• 2 IPSec tunnels and relayd

    2
    0 Votes
    2 Posts
    807 Views
    Hi again. I basically found the solution myself: https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Sometimes it's hard to get the search criteria right. Cheers.
  • Quick Question About IPsec SA Details

    3
    0 Votes
    3 Posts
    838 Views
    Perfect. Looks like "Diff" should be the inverse of "Rekey Left". Thanks!
  • Can't Access Web Configurator via IPSec VPN

    2
    0 Votes
    2 Posts
    867 Views
    Okay. Figured this one out. When I access my local F/W, I can just type in the host name (without the http(s):// part) and it automatically redirects to https://. However, when I type the host name of the F/W on the other site, it does not redirect, so it's trying to hit http://host.name.com. As soon as I type the whole thing (i.e. https://host.name.com) it works. Not sure why I'm getting the redirect going from site B to site A and not from site A to site B, but I can live with it.
  • 0 Votes
    1 Posts
    733 Views
    No one has replied
  • Ping via ssh pfsense site-to-site

    3
    0 Votes
    3 Posts
    1k Views
    To add to Jimp's thought: You may also need to allow ping traffic on your firewall. Under Firewall, Rules, IPSec, you may need a rule that states Allow, IPSec, ICMP (echoreq), Source (Remote network), Destination (LAN Address). Hope this helps!
  • Problem IPSec pfSense x ASA

    2
    0 Votes
    2 Posts
    2k Views
    felipe2k2: It seems to me that the nature of IPSec VPN tunnels is that if Site A has traffic for Site B, the firewall at Site A is going to try to establish a tunnel with Site B to pass that traffic across. If you are at Site B (with pfSense) and you disable the Phase 2's and Phase 1 for the tunnel to Site A (that has the Cisco ASA), no traffic will be able to pass from Site A to Site B, which is the goal. Site A (which you have stated you do not have access to) is going to continue to try to establish a tunnel to Site B as it has traffic. As long as the tunnel config at Site B is disabled, though, you have nothing to worry about. If the traffic from Site A is bothering you, you might consider creating a Block rule on the firewall where the source is Site A's IP address and the Destination is your WAN address. You can set the protocol to Any and block all the traffic, not just the IPSec traffic. Hope this helps!
  • IPSec Roadwarrior VPN with Radius authentication

    3
    0 Votes
    3 Posts
    1k Views
    Thanks jimp for your reply. I will double check and try again.
  • ***SOLVED*** built IPSEC tunnel, site to site is talking….green box

    2
    0 Votes
    2 Posts
    940 Views
    SOLVED: I needed to create a static route in each firewall. 13.4.4. pfSense-initiated Traffic and IPsec To access the remote end of IPsec connections from pfSense itself, you will need to "fake" the system by adding a static route pointing the remote network to the system's LAN IP. Note this example presumes the VPN is connecting the LAN interface on both sides. If your IPsec connection is connecting an OPT interface, replace Interface and IP address of the interface accordingly. Because of the way IPsec is tied into the FreeBSD kernel, without the static route the traffic will follow the system's routing table, which will likely send this traffic out your WAN interface rather than over the IPsec tunnel. Once I did that, I was able to ping from within pfSense on both sides via Diagnostics, Ping. I was able to ping the remote pfSense box and get replies, as well as network devices, all from within pfSense.
  • Pfsense to pfsense ipsec VPN (failed to get sainfo) on reconnect

    1
    0 Votes
    1 Posts
    761 Views
    No one has replied
  • Quick IPSec problem

    2
    0 Votes
    2 Posts
    910 Views
    jimp
    Without knowing exactly how your IPsec Phase 1 is configured it's impossible to offer any advice. Please show your current mobile and phase 1 settings (you can redact/hide the keys of course)
  • IPSEC binds to private ip address after cable modem resets

    2
    0 Votes
    2 Posts
    903 Views
    On the WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box? Most likely it would be 192.168.100.1. Not sure that will help IPSEC though. It means IPSEC is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem interim DHCP server is up. You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the Motorola units I've seen.
  • GRE over IPSEC in transport mode and NAT

    4
    0 Votes
    4 Posts
    2k Views
    I have a static port NAT rule in place, but this does not seem to help. Do I need to create a specific rule when using IPsec in transport mode? I have a rule in place on the WAN interface for the LAN network.
  • Starting external script from updown is causing connection failures

    1
    0 Votes
    1 Posts
    631 Views
    No one has replied
  • IPSec configuration for use w/ Windows Clients

    1
    0 Votes
    1 Posts
    659 Views
    No one has replied
  • PFSense to Watchguard Site to Site IPSec Unstable

    1
    0 Votes
    1 Posts
    876 Views
    No one has replied
  • IPSec works between sites.. but not for PfSense

    3
    0 Votes
    3 Posts
    966 Views
    @cmb: https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Hi, thanks CMB. That's what I did, as I think I explained. :) So it doesn't really work, because when I create the static routes, it works for my pfSense box and the Active Directory interfacing I want, but the machines on the distant network side can't use the VPN anymore.
  • PFSense as client for Cisco IPsec VPN server

    3
    0 Votes
    3 Posts
    1k Views
    Derelict, thank you for replying to my post! The reason I want to have pfSense connect to the VPN server is that I want to be able to connect my mobile devices to my WiFi network and have access to the remote site through the VPN tunnel. As a workaround, I can use a Mac to connect to the VPN and create a hotspot (I think it to be more reliable on a Mac than on Windows), but I consider this option as the last option. Another solution is to buy another Access Point that offers Cisco IPSec with authentication, but my searches on the internet have not been very productive. If any of you know of an example, please let me know. (I have a Tomato AP, but that doesn't support IPSec out of the box.) Thanks, Alex
  • 0 Votes
    3 Posts
    1k Views
    Also you should be able to restore changes from the backup/Restore???
  • Nrpe check_ping and Ipsec

    3
    0 Votes
    3 Posts
    2k Views
    Thank you very much jimp. I chose the first option and it's working well, just as I wanted. Wasn't so hard after all. I had to add the "-4" flag in the NRPE check too. One problem less :)
  • DMVPN and OSPF

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.