  • IPsec Tunnel Green Local Only - No Traffic Passes

    Locked | 3 Posts | 0 Votes | 2k Views
    Not sure if this will help – But I had to add an address to ping on the other end to my configs before traffic would pass. Also, if you have multiple Gateways or a load share of some sort be sure the traffic is going to the right route / gateway.
  • Ipsec tunnels up but no traffic

    Locked | 2 Posts | 0 Votes | 2k Views
    You really need to post your vpn config for phase 1 and 2.
  • IPSec VPN to CISCO

    Locked | 11 Posts | 0 Votes | 6k Views
    This is the setup I have with a cisco ASA:
    Phase 1
    PSK
    Neg Mode: Main
    My ID: My IP
    Peer ID: Peer IP
    Key: ….etc
    Policy Gen: Default
    Proposal: Obey
    Enc: AES 128
    Hash: SHA1
    DH: 2
    Lifetime: 28800
    NAT-T: disable
    DPD: Disabled
    Phase 2:
    ESP
    Enc: AES 128
    Hash: SHA1
    PFS: 2
    Lifetime: 3600
    Tunnel has been up and solid!
  • IPSec Road Warrior re-authentication interval

    Locked | 8 Posts | 0 Votes | 4k Views
    From the reading I've been doing this has to do with the way Apple has OS X set up. They require that the IPSec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.
  • Mobile IPsec cant pass any traffic…

    Locked | 1 Post | 0 Votes | 1k Views
    No one has replied
  • Reset racoon command line

    Locked | 6 Posts | 0 Votes | 4k Views
    I too would like to restart racoon with cron every day. Since racoon doesn't appear to be able to restart itself once it stops, I need to be able to have a cron job start/restart it at a specific time each day. None of the examples of starting or restarting racoon from the command line that I've searched for seem to actually work on pfSense version 2.0.1 release. Is there a parameter somewhere that will tell racoon to automatically restart if it is stopped?
  • NAT-D payload #1 doesn't match? (but is working OK…?)

    Locked | 1 Post | 0 Votes | 6k Views
    No one has replied
  • Help finding 1 pfsense vpn mode for all x86/x64 Windows Vista+ boxen

    Locked | 5 Posts | 0 Votes | 2k Views
    jimp: I had issues with their x64 versions as well. I had planned on including a 2.3 beta x64 build in the exporter (the code is actually all there, and the client binary too) but their installer didn't actually function properly. It would give registry errors and/or fail to import the config. But the 32-bit works great.
  • Slow VPN - IPSec, PPTP, OpenVPN

    Locked | 2 Posts | 0 Votes | 3k Views
    jimp: Could be an MTU issue. Under System > Advanced on the Misc tab, try setting up MSS clamping for VPNs there, try something low-ish like 1400.
  • VPN NAT IPSEC

    Locked | 8 Posts | 0 Votes | 3k Views
    It's quite understandable. After all, 2.0.2 is finished (apparently it has been for the past 3 months ;-) but so far some last-minute issues have delayed its official release) whereas the NAT before IPsec functionality is totally new, it has just been introduced and it's not even part of stock FreeBSD.
  • PfSense - IOS 6 (AT&T LTE) - Asterisk –

    Locked | 4 Posts | 0 Votes | 3k Views
    Answer was twofold – First, dump 3cxPhone to Useragent: Acrobits Softphone/5.2. Then validate routing for the Route end of the Mobile IPSec, which included moving it to a 172.23.0.0 subnet due to a conflict.
  • Reachability problems via IPSEC

    Locked | 2 Posts | 0 Votes | 2k Views
    Here is some more information:

