IPSEC Tunnel with Virtual IP
-
Hi
I am trying to configure an IPSEC VPN tunnel between cisco ASA 5510 and PFSense 2.2.1.In Pfsense i have added a VIP as the interface to achieve a fail over between Master/Slave firewalls.Also added VIP under "My identifier".
When i try to establish the tunnel, i am not able to do so with the Virtual IP.
Still shows MM_WAIT_MSG2 in cisco.(cisco as an initiator waiting to hear back from PFSense)
If i remove the VIP and enter the WAN interface address as the IP address in PFSense,the tunnel works perfectly.
PHASE 1 Configurations
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800PHASE 2 Configurations
Added Local LAN IP Address Range
Added Remote LAN Ip Address Range
Encryption AES256
Hash sha
lifetime 3600NAT-T
Disabled in both the firewalls
PFS
Disabled in both the firewalls
Access list
Have added the ACL under IPSEC in both the firewalls.
Not sure why IPSEC is not working with VIP in PFSense 2.2.1
Any help will be highly Appreciated.
-
Why 2.2.1? Several IPsec issues were corrected in the early 2.2.X releases. Not sure if that's one of them, but..
-
Do VIP cannot be used in IPSEC in Pfsense 2.2.1?
-
Any suggestions would be really helpful.
-
Upgrading to a supported release is the best advice in this situation. Numerous IPsec issues have been fixed since then, and many CARP issues were fixed in 2.2.3 and later.
You won't find many people willing to troubleshoot such an out-of-date version, and it's likely your issue has been fixed.
-
added the VIP under identifiers for the IPSEC?
By default they are the IP, if you change peer/local to example KEY_ID and then the designated identifiers, they also need to be matched on the other site.I used KEY_ID on my PFsense but on the sonicwall remote VPN, it was registering as FQDN ( ??? ??? ??? ??? ??? ) I had to change the sonicwall identifiers as FQDN instead lol.
Remote GW is always the public IP of the other ends VPN tunnel, not a virtual IP, as it's created internally to use from the remote site.
