• IPSec Road Warrior re-authentication interval

    8 posts, 4k views

    From the reading I've been doing this has to do with the way Apple has OS X set up. They require that the IPSec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.

  • Mobile IPsec can't pass any traffic…

    1 post, 1k views, no replies
  • Reset racoon command line

    6 posts, 4k views

    I too would like to restart racoon with cron every day. Since racoon doesn't appear to be able to restart itself once it stops, I need to be able to have a cron job start/restart it at a specific time each day.

    None of the examples of starting or restarting racoon from the command line that I've searched for seem to actually work on pfSense version 2.0.1 release.

    Is there a parameter somewhere that will tell racoon to automatically restart if it is stopped?

  • NAT-D payload #1 doesn't match? (but is working OK…?)

    1 post, 6k views, no replies
  • Help finding 1 pfsense vpn mode for all x86/x64 Windows Vista+ boxen

    5 posts, 2k views, last reply: jimp

    I had issues with their x64 versions as well. I had planned on including a 2.3 beta x64 build in the exporter (the code is actually all there, and the client binary too) but their installer didn't actually function properly. It would give registry errors and/or fail to import the config. But the 32-bit works great.

  • Slow VPN - IPSec, PPTP, OpenVPN

    2 posts, 3k views, last reply: jimp

    Could be an MTU issue. Under System > Advanced on the Misc tab, try setting up MSS clamping for VPNs there, try something low-ish like 1400.

  • VPN NAT IPSEC

    8 posts, 3k views

    It's quite understandable. After all, 2.0.2 is finished (apparently it has been for the past 3 months ;-) but so far some last-minute issues have delayed its official release), whereas the NAT before IPsec functionality is totally new: it has just been introduced and it's not even part of stock FreeBSD.

  • PfSense - IOS 6 (AT&T LTE) - Asterisk

    4 posts, 3k views

    Answer was twofold:

    First, dump 3cxPhone to Useragent: Acrobits Softphone/5.2

    Then validate routing for the Route end of the Mobile IPSec, which included moving it to a 172.23.0.0 subnet due to a conflict.

  • Reachability problems via IPSEC

    2 posts, 2k views

    Here is some more information:

    PFSense on 192.168.51.0/24 side:

    pfctl -s all
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on le1 inet from 10.0.0.0/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 194.97.90.69 port 500
    nat on le1 inet from 10.0.0.0/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 194.97.90.69 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 194.97.90.69 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 192.168.51.0/24 to any
    block drop in inet from 192.168.51.248 to any
    block drop in on ! le1 inet from 194.97.90.64/27 to any
    block drop in inet from 194.97.90.69 to any
    block drop in on le0 inet6 from fe80::250:56ff:fe97:4d8c to any
    block drop in on le1 inet6 from fe80::250:56ff:fe97:5e2a to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 194.97.90.94) inet from 194.97.90.69 to ! 194.97.90.64/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in quick on le1 reply-to (le1 194.97.90.94) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 192.168.51.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = isakmp keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 212.25.8.11 port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 212.25.8.11 to any port = sae-urn keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 212.25.8.11 keep state label "IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 212.25.8.11 to any keep state label "IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = isakmp keep state label "IPsec: Office FGN Munich - outbound isakmp"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = isakmp keep state label "IPsec: Office FGN Munich - inbound isakmp"
    pass out on le1 route-to (le1 194.97.90.94) inet proto udp from any to 195.30.94.149 port = sae-urn keep state label "IPsec: Office FGN Munich - outbound nat-t"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto udp from 195.30.94.149 to any port = sae-urn keep state label "IPsec: Office FGN Munich - inbound nat-t"
    pass out on le1 route-to (le1 194.97.90.94) inet proto esp from any to 195.30.94.149 keep state label "IPsec: Office FGN Munich - outbound esp proto"
    pass in on le1 reply-to (le1 194.97.90.94) inet proto esp from 195.30.94.149 to any keep state label "IPsec: Office FGN Munich - inbound esp proto"
    anchor "tftp-proxy/" all
    No queue in use

    STATES:
    all icmp 194.97.90.69:65334 -> 212.25.8.2      0:0
    all icmp 192.168.51.248:65334 -> 192.168.51.12      0:0
    all udp 194.97.90.69:500 -> 212.25.8.11:500      MULTIPLE:MULTIPLE
    all esp 194.97.90.69 <- 212.25.8.11      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all udp 194.97.90.69:500 -> 195.30.94.149:500      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61331      FIN_WAIT_2:ESTABLISHED
    all tcp 10.0.0.130:61331 -> 192.168.51.16:8443      ESTABLISHED:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22576      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22576 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:48475      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:48475 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:30376      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:30376 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:22875      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:22875 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.20:10051 <- 10.0.0.254:6412      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:6412 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.130:61383 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:4796      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:4796 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.248:44 <- 192.168.51.20:55212      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.20:10051 <- 10.0.0.254:27192      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:27192 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61397      CLOSED:SYN_SENT
    all tcp 10.0.0.130:61397 -> 192.168.51.15:9084      SYN_SENT:CLOSED
    all udp 192.168.51.255:138 <- 192.168.51.149:138      NO_TRAFFIC:SINGLE

