Netgate Discussion Forum

PFSENSE 1.2.3 IPSEC with CISCO ASA

    mst
    last edited by Mar 1, 2010, 12:58 PM

    Yes, it was set to 60 sec, now I have changed to 20 sec.

    Thank You

      longoc
      last edited by Apr 28, 2010, 4:07 PM

      I'm having this same problem. mst, did this fix work for you?

        mst
        last edited by Apr 28, 2010, 4:10 PM

        NOPE still waiting and searching ….. but so far no luck ....

        MST

          KForce
          last edited by Apr 28, 2010, 4:50 PM

          Try checking the prefer older sa box under gen>adv. I was having similar issues but mine was just dropping randomly. Something to try I guess.

            longoc
            last edited by Apr 28, 2010, 5:22 PM

            @KForce:

            Try checking the prefer older sa box under gen>adv. I was having similar issues but mine was just dropping randomly. Something to try I guess.

            I tried that and http://forum.pfsense.org/index.php/topic,13847.0.html to no avail. I hate to have to be forced to downgrade to 1.2.2 because 1.2.3 is really slick.

              jimp Rebel Alliance Developer Netgate
              last edited by Apr 28, 2010, 5:42 PM

              Until someone posts more information – specifically the config from the ASA and info from pfSense, along with relevant logs from both -- any suggestions are really just guesswork.

              Has anyone with an ASA checked their config against the one on page 262 (section 13.9.3) of the book?

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                longoc
                last edited by Apr 28, 2010, 6:37 PM

                I have about 80 ipsec site to site tunnels running on the ASA. Probably about 40 monowall, 30 1.2.2 pfsense and 10 1.2.3 pfsense. Only the ones running 1.2.3 are giving me this issue. All the configs are identical (phase1, phase2) and the corresponding config on the ASA are the same too.


                crypto isakmp policy 5
                authentication pre-share
                encryption 3des
                hash sha
                group 2
                lifetime none

                crypto map Outside_map 10231 match address CMAPLIST10231
                crypto map Outside_map 10231 set pfs
                crypto map Outside_map 10231 set peer 12.49.210.138
                crypto map Outside_map 10231 set transform-set TSET3DES

                sungard-asa-main# show run tunnel-group 12.49.210.138
                tunnel-group 12.49.210.138 type ipsec-l2l
                tunnel-group 12.49.210.138 ipsec-attributes
                pre-shared-key *

                crypto map Outside_map interface Outside

                I think that's all the relevant config you need.

                The tunnel stays up for about a day, but drops off and I have to log into pfsense and disable/enable the ipsec tunnel.

                Another issue I have is that after a while, I can still ping the internal interface of the PFSense box through the ipsec tunnel, but I can't http to that address. During this time, remote people behind the PFSense box can no longer get to network services such as email and shares.

                  longoc
                  last edited by Apr 28, 2010, 6:38 PM

                  Missed one line
                  crypto ipsec transform-set TSET3DES esp-3des esp-sha-hmac

                    jimp Rebel Alliance Developer Netgate
                    last edited by Apr 28, 2010, 8:46 PM Apr 28, 2010, 6:53 PM

                    You have "lifetime none" set on the Cisco, but on pfSense the lifetime defaults to 86400 I believe, which would explain the day delay. Since the Cisco is probably initiating the tunnel, rekeying is left to the initiator, and since it doesn't believe the tunnel has expired, it probably isn't even trying to rekey.

                    Try setting lifetime limits instead of directing it to stay alive using the same info forever and it may have more success.


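To make jimp's diagnosis checkable, here is an added Python script that is not from the thread, from pfSense or from Cisco: it parses the ASA isakmp policy block posted above and flags a policy whose lifetime is "none" (or simply longer than the pfSense phase 1 lifetime), since an ASA that initiates the tunnel and never expires its own SA will not rekey before pfSense drops the SA. The 86400-second defaults for both sides are assumed from the thread, and the config text is a constructed copy of the posted fragment.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the ASA fragment posted in this thread, as "show run" prints it.
ASA_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
crypto ipsec transform-set TSET3DES esp-3des esp-sha-hmac
crypto map Outside_map 10231 set pfs
crypto map Outside_map 10231 set peer 12.49.210.138
"""

PFSENSE_P1_DEFAULT = 86400  # seconds; pfSense phase 1 default named in the thread (assumed)
ASA_ISAKMP_DEFAULT = 86400  # seconds; ASA default when a policy has no lifetime line (assumed)


@dataclass
class IsakmpPolicy:
    number: int
    lifetime: Optional[int] = ASA_ISAKMP_DEFAULT  # None means "lifetime none" (never expires)
    params: dict[str, str] = field(default_factory=dict)


def parse_isakmp_policies(config: str) -> list[IsakmpPolicy]:
    """Collect each 'crypto isakmp policy N' block and the parameters listed under it."""
    policies: list[IsakmpPolicy] = []
    current: Optional[IsakmpPolicy] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = IsakmpPolicy(int(m.group(1)))
            policies.append(current)
        elif line.startswith("crypto ") or not line:
            current = None  # any other top-level crypto command ends the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            if key == "lifetime":
                current.lifetime = None if value == "none" else int(value)
            else:
                current.params[key] = value  # authentication, encryption, hash, group
    return policies


def check_phase1_lifetime(policy: IsakmpPolicy, pfsense_p1: int = PFSENSE_P1_DEFAULT) -> list[str]:
    """Flag lifetime combinations where the ASA, as initiator, will not rekey before pfSense expires the SA."""
    findings = []
    if policy.lifetime is None:
        findings.append(f"policy {policy.number}: 'lifetime none' on the ASA, so it never rekeys, "
                        f"while pfSense expires the SA at {pfsense_p1}s; set a finite lifetime matching pfSense")
    elif policy.lifetime > pfsense_p1:
        findings.append(f"policy {policy.number}: ASA lifetime {policy.lifetime}s exceeds pfSense {pfsense_p1}s; "
                        f"align both sides to {pfsense_p1}s")
    return findings
```

Run it against a full `show run` on the ASA and every policy that would outlive the pfSense phase 1 lifetime is listed; a policy shorter than or equal to the pfSense value produces no finding.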
                      longoc
                      last edited by Apr 28, 2010, 8:43 PM

                      Will do. Thanks!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.