• Load balancing IPSec over multiple WANs

  • Tunnel between two dynamic sites

    Here's my working config:

    local subnet is the local subnet on the fw you're on
    remote is the subnet you want to access at the other end
    for remote gateway put in a ddns
    identifier is my ip address, leave blank
    do a pre-shared key, must be the same on both fw's
    keep alive: set this to the fw at the other end
    all other options: set them the same at both ends

  • Connecting Pfsense IPsec behind linksys wireless N router

    I assume what you are asking is if you can set it up behind the Linksys router and the Linksys router is being NATed. I have done this previously but the device was a Linksys router with VPN capabilities behind a DSL modem that was NATting the traffic. It worked but not reliably. I have used the same Linksys vpn router when not behind a NAT and it does work reliably.

    If you can manage the network I would suggest using your pfSense box for the main router and then turn off the routing capabilities of the Linksys router and just let it continue to be an access point.

  • Send syslog data through tunnel, possible?

  • VPN IPSEC between PFSense and Cisco ASA 5505

    jimp

    Try using a different encryption method such as AES-128 which would be faster than 3DES.

    Are you also monitoring the CPU and such on the ASA? I wouldn't think that little of traffic would tax it though.

    It may also be the protocol you are using. Some things might be fast, such as http downloads, while others would be slow (SMBv1 windows shares).

  • Site to site ipsec

    There are two actual possible places to disable the IPsec service from starting, and I am sure there is a reason for this.

    The general one disables IPsec completely for all tunnels. The disable checkbox that you had checked in the config for the actual tunnels is to disable one tunnel while leaving others enabled.

  • IPsec fail on ADSL PPPoE reconnect

    jimp

    Use 1.2.3 everywhere. Many of those issues have been solved over time.

  • Route Traffic to 2nd remote Subnet Through IPSEC!!! S.O.S

    It worked. I made the second IPsec tunnel, added some rules, and it works great!

    Thanks a lot.

  • One way traffic

    Does anyone have any ideas how to stop this multiple tunnel issue?

  • IPsec Config Netopia and pfsense

    I changed the IPs in the config before posting it, thanks for the tip though.

  • IPSec troubles (solved)

    Solved my problem.

    pfSense 1 still had its second connection cached (now used for pfSense 2) and therefore expected the wrong IP.

    Also ran into not being able to ping, but that was simply adding an ICMP rule. Hope this might help someone else out.

  • IPSEC between 2 offices

    Well, we need more info than "It doesn't work". Did you read this?

    http://doc.pfsense.org/index.php/VPN_Capability_IPsec

  • Ipsec dies after a while

    When checking into my own problems I saw this and remembered it:

    http://doc.pfsense.org/index.php/IPsec_Troubleshooting

    ERROR: pfkey DELETE received

    You might see this message repeatedly as Phase 2 is renegotiated between two endpoints (for multiple subnets). The tunnels still work, but traffic may be delayed while the tunnel is switched/reestablished. (more research needed for possible solutions)

  • Site to Site between Netscreen 5GT and PfSense

    jimp

    Try some of the suggestions here:

    http://doc.pfsense.org/index.php/IPsec_Troubleshooting

    And also you might double check the firewall rules on the pfSense side, and the Netscreen side if it is capable of filtering IPsec traffic.

  • Ipsec roadwarrior

    It works from behind the pfSense box also now; the ESP protocol was still blocked.

    Thanks for the help and have a nice weekend!!!

  • Free ipsec software client

    I will check it out ..

    thanks

  • Compression_algorithm deflate

  • 0 Votes
    5 Posts
    3k Views
    C

    @saxd40:

    It appears that this issue still exists in 1.2.3-RELEASE. I never had issues with IPsec tunnels in old versions of pfSense, but ever since I upgraded to 1.2.3-RELEASE 6 months or so ago I've been having intermittent issues with tunnels hanging. In the last few days this has started being 3-5 outages per day (or more).

    Are you using CARP on the master site (two firewalls)?

    I have a lot of IPsec tunnels, towards pfSense boxes and Cisco routers (837, 857 and 877).
    I am using 'Prefer old IPsec SAs', and when a remote router reboots (like AC loss) I must reboot the firewall master node.
    When 'Prefer old IPsec SAs' is off, the tunnel goes down after the phase 1 lifetime.
    From IPsec status I always see green icons.

    PS: I suggest using OpenVPN (when you have firewalls on both sides :P )

    Giacomo

  • /var/etc/racoon.conf missing

    jimp

    Using the physical NIC directly and a VLAN on the same NIC is rarely a good idea.

    Are you sure what you are trying to do with WAN/vlan1 actually makes sense?

  • IPSec - My Identifier in Phase 1 Proposal

    jimp

    Yes, it means WAN IP Address.