    INFO:
    Status: Enabled for 1 days 13:54:06          Debug: Urgent

    Interface Stats for le0              IPv4            IPv6
      Bytes In                      614602893            4032
      Bytes Out                      201370476              292
      Packets In
        Passed                        3017844              56
        Blocked                          2576                0
      Packets Out
        Passed                        3102562                4
        Blocked                              0                0

    State Table                          Total            Rate
      current entries                      30
      searches                        17825509          130.6/s
      inserts                          978951            7.2/s
      removals                          978921            7.2/s
    Counters
      match                            981606            7.2/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                              4            0.0/s
      proto-cksum                            8            0.0/s
      state-mismatch                        0            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 581824 1572 227481 1572 227481 0 0
    Default deny rule IPv4 580462 0 0 0 0 0 0
    Default deny rule IPv6 581824 0 0 0 0 0 0
    Default deny rule IPv6 290262 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    Block snort2c hosts 580462 0 0 0 0 0 0
    sshlockout 580462 0 0 0 0 0 0
    webConfiguratorlockout 284694 0 0 0 0 0 0
    virusprot overload table 291562 0 0 0 0 0 0
    pass IPv4 loopback 291562 0 0 0 0 0 0
    pass IPv4 loopback 288900 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    pass IPv6 loopback 0 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 580462 468378 291462249 226730 270976461 241648 20485788
    let out anything IPv6 from firewall host itself 288900 0 0 0 0 0 0
    let out anything from firewall host itself 288900 336 25536 168 12768 168 12768
    IPsec internal host to host 288900 2767605 162093472 1375851 80128734 1391754 81964738
    anti-lockout rule 580462 0 0 0 0 0 0
    anti-lockout rule 3 633 81468 219 15035 414 66433
    USER_RULE: Allow all on VM WAN 580461 1253 210217 1148 116626 105 93591
    USER_RULE: Default LAN -> any 579423 2769913 162655791 1394063 82527141 1375850 80128650
    USER_RULE 290017 468378 291462249 241648 20485788 226730 270976461
    IPsec: IPSEC-Tunnel-FG-CH - outbound isakmp 290472 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound isakmp 209 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound nat-t 172 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - outbound esp proto 492 0 0 0 0 0 0
    IPsec: IPSEC-Tunnel-FG-CH - inbound esp proto 320 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound isakmp 492 14842 1801228 7417 892976 7425 908252
    IPsec: Office FGN Munich - inbound isakmp 209 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound nat-t 172 0 0 0 0 0 0
    IPsec: Office FGN Munich - inbound nat-t 168 0 0 0 0 0 0
    IPsec: Office FGN Munich - outbound esp proto 492 1126 171152 0 0 1126 171152
    IPsec: Office FGN Munich - inbound esp proto 320 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            5400 states
    adaptive.end              10800 states
    src.track                    0s

    LIMITS:
    states        hard limit    9000
    src-nodes    hard limit    9000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    PFSense on 10.0.0.128/25 side:

    pfctl -s all
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 192.168.51.0/24 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 212.25.8.11 port 500
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 192.168.51.0/24 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 10.0.0.128/25 to any -> 212.25.8.11 port 1024:65535
    nat on le1 inet from 127.0.0.0/8 to any -> 212.25.8.11 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr-anchor "miniupnpd" all

    FILTER RULES:
    scrub on le0 all fragment reassemble
    scrub on le1 all fragment reassemble
    anchor "relayd/" all
    anchor "openvpn/" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = mpm-flags label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! le0 inet from 10.0.0.128/25 to any
    block drop in inet from 10.0.0.254 to any
    block drop in on ! le1 inet from 212.25.8.0/25 to any
    block drop in inet from 212.25.8.11 to any
    block drop in on le0 inet6 from fe80::20c:29ff:fe3c:4258 to any
    block drop in on le1 inet6 from fe80::20c:29ff:fe3c:4262 to any
    pass in quick on le1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on le1 inet proto udp from any port = bootpc to 212.25.8.11 port = bootps keep state label "allow access to DHCP server"
    pass out quick on le1 inet proto udp from 212.25.8.11 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (le1 212.25.8.1) inet from 212.25.8.11 to ! 212.25.8.0/25 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on le0 proto tcp from any to (le0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on le0 proto tcp from any to (le0) port = mpm-flags flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/" all
    pass in log quick on le1 reply-to (le1 212.25.8.1) inet all flags S/SA keep state label "USER_RULE: Allow all on VM WAN"
    pass in log quick on le0 inet from 10.0.0.128/25 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
    pass in log quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = isakmp keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp"
    pass out on le1 route-to (le1 212.25.8.1) inet proto udp from any to 194.97.90.69 port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto udp from 194.97.90.69 to any port = sae-urn keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t"
    pass out on le1 route-to (le1 212.25.8.1) inet proto esp from any to 194.97.90.69 keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto"
    pass in on le1 reply-to (le1 212.25.8.1) inet proto esp from 194.97.90.69 to any keep state label "IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto"
    anchor "tftp-proxy/" all
    No queue in use

