• IPsec tunnel established but no traffic because of missing route (18 posts, 93k views)

    I got my IPsec implementation working; it was an issue with the routes of the computer I was testing with…

  • Interesting traffic goes to WAN (1 post, 3k views, no replies)

  • (2 posts, 3k views)
    Looks like this could be a DHCP problem from the concentrator to pfSense.

    Here is a DHCP log excerpt, latest entry first:

    Mar 17 08:19:34 dhcpd: send_packet: Permission denied
    Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
    Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0

    So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26… I wonder if a DHCP relay is needed?
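    As an added example (not part of the post above, and not pfSense or ISC dhcpd code): a small Python checker for dhcpd log lines of the kind quoted in the post. It pairs the "send_packet" failure with the DISCOVER/OFFER it belongs to and flags a "via" address that is the subnet's network address rather than a relay host address. The sample lines are constructed from the post; the expected relay address 192.168.10.26 and the 192.168.10.0/24 subnet are assumptions taken from the poster's wording.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the three lines quoted in the post
# (the poster pasted newest first; the code does not depend on the order).
SAMPLE_LOG = """\
Mar 17 08:19:34 dhcpd: send_packet: Permission denied
Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dhcpd: (?P<msg>.*)$")
# ISC dhcpd prints "via <giaddr>" when the packet came through a relay and
# "via <ifname>" when it arrived directly on an interface.
VIA_RE = re.compile(
    r"^(?P<type>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*? via (?P<via>\S+)$"
)


def parse(log_text):
    """Split a dhcpd syslog excerpt into (timestamp, message) pairs."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("msg")))
    return out


def analyse(log_text, expected_relay, client_subnet):
    """
    Return a list of (kind, timestamp, detail) findings:
      send_failed    - dhcpd logged a send_packet error, so the OFFER/ACK
                       never left the box (the client keeps DISCOVERing);
      via_is_network - the giaddr dhcpd saw is the *network* address of the
                       client subnet, not a relay/gateway host address;
      via_unexpected - the giaddr is a host address but not the relay we
                       expect (expected_relay is an assumed value).
    """
    net = ip_network(client_subnet, strict=False)
    expected = ip_address(expected_relay)
    findings = []
    for ts, msg in parse(log_text):
        if msg.startswith("send_packet:"):
            findings.append(("send_failed", ts, msg))
            continue
        m = VIA_RE.match(msg)
        if not m:
            continue
        via = m.group("via")
        try:
            via_ip = ip_address(via)
        except ValueError:
            continue  # "via em0" style: arrived directly, not relayed
        if via_ip == net.network_address:
            findings.append(("via_is_network", ts,
                             f"{m.group('type')} from {m.group('mac')} via {via}"))
        elif via_ip != expected:
            findings.append(("via_unexpected", ts,
                             f"{m.group('type')} via {via}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in analyse(SAMPLE_LOG, "192.168.10.26", "192.168.10.0/24"):
        print(f"{ts} [{kind}] {detail}")
```

    Run against the sample it reports one failed send and two relayed packets whose giaddr is 192.168.10.0; a giaddr that is a real host address but not the expected relay is reported separately, so a misconfigured relay and a missing relay are told apart.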

  • Route all traffic from tunnel through specific LAN IP? (9 posts, 4k views)

    You should use a gateway/failover configuration. I do not know how pfSense chooses interfaces to fill the drop-down list.
    You may wish to try modifying your config.xml just for testing ;-) For example I have this in my config:

    <load_balancer><lbpool><type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>x.x.x.x</monitorip>
    <name>Internet</name>
    <desc><port><servers>wan|y.y.y.y</servers>
    <servers>opt1|x.x.x.x</servers></port></desc></lbpool></load_balancer>

  • Resolving computer names over IPSec (4 posts, 3k views)

    You have to create a static route.

    Assuming that the DNS server on the other side is 192.168.100.1 and your pfSense on your side is 10.77.76.1; if not, adjust accordingly. Note that the network for the remote DNS server is /32 and not /24.

    Interface   Network             Gateway
    LAN         192.168.100.1/32    10.77.76.1

    After that you have to go to Services -> DNS Forwarder and, in the section saying "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.", you add:

    Domain        IP
    colo.local    192.168.100.1

    You will now have to connect to your server using \\server1.colo.local\Data or whatever you used in the previous section. To avoid having to type "colo.local" you could add it to your Windows TCP/IP Advanced DNS configuration.

  • Gif* interface is missing (2 posts, 2k views)

    To answer my own question: a gif interface is not mandatory, but it is recommended if you are about to debug your IPsec connection.

  • Connection drops after ~12h and does not reconnect (1 post, 3k views, no replies)

  • pfSense IPsec to Zywall 35 - small howto needed, plz. (1 post, 2k views, no replies)

  • How can I replace the cryptography algorithm with something else? (1 post, 1k views, no replies)

  • Time out waiting for IP address after tunnel comes up (1 post, 2k views, no replies)
  • Two VPN? (7 posts, 3k views)

    Thanks, I will try it.

    Best regards

  • VPN stopped working all of a sudden (1 post, 2k views, no replies)

  • IPSec Site-to-Site via FQDN HowTo Needed (2 posts, 2k views)

    GruensFroeschli:

    http://doc.pfsense.org/index.php/Tutorials
    –> http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/

  • Problems with establishing tunnel between pfSense and Linksys BEFVP41 (4 posts, 4k views)

    I have quite a few tunnels (~10-15) to the same Linksys BEFVP41 router. I'm only using main mode, not aggressive, but mine all work fine. I've seen most of those errors in my logs, but after a maximum of 1 or 2 minutes the tunnels usually come right back up. The only one I haven't seen is:

    racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

    What do the logs on the Linksys look like?

  • IPSec issues - pfSense <=> SonicWall (5 posts, 11k views)

    I had to open port 500 on the pfSense box. At least open it to connections coming from the IP of the SonicWall.

    I'm sure you have already checked, but make sure again that all your phase 1 settings are the same on both sides.
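    As an added check (not from the post above and not pfSense's own code): Python that, given a simplified view of the WAN pass rules and the peer's address, lists which of UDP/500, UDP/4500 and ESP the peer still cannot reach, and diffs two phase-1 configurations while treating the identifiers as crossed (one side's "my ID" must equal the other side's "peer ID"). The post mentions only port 500; UDP/4500 (NAT-T) and ESP (IP protocol 50) are included here because a tunnel with only ISAKMP allowed can negotiate and then pass no traffic. All addresses, rule dicts and phase-1 values are constructed, and the dict layout is a hypothetical representation, not pfSense's config format.

```python
from ipaddress import ip_address, ip_network

# What an IPsec peer must be able to send to the pfSense WAN address:
# ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50, no port).
REQUIRED_INBOUND = (("udp", 500), ("udp", 4500), ("esp", None))

# Constructed, simplified view of a WAN ruleset: one dict per pass rule.
# "src" is a CIDR or "any"; "dst_port" is omitted for non-port protocols.
WAN_RULES_TOO_NARROW = [
    {"proto": "udp", "src": "203.0.113.10/32", "dst_port": 500},
]
WAN_RULES_COMPLETE = [
    {"proto": "udp", "src": "203.0.113.10/32", "dst_port": 500},
    {"proto": "udp", "src": "203.0.113.10/32", "dst_port": 4500},
    {"proto": "esp", "src": "203.0.113.10/32"},
]


def _src_net(src):
    return ip_network("0.0.0.0/0" if src == "any" else src, strict=False)


def missing_inbound_rules(wan_rules, peer_ip):
    """Return the (proto, port) pairs that no pass rule allows from peer_ip."""
    peer = ip_address(peer_ip)
    missing = []
    for proto, port in REQUIRED_INBOUND:
        allowed = any(
            r["proto"] == proto
            and (port is None or r.get("dst_port") == port)
            and peer in _src_net(r["src"])
            for r in wan_rules
        )
        if not allowed:
            missing.append((proto, port))
    return missing


# Constructed phase-1 settings as each side would display them. The hash
# deliberately differs so the comparison has something to report.
PFSENSE_P1 = {"mode": "main", "auth": "psk", "encryption": "aes256",
              "hash": "sha1", "dh_group": 2, "lifetime": 28800,
              "my_id": "198.51.100.5", "peer_id": "203.0.113.10"}
SONICWALL_P1 = {"mode": "main", "auth": "psk", "encryption": "aes256",
                "hash": "md5", "dh_group": 2, "lifetime": 28800,
                "my_id": "203.0.113.10", "peer_id": "198.51.100.5"}

# Proposal parameters that must be identical on both ends.
SYMMETRIC_KEYS = ("mode", "auth", "encryption", "hash", "dh_group", "lifetime")


def phase1_mismatches(local, remote):
    """
    Compare two phase-1 configurations. Returns {setting: (local, remote)}
    for every difference; an empty dict means the proposals agree.
    Identifiers are crossed: what one side sends as my_id is what the
    other side must expect as peer_id.
    """
    diffs = {}
    for k in SYMMETRIC_KEYS:
        if local.get(k) != remote.get(k):
            diffs[k] = (local.get(k), remote.get(k))
    if local.get("my_id") != remote.get("peer_id"):
        diffs["my_id!=remote.peer_id"] = (local.get("my_id"), remote.get("peer_id"))
    if local.get("peer_id") != remote.get("my_id"):
        diffs["peer_id!=remote.my_id"] = (local.get("peer_id"), remote.get("my_id"))
    return diffs


if __name__ == "__main__":
    print("missing WAN rules:", missing_inbound_rules(WAN_RULES_TOO_NARROW, "203.0.113.10"))
    print("phase-1 differences:", phase1_mismatches(PFSENSE_P1, SONICWALL_P1))
```

    With only the UDP/500 rule present the first check reports UDP/4500 and ESP as still blocked; the second reports the hash mismatch and nothing else, because the IDs are correctly crossed. Comparing a configuration against itself is reported as a mismatch for exactly that reason.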

  • Unable to access hosts (6 posts, 3k views)

    @csnf:

    It appears the issue is with the default gateway of the machines at the 'main' site. The pfSense machine at the main site is IP 10.1.1.8 and the machines which are not accessible have a gateway of 10.1.1.254, which is the second gateway that is still in use since I'm testing with the pfSense machine.

    Can you put a static route in the existing gateway 10.1.1.254 pointing to your pfSense box for your other subnet?

  • Racoon: ERROR: Failed to pre-process packet. (2 posts, 6k views)

    Sorry, no ideas, but I also have these errors and have looked around for answers. My VPNs also work just fine, but it is a little disconcerting.

  • Full Duplex breaks IPSec? (6 posts, 3k views)

    Just an update, I solved my problem…

    The IPsec log files were OK, no errors: connected but no traffic.

    The problem was that one site was configured for DHCP, not static...

  • HELP : ERROR: none message must be encrypted (9 posts, 15k views)

    we are running on 192.168.2.0/24, NATted to x.x.191/24 and they are on x.x.249.0/24 for the external IP's we ping to. Internal IP's on their side is in the 10.x.x.x range. Also /24 as far as we know…

  • pfSense IPSec Passthrough? Cisco QuickVPN Client can't get out … (2 posts, 5k views)

    I had issues with this as well. Perhaps this will help. I have three ADSL modem/routers in front of my pfSense box.

    Make sure NAT is disabled on pfSense if it is behind another router, otherwise you double NAT. Enable manual outbound NAT but don't create any rules unless you have a mix of connections. That is, create NATs for interfaces that are directly connected and don't for those that are behind a NATing router.

    If you are load balancing across multiple links, then define a rule on LAN: all protos/ports, destination: <the other end>, route via "default". This will make sure that all traffic to this destination gets through and does not get bounced around.

    Cheers
    Jon

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.