Thanks Vick for your response, I should have posted more information, so here it goes:

- IPSEC Client: Shrew VPN Client 2.1.7 for Windows;
- The tunnel goes up but I can't ping the pfSense box (I have a rule for that on the IPsec tab of the firewall);
- pfSense doesn't log anything from and to the IPSEC VPN;
- I'm using single hosts now, but I've tried with networks (on the IPSEC firewall rules in pfSense) and an IP from that network on the client side config.
My pfSense box is behind an ISP modem router, which forwards ports UDP 500 and UDP 4500 (just in case) to the WAN interface of my box (which is on the LAN interface of the router). I use DynDns (on the ISP router) to access my pfSense from the internet. On the client side I use the virtual adapter and gave it the IP 192.168.13.1 (doesn't overlap the LAN on the pfSense side).

ISP Modem router WAN (DHCP)
pfSense WAN IP 192.168.1.65 (connected on the LAN interface of the ISP router)
pfSense LAN 192.168.5.0/24
IPSEC VPN client IP 192.168.13.1

Here are some logs from the VPN connection:
NOTE: I replaced the public IP with xxx.xxx.xxx.x

racoon: [Self]: INFO: 192.168.5.1[500] used as isakmp port (fd=17)
racoon: [Self]: INFO: 192.168.1.65[500] used as isakmp port (fd=16)
racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
racoon: [Self]: INFO: 192.168.5.1[500] used as isakmp port (fd=17)
racoon: [Self]: INFO: 192.168.1.65[500] used as isakmp port (fd=16)
racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.13.1/32[0] proto=any dir=out"
racoon: ERROR: such policy does not already exist: "192.168.13.1/32[0] 0.0.0.0/0[0]proto=any dir=in"
racoon: INFO: IPsec-SA established: ESP 192.168.1.65[0]->xxx.xxx.xxx.x[0] spi=1491121(0x16c0b1)
racoon: INFO: IPsec-SA established: ESP xxx.xxx.xxx.x[0]->192.168.1.65[0] spi=115113049(0x6dc7c59)
racoon: INFO: no policy found, try to generate the policy : 192.168.13.1/32[0] 0.0.0.0/0[0]proto=any dir=in
racoon: INFO: respond new phase 2 negotiation: 192.168.1.65[0]<=>xxx.xxx.xxx.x[0]
racoon: INFO: ISAKMP-SA established 192.168.1.65[500]-xxx.xxx.xxx.x[10177] spi:af896a91dc59d1dc:a6d17e37deb7e875
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: begin Aggressive mode.
racoon: INFO: respond new phase 1 negotiation: 192.168.1.65[500]<=>xxx.xxx.xxx.x[10177]

I hope this is all understandable...

Thanks again,
Carlos

On Wed, Jun 1, 2011 at 3:54 PM, Vick Khera <[email protected]> wrote:
> On Wed, Jun 1, 2011 at 6:42 AM, Carlos Vicente <[email protected]> wrote:
> > I have pfSense 1.2.3 with OpenVPN working. I want IPSEC for mobile clients
> > on the same box, so I configured it and I can bring the tunnel up, but I
> > can't ping, or access the lan address of the box.
> > The firewall rules on ipsec tab are correct, but I can't see any traffic on
> > the firewall log from ipsec interface.
> >
> On 1.2.3 mobile clients work really well. What is your mobile client
> software? Does it show the tunnel up as well? Does pfSense log
> anything when you ping it via the vpn?
>
> If your mobile clients are not LANs but just single hosts, then I'd
> really suggest sticking with OpenVPN. It is much more robust at
> dealing with any sort of intermediate network hops.
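The log above shows phase 1 and phase 2 completing while racoon reports that no SPD policy exists for the client's virtual address, which is the combination to look for when a tunnel is "up" but carries no traffic. As an added example (not code from the thread, pfSense or racoon), the script below triages a racoon log for exactly that pattern; it assumes the message formats appear as they do in the post, and the sample lines are the post's own lines re-ordered chronologically (the pfSense log view lists newest first).

```python
import re

# Constructed sample: racoon lines from the post above, oldest first,
# with the public IP masked as in the original.
SAMPLE_LOG = """\
racoon: INFO: begin Aggressive mode.
racoon: INFO: respond new phase 1 negotiation: 192.168.1.65[500]<=>xxx.xxx.xxx.x[10177]
racoon: INFO: ISAKMP-SA established 192.168.1.65[500]-xxx.xxx.xxx.x[10177] spi:af896a91dc59d1dc:a6d17e37deb7e875
racoon: INFO: respond new phase 2 negotiation: 192.168.1.65[0]<=>xxx.xxx.xxx.x[0]
racoon: INFO: no policy found, try to generate the policy : 192.168.13.1/32[0] 0.0.0.0/0[0]proto=any dir=in
racoon: INFO: IPsec-SA established: ESP xxx.xxx.xxx.x[0]->192.168.1.65[0] spi=115113049(0x6dc7c59)
racoon: INFO: IPsec-SA established: ESP 192.168.1.65[0]->xxx.xxx.xxx.x[0] spi=1491121(0x16c0b1)
racoon: ERROR: such policy does not already exist: "192.168.13.1/32[0] 0.0.0.0/0[0]proto=any dir=in"
racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.13.1/32[0] proto=any dir=out"
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established \S+-\S+ spi:")
ESP_RE = re.compile(r"IPsec-SA established: ESP (\S+)->(\S+) spi=")
POLICY_ERR_RE = re.compile(r'such policy does not already exist: "([^"]+)"')


def triage_racoon(log_text):
    """Summarise one racoon mobile-client negotiation from its log lines."""
    summary = {
        "aggressive_mode": False,     # phase 1 ran in Aggressive mode
        "phase1_established": False,  # an ISAKMP-SA line was seen
        "esp_sas": [],                # (src, dst) of each established IPsec-SA
        "missing_policies": [],       # SPD entries racoon reported as absent
    }
    for line in log_text.splitlines():
        if "begin Aggressive mode" in line:
            summary["aggressive_mode"] = True
        elif ISAKMP_RE.search(line):
            summary["phase1_established"] = True
        elif m := ESP_RE.search(line):
            summary["esp_sas"].append((m.group(1), m.group(2)))
        elif m := POLICY_ERR_RE.search(line):
            summary["missing_policies"].append(m.group(1))
    # The pattern in the thread: phase 1 and both ESP directions came up, yet
    # racoon could not find an SPD entry for the client's virtual address.
    # That SPD mismatch, not the firewall rules, is the next thing to check.
    summary["sa_up_but_policy_missing"] = (
        summary["phase1_established"]
        and len(summary["esp_sas"]) >= 2
        and bool(summary["missing_policies"])
    )
    return summary
```

Feed it the relevant lines from Status > System Logs > IPsec and look at sa_up_but_policy_missing first; the missing_policies list names the exact selectors racoon expected.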