    PFSense on 192.168.51.0/24 side:

    pfctl -s all

    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on le1 inet from 10.0.0.0/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.0/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 194.97.90.69 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 192.168.51.0/24 to any
    block drop in inet from 192.168.51.248 to any
    block drop in on ! le1 inet from 194.97.90.64/27 to any
    block drop in inet from 194.97.90.69 to any
    block drop in on le0 inet6 from fe80::250:56ff:fe97:4d8c to any
    block drop in on le1 inet6 from fe80::250:56ff:fe97:5e2a to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 194.97.90.94) inet from 194.97.90.69 to ! 194.97.90.64/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in quick on le1 reply-to (le1 194.97.90.94) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 212.25.8.11 keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 212.25.8.11 to any keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = isakmp keep state label "IPsec: Office FGN Munich - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = isakmp keep state label "IPsec: Office FGN Munich - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = sae-urn keep state label "IPsec: Office FGN Munich - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = sae-urn keep state label "IPsec: Office FGN Munich - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 195.30.94.149 keep state label "IPsec: Office FGN Munich - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 195.30.94.149 to any keep state label "IPsec: Office FGN Munich - inbound esp proto"
    anchor "tftp-proxy/" all
    No queue in use

    STATES:
    all icmp 194.97.90.69:65334 -> 212.25.8.2      0:0
    all icmp 192.168.51.248:65334 -> 192.168.51.12      0:0
    all udp 194.97.90.69:500 -> 212.25.8.11:500      MULTIPLE:MULTIPLE
    all esp 194.97.90.69 <- 212.25.8.11      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all udp 194.97.90.69:500 -> 195.30.94.149:500      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61331      FIN_WAIT_2:ESTABLISHED
    all tcp 10.0.0.130:61331 -> 192.168.51.16:8443      ESTABLISHED:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22576      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22576 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:48475      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:48475 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:30376      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:30376 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22875      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22875 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:6412      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:6412 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.130:61383 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:4796      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:4796 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.248:44 <- 192.168.51.20:55212      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:27192      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:27192 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61397      CLOSED:SYN_SENT
    all tcp 10.0.0.130:61397 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all udp 192.168.51.255:138 <- 192.168.51.149:138      NO_TRAFFIC:SINGLE

    INFO:
    Status: Enabled for 1 days 13:54:06          Debug: Urgent
    Interface Stats for le0              IPv4            IPv6
      Bytes In                      614602893            4032
      Bytes Out                     201370476             292
      Packets In
        Passed                        3017844              56
        Blocked                          2576               0
      Packets Out
        Passed                        3102562               4
        Blocked                             0               0
    State Table                          Total            Rate
      current entries                      30
      searches                        17825509          130.6/s
      inserts                           978951            7.2/s
      removals                          978921            7.2/s
    Counters
      match                             981606            7.2/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              4            0.0/s
      proto-cksum                            8            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
      divert                                 0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 581824 1572 227481 1572 227481 0 0
    Default deny rule IPv4 580462 0 0 0 0 0 0
    Default deny rule IPv6 581824 0 0 0 0 0 0
    Default deny rule IPv6 290262 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    sshlockout 580462 0 0 0 0 0 0
    webConfiguratorlockout 284694 0 0 0 0 0 0
    virusprot overload table 291562 0 0 0 0 0 0
    pass IPv4 loopback 291562 0 0 0 0 0 0
    pass IPv4 loopback 288900 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 580462 468378 291462249 226730 270976461 241648 20485788
    let out anything IPv6 from firewall host itself 288900 0 0 0 0 0 0
    let out anything from firewall host itself 288900 336 25536 168 12768 168 12768
    IPsec internal host to host 288900 2767605 162093472 1375851 80128734 1391754 81964738
    anti-lockout rule 580462 0 0 0 0 0 0
    anti-lockout rule 3 633 81468 219 15035 414 66433
    USER_RULE: Allow all on VM WAN 580461 1253 210217 1148 116626 105 93591
    USER_RULE: Default LAN -> any 579423 2769913 162655791 1394063 82527141 1375850 80128650
    USER_RULE 290017 468378 291462249 241648 20485788 226730 270976461
    IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp 290472 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp 209 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto 492 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto 320 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound isakmp 492 14842 1801228 7417 892976 7425 908252
    IPsec: Office FGN Munich - inbound isakmp 209 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound nat-t 172 0 0 0 0 0 0
    IPsec: Office FGN Munich - inbound nat-t 168 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound esp proto 492 1126 171152 0 0 1126 171152
    IPsec: Office FGN Munich - inbound esp proto 320 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                 30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                 45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                   60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                 60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            5400 states
    adaptive.end             10800 states
    src.track                    0s

