Thanks, I will try it. Best regards

http://doc.pfsense.org/index.php/Tutorials –> http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/

I have quite a few tunnels(~10-15) to the same BEFVP41 linksys router. I'm only using Main mode and not agressive but mine all work fine. I've seen most of those errors in my logs but after max of 1 or 2 minutes the tunnels usually come right back up. The only one I haven't seen is: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message) What do the logs on the linksys look like?

I had to open port 500 on the pfsense box. At least open it to connections coming from the IP of the sonicwall. I'm sure you already have checked but make sure again all your phase 1 settings are the same on both sides.

@csnf: It appears the issue is with the the default gateway of the machines at the 'main' site.  The pfSense machine at the main site is IP 10.1.1.8 and the machines which are not accessable have a gateway of 10.1.1.254, which is the second gateway that is still in use since I'm testing with the pfSense machine. Can you put a static route in the existing gateway 10.1.1.254 pointing to your pfsense box for your other subnet?

Sorry no ideas but I also have these errors and have looked around for answers. My VPNs also work just fine but it is a little disconcerting.

Just an Update, i solved my Problem… The IPSEC Logfiles were OK, no errors Connected but no traffic the Problem was the one site was configured for DHCP not static...

we are running on 192.168.2.0/24, NATted to x.x.191/24 and they are on x.x.249.0/24 for the external IP's we ping to. Internal IP's on their side is in the 10.x.x.x range. Also /24 as far as we know…

I had issues with this as well.  Perhaps this will help.  I have three ADSL modem/routers in front of my PFSense box. Make sure NAT is disabled on PFSense if it is behind another router otherwise you double NAT.  Enable Manual outbound NAT but don't create any rules unless you have a mix of connections.  That is create NATs for interfaces that are directly connected and don't for those that are behind a NATing router. If you are load balancing across multi link the define a rule on LAN: all protos/ports, destination: <the other="" end="">, route via "default".  This will make sure that all traffic to this destination gets through and does not get bounced around. Cheers Jon</the>

Are you using PPTP or IPSEC?

I don't think so….. ???

Have you tried putting pfSense in all locations?  You could even try with the CD and floppy combo as to not mess with your freebsd setup.

Window sizes are a function of the endpoints. WAN optimization devices are largely an overpriced way to accommodate things you can do on the endpoints if you know what you're doing. There are some benefits, but most of them can be accommodated by configuring the endpoints accordingly. @ChuckShoe: So, I was running some tests between the two sites (Mainly doing tracert's and pings, Latency between the two sites is consistent at 27ms) The Tracerts always error out on Hop 2, because its going across the encrypted tunnel and it doesn't make it to the other end before it times out. This got me thinking that this delay or lack of acknowledgement is causing the TCP window settings to not open up to their fullest potential. Again, strictly a function of the endpoints. traceroute not answering on a hop has nothing to do with TCP ACKs. Delay isn't what causes a lack of response, there is a hop where you won't see anything when going over IPsec, that's just how it works.

Hello, looks here….in the next release, i hope so, http://forum.pfsense.org/index.php/topic,12648.0.html Regards Heiko

This bounty has been completed: http://forum.pfsense.org/index.php/topic,12648.0.html