• Snat and ipsec

    IPsec and NAT do not work together. There have been a couple attempts to make it work, the closest one being a bounty that was proposed last year sometime, but the person putting up the money pulled it out before someone with the knowledge to fix it could take the job.

  • Initiate new phase 2 all 48 minutes

  • VMWARE image 1.2.3 connecting to a Symantec 320 appliance over IPSEC

    I have added a few and I could go to their router, but could not ping from their side to my side. I am working with a major issue. It looks like I lost my domain. I am trying to get that fixed and then I can work on my rules. I will get back with you when I get it straight.
    RC

  • Help Cant Get Site to Site Working *With Pictures*

    I will assume that at the other end of the VPN, the VPN device there is working. Here's what I do when I know a VPN should be up but isn't (I usually get errors similar to yours in the IPsec log):

    1. Go to VPN->IPsec
    2. Click the edit button
    3. Click save
    4. It takes you back to the main IPsec screen; click apply, then click save on that same screen.

    If that doesn't fix it, delete and redo (I did this and it fixed my problem).

    By removing IPs, focalguy meant to edit the pictures that you posted (they have the actual IPs) and remove the IPs.

  • HELP–PFsense IPsec With QNO Router IPsec

    To JIMP,

    Sorry for making trouble for you^^
    I'll try asking for help in the GAMING zone there.
    Thanks

  • (thread title missing)

    Changed mobile warrior to use the 192.168 network and now it works fine.

  • Pfsense to SonicWall VPN with multiple networks

    What do you mean? Many tunnels can have the same PSK.

  • My Identifier being ignored by Racoon - IPSec fails Phase 1

    I have a similar problem, but in my case I have two WAN connections, each with its own WAN IP, going back to the same remote site, configured with two different tunnels. I set up FQDNs as the identifiers but with no results. I can establish the first tunnel without a problem, but the second tunnel always fails phase 2 because phase 1 is incorrect. Oddly enough, if I enable the second tunnel first and then start the first tunnel, everything is great until the time-to-live expires; then I have the same problem.

    For Example

    Tunnel 1
    Local IP : 1.1.1.1
    Remote IP : 2.3.4.5

    Tunnel 2
    Local IP : 2.2.2.2
    Remote IP : 2.3.4.5

    Remote Site Settings
    Local IP : 2.3.4.5
    Remote IP 1: 1.1.1.1
    Remote IP 2: 2.2.2.2

    I get this for tunnel 1 and it works:

    racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.3.4.5[500]

    Then tunnel 2 initiates and I get this, which never establishes unless I enabled it first:

    racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]
    racoon: [Tunnel 1]: INFO: IPsec-SA request for 2.3.4.5 queued due to no phase1 found.
    racoon: ERROR: none message must be encrypted
    racoon: ERROR: phase1 negotiation failed due to time up. 750d4b65cf70f0f1:07e5cb35030fb0fd
    racoon: INFO: delete phase 2 handler.
    racoon: [Tunnel 1]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2.3.4.5[0]->2.2.2.2[0]
    racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
    racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
    racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
    racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
    racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).

    Shouldn't I receive this?

    racoon: [Tunnel 2]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]

    Have you been able to find a fix for this, or am I doing something wrong here?

  • PFSENSE 1.2.3 IPSEC with CISCO ASA

    Will do. Thanks!

  • Mobile IPSec configuration not passing traffic

    In that case you might check other common routing issues:

    - Ensure the pfSense host is the default gateway for internal machines
    - Ensure that both sides are using unique, non-overlapping subnets
    - Ensure that client PCs have proper subnet masks set
    - Ensure there are no client-level firewalls preventing traffic from outside their subnet.

    You may need to try packet captures on several different legs of the tunnel (LAN on each end, the enc0 interface on each end) to see if the traffic is hitting pfSense, if it's making it into the tunnel, coming out the other end, and getting passed on to the clients.

  • Site-to-site VPN pfSense to Sonicwall PRO 2040

    That's a bad config. You are using PFS GP2 on the pf box, but in the SonicWall you don't have it checked to use it. Check that box on the SonicWall and it will come alive.

