[pfSense Support] Problems with dual wan and policy based routing
Hi all, I've posted this on the forums but I'll try here too with new info.

We've 1 Soekris 4501 + lan1621 (two Ethernet ports). We've 2 ADSL lines (static IPs on both), one working with DHCP and the other with static. And we want to have:
1 LAN (192.168.50.0/24)
1 WAN (DHCP ADSL line) (aaa.bbb.ccc.ddd)
1 OPT1 (the other ADSL line, static) (xxx.xxx.xxx.xxx)
1 DMZ (OPT2) (192.168.2.0/24)

We just want all LAN traffic across the WAN DSL, and the DMZ traffic across the OPT1 DSL. I will explain what I've done and let's see if someone can find what I'm missing.

First I go to Services - Load Balancer and add a new pool. That will be the pool for the OPT1 DSL line (type gateway, IP of the OPT1 interface ADSL; here I tried with the DSL gateway and it does the same). I'll call the pool GW_JAZZ.

Then I go to Firewall - NAT - Outbound and enable advanced outbound NAT. Here I do:
Interface: WAN, Source: 192.168.50.0/24
Interface: WAN, Source: 192.168.2.0/24
Interface: OPT1, Source: 192.168.2.0/24

Then on Firewall - NAT - Incoming I've the next services (smtp, pop, http, imap) going to 192.168.2.2 (my server on the DMZ) and the auto firewall rules created. I've some services for the WAN (smtp, rdp, ftp) going to my internal LAN server (sucky Exchange, 192.168.50.1). Some day it will stay at the DMZ or in the trash :-)

Then, Firewall - Rules. On the DMZ (OPT2) I've the next rule: proto: any, source: any, destination: any and gateway: GW_JAZZ. On OPT1 I've the traffic for the NATed services and nothing more. On the LAN the default rule for traffic going through the default gateway (WAN). On the WAN the rules for the NATed traffic.

And now, what works and what doesn't? Well, Internet traffic from LAN to WAN works perfectly. NATed services from WAN to LAN work too. But OPT1/OPT2 isn't working. Can someone see what I'm missing? Or how can I bring more info for the problem?

And to update that:
I've tried to first make all LAN and DMZ go across WLAN and it works well. Then I tried to make all the DMZ traffic to port 25 go on the OPT1 DSL line but no luck. The connection goes across OPT1 but it seems it can return back. DMZ --- Internet SMTP Server (here I can see an incoming connection from the OPT1 IP). Any idea? Thx

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [pfSense Support] vlans and altq
Will await the next release and test again. Thanks for your comments.

-----Original Message-----
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 17, 2005 11:51 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] vlans and altq

At 06:04 PM 11/17/2005, you wrote:
Tried on 0.90 through to non-released 0.93.2 with the same troubles. I have vlans on both of the pfsense wan and lan interfaces. Might try again tomorrow to see if I can isolate it a bit.

Hmm, I remember an issue where the vlans didn't have a bandwidth, so the shaper got ticked off. Have you manually set one? Even if not, there's a change I sent in where it would default to 10mb if nothing was detected. Scott also committed a change where vlan was accepted as a valid shaper interface.

On Thu, 17 Nov 2005, alan walters wrote:
I was under the impression that altq has support for vlans. Is this enabled in pfsense at the moment? Have tried a couple of times but get unsupported interfaces. I know that my fxp and sis cards support it, so I guess it must be the vlans that are the issue.

what release are you running? i'm using this with fxp and it works fine. i remember it was dodgy for a bit, but bill and scott made some changes...
Re: [pfSense Support] aliases and firewall rules
This is now fixed.

Scott

On 11/18/05, alan walters [EMAIL PROTECTED] wrote:
I have noticed that the firewall rules are not updated when aliases are changed. Is this by design? When an alias is edited the new rule does not seem to take effect. If you go into firewall rules and resave a rule then the edited alias will be updated in the rules.
Re: [pfSense Support] IPsec Does Auto Establish work?
On bootup or after initial setup of the tunnel, pfSense will ping across the tunnel to bring it up.

Scott

On 11/17/05, John Cianfarani [EMAIL PROTECTED] wrote:
Does anyone have IPSec tunnels auto establish working? I can only seem to get the tunnels to come up when traffic is passing over them. Also wondering if there is anything special that needs to be done to do traffic shaping through an IPSec tunnel?

Thanks
John
RE: [pfSense Support] IPsec Does Auto Establish work?
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up? Is traffic shaping over IPsec out of the question at the moment?

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 11:57 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

On bootup or after initial setup of the tunnel, pfSense will ping across the tunnel to bring it up.

Scott

On 11/17/05, John Cianfarani [EMAIL PROTECTED] wrote:
Does anyone have IPSec tunnels auto establish working? I can only seem to get the tunnels to come up when traffic is passing over them. Also wondering if there is anything special that needs to be done to do traffic shaping through an IPSec tunnel?

Thanks
John
Re: [pfSense Support] IPsec Does Auto Establish work?
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up?

As long as traffic is going through the tunnel, it should stay up. In my case I have an IP phone and never notice an issue. Does pfsense have cron? If so, you could make a cronjob to ping once a minute or something.

--
Jesse Norell - [EMAIL PROTECTED]
Kentec Communications, Inc.
Re: [pfSense Support] IPsec Does Auto Establish work?
Yeah, we have cron.

Scott

On 11/18/05, Jesse Norell [EMAIL PROTECTED] wrote:
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up?

As long as traffic is going through the tunnel, it should stay up. In my case I have an IP phone and never notice an issue. Does pfsense have cron? If so, you could make a cronjob to ping once a minute or something.

--
Jesse Norell - [EMAIL PROTECTED]
Kentec Communications, Inc.
RE: [pfSense Support] IPsec Does Auto Establish work?
I've tried pinging from the shell/console to a remote ipsec endpoint but it doesn't cause the tunnel to come up. (A local machine will cause the tunnel to come up though.) I thought I read in an earlier message or the FAQ that FreeBSD kludges together ipsec tunnels so some routes aren't properly in place. Is this still true? Or is it possible to run the same command/script that pfsense does to bring up the tunnel?

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Yeah, we have cron.

Scott

On 11/18/05, Jesse Norell [EMAIL PROTECTED] wrote:
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up?

As long as traffic is going through the tunnel, it should stay up. In my case I have an IP phone and never notice an issue. Does pfsense have cron? If so, you could make a cronjob to ping once a minute or something.

--
Jesse Norell - [EMAIL PROTECTED]
Kentec Communications, Inc.
Re: [pfSense Support] IPsec Does Auto Establish work?
Great!!!

On 11/18/05, John Cianfarani [EMAIL PROTECTED] wrote:
Awesome! You da man! Fixes up my issue :)

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 1:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

You need to ping with -S (source address) of your LAN IP.

ping -S 192.168.1.1 192.168.2.1

On 11/18/05, John Cianfarani [EMAIL PROTECTED] wrote:
I've tried pinging from the shell/console to a remote ipsec endpoint but it doesn't cause the tunnel to come up. (A local machine will cause the tunnel to come up though.) I thought I read in an earlier message or the FAQ that FreeBSD kludges together ipsec tunnels so some routes aren't properly in place. Is this still true? Or is it possible to run the same command/script that pfsense does to bring up the tunnel?

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Yeah, we have cron.

Scott

On 11/18/05, Jesse Norell [EMAIL PROTECTED] wrote:
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up?

As long as traffic is going through the tunnel, it should stay up. In my case I have an IP phone and never notice an issue. Does pfsense have cron? If so, you could make a cronjob to ping once a minute or something.

--
Jesse Norell - [EMAIL PROTECTED]
Kentec Communications, Inc.
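The thread settles on two pieces: Jesse's suggestion of a cron job that pings once a minute, and Scott's detail that the ping must carry the LAN address as its source (ping -S) so that the packet matches the tunnel's policy instead of leaving via the WAN address. The script below puts the two together as an added example; it is not a pfSense script and the addresses (192.168.1.1 as the LAN IP, 192.168.2.1 as a host on the far side) are simply Scott's example values, and the PING and LOG_TAG variables are assumptions made here to keep the script testable.

```shell
#!/bin/sh
# ipsec_keepalive.sh: send one ICMP echo per run from the pfSense LAN address
# toward a host inside the remote IPsec subnet, so the traffic matches the
# tunnel's security policy and the IPsec daemon (re)negotiates it when it is
# down. Meant to be scheduled from cron once a minute.
# Added example, not part of pfSense. Assumed values: LAN_IP and REMOTE_HOST
# reuse the addresses from Scott's "ping -S" example in the thread.

LAN_IP="${LAN_IP:-192.168.1.1}"            # pfSense LAN address (ping -S source)
REMOTE_HOST="${REMOTE_HOST:-192.168.2.1}"  # host on the far side of the tunnel
PING="${PING:-ping}"                       # overridable, e.g. PING=true for a dry run
LOG_TAG="ipsec_keepalive"

# build_ping_cmd prints the exact command that keepalive runs. The -S flag is
# the important part: without a LAN source address the probe leaves with the
# WAN address, never matches the IPsec policy, and the tunnel stays down.
# "-c 1 -t 5" are FreeBSD ping options: one packet, give up after 5 seconds.
build_ping_cmd() {
    printf '%s -S %s -c 1 -t 5 %s\n' "$PING" "$1" "$2"
}

# log writes to syslog when logger is available, otherwise to stderr, so a
# tunnel that keeps flapping shows up in the system log rather than silently.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOG_TAG" "$1"
    else
        printf '%s: %s\n' "$LOG_TAG" "$1" >&2
    fi
}

# keepalive returns 0 when the remote host answered (tunnel up) and 1 when it
# did not (tunnel down, or still negotiating after this probe triggered it).
keepalive() {
    if "$PING" -S "$LAN_IP" -c 1 -t 5 "$REMOTE_HOST" >/dev/null 2>&1; then
        log "reply from $REMOTE_HOST via $LAN_IP, tunnel up"
        return 0
    fi
    log "no reply from $REMOTE_HOST via $LAN_IP, tunnel down or negotiating"
    return 1
}

# Run one probe when executed directly as ipsec_keepalive.sh.
case "$0" in
    *ipsec_keepalive.sh) keepalive ;;
esac
```

Install it somewhere like /usr/local/bin and add a crontab line such as `* * * * * /usr/local/bin/ipsec_keepalive.sh` on the pfSense box. Holger's caveat later in the thread still applies: a cron entry added by hand is not saved in config.xml, so it has to be recreated when the router is restored or replaced.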
Re: [pfSense Support] IPsec Does Auto Establish work?
No, we do not want to invoke a php binary every minute.

On 11/18/05, Holger Bauer [EMAIL PROTECTED] wrote:
maybe we should make this a checkbox for a tunnel (pinging once a minute to not let the tunnel go down)?

Holger

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 18 November 2005 19:38
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Great!!!

On 11/18/05, John Cianfarani [EMAIL PROTECTED] wrote:
Awesome! You da man! Fixes up my issue :)

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 1:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

You need to ping with -S (source address) of your LAN IP.

ping -S 192.168.1.1 192.168.2.1

On 11/18/05, John Cianfarani [EMAIL PROTECTED] wrote:
I've tried pinging from the shell/console to a remote ipsec endpoint but it doesn't cause the tunnel to come up. (A local machine will cause the tunnel to come up though.) I thought I read in an earlier message or the FAQ that FreeBSD kludges together ipsec tunnels so some routes aren't properly in place. Is this still true? Or is it possible to run the same command/script that pfsense does to bring up the tunnel?

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Yeah, we have cron.

Scott

On 11/18/05, Jesse Norell [EMAIL PROTECTED] wrote:
Ah okay, I was figuring it would always try to keep it up. Anything I can do from within the pfsense box itself to keep the tunnel up?

As long as traffic is going through the tunnel, it should stay up. In my case I have an IP phone and never notice an issue. Does pfsense have cron? If so, you could make a cronjob to ping once a minute or something.

--
Jesse Norell - [EMAIL PROTECTED]
Kentec Communications, Inc.
Re: [pfSense Support] IPsec Does Auto Establish work?
what's the point of keeping the tunnel up? won't either endpoint force it to re-establish on demand anyhow? i know my mobile user IPsec vpn does so from my mac to pfSense. i'm fairly certain our remote office VPN also does so, but it is a long haul over an unreliable network, so it is up and down all the time anyway.
RE: [pfSense Support] IPsec Does Auto Establish work?
Just a real-life example: I have an IPSEC mesh between several locations. Each location has its own VoIP PBX. The PBXs don't talk to each other unless there is a call. If the tunnel is down and you try to call a phone at the distant PBX you get a busy before the tunnel is up (the tunnel needs longer to establish than the timeout of the VoIP). The second call then is working, as the tunnel was brought up because of the first try which failed. There is other traffic from sublocations to the main location only (keeping tunnels from sublocations to the main location up, no mesh traffic) but VoIP is going directly from one location to the other through a different tunnel between the two locations (which goes down if there are no calls from time to time).

Solutions:
- adding cronjobs manually (but they don't get backed up with config.xml, so exchanging/restoring the router needs recalling these settings)
- using a server in the sublocations' subnets doing the ping

Holger

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 18 November 2005 21:22
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Exactly. I really don't see any reason to constantly babysit the tunnels. If it's mission critical to keep the tunnels up, there is cron. There are situations where something can be over-engineered and this smells exactly of it.

Scott

On 11/18/05, Vivek Khera [EMAIL PROTECTED] wrote:
what's the point of keeping the tunnel up? won't either endpoint force it to re-establish on demand anyhow? i know my mobile user IPsec vpn does so from my mac to pfSense. i'm fairly certain our remote office VPN also does so, but it is a long haul over an unreliable network, so it is up and down all the time anyway.
RE: [pfSense Support] IPsec Does Auto Establish work?
Here is my somewhat potential setup for why I needed to keep the tunnel up. Let's say you have VoIP phones at a small remote site (1-2 users) which has a dynamic IP address (which uses the mobile ipsec client setup). Let's also assume the phones don't register with the call server (static configuration, or they register every 30min/60min). The call server is at the host site. A call comes in for one of the remote phones but because the tunnel is down and the IP is dynamic it can't bring up the ipsec session, hence it is unable to ring the phone. Now you might say if a user isn't there who cares. But the phone might be set to do call forwarding or the user doesn't have their machine on.

On this note, it could be resolved if it was possible to put in a dynamic DNS name instead of an IP so the host site would always be able to find the remote site?

Thanks
John

-----Original Message-----
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 3:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

what's the point of keeping the tunnel up? won't either endpoint force it to re-establish on demand anyhow? i know my mobile user IPsec vpn does so from my mac to pfSense. i'm fairly certain our remote office VPN also does so, but it is a long haul over an unreliable network, so it is up and down all the time anyway.
RE: [pfSense Support] IPsec Does Auto Establish work?
LOL, same example. In my potential setup there will be no server at the remote location. That's why I was looking for a way for pfsense to keep it up.

John

-----Original Message-----
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 3:39 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] IPsec Does Auto Establish work?

Just a real-life example: I have an IPSEC mesh between several locations. Each location has its own VoIP PBX. The PBXs don't talk to each other unless there is a call. If the tunnel is down and you try to call a phone at the distant PBX you get a busy before the tunnel is up (the tunnel needs longer to establish than the timeout of the VoIP). The second call then is working, as the tunnel was brought up because of the first try which failed. There is other traffic from sublocations to the main location only (keeping tunnels from sublocations to the main location up, no mesh traffic) but VoIP is going directly from one location to the other through a different tunnel between the two locations (which goes down if there are no calls from time to time).

Solutions:
- adding cronjobs manually (but they don't get backed up with config.xml, so exchanging/restoring the router needs recalling these settings)
- using a server in the sublocations' subnets doing the ping

Holger

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 18 November 2005 21:22
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Exactly. I really don't see any reason to constantly babysit the tunnels. If it's mission critical to keep the tunnels up, there is cron. There are situations where something can be over-engineered and this smells exactly of it.

Scott

On 11/18/05, Vivek Khera [EMAIL PROTECTED] wrote:
what's the point of keeping the tunnel up? won't either endpoint force it to re-establish on demand anyhow? i know my mobile user IPsec vpn does so from my mac to pfSense. i'm fairly certain our remote office VPN also does so, but it is a long haul over an unreliable network, so it is up and down all the time anyway.
RE: [pfSense Support] IPsec Does Auto Establish work?
Heh, looks like this option should be called "make voip happy [X]"

-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Friday, 18 November 2005 22:18
To: support@pfsense.com
Subject: RE: [pfSense Support] IPsec Does Auto Establish work?

Here is my somewhat potential setup for why I needed to keep the tunnel up. Let's say you have VoIP phones at a small remote site (1-2 users) which has a dynamic IP address (which uses the mobile ipsec client setup). Let's also assume the phones don't register with the call server (static configuration, or they register every 30min/60min). The call server is at the host site. A call comes in for one of the remote phones but because the tunnel is down and the IP is dynamic it can't bring up the ipsec session, hence it is unable to ring the phone. Now you might say if a user isn't there who cares. But the phone might be set to do call forwarding or the user doesn't have their machine on.

On this note, it could be resolved if it was possible to put in a dynamic DNS name instead of an IP so the host site would always be able to find the remote site?

Thanks
John

-----Original Message-----
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: Friday, November 18, 2005 3:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

what's the point of keeping the tunnel up? won't either endpoint force it to re-establish on demand anyhow? i know my mobile user IPsec vpn does so from my mac to pfSense. i'm fairly certain our remote office VPN also does so, but it is a long haul over an unreliable network, so it is up and down all the time anyway.
Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)
I banged my head on this for a while before I realized our network admin probably had the Cisco PIX VPN config set to only work with UDP, not TCP. Our default config is to use UDP, but that didn't work for me on pfsense v.86. After I read the e-mail below I stopped trying to connect over UDP. (Stupid me. I'm a sysadmin, not a netadmin.) While I was typing up the "please help me" e-mail I realized that TCP was not configured at the endpoint in the office, and for giggles I tried UDP. I was amazed at how fast it connected. It worked with IPSec Passthrough disabled and enabled. This was killing me because pfsense was noticeably faster than my old LinkSys, but VPN had to work so I could connect to my office. Thanks for a fast and easy firewall!

Chris

stephan schneider wrote:
i am trying to get a (NATed) connection to an external VPN using the cisco vpn client. Unfortunately it just doesn't work - no connection. I added the port 500 (isakmp) and allowed ESP to pass the firewall. But I think there's more to do to get NAT-Traversal to work :-(

Got the solution. In the vpn client connection configuration you have to choose "IPSec over TCP" and of course "Enable Transparent Tunnel". No custom rules, no IPSec passthru (that's a different approach), no custom nat rules (only the default: nat all lan) are needed.

Thanks Bill! Have a nice day.
Stefan.
Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)
It did not work with IPSec Passthrough disabled. I must have tested too quickly after disabling it. I tried again an hour later and I could not connect to the office. I enabled passthrough and I was fine. Sorry for any confusion.

Chris wrote:
I banged my head on this for a while before I realized our network admin probably had the Cisco PIX VPN config set to only work with UDP, not TCP. Our default config is to use UDP, but that didn't work for me on pfsense v.86. After I read the e-mail below I stopped trying to connect over UDP. (Stupid me. I'm a sysadmin, not a netadmin.) While I was typing up the "please help me" e-mail I realized that TCP was not configured at the endpoint in the office, and for giggles I tried UDP. I was amazed at how fast it connected. It worked with IPSec Passthrough disabled and enabled. This was killing me because pfsense was noticeably faster than my old LinkSys, but VPN had to work so I could connect to my office. Thanks for a fast and easy firewall!

Chris

stephan schneider wrote:
i am trying to get a (NATed) connection to an external VPN using the cisco vpn client. Unfortunately it just doesn't work - no connection. I added the port 500 (isakmp) and allowed ESP to pass the firewall. But I think there's more to do to get NAT-Traversal to work :-(

Got the solution. In the vpn client connection configuration you have to choose "IPSec over TCP" and of course "Enable Transparent Tunnel". No custom rules, no IPSec passthru (that's a different approach), no custom nat rules (only the default: nat all lan) are needed.

Thanks Bill! Have a nice day.
Stefan.