Netgate Discussion Forum
    IPSEC VPN with 3005 Cisco VPN Concentrator

    IPsec
kapara

I was unable to ping from the VPN Concentrator across my pfSense to other devices and could not figure it out. I finally saw a response in the filter logs via SSH. Why don't these blocks show up in the firewall logs? Is that by design?

    4.082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40
    5.510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40
    5.489187 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16386, length 40
    5.500892 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16642, length 40

Once I added a rule to IPsec allowing ANY to ANY **** etc., it started to pass traffic. When I delete the rule, the traffic continues to pass through. The only way I found to stop the traffic is either to disable the VPN or to reset the states. I was under the assumption that if you remove a rule allowing traffic, it would stop the traffic. It would be nice to see logging for IPsec when you create a rule and choose "Log packets that are handled by this rule".

      Skype ID:  Marinhd

kapara

        anyone?

        Skype ID:  Marinhd

djamp42

Hmm, I'm not sure about the issue, but I'm thinking about getting a Cisco 3005 as our VPN concentrator for about 100 IPsec VPN tunnels.

It seems you have the 3005 working with pfSense, so I guess I'm just asking: would you recommend it?

databeestje

It's a stateful firewall; as long as the state is valid, it works.

            Consider the no state option on that rule.

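The two points above (kapara's observation that traffic kept flowing after the pass rule was deleted until the states were reset, and databeestje's reply that pf is stateful and rules are only consulted for packets that do not already match a state) can be checked directly on the firewall. The script below is an added example for this thread, not code from the original posts or from Netgate. It parses pflog lines in the tcpdump format quoted in the first post, resolves the rule number, and prints the pfctl commands that show the blocking rule, list the states still carrying the src/dst pair, and kill only those states. The sample lines are copied from the post; the TCP-style line handling and all function names are this example's own assumptions. The parsing runs on any POSIX sh with awk and sed; the printed pfctl and tcpdump commands are meant to be run on the pfSense box itself.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): turn pflog block lines
# into the pfctl commands needed to see why traffic is blocked or keeps passing.
# Parsing runs anywhere with POSIX sh + awk/sed; the emitted commands are for
# the pfSense/FreeBSD shell (pfctl, tcpdump).

# Constructed sample input: two of the lines quoted in the first post.
SAMPLE_PFLOG='4.082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40
5.510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40'

# Rule number N from "rule N/0(match)".
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9]*\)\/[0-9]*(match).*/\1/p'
}

# Interface the packet was evaluated on; enc0 is the IPsec interface.
pflog_iface() {
    printf '%s\n' "$1" | sed -n 's/.* on \([a-z0-9._]*\): .*/\1/p'
}

# "src dst" addresses. tcpdump appends ".port" for TCP/UDP (a.b.c.d.port), so an
# IPv4 field with four dots carries a port to strip; ICMP lines have none.
pflog_pair() {
    printf '%s\n' "$1" | awk -F': ' '{
        split($3, p, " > ")
        for (i = 1; i <= 2; i++)
            if (gsub(/\./, ".", p[i]) == 4) sub(/\.[0-9]+$/, "", p[i])
        print p[1], p[2]
    }'
}

# pfctl -vvsr prefixes each loaded rule with "@N", the same N pflog reports,
# so this resolves the number in the log to the actual rule text.
show_rule_cmd() {
    printf 'pfctl -vvsr | grep -A2 "^@%s "\n' "$1"
}

# States currently matching the pair. A non-empty result is why traffic still
# passes after the pass rule is deleted: packets matching an existing state
# never reach the ruleset again.
show_states_cmd() {
    printf 'pfctl -ss | grep -F "%s" | grep -F "%s"\n' "$1" "$2"
}

# Kill only the states from src to dst. The GUI "Reset states" is the blunt
# equivalent, pfctl -F states, which drops every state on the box.
kill_states_cmd() {
    printf 'pfctl -k %s -k %s\n' "$1" "$2"
}

# Watch logged packets live on the firewall, enc0 included, independently of
# what the GUI firewall log view shows.
watch_pflog_cmd() {
    printf 'tcpdump -n -e -ttt -i pflog0\n'
}

# Driver: one command set per distinct (iface, rule, src, dst) in the sample.
printf '%s\n' "$SAMPLE_PFLOG" | while IFS= read -r line; do
    rule=$(pflog_rule_number "$line")
    set -- $(pflog_pair "$line")
    printf '# %s: rule %s blocked %s -> %s\n' "$(pflog_iface "$line")" "$rule" "$1" "$2"
    show_rule_cmd "$rule"
    show_states_cmd "$1" "$2"
    kill_states_cmd "$1" "$2"
done | awk '!seen[$0]++'
watch_pflog_cmd
```

Run the three printed pfctl commands on the firewall in order: the first shows what rule 70 actually is, the second shows whether states exist for the pair (if they do, deleting the pass rule cannot stop the flow), and the third removes just those states so the ruleset is consulted again on the next packet without flushing every other connection on the box.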
kapara

The Cisco concentrator is a really nice device. pfSense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours, which is currently a problem. Why would you not want to use pfSense for those 100 VPN tunnels?

              Skype ID:  Marinhd

djamp42

                @kapara:

The Cisco concentrator is a really nice device. pfSense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours, which is currently a problem. Why would you not want to use pfSense for those 100 VPN tunnels?

Yeah, I'm going to give pfSense a try. I have every IPsec tunnel on a different IP range, so I don't see any reason why it wouldn't work as a 100+ tunnel concentrator, provided it has enough CPU power.

kapara

                  @databeestje

                  Thanks for the response!

                  Skype ID:  Marinhd

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.