always use:
> restart ipsec-key-management
solves most issues, just note all tunnels on box will bounce lol
I have found that ISPs are really bad about blocking ESP traffic sometimes, the tunnels come up but no traffic can pass... very annoying
usually a reboot of the cable/dsl router fixes it