    STATES:
    all icmp 10.0.0.254:28658 <- 10.0.0.253      0:0
    all icmp 10.0.0.254:50354 <- 10.0.0.252      0:0
    all carp 224.0.0.18 <- 212.25.8.26      NO_TRAFFIC:SINGLE
    all icmp 212.25.8.11:48441 -> 212.25.8.1      0:0
    all icmp 10.0.0.254:48441 -> 10.0.0.254      0:0
    all udp 212.25.8.11:500 <- 194.97.90.69:500      MULTIPLE:MULTIPLE
    all tcp 212.25.8.11:44 <- 195.30.94.149:29036      ESTABLISHED:ESTABLISHED
    all tcp 212.25.8.11:44 <- 195.30.94.149:30734      ESTABLISHED:ESTABLISHED
    all esp 212.25.8.11 -> 194.97.90.69      MULTIPLE:MULTIPLE
    all tcp 192.168.51.16:57603 <- 10.0.0.130:55420      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:55420 -> 192.168.51.16:57603      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.130:65119 <- 192.168.51.16:50661      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:50661 -> 10.0.0.130:65119      ESTABLISHED:ESTABLISHED
    all tcp 192.168.51.16:8443 <- 10.0.0.130:61186      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.130:61186 -> 192.168.51.16:8443      TIME_WAIT:TIME_WAIT
    all tcp 10.0.0.254:51664 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:32911 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 212.25.8.11:44 <- 195.30.94.149:52536      ESTABLISHED:ESTABLISHED
    all tcp 10.0.0.254:31106 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 192.168.51.15:9084 <- 10.0.0.130:61306      CLOSED:SYN_SENT
    all tcp 10.0.0.254:14321 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:19233 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:10051 <- 10.0.0.129:55623      FIN_WAIT_2:FIN_WAIT_2
    all tcp 10.0.0.254:38917 -> 192.168.51.20:10051      FIN_WAIT_2:FIN_WAIT_2
    all igmp 224.0.0.1 <- 212.25.3.137      NO_TRAFFIC:SINGLE
    all pfsync 10.0.0.252 <- 10.0.0.253      SINGLE:MULTIPLE
    all pfsync 10.0.0.253 -> 10.0.0.252      MULTIPLE:SINGLE
    all tcp 10.0.0.254:45545 -> 192.168.51.20:10051      ESTABLISHED:ESTABLISHED

    INFO:
    Status: Enabled for 2 days 18:33:13          Debug: Urgent

    Interface Stats for le0              IPv4            IPv6
      Bytes In                      400694979          398592
      Bytes Out                      615563169              256
      Packets In
        Passed                        6346568            1180
        Blocked                          1960            3832
      Packets Out
        Passed                        8598800                3
        Blocked                            270                0

    State Table                          Total            Rate
      current entries                      28
      searches                        37303419          155.7/s
      inserts                          1665570            7.0/s
      removals                        1665542            7.0/s
    Counters
      match                            1675756            7.0/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                          3838            0.0/s
      proto-cksum                          21            0.0/s
      state-mismatch                        6            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                              0            0.0/s
      divert                                0            0.0/s

