It seems this might be the answer.
https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
Did you allow traffic in on Firewall > Rules, IPsec tab?
When it comes to NAT, the SonicWall doesn't know about your actual internal network. So their tunnel P2 is built to the NAT network, and on the SonicWall side, when they try to ping the pfSense side, they ping the NAT network addresses instead.
When you are making a change to a server with dozens of tunnels in production, stopping and restarting IPsec because of a change made to one tunnel can be a real downer.
"Encryption domain" in Cisco-speak is a Phase 2 entry. Something in there must not match their side exactly.
Set your IPsec logging as shown under https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29 and see what shows up when the Cisco side tries to initiate the tunnel.