Netgate Discussion Forum

    Tunnel connect but no data can pass

    IPsec
    2 Posts 1 Posters 1.4k Views
    • G
      gdy1039

      pfsense2.0.3(i386) + vmware
      I set up a VPN like this:
      (11.1.1.1) R1 (12.1.1.1) --> (12.1.1.2) R2 (23.1.1.1) --> (23.1.1.1) R3 (33.1.1.1)

      1:
      R1 default gateway to 12.1.1.2
      R3 default gateway to 23.1.1.1
      2: permit any in on all WAN interfaces
      3: I can see the tunnel connects successfully.
      4: In R1, ping 23.1.1.1 succeeds; in R3, ping 12.1.1.1 succeeds.
      5: When I run the command "ping -S 11.1.1.1 33.1.1.1" in R1,
      I can see data is sent in Status -> IPsec -> SAD,
      but the ping doesn't get any response.
      6: In the firewall log I can see a deny ICMP entry:
      block Jul 10 01:56:11 enc0 33.1.1.1 11.1.1.1 ICMP
      7: No NAT here.

      please help me.
      +++++++++++++++r1.conf+++++++++++++++++++
      [2.0.3-RELEASE][root@pfSense.localdomain]/root(1): cat /var/etc/racoon.conf

      This file is automatically generated. Do not edit

      path pre_shared_key "/var/etc/psk.txt";

      path certificate  "/var/etc";

      listen
      {
             adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
             isakmp 12.1.1.1 [500];
             isakmp_natt 12.1.1.1 [4500];
      }

      remote 23.1.1.2
      {
             ph1id 1;
             exchange_mode main;
             my_identifier address 12.1.1.1;
             peers_identifier address 23.1.1.2;
             ike_frag on;
             generate_policy = off;
             initial_contact = on;
             nat_traversal = on;

             dpd_delay = 10;
             dpd_maxfail = 5;
             support_proxy on;
             proposal_check claim;

             proposal
             {
                     authentication_method pre_shared_key;
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     dh_group 2;
                     lifetime time 28800 secs;
             }
      }

      sainfo subnet 11.1.1.0/24 any subnet 33.1.1.0/24 any
      {
             remoteid 1;
             encryption_algorithm 3des;
             authentication_algorithm hmac_sha1;
             pfs_group 2;
             lifetime time 3600 secs;
             compression_algorithm deflate;
      }
      [2.0.3-RELEASE][root@pfSense.localdomain]/root(2):
      +++++++++++++++++++++++++++++++++

      –---------------------R3.CONF--------------------------
      [2.0.3-RELEASE][root@pfSense.localdomain]/root(1): cat /var/etc/racoon.conf

      This file is automatically generated. Do not edit

      path pre_shared_key "/var/etc/psk.txt";

      path certificate  "/var/etc";

      listen
      {
             adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
             isakmp 23.1.1.2 [500];
             isakmp_natt 23.1.1.2 [4500];
      }

      remote 12.1.1.1
      {
             ph1id 1;
             exchange_mode main;
             my_identifier address 23.1.1.2;
             peers_identifier address 12.1.1.1;
             ike_frag on;
             generate_policy = off;
             initial_contact = on;
             nat_traversal = on;

             dpd_delay = 10;
             dpd_maxfail = 5;
             support_proxy on;
             proposal_check claim;

             proposal
             {
                     authentication_method pre_shared_key;
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     dh_group 2;
                     lifetime time 28800 secs;
             }
      }

      sainfo subnet 33.1.1.0/24 any subnet 11.1.1.0/24 any
      {
             remoteid 1;
             encryption_algorithm 3des;
             authentication_algorithm hmac_sha1;
             pfs_group 2;
             lifetime time 3600 secs;
             compression_algorithm deflate;
      }
      [2.0.3-RELEASE][root@pfSense.localdomain]/root(2):
      –-----------------------------------------------------

      • G
        gdy1039

        permit in rule->ipsec, then it's ok
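The symptom in the first post (SAD shows bytes flowing, the firewall log shows a block on enc0) and the fix in the reply (a pass rule on the IPsec tab) are two sides of the same thing: pfSense decrypts the ESP traffic fine and then filters the cleartext packet on the enc0 interface, where only IPsec-tab rules apply. The script below is an added example, not code from the thread or from pfSense. It parses firewall log lines in the layout shown in the first post (the sample lines are constructed), picks out blocks on enc0 between the phase-2 subnets from the racoon.conf sainfo stanza, and prints a pf-style pass rule that illustrates what the IPsec-tab rule permits. The rule string is an illustration of the equivalent pf syntax, not the exact text pfSense generates.

```python
import ipaddress
import re

# Constructed sample lines in the layout shown in the first post:
# action, timestamp, interface, source, destination, protocol.
# The em1 line is an ordinary WAN block and must not be flagged; the
# "pass" line shows the same flow once an IPsec-tab rule exists.
SAMPLE_LOG = """\
block Jul 10 01:56:11 enc0 33.1.1.1 11.1.1.1 ICMP
block Jul 10 01:56:12 enc0 33.1.1.1 11.1.1.1 ICMP
block Jul 10 01:56:13 em1 198.51.100.7 12.1.1.1 TCP
pass Jul 10 01:56:14 enc0 33.1.1.1 11.1.1.1 ICMP
"""

# Phase-2 selectors taken from the sainfo stanza of the R1 racoon.conf.
LOCAL_NET = ipaddress.ip_network("11.1.1.0/24")
REMOTE_NET = ipaddress.ip_network("33.1.1.0/24")
IPSEC_IF = "enc0"  # decrypted IPsec packets are filtered here (IPsec tab rules)

LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+"
    r"(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        # Address fields that are not IPs: treat as unparseable rather than guess.
        return None
    return rec


def blocked_tunnel_traffic(log_text):
    """Blocks on the IPsec interface whose addresses fall inside the phase-2 selectors.

    Such entries mean the SA was established and ESP was decrypted (the SAD
    counters moved), and pf then dropped the cleartext packet: a missing
    IPsec-tab rule, not a tunnel negotiation problem.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["iface"] != IPSEC_IF:
            continue
        if rec["src"] in REMOTE_NET and rec["dst"] in LOCAL_NET:
            hits.append(rec)
    return hits


def suggested_rule(rec):
    """pf-style pass rule illustrating what an IPsec-tab rule for this flow permits.

    Illustrative equivalent only; pfSense generates its own rule text for enc0.
    """
    return (
        f"pass in quick on {rec['iface']} inet proto {rec['proto'].lower()} "
        f"from {REMOTE_NET} to {LOCAL_NET} keep state"
    )


if __name__ == "__main__":
    hits = blocked_tunnel_traffic(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['proto']} {hit['src']} -> {hit['dst']} "
              f"dropped on {hit['iface']} after decryption")
    if hits:
        print("equivalent pass rule:", suggested_rule(hits[0]))
```

Run it against a real Status -> System Logs -> Firewall export after adjusting the field order if your pfSense version logs differently; the point to keep is the filter on the enc0 interface, since a block there cannot be fixed by any WAN rule.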

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.