• IPSEC and Haproxy on the FW – servers on the other side of the tunnel

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    jimpJ
    It probably has more to do with how the HAproxy instance is sourcing the traffic that is trying to reach the servers. If the proxy process is using the "wrong" IP to send the traffic to the server, it would never enter the tunnel because it wouldn't match the Phase 2 entry on the tunnel. Try redirecting temporarily to a local server, see how the traffic is sourced, and account for that in the IPsec Phase 2 configuration.
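The selector check jimp describes above, modelled in Python as an added example (not code from the thread or from pfSense). It assumes a constructed topology: LAN 192.168.1.0/24 behind the firewall, remote site 10.2.0.0/24, firewall WAN address 203.0.113.10, and a single Phase 2 that only covers LAN to remote. A packet the proxy sources from the WAN address matches no selector and therefore never enters the tunnel; `suggest_phase2` shows the /32 entry that would account for it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 traffic selector pair: packets from `local` to `remote` are tunnelled."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def p2(local: str, remote: str) -> Phase2:
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote))


# Constructed topology (assumption): LAN 192.168.1.0/24, remote site 10.2.0.0/24,
# firewall WAN address 203.0.113.10. The only Phase 2 covers LAN <-> remote.
LAN_ONLY: List[Phase2] = [p2("192.168.1.0/24", "10.2.0.0/24")]


def find_phase2(src: str, dst: str, entries: List[Phase2]) -> Optional[Phase2]:
    """Return the first Phase 2 whose selectors cover src->dst, or None.

    A packet that matches no selector never enters the tunnel: the kernel hands it
    to the ordinary routing table and it leaves the WAN in the clear (or is dropped).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        if s in entry.local and d in entry.remote:
            return entry
    return None


def suggest_phase2(src: str, dst: str, entries: List[Phase2]) -> Optional[Phase2]:
    """If src->dst matches nothing but dst lies in some entry's remote network,
    propose a host (/32) selector from src towards that network. That is the
    'account for that in the Phase 2 configuration' step; the alternative is to
    make the proxy source its traffic from an address already inside a selector.
    """
    if find_phase2(src, dst, entries) is not None:
        return None
    d = ipaddress.ip_address(dst)
    for entry in entries:
        if d in entry.remote:
            return Phase2(ipaddress.ip_network(f"{src}/32"), entry.remote)
    return None


if __name__ == "__main__":
    # Traffic from a LAN host is covered; traffic the firewall itself sources
    # from its WAN address is not, which is the symptom in the thread.
    print(find_phase2("192.168.1.20", "10.2.0.10", LAN_ONLY))
    print(find_phase2("203.0.113.10", "10.2.0.10", LAN_ONLY))
    print(suggest_phase2("203.0.113.10", "10.2.0.10", LAN_ONLY))
```

The same logic applies to any daemon running on the firewall (proxies, monitoring agents, DNS forwarders): check the source address in a packet capture first, then either bind the daemon to an address inside an existing selector or add a selector for the address it actually uses.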
  • IpSec VPN. There is no connection.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E
    Well, if both devices can't ping each other, then that will need to be resolved. You also seem to be missing rules for ISAKMP (UDP 500), AH, ESP and NAT-T (UDP 4500). I'm still learning my way around pfSense myself, but once I opened up the required ports on the WAN-side filtering of both devices, the tunnel came up.
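A way to check a WAN ruleset for the four things the reply above lists, as an added example in Python (not code from the thread or from pfSense). It models first-match-wins evaluation with an implicit default deny, which is how pfSense's generated rules behave ('quick' on every rule), and reports which of ISAKMP (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50) and AH (IP protocol 51) a given peer is not allowed to send. Peer addresses and rulesets are constructed; AH only matters if a Phase 2 actually uses it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# What an IPsec peer must be able to send to the firewall's WAN address:
# IKE/ISAKMP on UDP 500, NAT-T (UDP-encapsulated ESP and IKE) on UDP 4500, and the
# bare ESP (protocol 50) and AH (protocol 51) payloads. AH is only required when a
# Phase 2 uses it; most tunnels are ESP only.
IPSEC_TRAFFIC: Dict[str, Tuple[str, Optional[int]]] = {
    "isakmp": ("udp", 500),
    "nat-t": ("udp", 4500),
    "esp": ("esp", None),
    "ah": ("ah", None),
}


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp", "esp", "ah" or "any"
    src: str              # peer address or "any"
    dport: Optional[int]  # destination port; None = any port / protocol has no ports


def first_match(rules: List[Rule], proto: str, src: str, dport: Optional[int]) -> str:
    """Evaluate a WAN ruleset first-match-wins (pfSense writes its rules with 'quick')
    and fall back to the implicit block when nothing matches."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.src not in ("any", src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


def missing_ipsec_rules(rules: List[Rule], peer: str) -> List[str]:
    """Names of the IPsec traffic types the ruleset does not pass from `peer`."""
    return sorted(
        name
        for name, (proto, port) in IPSEC_TRAFFIC.items()
        if first_match(rules, proto, peer, port) != "pass"
    )


# Constructed rulesets (assumption) for a peer at 198.51.100.20.
PEER = "198.51.100.20"
PORTS_ONLY: List[Rule] = [  # the common mistake: UDP opened, ESP/AH forgotten
    Rule("pass", "udp", PEER, 500),
    Rule("pass", "udp", PEER, 4500),
]
COMPLETE: List[Rule] = PORTS_ONLY + [
    Rule("pass", "esp", PEER, None),
    Rule("pass", "ah", PEER, None),
]
# A block rule placed above the pass rules wins under first-match evaluation.
BLOCKED_FIRST: List[Rule] = [Rule("block", "any", PEER, None)] + COMPLETE


if __name__ == "__main__":
    print("ports only :", missing_ipsec_rules(PORTS_ONLY, PEER))
    print("complete   :", missing_ipsec_rules(COMPLETE, PEER))
    print("block first:", missing_ipsec_rules(BLOCKED_FIRST, PEER))
```

Two practical notes: the check has to pass on both firewalls, since each side initiates at some point (re-keys, DPD); and the rules should be scoped to the peer's address rather than `any`, because UDP 500/4500 and ESP open to the world invite IKE scanning and brute-force attempts against aggressive-mode PSKs.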
  • Mobile IPSec not able to access PF box

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ipsec ipad certificate

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Ipsec Performance on Soekris 6501-50

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Slave not reachable through ipsec tunnel

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Works like a charm! Thanks a lot  ;D
  • Racoon status

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Status > IPsec. Green icon means a phase 2 is established. You can look at the SAD and SPD tabs to see the interpreted output of "setkey -D" and "setkey -DP", if needed.
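For the case where you want the same answer the green icon gives without the GUI, here is an added example (not code from the thread or from pfSense) that parses the KAME-style `setkey -D` output referred to above and reports whether a usable security association exists in each direction between two gateways. The sample output is constructed in the layout I know from FreeBSD's setkey (an unindented "src dst" line followed by indented attribute lines); keys, SPIs and addresses are made up. Treating "established" as a `state=mature` SA in both directions is my modelling choice, not a definition taken from pfSense.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample (assumption) in the layout of 'setkey -D': two mature ESP SAs,
# one per direction, between 203.0.113.10 and 198.51.100.20, plus one dying SA
# from a second peer that has stopped re-keying.
SAD_OUTPUT = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tE: aes-cbc  00112233445566778899aabbccddeeff
\tA: hmac-sha1  00112233445566778899aabbccddeeff00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Apr 28 12:49:50 2013\tcurrent: Apr 28 12:52:18 2013
\tdiff: 148(s)\thard: 3600(s)\tsoft: 2880(s)
\tsadb_seq=2 pid=54321 refcnt=1
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tE: aes-cbc  ffeeddccbbaa99887766554433221100
\tA: hmac-sha1  ffeeddccbbaa99887766554433221100ffeeddcc
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=54321 refcnt=1
192.0.2.5 203.0.113.10
\tesp mode=tunnel spi=16909060(0x01020304) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
\tsadb_seq=0 pid=54321 refcnt=1
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_PROTO = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\((0x[0-9a-fA-F]+)\)")
SA_STATE = re.compile(r"state=(\w+)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    state: str = "unknown"  # KAME states: larval, mature, dying, dead


def parse_sad(text: str) -> List[SA]:
    """Turn 'setkey -D' output into one SA record per entry."""
    sas: List[SA] = []
    cur: SA = None  # type: ignore[assignment]
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # "src dst" header opens a new SA
            m = SA_HEADER.match(line)
            if not m:
                raise ValueError(f"unexpected SA header line: {line!r}")
            cur = SA(src=m.group(1), dst=m.group(2))
            sas.append(cur)
            continue
        if cur is None:
            raise ValueError("attribute line before any SA header")
        m = SA_PROTO.match(line)
        if m:
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), int(m.group(3))
        m = SA_STATE.search(line)
        if m:
            cur.state = m.group(1)
    return sas


def mature_pairs(sas: List[SA]) -> Set[Tuple[str, str]]:
    return {(sa.src, sa.dst) for sa in sas if sa.state == "mature"}


def phase2_up(sas: List[SA], local: str, remote: str) -> bool:
    """True when a mature SA exists in both directions between the two gateways.
    A lone larval or dying SA means a Phase 2 is negotiating or expiring, not up."""
    pairs = mature_pairs(sas)
    return (local, remote) in pairs and (remote, local) in pairs


if __name__ == "__main__":
    for sa in parse_sad(SAD_OUTPUT):
        print(f"{sa.src} -> {sa.dst} {sa.proto} spi=0x{sa.spi:08x} state={sa.state}")
    print(phase2_up(parse_sad(SAD_OUTPUT), "203.0.113.10", "198.51.100.20"))
```

The SPI printed here is the same value that appears in `(authentic,confidential): SPI 0x...` lines of a packet capture on the IPsec interface, so this is also the quickest way to tie captured packets back to a particular child SA.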
  • IPSec, iPhone, IP Address Question

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S
    I've never done it but check out below post…seems to be exactly what you are attempting. http://forum.pfsense.org/index.php?topic=27444.0;prev_next=prev
  • Multi-site Multi-WAN vpn to MSP's CiscoASA

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cron Ipsec auto restart on fail , and email notify

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    P
    Thank you for taking the time to follow up. DPD is disabled for the IPsec, as I found that same conclusion, but my "GRE" tunnels are what's failing.
  • Almost got Cisco VPN client working, but…pfsense SA failure???

    Locked
    19
    0 Votes
    19 Posts
    26k Views
    L
    This appears to be a routing issue: I can do a packet capture on the IPsec interface of pfSense, and I can see incoming pings, and their destination:
    12:52:18.793013 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1871, length 40
    12:52:19.826520 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1872, length 40
    12:52:21.329649 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1873, length 40
    12:52:23.829947 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1881, length 40
    12:52:25.326576 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1882, length 40
    After I disconnect, and have cleared the IPsec log, this appears after a moment or two:
    Apr 28 12:49:50 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 28 12:49:50 racoon: DEBUG: got pfkey ACQUIRE message
    Apr 28 12:49:50 racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 10.1.53.1/32[0] proto=any dir=out.
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: {LAN_SUBNET}/24[0] {LAN_IP}/32[0] proto=any dir=in
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501648: {LAN_IP}/32[0] {LAN_SUBNET}/24[0] proto=any dir=out
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in.
    I'm not sure if that is relevant or not.
  • HOWTO - Site-to-Site VPN Amazon VPC

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Cisco ASA reporting teardrop between 2 PfSense IPSec VPN

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    G
    Hello, thanks for your advice. I changed this setting yesterday to 1400. Today, Snort and the ASA are reporting the same error… (One side is connected by fiber directly to the backbone and the other side has a cable modem with DOCSIS 3.) I don't really know what to do now...
  • Racoon.conf read error???

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    D
    Thank you! I was working with site-to-site VPN so intently I didn't even think to look at the mobile VPN page.  All is well now. Thanks again!
  • Example: pfSense and Openswan (mobile pfsense, gateway-to-gateway)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • SOLVED!!!!!! VPN betwen pfsense 2.0.3 and IPCop 1.4.21

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    T
    Solved: it was because the IPCop firewall already had that connection with another IPCop, so I tried to connect to another location and it works. I think I need to restart this IPCop to clean its memory and it should work. THX
  • Racoon crashes on v2.0.3.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Need help with IPSEC VPN Phase 2 not coming up

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    A
    Ok, then can pfSense handle having Phase 1 and Phase 2 in the same subnet? On the local side:
    P1 IP = CARP VIP (WAN if)
    P2 IP = IP Alias VIP (WAN if)
    NAT 1:1 on WAN if
    WAN rules created
    IPsec rules created
    Still does not come up.
  • IPSEC P2P advice needed

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    I have now managed to get what I can assume is a stable connection between both locations using IPsec. I am just a bit lost on how to resolve remote hostnames. I have added a remote device on location 2 to a computer's hosts file on location 1 and I can now ping across the IPsec tunnel to that device. I am guessing I now need to look at some sort of DNS that will resolve hostnames automatically and be accessible from both locations, as adding hostnames by hand will be a bit of a pain.
  • IPSEC Not Working With This Conf.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.