PFSense Site to Site with Sonicwall Multiple Subnets



  • Hope someone can help me here. This is my first PFSense (2.3.2), and I'm trying to connect to a Sonicwall NSA2600 via IPSec. I can get the tunnel to come up fine as long as I don't add a second phase 2, which is needed. When I add a second phase 2 (a copy of the first but with a different remote network), it shows it connects to both, but only one will work. On the Sonicwall side I have it set up to allow both networks via address objects. When I do a packet capture on the Sonicwall, the phase 2 that fails to ping gives me "DROPPED, Drop Code: 408(Octeon Decrypyion Failed Selector check), Module Id: 20(ipSec)", which means it can't decrypt that phase 2. It must be something in my phase 2 that I am missing. Also, it is not always the new phase 2 I add; it seems that if I reboot the PFSense, the first network I try pinging is the one it happens to.

    Any help would be great.

    Jon
    ![PFSense IPSec.png](/public/imported_attachments/1/PFSense IPSec.png)


  • Netgate

    Like the Cisco ASA, I don't think the Sonicwall can handle multiple traffic selectors on a child SA like that. Try enabling split connections on the "Phase 1".



  • Thank you! That worked.
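
What the suggested "split connections" setting changes, shown as an added illustration in strongSwan `ipsec.conf` syntax (not from the thread and not a dump from the poster's firewall). It assumes the tunnel uses IKEv2; every address, subnet and conn name below is a constructed placeholder.

```conf
# Constructed example values throughout; conn names are hypothetical.

# Split connections OFF: both phase 2 entries are folded into one conn,
# so a single IKEv2 child SA is proposed with two remote traffic selectors.
# A peer that expects one selector pair per child SA can bring the SA up
# and still drop traffic for one of the networks on its selector check.
conn site-to-site
	keyexchange = ikev2
	left = 198.51.100.10
	right = 203.0.113.20
	leftsubnet = 192.168.10.0/24
	rightsubnet = 10.20.1.0/24,10.20.2.0/24
	auto = route

# Split connections ON: one conn per phase 2 entry, so each child SA
# carries exactly one local/remote selector pair.
conn site-to-site-net1
	keyexchange = ikev2
	left = 198.51.100.10
	right = 203.0.113.20
	leftsubnet = 192.168.10.0/24
	rightsubnet = 10.20.1.0/24
	auto = route

conn site-to-site-net2
	keyexchange = ikev2
	left = 198.51.100.10
	right = 203.0.113.20
	leftsubnet = 192.168.10.0/24
	rightsubnet = 10.20.2.0/24
	auto = route
```

With the split form in place, `ipsec statusall` should list one child SA per remote network, each showing a single `local === remote` selector pair.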