• Visibility between tunnels

    0 Votes
    2 Posts
    1k Views
    jimp

    http://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets#pfSense_2.0.2B

  • Ipsec between pfsense and cyberoam

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Failover back to Primary issue with ipsec

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Mobile IPsec problem with iOS client

    0 Votes
    13 Posts
    8k Views

    @gamejia:

    For those interested in a very ugly workaround, I created a script that runs every 5 minutes (using cron) and cleans up the IPSec SAD and SPD entries if there are no users using IPSec.

    <snip>Please keep in mind that this is still a WIP and I plan on cleaning it up more in the future if no fix is available. I plan on comparing the entries returned by "setkey -Da" and "setkey -DPa" to the values returned by racoonctl and only remove the SPD entries that are causing problems.</snip>

    Thank you for posting the script. It has been really helpful, and has made the VPN usage in our small network more predictable.

    Ideally this should be handled at the pfSense end without using this workaround, considering that with a larger number of users things can get complicated. I was not able to find any bug report for this; is anyone aware of a bug report having been filed? Otherwise I'll go ahead and do it.
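As an added example (not the script from the post above, and not pfSense's own code), the Python below is a stand-in for that cron job that does what the quoted post says its author planned next: it parses `setkey -DP` output, compares each tunnel-mode policy's peer with the ISAKMP SAs that `racoonctl show-sa isakmp` lists, and emits `setkey -c` spddelete lines only for policies whose peer has no ISAKMP SA. The two sample outputs, the addresses and the function names are constructed for this example; on a real 2.0-era box the inputs would come from running those two commands, and `apply_with_setkey` stays a dry run unless told otherwise.

```python
"""
Added example: prune IPsec SPD entries whose peer no longer has an ISAKMP SA.
Not from the forum post or pfSense. Inputs are constructed samples in the
shape of FreeBSD `setkey -DP` and `racoonctl show-sa isakmp` output.
"""
import re
import subprocess

# Constructed sample of `setkey -DP`: two mobile clients, peer .9 has gone away.
SAMPLE_SPD = """\
10.0.0.0/24[any] 192.168.5.2/32[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.7/unique#16384
\tspid=2 seq=1 pid=1234
\trefcnt=1
192.168.5.2/32[any] 10.0.0.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.7-203.0.113.1/unique#16384
\tspid=1 seq=0 pid=1234
\trefcnt=1
10.0.0.0/24[any] 192.168.5.3/32[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.9/unique#16385
\tspid=4 seq=3 pid=1234
\trefcnt=1
192.168.5.3/32[any] 10.0.0.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.9-203.0.113.1/unique#16385
\tspid=3 seq=2 pid=1234
\trefcnt=1
"""

# Constructed sample of `racoonctl show-sa isakmp`: only 198.51.100.7 is live.
SAMPLE_RACOONCTL = """\
Destination            Cookies                           Created
198.51.100.7.500       4a1f0c9e1b2d3e4f:6c7d8e9fa0b1c2d3  2013-04-01 10:02:17
"""

ENTRY_RE = re.compile(r"^(\S+)\[\S*\] (\S+)\[\S*\] (\S+)$")        # src dst upper
TUNNEL_RE = re.compile(r"^(?:esp|ah|ipcomp)/tunnel/([^-]+)-([^/]+)/")  # tunnel A-B
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.\d+\s")          # addr.port


def parse_spd(text):
    """Parse `setkey -DP` output into dicts with src, dst, upper, direction, remote."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("unexpected SPD header line: %r" % line)
            cur = {"src": m.group(1), "dst": m.group(2), "upper": m.group(3),
                   "direction": None, "remote": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        parts = field.split()
        if parts[0] in ("in", "out", "fwd") and cur["direction"] is None:
            cur["direction"] = parts[0]
        t = TUNNEL_RE.match(field)
        if t:
            # Outbound policy: tunnel destination is the peer; inbound: tunnel source.
            cur["remote"] = t.group(2) if cur["direction"] == "out" else t.group(1)
    return entries


def active_peers(text):
    """Peer addresses that racoon still holds an ISAKMP SA for."""
    return {m.group(1) for m in map(PEER_RE.match, text.splitlines()) if m}


def stale_spd_entries(spd_text, racoonctl_text):
    """Tunnel-mode SPD entries whose peer has no ISAKMP SA. With no peers at
    all, every tunnel entry is returned (the 'no users connected' case)."""
    peers = active_peers(racoonctl_text)
    return [e for e in parse_spd(spd_text)
            if e["remote"] is not None and e["remote"] not in peers]


def spddelete_commands(entries):
    """Render `setkey -c` input that removes exactly these entries."""
    return "".join("spddelete %s %s %s -P %s;\n"
                   % (e["src"], e["dst"], e["upper"], e["direction"])
                   for e in entries)


def apply_with_setkey(script, dry_run=True):
    """Pipe the script into `setkey -c`. Dry run by default; returns the script."""
    if not dry_run and script:
        subprocess.run(["setkey", "-c"], input=script.encode(), check=True)
    return script


if __name__ == "__main__":
    stale = stale_spd_entries(SAMPLE_SPD, SAMPLE_RACOONCTL)
    print(apply_with_setkey(spddelete_commands(stale)), end="")
```

Run from cron it would be fed `setkey -DP` and `racoonctl show-sa isakmp` output instead of the samples, and `apply_with_setkey(..., dry_run=False)` would remove only the policies belonging to the departed peer, leaving the live client's policies untouched, which is the narrower behaviour the quoted post was aiming for instead of flushing everything when nobody is connected.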

  • Connect Then Disconnects PfSense to Cisco ASA

    0 Votes
    2 Posts
    2k Views

    Do you have VM's running?

  • Sasyncd (ipsec failover)

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views

    I unfortunately can not answer your question and I know this won't help your specific issue but I am curious if you know that you can use a single carp IP and then put an IP Alias attached to that carp IP.  This reduces the amount of CARP network traffic on an interface.  During a firewall failover and the main CARP IP gets brought down the IP Aliases attached to that CARP IP will also be brought down and up along with the CARP IP on the primary and secondary firewall.  It is also done much faster that way from what I read.  I just recently discovered this so I just wanted to spread the info for those that haven't searched on it.  I don't know if you are already doing that or not.

  • IPSEC (ZyXEL ZyWALL - pfSense)

    Locked
    0 Votes
    10 Posts
    16k Views

    On the second router everything is set up in the same way. There are no rules prohibiting IPsec.

    NAT config -

    Automatic outbound NAT rule generation
              (IPsec passthrough included)

    I'll try to set up the IPSec tunnel on Cisco-Linksys device today and will report.

  • Tunnel between Pfsense and Cisco

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Default Deny blocks printer :9100 packets

    Locked
    0 Votes
    2 Posts
    2k Views

    Check your ipsec firewall rules? Are they set to any and any?

  • Site-to-site split tunnel

    Locked
    0 Votes
    5 Posts
    2k Views

    In the firewall rules. What rules are in the IPsec tab? They should also be any and any??

  • WatchGuard BOVPN and pfSense IPSec?

    Locked
    0 Votes
    16 Posts
    20k Views

    @wisowebs:

    Lonney, are you still using the mentioned configuration?  I am attempting to establish an IPSEC connection from pfSense to one of 2 WatchGuard x10's and for the life of me cannot get it to work.  The logs yield nothing.  I can add the gateway with success.  When I add and apply my phase two settings I can get them to take only if the check box "add this tunnel to the BOVPN-Allow Policies" is unchecked.

    No dynamic DNS, static IP in each location for the WAN.  Any help anyone could toss my way I would greatly appreciate.  I have scraped this forum and Google with not much help outside of this post.

    I didn't notice you had posted twice, I only saw the second one.

    I'm really not too sure; before I got my config working I had no previous experience with IPSec in general. Most of the information I gleaned from the WatchGuard documentation, which is not written in such a way as to help you configure it for non-WatchGuard devices, and a few bits and pieces from searching forums etc.

    If you're having problems getting the WatchGuard configured you could try contacting WG for support. I had dealt with them a few times for other things, and they were very helpful.

  • Android JB (3G) to Dynamic IP IPsec Tunnel Issue

    Locked
    0 Votes
    2 Posts
    2k Views

    Nobody has any tips/ideas?

  • Speed of IPsec tunnel negotiation

    Locked
    0 Votes
    3 Posts
    2k Views

    Thank you cmb!  Disabling 'Prefer older IPsec SAs' (i.e., clearing the checkbox) definitely shortened my IPsec negotiation time with the remote SonicWALL PRO 3060 to near-instantaneous.  Wow.

    Under the hood, was this setting causing a lot of 'negotiation chatter' between the two peers, or does this setting simply cause pfSense to spin its own wheels and cause the negotiation delay?  I ask because the SonicWALL 'Gen3' model series do not seem to have a corresponding setting.

  • Ipsec behind nat configuration help.

    Locked
    0 Votes
    2 Posts
    2k Views

    Well that was simple… Guess this is why I shouldn't configure networks at 1 in the morning. I just forgot to add a route on the OpenWrt router.

    How can I close this topic?

  • IPsec GRE with BGP

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multiple IPSec Peers

    Locked
    0 Votes
    7 Posts
    3k Views

    I am a bit confused as far as the Gateways are concerned. I can't add a Gateway that falls outside the subnet of the WAN interface. How would I set this up to connect to 2 unique public IP endpoints?

  • IPsec connections dropping - prefer older IPsec SAs per connection?

    Locked
    0 Votes
    7 Posts
    4k Views
    jimp

    It should be disabled. It just didn't get disabled on 2.0.3 before it shipped.

    You can't change it per connection, it's a global setting.

  • VPN Default Route

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    Usually so long as the IPsec Phase 2 matches (0.0.0.0/0 as local on your side of the P2), the firewall rules on the IPsec tab match, and your outbound NAT is set to manual and has a rule for the remote P2 network, then it would work.

  • Phase 2 Failure on Android

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp

    How exactly do you have the Android device configured?

    Last I tried it, http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#Device_Setup_.28Android.29 worked for me on all of my Android devices.

    Though I've long since ditched IPsec in favor of OpenVPN for mobile access

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.