I'm new to this list and relatively new to pfSense, so please bear with me. (I have been a FreeBSD user since FreeBSD 3, though.)

Recently, I decided to deploy pfSense, and, in accordance with the 2.0-RC announcement, decided to use pfSense 2.0-RC for my new installation. Unfortunately, I have been having problems getting IPsec to work. My IPsec configuration apparently works when clients are behind a NAT but doesn't when they are not.

My pfSense LAN consists of a 172.23.23.0/24 subnet. One of the systems on this LAN also acts as a gateway to a 10.0.0.0/24 subnet. My goal is to be able to allow mobile clients to access both the 172.23.23.0/24 and 10.0.0.0/24 networks via an IPsec VPN.

I configured VPN : IPsec : Mobile to use a virtual address pool of 172.23.5.0/24. I have configured a VPN : IPsec Phase 1 tunnel for Mobile Client to use Mutual PSK + Xauth. I have also defined two Phase 2 tunnels under this Phase 1 configuration: one for the 172.23.23.0/24 subnet and the other for the 10.0.0.0/24 subnet. The Phase 2 definitions are the same except one has "Local Network" defined as "Type: Network", "Address: 172.23.23.0/24" and the other "Type: Network", "Address: 10.0.0.0/24". It was my understanding that to have SPDs created to route traffic from the client to the two pfSense local subnets I'd need two Phase 2 tunnels---one for each local subnet. (Is this a correct assumption? Is there another way of achieving the same end?) Finally, I created a "pass all traffic" rule for the IPsec interface in Firewall : Rules, so as not to block VPN traffic.

On the client side, my target audience is all Mac OS X users. I am using the built-in VPN "Cisco IPSec" client of Mac OS X 10.6---chosen for minimal configuration impact on the client end.

When I connect from a system that is behind a NAT, the IPsec VPN is created and SPDs are inserted on the Mac and pfSense side to route traffic successfully over the VPN.
Everything works: traffic from the client to 172.23.23.0/24 and 10.0.0.0/24 is sent over the IPsec VPN, and clients even correctly resolve hostnames in the private local domain used on the remote end of the VPN. This is great! :-)

Unfortunately, when I use the same configuration on a client that is NOT behind a NAT, the VPN is established but doesn't work. It seems that the client receives IP and DNS information correctly, and that SAD and SPD entries are installed correctly on the client side, but no SPD entries are created on the pfSense server (the remote end of the VPN). Oddly, too, for non-NAT-T connections, I get three SAD entries created, whereas only two SAD entries are created for NAT-T VPN connections.

For a successful VPN connection, the pfSense GUI shows something like this:

    Status : IPsec : SAD:

    Source          Destination     Protocol  SPI       Enc. alg.  Auth. alg.
    S.S.S.S[4500]   N.N.N.N[4500]   ESP-UDP   01a4b04e  aes-cbc    hmac-sha1
    N.N.N.N[4500]   S.S.S.S[4500]   ESP-UDP   0a72a812  aes-cbc    hmac-sha1

    Status : IPsec : SPD:

    Source          Destination     Direction  Protocol  Tunnel endpoints
    172.23.5.1      172.23.23.0/24  |>         ESP       N.N.N.N -> S.S.S.S
    172.23.23.0/24  172.23.5.1      <|         ESP       S.S.S.S -> N.N.N.N

where S.S.S.S is the IP address of the pfSense system and N.N.N.N is the IP address of the NAT gateway the client is behind.

For an unsuccessful VPN connection, I see something like this:

    Status : IPsec : SAD:

    Source          Destination     Protocol  SPI       Enc. alg.  Auth. alg.
    S.S.S.S         C.C.C.C         ESP       03105658  aes-cbc    hmac-sha1
    C.C.C.C         S.S.S.S         ESP       0627fa1d  aes-cbc    hmac-sha1
    C.C.C.C         S.S.S.S         ESP       0765239c  aes-cbc    hmac-sha1

    Status : IPsec : SPD:

    No IPsec security policies.

where S.S.S.S is the IP address of the pfSense system and C.C.C.C is the IP address of the client.

Can anyone explain why this is working for NAT-T but not otherwise? Or, alternatively, can anyone point out what I am doing that is blatantly wrong? Is anyone successfully using the built-in VPN "Cisco IPSec" client with Mac OS X and pfSense 2.0?
(Is this a problem on the pfSense side or the Mac OS X side?)

(I'm appending more detailed information at the end of this message, in case that helps.)

Cheers,
Paul.


More details:

This is what happens during a successful VPN establishment:

    C.C.C.C = Client's IP address
    S.S.S.S = pfSense server
    N.N.N.N = NAT gateway behind which client lies

Status: System logs: IPsec VPN

    Mar 29 11:49:28 racoon: [Self]: INFO: respond new phase 1 negotiation: S.S.S.S[500]<=>N.N.N.N[500]
    Mar 29 11:49:28 racoon: INFO: begin Aggressive mode.
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: RFC 3947
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 29 11:49:28 racoon: INFO: received Vendor ID: DPD
    Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Selected NAT-T version: RFC 3947
    Mar 29 11:49:28 racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Hashing N.N.N.N[500] with algo #2
    Mar 29 11:49:28 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo #2
    Mar 29 11:49:28 racoon: INFO: Adding xauth VID payload.
    Mar 29 11:49:28 racoon: [Self]: INFO: NAT-T: ports changed to: N.N.N.N[4500]<->S.S.S.S[4500]
    Mar 29 11:49:28 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[4500] with algo #2
    Mar 29 11:49:28 racoon: INFO: NAT-D payload #0 verified
    Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Hashing N.N.N.N[4500] with algo #2
    Mar 29 11:49:28 racoon: INFO: NAT-D payload #1 doesn't match
    Mar 29 11:49:28 racoon: [N.N.N.N] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Mar 29 11:49:28 racoon: INFO: NAT detected: PEER
    Mar 29 11:49:28 racoon: INFO: Sending Xauth request
    Mar 29 11:49:28 racoon: [Self]: INFO: ISAKMP-SA established S.S.S.S[4500]-N.N.N.N[4500] spi:81e617d2c7b9b303:10b842b4abd5fc5c
    Mar 29 11:49:34 racoon: INFO: Using port 0
    Mar 29 11:49:34 racoon: INFO: login succeeded for user "user"
    Mar 29 11:49:34 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Mar 29 11:49:34 racoon: ERROR: Cannot open "/etc/motd"
    Mar 29 11:49:34 racoon: WARNING: Ignored attribute 28683
    Mar 29 11:49:34 racoon: [Self]: INFO: respond new phase 2 negotiation: S.S.S.S[4500]<=>N.N.N.N[4500]
    Mar 29 11:49:34 racoon: INFO: no policy found, try to generate the policy : 172.23.5.1/32[0] 172.23.23.0/24[0] proto=any dir=in
    Mar 29 11:49:34 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 11:49:34 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Mar 29 11:49:34 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->N.N.N.N[500] spi=175286290(0xa72a812)
    Mar 29 11:49:34 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->N.N.N.N[500] spi=27570254(0x1a4b04e)

On client:

    bash-3.2# setkey -D
    C.C.C.C S.S.S.S
        esp mode=tunnel spi=175286290(0x0a72a812) reqid=16389(0x00004005)
        E: aes-cbc f28072ff f5029cf3 2a70eedc 2a2b0ad9 2c28e74b a414498c 9291e311 cccf8af0
        A: hmac-sha1 f29f43d9 7bacceb2 13b50280 208f69da ff2811a7
        seq=0x00000009 replay=4 flags=0x00000006 state=mature
        created: Mar 29 11:49:34 2011  current: Mar 29 11:49:50 2011
        diff: 16(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 11:49:38 2011  hard: 0(s)  soft: 0(s)
        current: 1440(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 9  hard: 0  soft: 0
        sadb_seq=1 pid=593 refcnt=2
    S.S.S.S C.C.C.C
        esp mode=tunnel spi=27570254(0x01a4b04e) reqid=16390(0x00004006)
        E: aes-cbc 142d151d 796b20a0 860ace1f 09f0d700 1f3ec969 c1ae1590 ce966a4b f1057e26
        A: hmac-sha1 b6592fa3 a12a3833 6b395351 73ffe3f0 cc20106b
        seq=0x00000006 replay=4 flags=0x00000006 state=mature
        created: Mar 29 11:49:34 2011  current: Mar 29 11:49:50 2011
        diff: 16(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 11:49:38 2011  hard: 0(s)  soft: 0(s)
        current: 802(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 6  hard: 0  soft: 0
        sadb_seq=0 pid=593 refcnt=2

    bash-3.2# setkey -D -P
    172.23.23.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16390
        spid=6 seq=3 pid=594 refcnt=2
    10.0.0.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16392
        spid=8 seq=2 pid=594 refcnt=2
    172.23.5.1[any] 172.23.23.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16389
        spid=5 seq=1 pid=594 refcnt=2
    172.23.5.1[any] 10.0.0.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16391
        spid=7 seq=0 pid=594 refcnt=2

pfSense GUI:

    Status : IPsec : SAD:

    Source          Destination     Protocol  SPI       Enc. alg.  Auth. alg.
    S.S.S.S[4500]   N.N.N.N[4500]   ESP-UDP   01a4b04e  aes-cbc    hmac-sha1
    N.N.N.N[4500]   S.S.S.S[4500]   ESP-UDP   0a72a812  aes-cbc    hmac-sha1

    Status : IPsec : SPD:

    Source          Destination     Direction  Protocol  Tunnel endpoints
    172.23.5.1      172.23.23.0/24  |>         ESP       N.N.N.N -> S.S.S.S
    172.23.23.0/24  172.23.5.1      <|         ESP       S.S.S.S -> N.N.N.N

On pfSense server:

    Diagnostics : Execute command:
    $ setkey -D -P
    172.23.23.0/24[any] 172.23.23.1[any] 255
        in none
        spid=2 seq=3 pid=41190 refcnt=1
    172.23.5.1[any] 172.23.23.0/24[any] 255
        in ipsec
        esp/tunnel/N.N.N.N-S.S.S.S/unique:5
        created: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
        lifetime: 3600(s) validtime: 0(s)
        spid=11 seq=2 pid=41190 refcnt=1
    172.23.23.1[any] 172.23.23.0/24[any] 255
        out none
        spid=1 seq=1 pid=41190 refcnt=1
    172.23.23.0/24[any] 172.23.5.1[any] 255
        out ipsec
        esp/tunnel/S.S.S.S-N.N.N.N/unique:5
        created: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
        lifetime: 3600(s) validtime: 0(s)
        spid=12 seq=0 pid=41190 refcnt=1

    Diagnostics : Execute command:
    $ setkey -D
    S.S.S.S[4500] N.N.N.N[4500]
        esp-udp mode=any spi=27570254(0x01a4b04e) reqid=5(0x00000005)
        E: aes-cbc 142d151d 796b20a0 860ace1f 09f0d700 1f3ec969 c1ae1590 ce966a4b f1057e26
        A: hmac-sha1 b6592fa3 a12a3833 6b395351 73ffe3f0 cc20106b
        seq=0x000004b0 replay=4 flags=0x00000000 state=mature
        created: Mar 29 11:49:34 2011  current: Mar 29 11:58:32 2011
        diff: 538(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 11:58:31 2011  hard: 0(s)  soft: 0(s)
        current: 916368(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 1200  hard: 0  soft: 0
        sadb_seq=1 pid=62101 refcnt=2
    N.N.N.N[4500] S.S.S.S[4500]
        esp-udp mode=tunnel spi=175286290(0x0a72a812) reqid=5(0x00000005)
        E: aes-cbc f28072ff f5029cf3 2a70eedc 2a2b0ad9 2c28e74b a414498c 9291e311 cccf8af0
        A: hmac-sha1 f29f43d9 7bacceb2 13b50280 208f69da ff2811a7
        seq=0x00000391 replay=4 flags=0x00000000 state=mature
        created: Mar 29 11:49:34 2011  current: Mar 29 11:58:32 2011
        diff: 538(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 11:58:31 2011  hard: 0(s)  soft: 0(s)
        current: 116654(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 913  hard: 0  soft: 0
        sadb_seq=0 pid=62101 refcnt=1


This is what happens during an unsuccessful VPN establishment:

    C.C.C.C = Client's IP address
    S.S.S.S = pfSense server

Status: System logs: IPsec VPN

    Mar 29 12:04:36 racoon: [Self]: INFO: respond new phase 1 negotiation: S.S.S.S[500]<=>C.C.C.C[500]
    Mar 29 12:04:36 racoon: INFO: begin Aggressive mode.
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: RFC 3947
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 29 12:04:36 racoon: INFO: received Vendor ID: DPD
    Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Selected NAT-T version: RFC 3947
    Mar 29 12:04:36 racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Hashing C.C.C.C[500] with algo #2
    Mar 29 12:04:36 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo #2
    Mar 29 12:04:36 racoon: INFO: Adding xauth VID payload.
    Mar 29 12:04:36 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo #2
    Mar 29 12:04:36 racoon: INFO: NAT-D payload #0 verified
    Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Hashing C.C.C.C[500] with algo #2
    Mar 29 12:04:36 racoon: INFO: NAT-D payload #1 verified
    Mar 29 12:04:36 racoon: [C.C.C.C] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Mar 29 12:04:36 racoon: INFO: NAT not detected
    Mar 29 12:04:36 racoon: INFO: Sending Xauth request
    Mar 29 12:04:36 racoon: [Self]: INFO: ISAKMP-SA established S.S.S.S[500]-C.C.C.C[500] spi:95619fb9ac088afe:0e5b27157aa153b8
    Mar 29 12:04:41 racoon: INFO: Using port 0
    Mar 29 12:04:41 racoon: INFO: login succeeded for user "user"
    Mar 29 12:04:41 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Mar 29 12:04:41 racoon: ERROR: Cannot open "/etc/motd"
    Mar 29 12:04:41 racoon: WARNING: Ignored attribute 28683
    Mar 29 12:04:41 racoon: [Self]: INFO: respond new phase 2 negotiation: S.S.S.S[500]<=>C.C.C.C[500]
    Mar 29 12:04:41 racoon: INFO: no policy found, try to generate the policy : 172.23.5.1/32[0] 172.23.23.0/24[0] proto=any dir=in
    Mar 29 12:04:41 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->C.C.C.C[500] spi=124068764(0x765239c)
    Mar 29 12:04:41 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->C.C.C.C[500] spi=258506082(0xf687d62)
    Mar 29 12:04:42 racoon: [Self]: INFO: initiate new phase 2 negotiation: S.S.S.S[500]<=>C.C.C.C[500]
    Mar 29 12:04:42 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->C.C.C.C[500] spi=103283229(0x627fa1d)
    Mar 29 12:04:42 racoon: [Self]: INFO: IPsec-SA established: ESP S.S.S.S[500]->C.C.C.C[500] spi=51402328(0x3105658)
    Mar 29 12:04:45 racoon: INFO: deleting a generated policy.
    Mar 29 12:04:45 racoon: INFO: purged IPsec-SA proto_id=ESP spi=258506082.

On client:

    bash-3.2# setkey -D
    C.C.C.C S.S.S.S
        esp mode=tunnel spi=103283229(0x0627fa1d) reqid=16393(0x00004009)
        E: aes-cbc 0de27614 46793c61 c78adf40 1ff0229c 984613fe b6052278 babd13a1 a1960ef2
        A: hmac-sha1 fb8e725d e31b1634 0d4abad4 c3103d1a 50718c86
        seq=0x00000018 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:42 2011  current: Mar 29 12:08:50 2011
        diff: 248(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 12:06:42 2011  hard: 0(s)  soft: 0(s)
        current: 3648(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 24  hard: 0  soft: 0
        sadb_seq=2 pid=658 refcnt=2
    S.S.S.S C.C.C.C
        esp mode=tunnel spi=51402328(0x03105658) reqid=16394(0x0000400a)
        E: aes-cbc c297b416 ac035e21 b7613566 d353a0b8 9c31353e e7a6c986 1ce950fd 32d80f49
        A: hmac-sha1 576ad258 6417daf8 492defa5 32c885b7 156009f8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:42 2011  current: Mar 29 12:08:50 2011
        diff: 248(s)  hard: 3600(s)  soft: 2880(s)
        last:  hard: 0(s)  soft: 0(s)
        current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 0  hard: 0  soft: 0
        sadb_seq=1 pid=658 refcnt=2
    S.S.S.S C.C.C.C
        esp mode=tunnel spi=258506082(0x0f687d62) reqid=16394(0x0000400a)
        E: aes-cbc 366e13f5 16c238ea 0cbcecae 5fbc0685 fc24d042 ab9ec6cf 28752d2e 108ff7cf
        A: hmac-sha1 a2b201a1 641f5f34 d873c7fb cda8d279 abc5893a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:41 2011  current: Mar 29 12:08:50 2011
        diff: 249(s)  hard: 3600(s)  soft: 2880(s)
        last:  hard: 0(s)  soft: 0(s)
        current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 0  hard: 0  soft: 0
        sadb_seq=0 pid=658 refcnt=2

    bash-3.2# setkey -D -P
    172.23.23.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16394
        spid=10 seq=3 pid=659 refcnt=2
    10.0.0.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16396
        spid=12 seq=2 pid=659 refcnt=2
    172.23.5.1[any] 172.23.23.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16393
        spid=9 seq=1 pid=659 refcnt=2
    172.23.5.1[any] 10.0.0.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16395
        spid=11 seq=0 pid=659 refcnt=2
    bash-3.2#

pfSense GUI:

    Status : IPsec : SAD:

    Source          Destination     Protocol  SPI       Enc. alg.  Auth. alg.
    S.S.S.S         C.C.C.C         ESP       03105658  aes-cbc    hmac-sha1
    C.C.C.C         S.S.S.S         ESP       0627fa1d  aes-cbc    hmac-sha1
    C.C.C.C         S.S.S.S         ESP       0765239c  aes-cbc    hmac-sha1

    Status : IPsec : SPD:

    No IPsec security policies.

On pfSense server:

    Diagnostics : Execute command:
    $ setkey -D
    S.S.S.S C.C.C.C
        esp mode=any spi=51402328(0x03105658) reqid=7(0x00000007)
        E: aes-cbc c297b416 ac035e21 b7613566 d353a0b8 9c31353e e7a6c986 1ce950fd 32d80f49
        A: hmac-sha1 576ad258 6417daf8 492defa5 32c885b7 156009f8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:42 2011  current: Mar 29 12:10:28 2011
        diff: 346(s)  hard: 3600(s)  soft: 2880(s)
        last:  hard: 0(s)  soft: 0(s)
        current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 0  hard: 0  soft: 0
        sadb_seq=2 pid=41539 refcnt=1
    C.C.C.C S.S.S.S
        esp mode=tunnel spi=103283229(0x0627fa1d) reqid=7(0x00000007)
        E: aes-cbc 0de27614 46793c61 c78adf40 1ff0229c 984613fe b6052278 babd13a1 a1960ef2
        A: hmac-sha1 fb8e725d e31b1634 0d4abad4 c3103d1a 50718c86
        seq=0x00000018 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:42 2011  current: Mar 29 12:10:28 2011
        diff: 346(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 12:06:42 2011  hard: 0(s)  soft: 0(s)
        current: 2392(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 24  hard: 0  soft: 0
        sadb_seq=1 pid=41539 refcnt=1
    C.C.C.C S.S.S.S
        esp mode=tunnel spi=124068764(0x0765239c) reqid=7(0x00000007)
        E: aes-cbc 87d83d3d 7f5522d5 ffd81080 fdb63f67 9702ffff a33b59bc 40be260f 598213d9
        A: hmac-sha1 53fad134 9d09f9fa 063240e3 8bf364d1 3e7b8927
        seq=0x00000006 replay=4 flags=0x00000000 state=mature
        created: Mar 29 12:04:41 2011  current: Mar 29 12:10:28 2011
        diff: 347(s)  hard: 3600(s)  soft: 2880(s)
        last: Mar 29 12:04:42 2011  hard: 0(s)  soft: 0(s)
        current: 598(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 6  hard: 0  soft: 0
        sadb_seq=0 pid=41539 refcnt=1

    Diagnostics : Execute command:
    $ setkey -D -P
    172.23.23.0/24[any] 172.23.23.1[any] 255
        in none
        spid=2 seq=1 pid=61858 refcnt=1
    172.23.23.1[any] 172.23.23.0/24[any] 255
        out none
        spid=1 seq=0 pid=61858 refcnt=1

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
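The `setkey -D -P` dumps in the message are what decide whether the responder will carry the client's traffic at all, so the following is an added example (not part of the original post, and not pfSense or racoon code) that parses that KAME-style SPD output and lists which client-to-subnet policies a mobile client still lacks on the responder. The addresses 203.0.113.1 and 198.51.100.5 are constructed stand-ins for S.S.S.S and N.N.N.N, the two embedded dumps are constructed to mirror the shape of the server-side output quoted above, and accepting "dir action" either on the header line or on the following indented line is an assumption made to cover different setkey builds.

```python
"""Check a KAME/FreeBSD `setkey -D -P` dump for the SPD entries a mobile IPsec
client needs on the responder.  Added example; both dumps below are constructed."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins (RFC 5737 documentation ranges) for the placeholders in
# the post: S.S.S.S (pfSense WAN) and N.N.N.N (NAT gateway in front of the client).
SERVER = "203.0.113.1"
NAT_GW = "198.51.100.5"
VIRTUAL_IP = "172.23.5.1"                      # address handed out from the mobile pool
LOCAL_SUBNETS = ["172.23.23.0/24", "10.0.0.0/24"]

# Constructed sample mirroring the server dump after the NAT-T connection.
SPD_NAT_T = f"""\
172.23.23.0/24[any] 172.23.23.1[any] 255
\tin none
\tspid=2 seq=3 pid=41190 refcnt=1
{VIRTUAL_IP}[any] 172.23.23.0/24[any] 255
\tin ipsec
\tesp/tunnel/{NAT_GW}-{SERVER}/unique:5
\tcreated: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
\tlifetime: 3600(s) validtime: 0(s)
\tspid=11 seq=2 pid=41190 refcnt=1
172.23.23.1[any] 172.23.23.0/24[any] 255
\tout none
\tspid=1 seq=1 pid=41190 refcnt=1
172.23.23.0/24[any] {VIRTUAL_IP}[any] 255
\tout ipsec
\tesp/tunnel/{SERVER}-{NAT_GW}/unique:5
\tcreated: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
\tlifetime: 3600(s) validtime: 0(s)
\tspid=12 seq=0 pid=41190 refcnt=1
"""

# Constructed sample mirroring the server dump after the non-NAT connection:
# only the two built-in "none" policies remain.
SPD_NO_NAT = """\
172.23.23.0/24[any] 172.23.23.1[any] 255
\tin none
\tspid=2 seq=1 pid=61858 refcnt=1
172.23.23.1[any] 172.23.23.0/24[any] 255
\tout none
\tspid=1 seq=0 pid=61858 refcnt=1
"""


@dataclass
class Policy:
    src: str
    dst: str
    proto: str
    direction: Optional[str] = None    # in / out / fwd
    action: Optional[str] = None       # ipsec / none / discard
    tunnel_src: Optional[str] = None   # outer endpoints, ipsec policies only
    tunnel_dst: Optional[str] = None
    spid: Optional[int] = None


# "src[port] dst[port] proto", optionally followed by "dir action" on the same
# line (assumed for other setkey builds); KAME prints it on the next line.
HEADER = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)"
                    r"(?:\s+(in|out|fwd)\s+(ipsec|none|discard))?\s*$")
DIR_ACTION = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard)$")
PROPOSAL = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^-]+)-([^/]+)/(\S+)$")
SPID = re.compile(r"\bspid=(\d+)")


def parse_spd(text: str) -> List[Policy]:
    """Turn a setkey -D -P dump into one Policy record per SPD entry."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented line: new entry
            m = HEADER.match(raw)
            if not m:
                raise ValueError(f"unrecognised policy header: {raw!r}")
            src, _sport, dst, _dport, proto, direction, action = m.groups()
            policies.append(Policy(src, dst, proto, direction, action))
            continue
        if not policies:
            raise ValueError("continuation line before any policy header")
        cur, body = policies[-1], raw.strip()
        if (dm := DIR_ACTION.match(body)):
            cur.direction, cur.action = dm.groups()
        elif (pm := PROPOSAL.match(body)):
            cur.tunnel_src, cur.tunnel_dst = pm.group(3), pm.group(4)
        elif (sm := SPID.search(body)):
            cur.spid = int(sm.group(1))
    return policies


def missing_mobile_policies(policies: List[Policy], virtual_ip: str,
                            local_subnets: List[str]) -> List[Tuple[str, str, str]]:
    """(src, dst, direction) triples the responder should hold but does not.
    Each local subnet needs an inbound ipsec policy client->subnet and an
    outbound ipsec policy subnet->client."""
    have = {(p.src, p.dst, p.direction) for p in policies if p.action == "ipsec"}
    expected = []
    for net in local_subnets:
        expected += [(virtual_ip, net, "in"), (net, virtual_ip, "out")]
    return [e for e in expected if e not in have]


def report(text: str, virtual_ip: str = VIRTUAL_IP,
           local_subnets: List[str] = LOCAL_SUBNETS) -> str:
    policies = parse_spd(text)
    missing = missing_mobile_policies(policies, virtual_ip, local_subnets)
    lines = [f"{len(policies)} SPD entries, "
             f"{sum(p.action == 'ipsec' for p in policies)} with action ipsec"]
    lines += [f"  MISSING {d:3} {s} -> {t}" for s, t, d in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a live dump in (setkey -D -P | python3 spd_check.py) or run the samples.
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        for name, dump in (("NAT-T sample", SPD_NAT_T), ("non-NAT sample", SPD_NO_NAT)):
            print(f"== {name}\n{report(dump)}")
```

On the NAT-T sample the check reports the two 10.0.0.0/24 policies as absent, which is what the quoted server dump shows (only the 172.23.23.0/24 pair was generated, matching the single "try to generate the policy" line in the racoon log); on the non-NAT sample it reports all four, since only the built-in "none" policies survive. Comparing the responder's dump with the client's `setkey -D -P` this way pins the asymmetry to the responder side without guessing from the GUI summary.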