    LIMITS:
    states        hard limit    9000
    src-nodes     hard limit    9000
    frags         hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    PFSense on 10.0.0.128/25 side:

    pfctl -s all

    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 212.25.8.11 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 10.0.0.128/25 to any
    block drop in inet from 10.0.0.254 to any
    block drop in on ! le1 inet from 212.25.8.0/25 to any
    block drop in inet from 212.25.8.11 to any
    block drop in on le0 inet6 from fe80::20c:29ff:fe3c:4258 to any
    block drop in on le1 inet6 from fe80::20c:29ff:fe3c:4262 to any
    pass in quick on le1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on le1 inet proto udp from any port = bootpc to 212.25.8.11 port = bootps keep state label "allow access to DHCP server"
    pass out quick on le1 inet proto udp from 212.25.8.11 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 212.25.8.1) inet from 212.25.8.11 to ! 212.25.8.0/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in log quick on le1 reply-to (le1 212.25.8.1) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 10.0.0.128/25 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t"
    pass out on le1 route-to (le1 212.25.8.1) inet proto esp from any to 194.97.90.69 keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto esp from 194.97.90.69 to any keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto"
    anchor "tftp-proxy/" all
    No queue in use

    STATES:
    all icmp 10.0.0.254:28658 <- 10.0.0.253      0:0
    all icmp 10.0.0.254:50354 <- 10.0.0.252      0:0
    all carp 224.0.0.18 <- 212.25.8.26      NO_TRAFFIC:SINGLE
    all icmp 212.25.8.11:48441 -> 212.25.8.1      0:0
    all icmp 10.0.0.254:48441 -> 10.0.0.254      0:0
    all udp 212.25.8.11:500 <- 194.97.90.69:500      MULTIPLE:MULTIPLE
    all tcp 212.25.8.11:44 <- 195.30.94.149:29036      ESTABLISHED:ESTABLISHED
    all tcp 212.25.8.11:44 <- 195.30.94.149:30734      ESTABLISHED:ESTABLISHED
    all esp 212.25.8.11 -> 194.97.90.69      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61186      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.130:61186 -> 192.168.51.16:8443      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.254:51664 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:32911 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 212.25.8.11:44 <- 195.30.94.149:52536      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.254:31106 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61306      CLOSED:SYN_SENT
    all tcp 10.0.0.254:14321 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:19233 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:10051 <- 10.0.0.129:55623      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:38917 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all igmp 224.0.0.1 <- 212.25.3.137      NO_TRAFFIC:SINGLE
    all pfsync 10.0.0.252 <- 10.0.0.253      SINGLE:MULTIPLE
    all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
    all tcp 10.0.0.254:45545 -> 192.168.51.20:10051      ESTABLISHED:ESTABLISHED

