Netgate Discussion Forum

Tunnel ipsec between pfsense and cisco router

IPsec
6 Posts 3 Posters 12.7k Views
  • capitangiaco
    last edited by Dec 20, 2006, 10:21 AM

    Hi all

    I've set up a couple of IPsec tunnels between pfSense and Cisco routers.
    I noticed that the tunnel comes up only if I generate traffic from the LAN behind pfSense; the Cisco side is unable to start the VPN.

    When I try to generate traffic from the Cisco side I see this:

    (pfSense IPsec VPN logs)

    Dec 20 11:22:19 racoon: INFO: respond new phase 2 negotiation: ...162[500]<=>...106[500]
    Dec 20 11:22:19 racoon: ERROR: failed to get sainfo.
    Dec 20 11:22:19 racoon: ERROR: failed to get sainfo.
    Dec 20 11:22:19 racoon: ERROR: failed to pre-process packet.
    Dec 20 11:22:29 racoon: INFO: purging ISAKMP-SA spi=0d6050832cb03cc0:261016ad12094e2f.
    Dec 20 11:22:29 racoon: INFO: purged ISAKMP-SA spi=0d6050832cb03cc0:261016ad12094e2f.
    Dec 20 11:22:30 racoon: INFO: ISAKMP-SA deleted ...162[500]-...106[500] spi:0d6050832cb03cc0:261016ad12094e2f
    Dec 20 11:23:48 racoon: ERROR: not acceptable Identity Protection mode

    while from the Cisco debug I see:

    *Mar  8 17:47:02.921: ISAKMP: local port 500, remote port 500
    *Mar  8 17:47:02.921: ISAKMP: set new node 0 to QM_IDLE
    *Mar  8 17:47:02.925: insert sa successfully sa = 82262E64
    *Mar  8 17:47:02.925: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
    Mar  8 17:47:02.925: ISAKMP: Looking for a matching key for ...162 in default : success
    Mar  8 17:47:02.925: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching ...162
    *Mar  8 17:47:02.925: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
    *Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
    *Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
    *Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
    *Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
    Mar  8 17:47:02.929: ISAKMP:(0:0:N/A:0): sending packet to ...162 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Mar  8 17:47:12.933: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE…

    I've tried changing aggressive/main mode and the MD5/SHA values, but I get the same output in the logs.
    The keepalive function in pfSense doesn't work because the pfSense box is unable to ping the private IP of the Cisco router (while it can ping the public IP).
    At the moment I've solved it with a cron job on a server in the pfSense LAN (I ping a host behind the Cisco router every 10 seconds; I tried 600 seconds but the tunnel goes down).

    Any idea?

    Thanks

    Giacomo

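The racoon lines quoted above carry the actual diagnosis in this thread: "failed to get sainfo" is raised during phase 2 when no local phase 2 definition matches the subnets the peer proposed, and "not acceptable Identity Protection mode" is raised during phase 1 when the peer opens with a different exchange mode (main vs. aggressive) than this side expects. The following Python checker is an added example by the editor, not code from the original thread or from pfSense: it parses those log lines (embedded as the sample input, IPs masked as in the post), counts each error string per IKE phase, captures the peer addresses from the phase 2 negotiation line, and reports which phase to fix first. The phase mapping and the hints are the editor's reading of racoon behaviour; the function and variable names are invented for the example.

```python
import re
from collections import Counter

# Racoon (the IKEv1 daemon used by pfSense at the time) log lines quoted in
# the post above, with the IP addresses masked exactly as they appear there.
SAMPLE_LOG = """\
Dec 20 11:22:19 racoon: INFO: respond new phase 2 negotiation: ...162[500]<=>...106[500]
Dec 20 11:22:19 racoon: ERROR: failed to get sainfo.
Dec 20 11:22:19 racoon: ERROR: failed to get sainfo.
Dec 20 11:22:19 racoon: ERROR: failed to pre-process packet.
Dec 20 11:22:29 racoon: INFO: purging ISAKMP-SA spi=0d6050832cb03cc0:261016ad12094e2f.
Dec 20 11:22:29 racoon: INFO: purged ISAKMP-SA spi=0d6050832cb03cc0:261016ad12094e2f.
Dec 20 11:22:30 racoon: INFO: ISAKMP-SA deleted ...162[500]-...106[500] spi:0d6050832cb03cc0:261016ad12094e2f
Dec 20 11:23:48 racoon: ERROR: not acceptable Identity Protection mode
"""

# Racoon error substrings mapped to the IKE phase they belong to and the
# setting to check. The hints are the editor's interpretation, not post text.
KNOWN_ERRORS = {
    "failed to get sainfo": (
        "phase2",
        "no phase 2 (sainfo) entry matches the subnets the peer proposed; "
        "compare the local/remote network definitions on both ends",
    ),
    "not acceptable Identity Protection mode": (
        "phase1",
        "peer opened in main (identity protection) mode while this side expects "
        "another exchange mode; align aggressive/main mode on both ends",
    ),
    "failed to pre-process packet": (
        "phase2",
        "follow-on failure after the sainfo lookup failed; rarely a separate cause",
    ),
}

# "Dec 20 11:22:19 racoon: ERROR: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (?P<level>\w+): (?P<msg>.*)$"
)
# "local[port]<=>remote[port]" as printed on the phase 2 negotiation line
PEER_RE = re.compile(r"(\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")


def parse_line(line):
    """Return (timestamp, level, message) or None if this is not a racoon line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg")


def analyze(log_text):
    """Count racoon ERROR lines by phase and remember the negotiating peer pair."""
    errors = Counter()
    hints = {}
    peer = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # not a racoon line; ignore
        _ts, level, msg = parsed
        pm = PEER_RE.search(msg)
        if pm:
            peer = (pm.group(1), pm.group(3))  # (local, remote) as logged
        if level != "ERROR":
            continue
        for key, (phase, hint) in KNOWN_ERRORS.items():
            if key in msg:
                errors[(phase, key)] += 1
                hints[key] = hint
                break
        else:
            errors[("unknown", msg.rstrip("."))] += 1
    return {"peer": peer, "errors": errors, "hints": hints}


def phase_of_failure(result):
    """Phase 1 must succeed before phase 2 runs, so a phase 1 error is fixed first."""
    phases = {phase for (phase, _key) in result["errors"]}
    if "phase1" in phases:
        return "phase1"
    if "phase2" in phases:
        return "phase2"
    return None


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("peer:", r["peer"])
    for (phase, key), n in sorted(r["errors"].items()):
        print(f"{phase}: {key} x{n}")
        if key in r["hints"]:
            print("   ->", r["hints"][key])
    print("first thing to fix:", phase_of_failure(r))
```

Run against a live log the script would be fed the pfSense IPsec log export instead of SAMPLE_LOG; the useful signal is the per-phase count, since a handful of "failed to get sainfo" entries per negotiation attempt with no phase 1 errors points squarely at mismatched subnet definitions rather than at the pre-shared key or exchange mode.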
    • hoba
      last edited by Dec 20, 2006, 12:57 PM

      You can use the Ping feature of pfSense to keep the tunnel alive or bring it up. It's at the bottom when you edit the tunnel. Just specify an IP of the remote subnet there.

      What kind of identifier are you using for both ends? From the Cisco logs it looks like it is trying several things to bring up the connection (aggressive, main, NAT-T, …). I'm not a Cisco expert, though, but I think there are some settings wrong or not defined at all. Have a look at http://doc.m0n0.ch/handbook/examplevpn.html#id2606293 .

      • sindum
        last edited by Dec 20, 2006, 2:48 PM

        Hi

        Just a quick question. Is there any NAT involved? I.e. the Cisco router being behind a NAT device or doing NAT itself?

        • capitangiaco
          last edited by Jan 3, 2007, 12:54 AM

          No NAT. pfSense and the Cisco router have public IPs.
          I cannot use the keepalive function because the pfSense box cannot ping the private IP of the router (it can only ping the public IP).

          Giacomo

          • hoba
            last edited by Jan 3, 2007, 12:57 AM

            Of course you can use the keepalive for this. It will use the LAN IP of the pfSense as source; this way it will go through the tunnel. You can test this from the webGUI if you go to Diagnostics > Ping, choose interface LAN and ping an IP at the remote end.

            • capitangiaco
              last edited by Jan 3, 2007, 1:20 AM

              I put seconds instead of the IP…
              Now it works!
              Thanks very much.

              Giacomo

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.