Remote Access with Cisco VPN Client Fails after much research
-
All,
Short story: non-cisco client RA vpn connections work, cisco vpn client connections don't, packets enter the LAN from the client, but never traverse past pfsense back.
I've searched this forum and the web in general. I'm aware of some bugs associated with this, but have found no solution. The following thread references some of what I'm seeing: http://forum.pfsense.org/index.php/topic,35057.msg181338.html#msg181338, but there's no follow-up. And I wonder if this is related to bug http://redmine.pfsense.org/issues/1351, in which the proposed solution is to rebuild ipsec-tools from pfports, but ipsec-tools on pfsense 2.0.1 is the most current, 0.8.0. I've taken the suggested steps by updating policy and proposal settings, trying to issue a single IP instead of a pool, and restarting racoon or the entire pfsense system; none have worked. