• IPSEC binds to private ip address after cable modem resets

    2
    0 Votes
    2 Posts
    889 Views
    C

    On WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box?  Most likely would be 192.168.100.1

    Not sure that will help IPSEC though.  It means IPSEC is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem interim DHCP server is up.  You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the Motorola units I've seen.

  • GRE over IPSEC in transport mode and NAT

    4
    0 Votes
    4 Posts
    2k Views
    J

    I have a static port NAT rule in place, but this does not seem to help. Do I need to create a specific rule when using IPsec in transport mode? I have a rule in place on the WAN interface for the LAN network.

  • Starting external script from updown is causing connection failures

    1
    0 Votes
    1 Posts
    626 Views
    No one has replied
  • IPSec configuration for use w/ Windows Clients

    1
    0 Votes
    1 Posts
    656 Views
    No one has replied
  • PFSense to Watchguard Site to Site IPSec Unstable

    1
    0 Votes
    1 Posts
    868 Views
    No one has replied
  • IPSec works between sites.. but not for PfSense

    3
    0 Votes
    3 Posts
    952 Views
    G

    @cmb:

    https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

    Hi, thanks CMB .. That's what I did as I think I explained .. :)

    So it doesn't really work because when I create the static routes, it works for my pfSense box and the Active Directory interfacing I want but the machines on the distant network side can't use the VPN anymore

  • PFSense as client for Cisco IPsec VPN server

    3
    0 Votes
    3 Posts
    1k Views
    A

    Derelict, thank you for replying to my post!

    The reason I want to have pfSense connect to the VPN server is that I want to be able to connect my mobile devices to my WiFi network and have access to the remote site through the VPN tunnel.

    As a workaround, I can use a Mac to connect to the VPN and create a hotspot (I think it is more reliable on a Mac than on Windows), but I consider this option as the last option.

    Another solution is to buy another AccessPoint that offers Cisco IPSec with authentication, but my searches on the internet have not been very productive. If any of you know of an example, please let me know. (I have a Tomato AP, but that doesn't support IPSec out of the box)

    Thanks,
    Alex

  • 0 Votes
    3 Posts
    1k Views
    K

    Also you should be able to restore changes from the backup/Restore???

  • Nrpe check_ping and Ipsec

    3
    0 Votes
    3 Posts
    2k Views
    P

    Thank you very much jimp.

    I chose the first option and it's working well, just as I wanted. Wasn't so hard after all. I had to add the "-4" flag in the nrpe check too.

    One problem less :)

  • DMVPN and OSPF

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPsec site to site and multiple networks

    2
    0 Votes
    2 Posts
    967 Views
    jimpJ

    It's necessary in most every IPsec device but the methods are different.

    Some define the Phase 2 networks as we do. Others define them using ACLs, policies, or "routes" of sorts – no matter what you need to have a list of networks to allow on your side and IPsec destinations on the far side. Some try to automate or hide parts of it, but it makes diagnosing tunnel issues much more difficult than it needs to be.

    In the future it may be simplified somewhat by using aliases for Phase 2 networks, but that isn't possible yet.

  • Does wildcard SSL require dedicated IPs for each sub-domain

    1
    0 Votes
    1 Posts
    657 Views
    No one has replied
  • Will switch to strongswan allow for High Availability?

    6
    0 Votes
    6 Posts
    2k Views
    C

    @kapara:

    Yeah not sure either.  I guess the best way to find out is I will post a bounty.  I am sure others will also be interested in a true IPSec failover solution.

    Or ask in the strongswan / freebsd communities.

  • PfSense Racoon as VPN client

    2
    0 Votes
    2 Posts
    637 Views
    jimpJ

    No.

  • IPsec to Azure

    1
    0 Votes
    1 Posts
    895 Views
    No one has replied
  • Ipsec die when no client is in the network

    5
    0 Votes
    5 Posts
    1k Views
    P

    @l123456:

    So what should I ping in this case?

    I usually ping the LAN interface address of the remote box.

    Why couldn't I ping from server to server?

    I'd think it is because something in your configuration prevents it.

  • Endpoints different configurations

    2
    0 Votes
    2 Posts
    856 Views
    U

    Mostly, in my experience, IPsec connections need to match exactly on both endpoints.

    Problems arise when connecting pfSense to hardware like Cisco and Sonicwall (for which there are many good tutorials online). I have done both successfully, but it is always a challenge making pfSense terminology match-up to vendor terminology.

    -J

  • Mystified by iperf results across IPsec tunnel

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN Ipsec : random disconnections

    3
    0 Votes
    3 Posts
    1k Views
    A

    I changed the timeout of the VPN both sides and it works better.  It happens less times but still problems sometimes.  I need to disconnect it from remote side, then VPN is automatically up.
    Really strange…

  • Reboot required when IPSEC drops

    4
    0 Votes
    4 Posts
    1k Views
    C

    You running PPTP on there? That's the log you end up with in the misconfiguration described here.
    https://redmine.pfsense.org/issues/1421

    Jim's suggestion is the other likely possibility. When it's happening, check Diag>States, filter for ESP, :500 and :4500. What do those look like?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.