• Tunnel between Pfsense and Cisco

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Default Deny blocks printer :9100 packets

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Check your ipsec firewall rules? Are they set to any and any?
  • Site-to-site split tunnel

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    C
    In the firewall rules. What rules are in the IPsec tab? They should also be any and any??
  • WatchGuard BOVPN and pfSense IPSec?

    Locked
    16
    0 Votes
    16 Posts
    20k Views
    L
    @wisowebs: Lonney are you still using the mentioned configuration?  I am attempting to establish an IPSEC connection from PFsense to one of 2 Watchguard x10's and for the life of me cannot get it to work.  The logs yield nothing.  I can add the gateway with success.  When I add and apply my phase two settings I can get them to take only if the check box "add this tunnel to the BOVPN-Allow Policies" is unchecked. No dynamic DNS, static IP in each location for the WAN.  Any help anyone could toss my way I would greatly appreciate.  I have scraped this forum and google with not much help outside of this post. I didn't notice you had posted twice, I only saw the second one. I'm really not too sure, before I got my config working I had no previous experience with IPSec in general. Most of the information I gleaned from the WatchGuard documentation which is not written in such a way as to help you configure it for non WatchGuard devices, and few bits and pieces from searching forums etc. If you're having problems getting the WatchGuard configured you could try contacting WG for support. I had dealt with them a few times for other things, and they were very helpful.
  • Android JB (3G) to Dynamic IP IPsec Tunnel Issue

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    W
    Nobody has any tips/ideas?
  • Speed of IPsec tunnel negotiation

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Thank you cmb!  Disabling 'Prefer older IPsec SAs' (i.e., clearing the checkbox) definitely shortened my IPsec negotiation time with the remote SonicWALL PRO 3060 to near-instantaneous.  Wow. Under the hood, was this setting causing a lot of 'negotiation chatter' between the two peers, or does this setting simply cause pfSense to spin its own wheels and cause the negotiation delay?  I ask because the SonicWALL 'Gen3' model series do not seem to have a corresponding setting.
  • Ipsec behind nat configuration help.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Well that was simple… Guess this is why I shouldn't configure networks at 1 in the morning. I just forgot to add a route on the openwrt router. How can I close this topic?
  • IPsec GRE with BGP

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multiple IPSec Peers

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    C
    I am a bit confused as far as the Gateways are concerned. I can't add a Gateway that falls outside the subnet of the WAN interface. How would I set this up to connect to 2 unique public IP endpoints?
  • IPsec connections dropping - prefer older IPsec SAs per connection?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    jimp
    It should be disabled. It just didn't get disabled on 2.0.3 before it shipped. You can't change it per connection, it's a global setting.
  • VPN Default Route

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp
    Usually so long as the IPsec Phase 2 matches (0.0.0.0/0 as local on your side of the P2), the firewall rules on the IPsec tab match, and your outbound NAT is set to manual and has a rule for the remote P2 network, then it would work.
  • Phase 2 Failure on Android

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    How exactly do you have the Android device configured? Last I tried it, http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#Device_Setup_.28Android.29 worked for me on all of my Android devices. Though I've long since ditched IPsec in favor of OpenVPN for mobile access.
  • Mobile ipsec problem since upgrade from pfsense 2.0.1 to 2.0.2

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    jimp
    If you have a chance, take a backup and try a pfSense 2.1 snapshot, it's using a newer version of IPsec tools (racoon). There were a few changes to IPsec from 2.0.1 to 2.0.2 but not that I'm aware of that would cause problems with mobile client SAs. Do make sure that you have "Prefer old IPsec SA" unchecked under System > Advanced on the Misc tab.
  • IPSec pfSense to ASA 5505: Overlapping Subnets

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    J
    For the sake of your sanity (speaking from bitter experience) change the remote subnets. I spent years using NAT to work around just this issue, and with sites daisy-chained together over private circuits I'd got NAT(NAT(NAT)) going on in some cases!  It took me about a day to completely renumber each LAN (about 65-70 PCs each + servers, switches, printers, router(s), etc) - I wish I'd done it years ago!
  • IPSec is not connecting automatically and does not reconnect by itself

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    J
    To clarify the 'bringing the tunnel up' point: All the 'connect' button does is to ping a node in the P2 subnet so the daemon will see this and bring the tunnel up for it.  It's no different than you pinging a remote node from a connected PC and the tunnel should come up if you do that.  If not then you have some troubleshooting to do. Next, in my experience the ASAs are a bit picky about who gets to initiate the tunnel.  Usually, setting 'Obey' in the P1 proposal checking will sort them out.  Basically you're saying that when the ASA responds, agree to do things their way from then on.
  • 0 Votes
    2 Posts
    3k Views
    M
    Did you ever find a solution to your problem?  I have a similar problem.  My Mobile Device IPSec settings work great for OS X and iOS.  My Android device succeeds on the Phase 1 connection, but as soon as I try to connect to anything Phase 2 fails and the tunnel drops.  I have multiple Phase 2s.  My current hypothesis is that Android can't handle more than one Phase 2.  I'm trying to get my hands on a test pfSense to test this hypothesis.  Would love to hear if anyone has a solution.
  • OpenVPN vs IPSec

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    M
    Here is one answer to my question, to reset all your states go to Diagnostics->States->reset. This is a broad tool though. I would like to reset states that correspond to a specific rule established.
  • Ipsec tunnel causing problems with http traffic

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M
    Hi, Thanks for the reply, seems to have solved most of the problems; will tune it over the next few days to iron out any holdouts. Thanks again for your time.
  • ERROR: none message must be encrypted

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pfsense to Cisco VPN

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    valnar
    Cisco makes a hardware VPN client, the 3002 just for this purpose.  I think it is discontinued, but still works well for connecting a group of people as a classic Cisco IPSEC client.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.