PFSENSE 1.2.3 IPSEC with CISCO ASA

jimp

Do you have Dead Peer Detection enabled for the IPsec tunnel on pfSense? It should see that the peer is gone and reset. You may need to set it to something low, like 10 or 20 seconds.

mst

Yes, it was set to 60 sec, now I have changed to 20 sec.

Thank You

longoc

I'm having this same problem. mst, did this fix work for you?

mst

NOPE still waiting and searching ….. but so far no luck ....

MST

KForce

Try checking the prefer older sa box under gen>adv. i was having similar issues but mine was just dropping randomly. Something to try I guess.

longoc

@KForce:

Try checking the prefer older sa box under gen>adv. i was having similar issues but mine was just dropping randomly. Something to try I guess.

I tried that and http://forum.pfsense.org/index.php/topic,13847.0.html to no avail. I hate to have to be forced to downgrade to 1.2.2 because 1.2.3 is really slick.

jimp

Until someone posts more information – specifically the config from the ASA and info from pfSense, along with relevant logs from both -- any suggestions are really just guesswork.

Has anyone with an ASA checked their config against the one on page 262 (section 13.9.3) of the book?

longoc

I have about 80 ipsec site to site  tunnels running on the ASA. Probably about 40 monowall, 30 1.2.2 pfsense and 10 1.2.3 pfsense. Only the ones running 1.2.3 are giving me this issue. All the configs are identical (phase1, phase2) and the corresponding config on the ASA are the same too.

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none

crypto map Outside_map 10231 match address CMAPLIST10231
crypto map Outside_map 10231 set pfs
crypto map Outside_map 10231 set peer 12.49.210.138
crypto map Outside_map 10231 set transform-set TSET3DES

sungard-asa-main# show run tunnel-group 12.49.210.138
tunnel-group 12.49.210.138 type ipsec-l2l
tunnel-group 12.49.210.138 ipsec-attributes
pre-shared-key *

crypto map Outside_map interface Outside

I think thats all the relevant config you need.

THe tunnel stays up for about a day, but drops off and I have to log into pfsense and disable/enable the ipsec tunnel.

Another issue I have is that after a while, I can still ping the internal interface of the PFSense box through the ipsec tunnel, but I can't http to that address. During this time, remote people behind the PFSense box can no longer get to network services such as email and shares.

longoc

Missed one line
crypto ipsec transform-set TSET3DES esp-3des esp-sha-hmac

jimp

You have "lifetime none" set on the Cisco, but on pfSense the lifetime defaults to 86400 I believe, which would explain the day delay. Since the Cisco is probably initiating the tunnel, rekeying is left to the initiator, and since it doesn't believe the tunnel has expired, it probably isn't even trying to rekey.

Try setting lifetime limits instead of directing it to stay alive using the same info forever and it may have more success.

longoc

Will do. Thanks!