>> On Aug 3, 2016, at 10:58 AM, Karl Fife wrote:
>>> +1
>>>
>>> You can buy the 'blessed' hardware alone (e.g. CentOS) from netgate for $300 (2-port) and $350 (4-port). Cheaper than if you buy a preconfigured pfSense appliance with support. Seems like REALLY inexpensive insurance to be using vetted hardware that others are also using.
>>>
>>> In general, I consider cheap networking gear to be a false economy.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup
David,

I am by no means an expert, but am piping up to speak to the quality of the documentation. Just follow the OpenVPN site to site docs, and you should be good.

The tricky bit for me was realizing that the OpenVPN tunnels rely on their own IP space, independent of whatever your regular network addressing scheme is. In your case, if site A is 10.0.0.X and site B is 10.1.0.X, in the setup of the OpenVPN server, your IPV4 tunnel network will be a completely different address space, 192.168.1.X/30 or something... When I setup a site to site IPSEC, it didn't require that, so that is what tripped me up. pfSense (or openVPN) uses that separate subnet for all traffic between those 2 sites. When you setup the tunnel for Site A to C, you'll use another subnet (192.168.2.X/30). Once I wrapped my head around that, everything went pretty smoothly.

(On another project, I had a unit that I'd purchased from the pfSense store, and got to work with their support to get me over the final hump, so if you do have a supported product, don't hesitate to give them a shout... they were awesome).

Aloha,
Jeremy

On Tue, Jun 7, 2016 at 9:03 AM, David White wrote:
> I have a question about setting up persistent OpenVPN connections between a corporate office and several branch offices.
>
> I know that this can be done, but I've never actually done it. Are there some good resources I can review, besides https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site? For branch offices, I do NOT want to route public internet traffic through the VPN at Corporate. Instead, their internet needs to just use their local ISP connection (so I do not want this: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 ).
>
> - We'll have pfSense running both in Corporate as well as in each branch office
> - We want branch office internet traffic to use local ISP, but for traffic hitting the 10.0.0.0/8 network to route through the VPN (I plan on giving each office its own /16 network - i.e. managed network for the network equipment will get 10.1.0.0/16, Corp will get 10.2.0.0/16 and branch office 1 will get 10.3.0.0/16, and so on.
>
> Any pointers would be great.
>
> Thanks,
> David
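Jeremy's point above (the tunnel network is OpenVPN's own address space, separate from the site LANs) together with David's one-/16-per-office layout, as an added example that is not part of the thread: a Python 3 check that the tunnel /30s and the site LANs do not collide, and that derives, hub-and-spoke, which remote networks each end of each tunnel must carry. The site names, the /16 and /30 values, and the hub-and-spoke layout with corp as the hub are constructed assumptions for this example.

```python
import ipaddress
from itertools import combinations

# Everything that should travel over the VPN lives inside this supernet
# (David routes 10.0.0.0/8 through the tunnels; branch internet stays local).
VPN_SUPERNET = ipaddress.ip_network("10.0.0.0/8")

# Constructed plan in the style of the thread: one /16 per office inside 10/8.
SITES = {
    "mgmt": "10.1.0.0/16",     # network equipment, assumed to sit behind corp
    "corp": "10.2.0.0/16",
    "branch1": "10.3.0.0/16",
    "branch2": "10.4.0.0/16",
}

# One OpenVPN site-to-site tunnel per branch, corp as the hub. The tunnel
# network is OpenVPN's own point-to-point /30 and is deliberately NOT carved
# out of any site's LAN space.
TUNNELS = {
    ("corp", "branch1"): "192.168.1.0/30",
    ("corp", "branch2"): "192.168.2.0/30",
}


def check_plan(sites, tunnels, supernet=VPN_SUPERNET):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lans = {name: ipaddress.ip_network(net) for name, net in sites.items()}
    tuns = {pair: ipaddress.ip_network(net) for pair, net in tunnels.items()}

    # Site LANs must sit inside the routed supernet and must not overlap each other.
    for name, lan in lans.items():
        if not lan.subnet_of(supernet):
            problems.append(f"LAN of {name} {lan} is outside {supernet}, so it will not be routed over the VPN")
    for (a, la), (b, lb) in combinations(lans.items(), 2):
        if la.overlaps(lb):
            problems.append(f"LAN overlap: {a} {la} and {b} {lb}")

    # Tunnel networks: point-to-point sized, distinct, known endpoints, outside every LAN.
    for pair, tun in tuns.items():
        if tun.prefixlen != 30:
            problems.append(f"tunnel {pair} {tun} is not a /30")
        for name in pair:
            if name not in lans:
                problems.append(f"tunnel {pair} references unknown site {name}")
        for name, lan in lans.items():
            if tun.overlaps(lan):
                problems.append(f"tunnel {pair} {tun} overlaps LAN of {name} {lan}")
    for (pa, ta), (pb, tb) in combinations(tuns.items(), 2):
        if ta.overlaps(tb):
            problems.append(f"tunnel overlap: {pa} {ta} and {pb} {tb}")
    return problems


def remote_networks(site, hub, sites, tunnels):
    """Map each of `site`'s tunnel networks to the remote LANs it must carry.

    Hub-and-spoke assumption (mine, not from the thread): a spoke peers only
    with the hub, so it sends every other site's LAN down its single tunnel;
    the hub sends each spoke's LAN down that spoke's tunnel. These lists are
    what goes in the 'IPv4 Remote network(s)' field on each side; the tunnel
    /30 itself is never listed there.
    """
    result = {}
    for pair, tun in tunnels.items():
        if site not in pair:
            continue
        peer = pair[0] if pair[1] == site else pair[1]
        if site == hub:
            remotes = [sites[peer]]
        else:
            remotes = [net for name, net in sites.items() if name != site]
        result[tun] = sorted(remotes, key=ipaddress.ip_network)
    return result


if __name__ == "__main__":
    for problem in check_plan(SITES, TUNNELS) or ["plan OK"]:
        print(problem)
    for site in SITES:
        for tun, remotes in remote_networks(site, "corp", SITES, TUNNELS).items():
            print(f"{site}: tunnel {tun} -> remote networks {', '.join(remotes)}")
```

Run it as-is and it prints "plan OK" followed by the per-tunnel remote-network lists; move a tunnel /30 into one of the /16s and `check_plan` reports the overlap, which is exactly the mistake the separate-tunnel-subnet rule is there to prevent.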
Re: [pfSense] serial port sadness
Resolution: Never did figure out what I was doing wrong, and another client needed a new pfsense box, so I just ended up buying the USB to serial adapter and gender changer from Netgate. Was affordable, isn't the prolific chipset, and it totally works.

Big thanks to everyone!

Mahalo,
Jeremy

On Fri, Feb 27, 2015 at 12:24 PM, Sean m...@thegeekclub.net wrote:
> Although... you reminded me of a good story. Once upon a time I worked for this startup company trying to develop a device that was programmed over serial. Some argument between owner and guy who did original dev work left us with a device and a crappy 16 bit dos executable to reverse engineer. Called a genius friend of mine and we actually rigged up a serial cable with two heads and many twisted wires and electrical tape that allowed us to sniff the data traversing it. So we figured out the entire command set of the device and were able to write a better app...
>
> On Fri, Feb 27, 2015 at 4:18 PM, Sean m...@thegeekclub.net wrote:
>> LOL. This guy gets it. When I get in trouble there's an almost retired telephony tech in my office who speaks this arcane serial language. I send him mfg pinouts and they'll make me a custom cable in a pinch. To me it's all just voodoo.
>>
>> On Fri, Feb 27, 2015 at 2:16 PM, Jim Thompson j...@netgate.com wrote:
>>> Let me know when you want to hear the story of a paper tape reader, a pick and place machine, and speed select (pin 23 on a DB-25 wired for EIA RS-232-C)
>>>
>>> On Feb 27, 2015, at 1:55 PM, Sean m...@thegeekclub.net wrote:
>>>> You also need a real NULL modem cable. Actually there's probably nothing wrong with your USB to Serial. The blue Cisco cables are rollover cables. They are not NULL modem cables. Welcome to serial cable pinout hell. ;-) Some of us have been here a long time. I'm no expert but I've got 3 different serial cables and converters in my toolbag having learned the hard way the variety of devices and requirements.
>>>>
>>>> On Wed, Feb 25, 2015 at 2:30 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
>>>>> Thank you all for the suggestions. I put my own alix router in place for my client, and now that I have a little time, will go ahead and purchase a non-prolific USB to serial adapter, and the associated accessories. I have gotten into the habit of buying prebuilt Alix systems, and that has spoiled me.
>>>>>
>>>>> On Wed, Feb 25, 2015 at 10:12 AM, Volker Kuhlmann hid...@paradise.net.nz wrote:
>>>>>> On Thu 26 Feb 2015 07:19:04 NZDT +1300, Jim Pingle wrote:
>>>>>>> http://www.amazon.com/gp/product/B00AHYJWWG
>>>>>>
>>>>>> Yes useful for many occasions. However as a first step having a two bucks gender bender and trying with and without will put the straight/null issue to rest. You'll still need it if the flashing gadget indicates as such. Smaller/cheaper than having two different cables too. FTDI chip, too. Or what the Chinese make of that ;-)
>>>>>>
>>>>>> Volker
>>>>>>
>>>>>> --
>>>>>> Volker Kuhlmann is list0570 with the domain in header.
>>>>>> http://volker.top.geek.nz/
>>>>>> Please do not CC list postings to me.
Re: [pfSense] Console is in cyrillic
Here is what I'm seeing: http://imgur.com/bh3hBwt

I reloaded a new 2.2.1 image and I get the same thing. If I put a 4 gb card with a new 2.2 image in it it works fine. If I put a different 4 GB card with an older 2.0.3 version it works fine. Is there an issue with the 2g image?

On Tue, Mar 17, 2015 at 11:49 AM, Jim Thompson j...@netgate.com wrote:
> Unless you've changed it, the baud rate on an Alix is 38400
> https://doc.pfsense.org/index.php/Console_Types
>
> Jim
>
> On Mar 17, 2015, at 4:45 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
>> So I recently resolved my serial port issue and was able to start reviving this Alix box. Made sure that the firmware was .99h. Wrote the new pfsense 2.2 2 GB image to a CF card. Slotted it into the Alix - terminal set to 115200 Baud rate, data was 8 bit, parity is none and stop is 1 bit - all per the documentation. (for reference I'd just done this on another unit and everything worked great)
>>
>> On this particular unit, the console text appears to be in a cyrillic or greek typeface... is that a problem? I can login to the normal GUI and all appears fine. Any ideas on why the console is looking this way? Will this be an issue down the road, or should I just leave well enough alone?
>>
>> Mahalo,
>> Jeremy
Re: [pfSense] Console is in cyrillic
Haven't changed it... This is a netgate branded Alix that came complete from the factory. The 2.2 update bricked it. I rewrote the latest 2.2 image to its 2 gb flash card. Tried 38400 but that spits out true gibberish. The greek/cyrillic that I get at 115200 shows me the actual proper menu... it is just in a funny font.

On Tue, Mar 17, 2015 at 11:49 AM, Jim Thompson j...@netgate.com wrote:
> Unless you've changed it, the baud rate on an Alix is 38400
> https://doc.pfsense.org/index.php/Console_Types
>
> Jim
>
> On Mar 17, 2015, at 4:45 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
>> So I recently resolved my serial port issue and was able to start reviving this Alix box. Made sure that the firmware was .99h. Wrote the new pfsense 2.2 2 GB image to a CF card. Slotted it into the Alix - terminal set to 115200 Baud rate, data was 8 bit, parity is none and stop is 1 bit - all per the documentation. (for reference I'd just done this on another unit and everything worked great)
>>
>> On this particular unit, the console text appears to be in a cyrillic or greek typeface... is that a problem? I can login to the normal GUI and all appears fine. Any ideas on why the console is looking this way? Will this be an issue down the road, or should I just leave well enough alone?
>>
>> Mahalo,
>> Jeremy
Re: [pfSense] serial port sadness
I'm using a cable that came with a Cisco router, I googled the part number and I'm pretty sure it came back with a Null modem cable. The strangest thing is that I'm pretty sure I had this working at one point. I'll post back when I find the solution.

On Mon, Feb 23, 2015 at 6:24 PM, Oliver Hansen oliver.han...@gmail.com wrote:
> Walter mentioned it. And that's the same problem I've had before.
>
> On Feb 23, 2015 8:15 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>> No one has mentioned that you haven't stated if you had a Null Modem cable. Do you have a Null Modem cable or a simple Pass-through one?
>>
>> On Feb 23, 2015, at 7:08 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:
>>> I'm trying to get a couple of bricked Alix boards back. I've got a USB to serial adapter (which has worked in the past), a Windows 7 computer and Teraterm, but whenever I connect everything up I just get the cursor blinking at me. Set the port to 9600, N, 1 as instructions indicate (usb to serial usually is showing up on COM7).
>>>
>>> I've replaced the serial cable with a new one. I've replaced the USB to serial adapter with a new one (both are prolific 2303s). I've tried w/ a Windows 8 machine as well, but the results are the same... blinking cursor. I connected the same stuff to a known good Alix box, and I got the same result, so I know it isn't the Alixes.
>>>
>>> What else can I try?
>>>
>>> Mahalo,
>>> Jeremy
[pfSense] serial port sadness
I'm trying to get a couple of bricked Alix boards back. I've got a USB to serial adapter (which has worked in the past), a Windows 7 computer and Teraterm, but whenever I connect everything up I just get the cursor blinking at me. Set the port to 9600, N, 1 as instructions indicate (usb to serial usually is showing up on COM7).

I've replaced the serial cable with a new one. I've replaced the USB to serial adapter with a new one (both are prolific 2303s). I've tried w/ a Windows 8 machine as well, but the results are the same... blinking cursor. I connected the same stuff to a known good Alix box, and I got the same result, so I know it isn't the Alixes.

What else can I try?

Mahalo,
Jeremy
Re: [pfSense] Firewall Hardware/Setup for Datacenter...
Jason is correct. Those Supermicro boxes are awesome. Be careful when ordering though... they want ECC memory. The APUs from Netgate are nice too; the year of bundled support has already saved my bacon a number of times. Well worth the cost.

On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt jason.wh...@gmail.com wrote:
> I've ran as vm's using vmxnet3's as well as physical on these http://m.newegg.com/Product/index?itemnumber=16-101-837 Both are viable options.
>
> Jason
>
> Sent from my iPhone
>
> On Feb 5, 2015, at 11:11 AM, Walter Parker walt...@gmail.com wrote:
>> I've used pfSense in a VM on my ESXi application server. This is mostly to firewall the Windows VMs from the Internet.
>>
>> If you want fail-over, I'd suggest getting one of the new Netgate (http://store.netgate.com/NetgateAPU2.aspx or http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an SSD. Then you can run a full install that supports package installs with a power budget of ~10-15 Watts for the APU units. Then you have a choice of getting a second HW unit for an additional $400 to $1000, or setting up pfSense in a VM (not on a separate VMware server, on an existing VM server). The higher end HW systems on those pages are 8 core Atom systems built to run pfSense (of course, the power requirements will be in the 100W range). With an SSD, these systems should last for a long time with no issues.
>>
>> How much firewall horsepower do you need? What are your constraints (time, money, space)?
>>
>> P.S. You can run packages on embedded in 2.2, you just want to be careful not to run packages that would trash the SD card with too many writes.
>>
>> Walter
>>
>> On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti cmario...@xunity.com wrote:
>>> Have been using pfSense for years at our datacenter, very happy with it running on old dedicated hardware with failover. The hardware is overdue to be retired and I'm wondering what people are doing/recommending for a datacenter setup.
>>>
>>> We want to use OpenVPN Server, IDS, dBandwidth, etc... so need to keep our option open for the ability to run packages... behind it we are running multiple servers and vCenter/ESXI servers. What's the go-to setup for a datacenter these days? Do we stick with two dedicated boxes? Since we pay for power, nice to have lower power... So do we go as low as using embedded hardware? It used to not be recommended for packages... still the case I assume? So I'm leaning towards some of the newer SuperMicro Atom boxes (quad core, or 8 core!!??! etc...). But then I see so many people running pfSense in VMWare and I wonder if we should consider this. Then I think about the hardware needs and VMWare Licensing (would like to avoid)... and what else can I run on the hardware along side without hurting pfSense from running properly, etc...
>>>
>>> If pfSense is setup to failover, that means the hardware can be cheap. No RAID needed. If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages... can I run it off of USB stick then or do I still need HDD/SSD?
>>>
>>> If setting up new hardware so can run pfSense as Virtual Machines... I would need two VM Hosts running pfSense as VM's so would have the failover... What should we consider for the hardware in this case... should I go with RAID w/HDD/SSD on ESXI? If pfSense is setup for failover, do I really need RAID? But I assume I would need something reliable if I'm going to run other non-pfsense VMs on the same hardware... so I would need RAID w/HDD/SSD and it would need to be larger... what are other people running in datacenter setups along side the pfSense? I don't want to put it onto our existing vCenter infrastructure, licensing/costs and isolation needed. Do I setup one hardware as basic, no RAID running ESXI and pfSense, and the other more robust setup (RAID, more memory).
>>>
>>> I'm really interested in what people are using in production environments/datacenters.
>>>
>>> Regards,
>>> Chuck
>>
>> --
>> The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
[pfSense] Wifi/WAN issues
Hello,

I recently purchased and installed a DCMA-82 IT miniPCI (Atheros Chipset) wireless card (http://store.netgate.com/DCMA-82-Industrial-Temp-80211abg-High-Power-mPCI-Card-FCC-P1073C26.aspx) for my Alix 2D3. I was running an older 1.2 era version of PFsense, but decided that I may as well upgrade to the latest 2.1 build. Doing so prompted me to upgrade the BIOS of the Alix from .99 to .99h. All of that worked smoothly and I can boot and run pfSense. The system sees the wireless card and can see wireless networks.

I'm trying to set up a wireless connection as the WAN, so in interfaces I've selected the wireless card (ath0) as the WAN. In configuring the WAN interface, I set the card to infrastructure mode (BSS) and fill in the network I'm trying to join's name (wireless_network). There is no encryption running on the wireless network, so I haven't changed any of that.

For whatever reason the WAN network will never come up. If I go to status interfaces, I see that the status says no carrier. I setup an open network off of my cell phone and submitted the SSID of my phone's network and I get the same status: no carrier result.

What am I doing wrong?

As always, all help is very much appreciated,
Jeremy

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Wifi/WAN issues
I spoke to the good folks at Netgate, and they assured me that the card was indeed compatible with 2.1. From what I've seen, they've always been very responsible with the products they sell and they were very helpful when I raised the issue with them. So, that said, any other ideas?

On Mar 6, 2014 6:39 AM, Moshe Katz mo...@ymkatz.net wrote:
> On Thu, Mar 6, 2014 at 8:36 AM, Jim Thompson j...@netgate.com wrote:
>> You're running a more modern card than supported in pfSense 2.1, which is based on FreeBSD 8.3. Perhaps 2.2 will fix the issue.
>>
>> Jim
>
> Jim,
>
> The product page on the Netgate site that Jeremy linked to (http://store.netgate.com/DCMA-82-Industrial-Temp-80211abg-High-Power-mPCI-Card-FCC-P1073C26.aspx) does say Compatible with pfSense. If that's not correct as of right now, shouldn't it be removed, or at least qualified with a version number?
>
> Moshe
>
> --
> Moshe Katz
> --
> mo...@ymkatz.net
> --
> +1(301)867-3732
Re: [pfSense] Netgate's customized pfSense release
> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. Does anyone here have a strong opinion one way or the other?

In principle, perhaps, in practice probably not. I've been using pfSense for awhile now, and buying hardware from Netgate for about as long. I realize that letting someone else load the software is a potentially huge security hole (I certainly don't reimage all of the PCs I buy from major manufacturers). The impression I get is that Netgate wants to succeed as a business and pfSense wants to succeed as well, so while possible, it is unlikely that anything fishy is going on. If anyone is up to no good, someone else can uncover the conspiracy; I have neither the time nor ability.

Ultimately I started buying the Alix hardware with the preloaded images to save time. The other benefit is that someone else assembles the box, and tests overall function before it leaves the factory. I don't have to discover failed equipment at the last minute.

The one practical thing that I have found is that the Netgate skin does make it harder to configure VPN tunnels... something to do with the way the skin was built. Switching to the pfSense default resolves the issue. This may have been fixed already.

At the end of the day, I like Netgate as a vendor and spend money with them when I can. I trust them as much as anyone can trust a business, and will continue to buy their pre-imaged PF boxes. I have no affiliation with Netgate or the pfSense organization beyond being a happy customer.

Jeremy

On Feb 13, 2014, at 8:24 AM, Jim Pingle wrote:
> On 2/13/2014 11:54 AM, Andrew Hull wrote:
>> Having purchased several pfSense devices assembled by Netgate (m1n1wall and FW-7541), I've noticed that the pfSense pre-install image was customized with Netgate branding and the firmware auto-update mechanism was set to a Netgate URL. Has this been discussed on the list before?
>
> I believe it's been discussed before.
>
>> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. Does anyone here have a strong opinion one way or the other?
>
> It's actually a really good thing in this case. We build the images for them, and they are tailored to work well on their hardware. It's best to use the images for the specific model of hardware to ensure you get the best performance/experience. Part of this is the pfSense Certified program, and currently Netgate is the only hardware supplier with any devices that can state that qualification.
>
> Some other companies build their own images and such but don't give back to the project (or do so minimally, if at all) so there are some to watch out for. Netgate supports ESF/pfSense significantly, so if you want to support the project, support them.
>
> Jim
Re: [pfSense] SOHO Router for VPN to pfSense
I can't speak to the advanced routing and traffic shaping stuff, but Alix + PFsense have been great for me. IPSec VPNs between multiple locations have been very reliable.

On Apr 30, 2013, at 9:23 PM, Seth Mos wrote:
> On 29-4-2013 16:01, j...@millican.us wrote:
>> On 4/29/2013 9:35 AM, j...@millican.us wrote:
>>> Hello,
>>> Thank You,
>>> JohnM
>>
>> Forgot to add that I have been looking at the Buffalo WZR-300HP. Any opinions?
>
> We almost exclusively use Draytek Vigor routers with IPsec tunnels and pfSense. We use Dell PowerEdge R310 servers as the endpoint. We have about 300 tunnels, we always had the Draytek Vigor 2800VGI model, but are now moving forward with the Draytek Vigor 2850 model, it is an ADSL/VDSL combo modem, supports 3G/4G via USB stick (We use the Huawei E392) and also Ethernet WAN using port 4 of the gigabit LAN ports. It's a very versatile model.
>
> Regards,
> Seth
Re: [pfSense] Problem with IPsec VPN
Brian,

You hit the nail on the head. PFS key group at site one was set to 'Off'. Needed to be '2'.

Thank you everyone.

Mahalo,
Jeremy

On Jan 8, 2012, at 4:15 PM, Marc R. Meshurle Jr. wrote:
> PFS 2.0 has a new location for phase 2 setups. Make sure that you click the + sign and setup the phase 2 and make sure the check box is enabled.
>
> Marc R. Meshurle, Jr.
> Owner/Senior Engineer
> Kato Technology Solutions, Inc.
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Brian Franklin
> Sent: Sunday, January 08, 2012 00:03
> To: pfSense support and discussion
> Subject: Re: [pfSense] Problem with IPsec VPN
>
>> pfs group mismatched: my:2 peer:0
>
> Check your PFS key group settings in Phase 2. Make sure they match on both sides.
>
> Brian
> www.ntginc.net
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jeremy Bennett
> Sent: Saturday, January 07, 2012 2:57 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] Problem with IPsec VPN
>
> I have a site to site IPsec VPN setup. This is probably the 3rd or 4th set of these that I've done, and all the other setups seem to work fine. I've double-checked the setup, and if it is a config error, I am overlooking it. PFSense 2.0 final on Alix hardware.
>
> Site 2 always reports that the ipsec is down. I can restart it from services, and it works for a few hours, but ultimately shuts down. This is the error:
>
> Jan 5 15:02:21 racoon: [Site1]: [00.000.00.00 site1 address] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
> Jan 5 15:02:21 racoon: [Site1]: [00.000.00.00 site1 address] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
> Jan 5 15:46:24 racoon: [Site1]: INFO: respond new phase 2 negotiation: 00.000.00.00 site2 address[500]=00.000.00.00 site1 address[500]
> Jan 5 15:46:24 racoon: ERROR: pfs group mismatched: my:2 peer:0
> Jan 5 15:46:24 racoon: ERROR: not matched
> Jan 5 15:46:24 racoon: ERROR: no suitable policy found.
>
> This error repeats continuously in the log of site 2. How do I start troubleshooting this?
>
> Thank you,
> Jeremy
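The racoon log lines quoted in this thread, read the way Brian read them, as an added example that is not part of the thread: a Python 3 script that parses lines of that shape, maps each Phase 2 error to the pfSense Phase 2 field that has to match on both ends, and pulls the local/peer PFS groups out of the "pfs group mismatched" line (peer:0 is the "Off" setting Jeremy found at site one). The sample log, the 203.0.113.10 / 198.51.100.20 documentation addresses standing in for the masked site addresses, and the error-to-field table are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample shaped like the racoon lines quoted in the thread
# (documentation addresses instead of the masked 00.000.00.00 values).
SAMPLE_LOG = """\
Jan  5 15:02:21 racoon: [Site1]: [203.0.113.10] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Jan  5 15:02:21 racoon: [Site1]: [203.0.113.10] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jan  5 15:46:24 racoon: [Site1]: INFO: respond new phase 2 negotiation: 198.51.100.20[500]<=>203.0.113.10[500]
Jan  5 15:46:24 racoon: ERROR: pfs group mismatched: my:2 peer:0
Jan  5 15:46:24 racoon: ERROR: not matched
Jan  5 15:46:24 racoon: ERROR: no suitable policy found.
"""

# syslog-style prefix: "Mon  D HH:MM:SS racoon: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
PFS_RE = re.compile(r"pfs group mismatched: my:(?P<mine>\d+) peer:(?P<peer>\d+)")

# Error fragment -> the pfSense Phase 2 field to compare on both ends.
# This mapping is my own reading of the messages, not something racoon emits.
HINTS = [
    ("pfs group mismatched", "PFS key group"),
    ("no proposal chosen", "encryption/hash algorithms"),
    ("failed to pre-process ph2 packet", "local/remote networks"),
]


def parse_racoon(text):
    """Yield (timestamp, message) for every line that looks like racoon syslog output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")


def diagnose(text):
    """Return {'fields': {Phase 2 field: error count}, 'pfs': (mine, peer) or None}."""
    fields = Counter()
    pfs = None
    for _ts, msg in parse_racoon(text):
        if "ERROR:" not in msg:
            continue
        for needle, field in HINTS:
            if needle in msg:
                fields[field] += 1
        m = PFS_RE.search(msg)
        if m:
            pfs = (int(m.group("mine")), int(m.group("peer")))
    return {"fields": dict(fields), "pfs": pfs}


def explain(report):
    """Human-readable next steps, most specific finding first."""
    steps = []
    if report["pfs"]:
        mine, peer = report["pfs"]
        steps.append(f"PFS key group: this side proposes group {mine}, the peer proposes {peer} "
                     f"(0 means PFS is off); set both Phase 2 entries to the same group")
    for field, n in sorted(report["fields"].items(), key=lambda kv: -kv[1]):
        if field != "PFS key group":
            steps.append(f"compare {field} on both sides ({n} related error line(s))")
    return steps


if __name__ == "__main__":
    for step in explain(diagnose(SAMPLE_LOG)):
        print("-", step)
```

Point it at a real racoon log from Status > System Logs > IPsec and the first step it prints is the one to fix first: a PFS group mismatch makes every proposal fail, so the "no proposal chosen" and "no suitable policy found" lines that follow are consequences, not separate problems.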