Netgate Discussion Forum

PFSENSE 1.2.3 IPSEC with CISCO ASA

    jimp Rebel Alliance Developer Netgate
    last edited by Mar 1, 2010, 5:20 AM

    Do you have Dead Peer Detection enabled for the IPsec tunnel on pfSense? It should see that the peer is gone and reset. You may need to set it to something low, like 10 or 20 seconds.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

      mst
      last edited by Mar 1, 2010, 12:58 PM

      Yes, it was set to 60 sec, now I have changed to 20 sec.

      Thank You

        longoc
        last edited by Apr 28, 2010, 4:07 PM

        I'm having this same problem. mst, did this fix work for you?

          mst
          last edited by Apr 28, 2010, 4:10 PM

          NOPE, still waiting and searching... but so far no luck...

          MST

            KForce
            last edited by Apr 28, 2010, 4:50 PM

            Try checking the "prefer older SA" box under gen>adv. I was having similar issues, but mine was just dropping randomly. Something to try I guess.

              longoc
              last edited by Apr 28, 2010, 5:22 PM

              @KForce:

              Try checking the "prefer older SA" box under gen>adv. I was having similar issues, but mine was just dropping randomly. Something to try I guess.

              I tried that and http://forum.pfsense.org/index.php/topic,13847.0.html to no avail. I hate to have to be forced to downgrade to 1.2.2 because 1.2.3 is really slick.

                jimp Rebel Alliance Developer Netgate
                last edited by Apr 28, 2010, 5:42 PM

                Until someone posts more information (specifically the config from the ASA and info from pfSense, along with relevant logs from both), any suggestions are really just guesswork.

                Has anyone with an ASA checked their config against the one on page 262 (section 13.9.3) of the book?


                  longoc
                  last edited by Apr 28, 2010, 6:37 PM

                  I have about 80 IPsec site-to-site tunnels running on the ASA. Probably about 40 m0n0wall, 30 1.2.2 pfSense and 10 1.2.3 pfSense. Only the ones running 1.2.3 are giving me this issue. All the configs are identical (phase 1, phase 2) and the corresponding config on the ASA is the same too.

                  crypto isakmp policy 5
                  authentication pre-share
                  encryption 3des
                  hash sha
                  group 2
                  lifetime none

                  crypto map Outside_map 10231 match address CMAPLIST10231
                  crypto map Outside_map 10231 set pfs
                  crypto map Outside_map 10231 set peer 12.49.210.138
                  crypto map Outside_map 10231 set transform-set TSET3DES

                  sungard-asa-main# show run tunnel-group 12.49.210.138
                  tunnel-group 12.49.210.138 type ipsec-l2l
                  tunnel-group 12.49.210.138 ipsec-attributes
                  pre-shared-key *

                  crypto map Outside_map interface Outside

                  I think that's all the relevant config you need.

                  The tunnel stays up for about a day, but drops off and I have to log into pfSense and disable/enable the IPsec tunnel.

                  Another issue I have is that after a while, I can still ping the internal interface of the pfSense box through the IPsec tunnel, but I can't HTTP to that address. During this time, remote people behind the pfSense box can no longer get to network services such as email and shares.

                    longoc
                    last edited by Apr 28, 2010, 6:38 PM

                    Missed one line
                    crypto ipsec transform-set TSET3DES esp-3des esp-sha-hmac

                      jimp Rebel Alliance Developer Netgate
                      last edited by Apr 28, 2010, 8:46 PM

                      You have "lifetime none" set on the Cisco, but on pfSense the lifetime defaults to 86400 I believe, which would explain the day delay. Since the Cisco is probably initiating the tunnel, rekeying is left to the initiator, and since it doesn't believe the tunnel has expired, it probably isn't even trying to rekey.

                      Try setting lifetime limits instead of directing it to stay alive using the same info forever and it may have more success.


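As an added example (not from this thread, pfSense, or Cisco), the following check parses the `crypto isakmp policy` block posted above and compares it with the Phase 1 settings assumed on the pfSense side, flagging the two conditions raised in this thread: jimp's DPD advice from the first reply, and "lifetime none" on the ASA against the 86400 s pfSense default. The pfSense values in PFSENSE_P1 and the 20 s DPD threshold are assumptions for illustration.

```python
"""Phase 1 consistency check for an ASA <-> pfSense IPsec tunnel (added example)."""
import re

# Constructed from the ASA snippet posted in the thread.
ASA_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
"""

# Assumed pfSense 1.2.3 Phase 1 values (hypothetical, not read from a real box).
PFSENSE_P1 = {"encryption": "3des", "hash": "sha", "group": "2",
              "lifetime": 86400, "dpd_enabled": False, "dpd_delay": 60}


def parse_asa_isakmp_policy(text):
    """Return {policy_number: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")  # e.g. "lifetime" -> "none"
        current[key] = value
    return policies


def check_phase1(asa_policy, pfsense, max_dpd_delay=20):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for key in ("encryption", "hash", "group"):
        if asa_policy.get(key) != pfsense[key]:
            findings.append(f"{key} mismatch: ASA={asa_policy.get(key)} pfSense={pfsense[key]}")
    asa_life = asa_policy.get("lifetime", "86400")  # ASA default when the line is absent
    if asa_life == "none":
        findings.append(f"ASA lifetime none vs pfSense {pfsense['lifetime']}s: "
                        "responder expires the SA but the initiator never rekeys")
    elif int(asa_life) != pfsense["lifetime"]:
        findings.append(f"lifetime mismatch: ASA={asa_life}s pfSense={pfsense['lifetime']}s")
    if not pfsense["dpd_enabled"]:
        findings.append("DPD disabled on pfSense: a dead peer will not be detected")
    elif pfsense["dpd_delay"] > max_dpd_delay:
        findings.append(f"DPD delay {pfsense['dpd_delay']}s exceeds {max_dpd_delay}s")
    return findings
```

Running check_phase1 on the parsed policy 5 with the assumed pfSense values reports the lifetime mismatch and the disabled DPD; setting a numeric ASA lifetime equal to the pfSense one and enabling DPD at 20 s clears both findings.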
                        longoc
                        last edited by Apr 28, 2010, 8:43 PM

                        Will do. Thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.