• MSChapV2 Authentication missing in 2.3.2/2.3.2

    2
    0 Votes
    2 Posts
    603 Views
    jimpJ
    You are looking at the wrong type of P1. EAP-MSCHAPv2 and other similar methods are only available for mobile IPsec, not for site-to-site P1s.
  • Windows 7 rekey fails always

    1
    0 Votes
    1 Posts
    436 Views
    No one has replied
  • Proper Setup for L2TP/IPSec using Synology NAS

    1
    0 Votes
    1 Posts
    762 Views
    No one has replied
  • PFSense-to-PFsense IPSec tunnel on network other than LAN?

    3
    0 Votes
    3 Posts
    2k Views
    J
    @Derelict: 1 = ADMIN - (192.168.2.1/24) 14 = ESXI - (192.168.2.14/24) 25 = VOIP - (192.168.2.25/24) 30 = DMZ - (192.168.2.30/24) What you say? LOL, no. That's a typo.. That would NOT work!  I've edited the original post to correct this.. the real address for those vlans is 2 = ADMIN - (192.168.222.0/24) 10 = LAN - (192.168.10.0/24) 11 = WORK - (192.168.11.0/24) 12 = REMOTE - (192.168.12.0/24) 14 = ESXI - (192.168.14.0/24) 25 = VOIP - (192.168.25.0/24) 30 = DMZ - (192.168.30.0/24) In a nutshell.. If I have my remote pfsense box IPSEC configured to use my LAN subnet, 192.168.10.0/24, and my LOCAL pfsense set to have his traffic come in on my lan subnet, vlan 10, everything works just peachy.. If I change the remote pfsense box to use a different subnet (say vlan 12 - 192.168.12.0/24 ), AND set my local pfsense box to have his traffic come in on vlan 12, it no workey..  Not one byte. Yes I have rules that for now allow ALL traffic to pass from the interfaces I've been testing with, namely VLAN 10, and vlan 12 on my end, and his ipsec & lan interface on the remote side. I'd really like to figure this out! Thanks
  • Shrewsoft IPSEC with PFSense 2.3.2_1

    5
    0 Votes
    5 Posts
    2k Views
    C
    I had a working config, but after one of the recent pfsense updates it's no more. I can ping IPs but not domain names.
  • Ipsec with dual pfsense

    3
    0 Votes
    3 Posts
    792 Views
    M
    Yes it fixed our issue, hope this thread helps someone. We could not find any information on it.
  • IPSEC Client -> Site-to-Site VPN via PFsense

    5
    0 Votes
    5 Posts
    2k Views
    M
    Hi, figured out a workaround myself. On mobile P1 add a P2 to route everything 0.0.0.0/0. And I am using Android built-in VPN client, which can define what range of IPs to go through with VPN. Site-to-site P2s are needed as suggested. Thanks
  • Ipsec vs openvpn vs tnc

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    For that situation I prefer OpenVPN since it generally has an easier time punching out from behind random end-user networks.
  • Site-to-Site VPN with source NAT

    3
    0 Votes
    3 Posts
    1k Views
    H
    I think I have the same issue as you, and figured out the problem and a semi-workaround. Bug/Issue with NAT 1:1 rule operation on IPsec interface https://forum.pfsense.org/index.php?topic=126289.0
  • Site to Site setup with more than one external IP address

    3
    0 Votes
    3 Posts
    782 Views
    K
    Thank you. Ok, I created a VIP alias and the label IP and the connection starts with the correct IP addresses. However in the IPsec logs I receive the following error. "06[NET] <con2000|506>sending packet: from VIP[500] to site2-IP[500] (400 bytes) "03[NET] error writing to socket: Can't assign requested address" And the packets don't show up at the second site (which is expected if the error description is accurate). Any idea what I haven't configured correctly?
  • Can Not Establish IPSEC Connection – PFSense Behind Cisco Router

    3
    0 Votes
    3 Posts
    2k Views
    -
    Have you fixed this problem? It seems that I have exactly the same problem as you. My config is almost the same as yours. I hope someone could give the right answer.
  • What Does This Mean

    3
    0 Votes
    3 Posts
    2k Views
    DerelictD
    And what you're actually concerned about there.
  • IPSec with AWS

    4
    0 Votes
    4 Posts
    946 Views
    DerelictD
    That would be closer to how it should be so change it back and post those logs. What you have there is certainly not right.
  • IPSEC VPN Configuration, restrict access.

    2
    0 Votes
    2 Posts
    879 Views
    J
    It's been a while and you likely already figured this out, but what I would do is add rules to the firewall for IPSec, reducing the access to only the NAS box.  The SOURCE address would be LAN NET and the DESTINATION address would be "single host or alias", with the hostname or IP address of the NAS box.  Make sure to allow all protocols/ports to this device to keep the rule simple. John
  • Routing Problems with IPSec

    1
    0 Votes
    1 Posts
    683 Views
    No one has replied
  • IPSEC interface cannot see LAN interface

    1
    0 Votes
    1 Posts
    652 Views
    No one has replied
  • Working IPSEC VPN Security

    8
    0 Votes
    8 Posts
    2k Views
    T
    Cheers, looks like the choice I'm using is OK
  • Clearing all IPSec Config

    3
    0 Votes
    3 Posts
    692 Views
    T
    Thanks that's good to know.
  • IPSec tunnel dropping and re-negotiating every couple of minutes

    6
    0 Votes
    6 Posts
    7k Views
    S
    I know this post has been inactive for a while, but I just wanted to say that I ran into the same issue.  Every roughly 160 seconds (2 minutes 40 sec),  the ipsec tunnel would drop and reconnect.  Some differences for me were that there were no issues reported in the log, the other end is not a sonic wall, and my version is 2.3.2-RELEASE-p1. I fixed it by deleting my configuration and recreating it from scratch.  There must be some subtle bug in the ipsec back-end.
  • IPSEC behind NAT won't connect - "no shared key" error

    3
    0 Votes
    3 Posts
    3k Views
    M
    Yeah, unfortunately my ISP here in Nepal doesn't seem to understand what they have.  I tell them I need a fixed public IP and they keep telling me "You have a static IP!" but I know it is NATed to the outside world.  I have actually gotten IPSEC working decently well to the external IP by using dynamic DNS, but I still have other issues.  For instance my kids' xBox still has "Strict" NAT despite the fact that I have all the correct ports forwarded on my end, so they can't play Minecraft online.  I'll just have to keep talking to the ISP until I find someone that understands the problem. Thanks, -Matt
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.