PFSense Site to Site with Sonicwall Multiple Subnets
-
Hope someone can help me here. This is my first PFSense (2.3.2), and I'm trying to connect to a Sonicwall NSA2600 via IPsec. I can get the tunnel to come up fine as long as I don't add a second phase 2, which is needed. When I add a second phase 2 (a copy of the first but with a different remote network), it shows it connects to both, but only one will work. On the Sonicwall side I have it set up to allow both networks via address objects. When I do a packet capture on the Sonicwall, the phase 2 that fails to ping gives me "DROPPED, Drop Code: 408(Octeon Decrypyion Failed Selector check), Module Id: 20(ipSec)", which means it can't decrypt that phase 2. It must be something in my phase 2 that I am missing. Also, it is not always the new phase 2 I add; it seems that if I reboot the PFSense, it happens to whichever network I try pinging first.
Any help would be great.
Jon
-
Like the Cisco ASA, I don't think the Sonicwall can handle multiple traffic selectors on a child SA like that. Try enabling split connections on the "Phase 1".
-
Thank you! That worked.
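For reference, the difference that the "split connections" option makes, shown as a hand-written strongSwan ipsec.conf in the style pfSense 2.3 generated (this is an added illustration, not the poster's configuration or pfSense's actual output; the addresses, subnets and IKEv2 key exchange are assumed):

```conf
# Added illustration only. Assumed values:
#   pfSense WAN 198.51.100.1, local LAN 10.10.0.0/16
#   Sonicwall WAN 203.0.113.1, remote networks 192.168.1.0/24 and 192.168.2.0/24
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    authby = secret
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    left = 198.51.100.1
    leftsubnet = 10.10.0.0/16
    right = 203.0.113.1

# Without split connections: two phase 2 entries are merged into ONE
# CHILD_SA that carries two traffic selectors (the comma-separated
# rightsubnet). A peer that accepts only a single selector per child SA
# narrows the negotiation to one network; packets for the other network
# still arrive in the same SA, fail the peer's selector check after
# decryption, and are dropped. Which network "wins" depends on which
# phase 2 negotiated first, hence the behaviour changing after a reboot.
conn sonicwall-combined
    rightsubnet = 192.168.1.0/24,192.168.2.0/24
    auto = route

# With split connections: one conn (and therefore one CHILD_SA with one
# selector pair) per phase 2. Both conns share the same left/right and
# IKE settings, so they reuse a single IKE SA; only the ESP side is split.
conn sonicwall-net1
    rightsubnet = 192.168.1.0/24
    auto = route

conn sonicwall-net2
    rightsubnet = 192.168.2.0/24
    auto = route
```

A quick check on the pfSense side is Status > IPsec: with split connections enabled, each phase 2 should appear as its own child SA with exactly one local/remote selector pair, and the Sonicwall capture should no longer show the selector-check drop for the second network.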