Bug #1291

Inner VPN Roadwarrior IPSEC in Tunnel VPN IPSEC not working with Firewall Scrub enabled

Added by Davide B about 14 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Operating System
Target version: -
Start date: 02/17/2011
% Done: 0%
Affected Version: 2.0
Affected Architecture: i386

Description

Running 2.0-BETA5 (i386) built on Tue Feb 15 16:36:07 EST 2011.
WAN is an xl0 ethernet card, LAN is an sge0 ethernet card trunked with vlanZ (so sge0_vlanZ), OPT1 is an xl1 ethernet card for pfsync CARP.
CARP works properly for the Virtual IPs on WAN and LAN.

VPN IPSEC in tunnel mode on the WAN VIP interface without NAT-T. Remote network X.X.X.0/24, local network 0.0.0.0/0.
This VPN works properly; for example, there is no problem with HTTP proxy traffic from the X.X.X.X client.

We have a VPN IPSEC RoadWarrior endpoint on the LAN side (Y.Y.Y.Y) for remote clients of the X.X.X.0/24 network.
So we try to activate a double IPSEC tunnel.

With the following firewall rules on pfSense the RoadWarrior VPN doesn't work:

LAN interface:
  • ESP Y.Y.Y.Y -> X.X.X.0/24
IPSEC interface:
  • ESP X.X.X.0/24 -> Y.Y.Y.Y
  • ISAKMP X.X.X.0/24 -> Y.Y.Y.Y

On pflog0 we find this log:

IP (tos 0x0, ttl 63, id 7501, offset 0, flags [+], proto UDP (17), length 1444)
X.X.X.X.500 > Y.Y.Y.Y.500: isakmp 1.0 msgid : phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1828/ip 1416)
IP (tos 0x0, ttl 63, id 7501, offset 1424, flags [+], proto UDP (17), length 76)
X.X.X.X > Y.Y.Y.Y: udp
IP (tos 0x0, ttl 63, id 7501, offset 1480, flags [none], proto UDP (17), length 376)
X.X.X.X > Y.Y.Y.Y: udp

So one big ISAKMP packet (fragmented into three packets) is dropped by the firewall.

If we modify the firewall rules like this:

LAN interface:
  • Any protocol X.X.X.0/24 -> Y.Y.Y.Y
  • Any protocol Y.Y.Y.Y -> X.X.X.0/24
IPSEC interface:
  • Any protocol X.X.X.0/24 -> Y.Y.Y.Y
  • Any protocol Y.Y.Y.Y -> X.X.X.0/24

there are no more packets dropped in pflog0, but the RoadWarrior VPN still doesn't work.

Disabling "Firewall Scrub" under "System->Advanced->Firewall/NAT", the RoadWarrior VPN works!

Re-establishing the first firewall rules and disabling "Firewall Scrub", the RoadWarrior VPN once again doesn't work.
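As an added illustration (my own script, not part of the report or of pfSense), the following Python parses the three pflog records quoted above, groups the fragments by IP id, reassembles them, and shows that only the offset-0 fragment carries the UDP header a port-based (ISAKMP) rule can inspect; the reassembled UDP payload comes out at exactly the 1828 bytes tcpdump reported for the ISAKMP message. Reassembling before filtering is what a packet filter's scrub/reassembly stage does, which is why fragment handling is the first thing to check when a port-based rule appears to drop a large IKE exchange. The IP_HDR/UDP_HDR constants (no IP options assumed) and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three pflog records from the report, with the
# report's own placeholder addresses X.X.X.X / Y.Y.Y.Y (not real hosts).
PFLOG = """\
IP (tos 0x0, ttl 63, id 7501, offset 0, flags [+], proto UDP (17), length 1444)
X.X.X.X.500 > Y.Y.Y.Y.500: isakmp 1.0 msgid : phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1828/ip 1416)
IP (tos 0x0, ttl 63, id 7501, offset 1424, flags [+], proto UDP (17), length 76)
X.X.X.X > Y.Y.Y.Y: udp
IP (tos 0x0, ttl 63, id 7501, offset 1480, flags [none], proto UDP (17), length 376)
X.X.X.X > Y.Y.Y.Y: udp
"""

IP_HDR = 20   # assumed: no IP options, so a 20-byte IP header on every fragment
UDP_HDR = 8

HDR_RE = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto \w+ \(\d+\), length (\d+)")

def parse_fragments(log):
    """Map IP id -> [(offset, payload_len, more_fragments), ...] from tcpdump-style pflog text."""
    frags = defaultdict(list)
    for m in HDR_RE.finditer(log):
        ip_id, offset, flags, length = m.groups()
        more = "+" in flags                      # tcpdump prints [+] when the MF bit is set
        frags[int(ip_id)].append((int(offset), int(length) - IP_HDR, more))
    return dict(frags)

def has_l4_header(frag):
    """Only the offset-0 fragment carries the UDP header that a port-based (ISAKMP) rule can inspect."""
    return frag[0] == 0

def reassemble(frag_list):
    """Return the reassembled IP payload length, or None if the fragments leave a hole or never end."""
    if not frag_list:
        return None
    expected, more = 0, True
    for offset, plen, more in sorted(frag_list):
        if offset != expected:
            return None                          # gap: a fragment is missing or overlaps
        expected = offset + plen
    return None if more else expected            # the last fragment must have MF clear

if __name__ == "__main__":
    for ip_id, frags in parse_fragments(PFLOG).items():
        total = reassemble(frags)
        visible = sum(has_l4_header(f) for f in frags)
        print(f"IP id {ip_id}: {len(frags)} fragments, {visible} with a UDP header; "
              f"reassembled UDP payload = {total and total - UDP_HDR} bytes")
```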

Actions #1

Updated by Chris Buechler almost 14 years ago

  • Category changed from Unknown to Operating System
  • Target version deleted (2.0)

Actions #2

Updated by Ermal Luçi over 10 years ago

  • Status changed from New to Closed

Please test in 2.2 and report back.
This should no longer be an issue.