    INFO:
    Status: Enabled for 2 days 18:33:13          Debug: Urgent
    Interface Stats for le0              IPv4            IPv6
      Bytes In                      400694979          398592
      Bytes Out                     615563169             256
      Packets In
        Passed                        6346568            1180
        Blocked                          1960            3832
      Packets Out
        Passed                        8598800               3
        Blocked                           270               0
    State Table                          Total            Rate
      current entries                      28
      searches                        37303419          155.7/s
      inserts                          1665570            7.0/s
      removals                         1665542            7.0/s
    Counters
      match                            1675756            7.0/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                           3838            0.0/s
      proto-cksum                           21            0.0/s
      state-mismatch                         6            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
      divert                                 0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 1013104 55 2464 55 2464 0 0
    Default deny rule IPv4 1006863 0 0 0 0 0 0
    Default deny rule IPv6 1013104 5575 401400 5575 401400 0 0
    Default deny rule IPv6 513470 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    sshlockout 1012438 0 0 0 0 0 0
    webConfiguratorlockout 484573 0 0 0 0 0 0
    virusprot overload table 505209 0 0 0 0 0 0
    allow access to DHCP server 22308 0 0 0 0 0 0
    allow access to DHCP server 194 388 176190 194 111744 194 64446
    allow access to DHCP server 514896 0 0 0 0 0 0
    pass IPv4 loopback 1008899 22059 1317735 11610 682668 10449 635067
    pass IPv4 loopback 2322 0 0 0 0 0 0
    pass IPv6 loopback 5667 0 0 0 0 0 0
    pass IPv6 loopback 1161 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 1012244 7232351 487832654 2400612 147667655 4831739 340164999
    let out anything IPv6 from firewall host itself 507229 0 0 0 0 0 0
    let out anything from firewall host itself 507229 8642 796952 4244 443326 4398 353626
    IPsec internal host to host 507229 795805 495094348 384978 459432413 410827 35661935
    anti-lockout rule 1012244 0 0 0 0 0 0
    anti-lockout rule 2309 0 0 0 0 0 0
    USER_RULE: Allow all on VM WAN 1012244 37420 17180593 18024 1765745 19396 15414848
    USER_RULE: Default LAN -> any 990970 154652 30724591 62193 16620611 92459 14103980
    USER_RULE 499094 4802251 290029335 2420598 144153657 2381653 145875678
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp 508445 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto 52 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                 30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                 45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                   60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                 60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            6000 states
    adaptive.end             12000 states
    src.track                    0s

    LIMITS:
    states        hard limit   10000
    src-nodes     hard limit   10000
    frags         hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    Traceroutes from 10.0.0.165 and 10.0.0.166 to 192.168.51.20:

    traceroute 192.168.51.20
    traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
     1  10.0.0.165 (10.0.0.165)  3009.797 ms !H  3009.797 ms !H  3009.795 ms !H

    traceroute 192.168.51.20
    traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
     1  10.0.0.166 (10.0.0.166)  3018.811 ms !H  3018.809 ms !H  3018.806 ms !H
  • IPsec Doesn't connect … with no error

    Locked | 3 Posts | 0 Votes | 5k Views
    Hi Jimp, Okay that makes sense and you were correct. The keepalive didn't do anything, but pinging a system on the remote network did initiate the tunnel.
  • Different 3G APN: one works, other doesn't

    Locked | 2 Posts | 0 Votes | 1k Views
    Setting NAT Traversal to Force in Phase 1 seems to have fixed the issue for now.
  • Pfsense and sonicwall

    Locked | 6 Posts | 0 Votes | 3k Views
    dotdash: From memory, 3DES is more reliable than AES when connecting to a sonic. It may also help to disable DPD and NAT-T.
  • Static Routes applied before IPSec?

    Locked | 2 Posts | 0 Votes | 1k Views
    dotdash: No, IPSec matches the traffic before it hits the routing table.
  • IPSec Site-to-Site - Green - but no traffic

    Locked | 6 Posts | 0 Votes | 9k Views
    IT WORKS! Thanks for your help, Podilarius. After re-saving the Phase II entries something clicked, so I can now ping remote hosts. Which I of course would not have been able to without that rule change :)
  • IPSec tunnel stopped working

    Locked | 1 Post | 0 Votes | 1k Views
    No one has replied
  • Access to remote site (site-site VPN) with VPN client

    Locked | 7 Posts | 0 Votes | 3k Views
    Ben,
    US network - 192.168.11.0/24
    UK network - 192.168.10.0/24
    Have tried setting network address to 192.168.10.0/23 for phase 2, which did not work.
    Thanks
  • Reach Remote-Remote Network

    Locked | 2 Posts | 0 Votes | 2k Views
    Hi, you need to set the "Local network" to the opposite remote network… i.e. on the A-C phase 2 you set the local subnet to the B subnet and the remote one to the C subnet, and on the A-B one you set the local network to the C subnet and the remote one to the B subnet. Hope that makes sense. Ben
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.