    LABEL COUNTERS:
    Default deny rule IPv4 1013104 55 2464 55 2464 0 0
    Default deny rule IPv4 1006863 0 0 0 0 0 0
    Default deny rule IPv6 1013104 5575 401400 5575 401400 0 0
    Default deny rule IPv6 513470 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    Block snort2c hosts 1012438 0 0 0 0 0 0
    sshlockout 1012438 0 0 0 0 0 0
    webConfiguratorlockout 484573 0 0 0 0 0 0
    virusprot overload table 505209 0 0 0 0 0 0
    allow access to DHCP server 22308 0 0 0 0 0 0
    allow access to DHCP server 194 388 176190 194 111744 194 64446
    allow access to DHCP server 514896 0 0 0 0 0 0
    pass IPv4 loopback 1008899 22059 1317735 11610 682668 10449 635067
    pass IPv4 loopback 2322 0 0 0 0 0 0
    pass IPv6 loopback 5667 0 0 0 0 0 0
    pass IPv6 loopback 1161 0 0 0 0 0 0
    let out anything IPv4 from firewall host itself 1012244 7232351 487832654 2400612 147667655 4831739 340164999
    let out anything IPv6 from firewall host itself 507229 0 0 0 0 0 0
    let out anything from firewall host itself 507229 8642 796952 4244 443326 4398 353626
    IPsec internal host to host 507229 795805 495094348 384978 459432413 410827 35661935
    anti-lockout rule 1012244 0 0 0 0 0 0
    anti-lockout rule 2309 0 0 0 0 0 0
    USER_RULE: Allow all on VM WAN 1012244 37420 17180593 18024 1765745 19396 15414848
    USER_RULE: Default LAN -> any 990970 154652 30724591 62193 16620611 92459 14103980
    USER_RULE 499094 4802251 290029335 2420598 144153657 2381653 145875678
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound isakmp 508445 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound isakmp 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound nat-t 8357 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - outbound esp proto 8409 0 0 0 0 0 0
    IPsec: IPSEC-tunnel-Far-Galaxy - inbound esp proto 52 0 0 0 0 0 0

    TIMEOUTS:
    tcp.first                  120s
    tcp.opening                  30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                  45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start            6000 states
    adaptive.end              12000 states
    src.track                    0s

    LIMITS:
    states        hard limit    10000
    src-nodes    hard limit    10000
    frags        hard limit    5000
    tables        hard limit    3000
    table-entries hard limit  200000

    TABLES:
    snort2c
    sshlockout
    virusprot
    webConfiguratorlockout

    OS FINGERPRINTS:
    700 fingerprints loaded

    Traceroutes from 10.0.0.165 and 10.0.0.166 to 192.168.51.20:

    traceroute 192.168.51.20
        traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
        1  10.0.0.165 (10.0.0.165)  3009.797 ms !H  3009.797 ms !H  3009.795 ms !H

    traceroute 192.168.51.20
        traceroute to 192.168.51.20 (192.168.51.20), 30 hops max, 60 byte packets
        1  10.0.0.166 (10.0.0.166)  3018.811 ms !H  3018.809 ms !H  3018.806 ms !H

  • IPsec Doesn't connect … with no error

    3 posts, 5k views

    Hi Jimp,

    Okay that makes sense and you were correct. The keepalive didn't do anything, but pinging a system on the remote network did initiate the tunnel.

  • Different 3G APN: one works, other doesn't

    2 posts, 1k views

    Setting NAT Traversal to Force in Phase 1 seems to have fixed the issue for now.

  • Pfsense and sonicwall

    6 posts, 3k views, last reply: dotdash

    From memory, 3DES is more reliable than AES when connecting to a sonic. It may also help to disable DPD and NAT-T.

  • Static Routes applied before IPSec?

    2 posts, 1k views, last reply: dotdash

    No, IPSec matches the traffic before it hits the routing table.

  • IPSec Site-to-Site - Green - but no traffic

    6 posts, 9k views

    IT WORKS! Thanks for your help Podilarius. After re-saving the Phase II entries something clicked, so I can now ping remote hosts, which of course I would not have been able to do without that rule change :)

  • IPSec tunnel stopped working

    1 post, 1k views, no replies
  • Access to remote site (site-site VPN) with VPN client

    7 posts, 3k views

    Ben, US network - 192.168.11.0/24
    UK network - 192.168.10.0/24
    I have tried setting the network address to 192.168.10.0/23 for phase 2, which did not work.
    Thanks

  • Reach Remote-Remote Network

    2 posts, 2k views

    Hi

    You need to set the "Local network" to the opposite remote network… ie on the A-C phase2  you set the local subnet to the B subnet and the remote one to the C subnet, and on the A-B one you set the local network to C subnet and the remote one to the B subnet.

    Hope that makes sense

    Ben

  • IPSec VPN Using PFSense - Mobile Clients

    2 posts, 4k views

    Hi

    You need to set the phase2 "Local Network" to the "Lan Subnet" option, and also leave the tickbox for "Network List (Provide a list of accessible networks to clients)" ticked - unless you want ALL traffic from the mobile client to be sent over the tunnel.

    Regards

    Ben

  • Site to Site Trace Route

    4 posts, 3k views

    Ok thanks for the info.

  • IPSec using default gateway to reach remote endpoint when it shouldn't.

    7 posts, 4k views, last reply: jimp

    Check Diagnostics > Routes - when you pick the interface for OpenVPN or IPsec, it adds a route to the peer's IP via that interface's gateway. Having two gateways on the same interface might be confusing that code.

    For OpenVPN you can set an interface of "any" and then it won't add a route like that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.