    Kyle

  • IPSEC drops link to older sonicwall os *Solved* Thanks jimp

    Very good! That fixed my problem, 3 days now without a drop. pF on 2D3's is the only way to go, lol. 45 tunnels and not a single flaw now.

  • How to explore remote LAN computers folder with smb/cifs? (solved)

    I thought that folders should automatically be visible in Explorer. When I connected the network unit with
    automatic reconnect they became visible under My Computer. I gave them a "unit letter" which I renamed and put on the desktop.
    I think the speed is better in the tunnel than over the internet.

    Now I have all the functions I wanted and shall go further with the mobile connection!

  • (thread title missing)

    Thanks to Jimp from the other thread, I was able to see why it was not working. To fix it, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.

    Once I made this change, voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows through the Main site. It makes perfect sense why I needed to make this change; it just took a slap in the head from Jimp to point me in the right direction. :)

  • Blackberry IPsec

    I have a Bold 9000.
    First go to Options->Security Options->VPN and create a VPN connection.
    Name=ChooseAName
    Gateway type="CheckPoint".
    Concentrator IP address=your pfSense WAN IP
    Username=does not matter
    User password=put your shared secret here
    IP address and Subnet mask: try to put here the network range you are trying to reach (it's the network behind pfSense)
    All IKE and IPsec parameters are to be configured to match your pfSense settings.
    Save this VPN connection.

    Go to Options->Security Options->WiFi Connections and configure your WiFi connection. In the VPN part of this connection, enter the VPN config (ChooseAName).
    That is it. First connect to WiFi, then in Options->Security Options->VPN you can activate/deactivate the VPN (which is the IPsec tunnel).

  • What do i have to do to see any host in the other subnet

    Just to be clear, it sounds like this:

    Site A:

    WAN Subnet is public, PPPoE
    LAN Subnet is 192.168.2.x

    Site B:

    WAN Subnet is private, 192.168.1.x
    LAN Subnet is also 192.168.1.x

    Is that right? If so, that won't work. The LAN and WAN subnets must be different at Site B, and that may be part of your problem.

    However, if the tunnel comes up OK, you may just be missing the firewall rules for IPsec. Go to Firewall > Rules, IPsec tab on both sites and add an allow all rule (or allow whatever you like) - be sure the protocol on the rule is 'any' and not TCP or else you can't ping over the tunnel.

  • Pfsense 1.2.3 ipsec endpoint carp

  • VPN tunnel to Amazon EC2

    jimp, no problem on changing Chris' phone number. It was the one he had listed on his website.

    http://chrisbuechler.com/index.php?id=34

    Roy…

  • IKE SA expires, but then what?

    @jimp:

    There are mechanisms in place but IPsec has its quirks when working with different devices. Renegotiation is left up to the initiator, so depending on "who started it" (the tunnel) that is who needs to handle the renegotiation.

    When dealing with non-pfSense devices I have often had to set "Prefer old IPsec SAs" under System > Advanced. Can you try to set that and see if there is a difference?

    Thanks, I looked at what parameters I have access to configure, and found an IKE sysvar called rekey_passive, and the description says "When an IPSec or IKE SA expires, the original initiator usually initiates a rekeying negotiation. This sysvar is intended for use when interfacing with an IKE implementation that cannot initiate rekeying. For IKE v1 only."

    That sounds like what you are referring to, and IKE v1 is the "old IPSec SAs"?

    I will play with that!  Thanks for the hint!

  • Anyone using Soekris Engineering vpn1401 on 1.2.3?

    Today I'm in the process of rebuilding my (now secondary) system that was running as our primary with 1.2.3. Its VPN1401 card was working properly running 1.2.x, so I'll let you know if it appears to work as expected when running 1.2.3. If nothing else it would be nice to know if the vpn1401 card is the problem with the other box or if it might be something else with the other box. I'll report back later with results.

    Thanks!
    -E

    @jimp:

    It's less about the number of tunnels and more about throughput. What kind of bandwidth are you dealing with?

    Odds are you'll end up saturating the PCI bus of that accelerator card at reasonable speeds. Those cards are meant to offload the task on lower-end hardware, in the several hundred MHz range, nowhere near what you have.

    I'd run tests without the card installed and see if you still have trouble.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.