When you go to Status / IPSec are the Local and Remote IPs in the right sub-nets ?  Also, check SPD –

Then see if it agrees with the routing / rules / LAN nets in use.

==========

@jimp:

It depends on the tunnel.

If it's a "mobile" tunnel setup, then pfSense can't really accurately see the status.

If it's a normal style, it reads the SAD and SPD info from the IPsec daemon to determine if it has fully established both Phase 1 and Phase 2.

I'm using IPsec in Transport mode ( GRE tunnel passing through ).

Thank you.

@jimp:

dhatz is correct, ipsec-tools, which is what we use for IPsec, does not support lifetimes by data size, only by time.

A little extra research on this topic reveals that it seems to be deprecated in racoon, ie. removed and I will therefore assume that it is not a feature that is coming (back)…

Could you try testing this with pfsense 2.1-BETA?

There have been a number of patches applied to ipsec-tools 0.8.0 (although several more patches have been commited to the ipsec-tools tree http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/crypto/dist/ipsec-tools/src/ that haven't made it into pfsense yet)

PS: You could also run racoon in high verbosity mode and check the discussions in
http://sourceforge.net/mailarchive/forum.php?forum_name=ipsec-tools-commits

What shows up in the IPsec log when you try to connect?

What client settings are you using exactly?

What error shows up on the client?

Is the username and password you're using valid? (Check System > User Manager, make sure the user exists and has the IPsec dialin permission)

@SectorNine50:

Don't use "LAN subnet" on the phase 2 settings, type the address in yourself.  I ran into this issue and that fixed it for me.

That's odd …

Could you please save and compare (diff file1 file2) the files
/var/etc/racoon.conf
/var/etc/spd.conf
under both situations (when you put in "LAN subnet" and when you type the address yourself) ?

@namezero111111:

I have a problem with an IPSec tunnel where after any amount of time (sometimes 20 mins, sometimes hours or days), traffic will just stop flowing even though the tunnel is up. One side will show multiple SAD entries.
If I start deleting "unused" SADs, the tunnel will start working again. Obviously that isn't a solution.

Here are some facts:

Both sides running on 2.0.1-RELEASE (amd64) built on Mon Dec 12 18:43:51 EST 2011 Both sides have "Prefer older SAs" in the advanced settings disabled (it used to be enabled but made no difference). DPD is enabled and I tried playing with the values as well as disabling it completely With DPD disabled, the tunnel stays stalled longer

Are you still having this problem ?

You might also want to check the discussion at the ipsec-tools-devel list:
http://marc.info/?l=ipsec-tools-devel&m=129842631426424&w=2

Hi,

About the routes, i thought the same thing, that they were created automatically…
Just for the test i create a route "tunnel virtual IP ------wangw" and then the reply icmp packet were allowed so try it.

Do you try to do some captures in pfsense GUI when you ping your lan and wan from the cisco router ? it helps a lot.

To check routes on the pfsense, go in the diagnostic section then "routes" you can see all the pfsense routes (manually and automatically created)

My idea did not work, endian doesn't play nice when it's not the main firewall.

Well, I seem to have made this work… I'm not entirely sure how, though.  I deleted all the SPDs on both sides, recreated the Phase 2 rules, and then sent some ICMP traffic from one side to the other, and the tunnel was built.  Even though I had no connect button on either pfSense box, it still came up when traffic appeared.

So, lesson learned!

PFSENSE, NANOBSD, 2.0.1
I had the same problem, IPSEC tunnel was establised, all green, no traffic goes through.
When you look at SAD, SAD (Status,Ipsec, SAD)shows me multiple connections.
I think, the reason are short interrupts, Phase1 does not recognise the break, stays established, but Phase2 opens a new connection.
But this does not work.
My solution:
Change Mode from aggressive to main on both sides. (even with dynamic IPs)

Thank you for your help Jimp, I rechecked PFS on the RV042 but it still didn't work. After changing and changing back a few other settings I ended up setting both sides to Main instead of Aggressive. I was able to initiate a tunnel from the pfsense side this time and it seems to be working good now.

Again Thanks