Config Conversion - half right (half not yet right…)

Criggie

So I'm working to replace an old debian firewall with a pfsense box, and most of it is going okay.

The big holdup is converting the existing openswan ipsec config.  This box has two tunnels, and I've managed to translate one tunnel but not the other.

WORKING TUNNEL

Here's the linux config:

conn pork-beer
        authby=secret
        left=XXX.27.218.143
        leftsubnet=10.0.0.0/23
        leftnexthop=XXX.37.70.1
        leftsourceip=10.0.0.1
        right=XXX.143.230.55
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        rightsourceip=192.168.1.1
        auto=start
        compress=no
        dpddelay=30
        dpdtimeout=120
        esp=3des-sha1-96
        pfs=yes
        ikelifetime=24h
        rekey=yes

And the matching pfsense config is:

That all works fine.  My problem is the next bit:

NOT-WORKING TUNNEL

conn pork-to-cellco
                type=tunnel
                esp=3des-md5
                ike=3des-md5
                keyexchange=ike
                pfs=yes
                authby=secret
                left=XXX.27.218.143     
                leftsubnet=10.0.0.0/25   
                leftnexthop=%defaultroute
                right=XXX.6.200.4
                rightsubnet=10.15.0.0/20
                rightnexthop=%defaultroute
                auto=start

My attempt at a pfSense config:

So short of guessing over and over, what have I got wrong ?