Yes it fixed our issue, hope this thread helps someone. We could not find any information on it.

Hi Figured out a workaround myself. On mobile P1 add a P2 to route everything 0.0.0.0/0. And I am using Android built in VPN client which can define what range of IPs to go through with VPN site to site P2s are needed as suggested Thanks

For that situation I prefer OpenVPN since it generally has an easier time punching out from behind random end-user networks.

I think I have the same issue as you, and figured out the problem and a semi-workaround. Bug/Issue with NAT 1:1 rule operation on IPsec interface https://forum.pfsense.org/index.php?topic=126289.0

Thank you. Ok, I created a VIP alias and the label IP and the connection starts with the correct IP addresses. However in the IPsec logs I receive the following error. "06[NET] <con2000|506>sending packet: from VIP[500] to site2-IP[500] (400 bytes) "03[NET] error writing to socket: Can't assign requested address" And the packets don't show up at the second site (which is expected if the error description is accurate). Any idea what I haven't configured correctly?</con2000|506>

Have you fix this problem? It seems that I have exact the same problem as you. My config is almost the same as yours. I hope someone could give the right answer.

And what you're actually concerned about there.

That would be closer to how it should be so change it back and post those logs. What you have there is certainly not right.

Its been a while and you likely already figured this out but What I would do is add rules to the firewall for IPSec, reducing the access to only the NAS box.  The SOURCE address would be LAN NET and the DESTINATION address would be "single host or alias", with the hostname or ip address of the NAS box.  Make sure to allow all protocols/ports to this device to keep the rule simple. John

Cheers, looks like the choice I'm using is OK

Thanks that's good to know.

I know this post has been inactive for a while, but I just wanted to say that I ran into the same issue.  Every roughly 160 seconds (2 minutes 40 sec),  the ipsec tunnel would drop and reconnect.  Some differences for me were that there were no issues reported in the log, the other end is not a sonic wall, and my version is 2.3.2-RELEASE-p1. I fixed it by deleting my configuration and recreating it from scratch.  There must be some subtle bug in the ipsec back-end.

Yeah, unfortunately my ISP here in Nepal doesn't seem to understand what they have.  I tell them I need a fixed public IP and they keep telling me "You have a static IP!" but I know it is NATed to the outside world.  I have actually gotten IPSEC working decently well to the external IP by using dynamic DNS, but I still have other issues.  For instance my kids' xBox still has "Strict" NAT despite the fact that I have all the correct ports forwarded on my end, so they can't play Minecraft online.  I'll just have to keep talking to the ISP until I find someone that understands the problem. Thanks, -Matt

How come I can do that on Fortinet for instance? I just create my IPSEC VPN with the 10.0.44.128/25 P2 and a VIP 10.0.44.129, make it point to an IP from any local network and it works. Is this behaviour non-standard? I guess I could use OpenVPN instead, right?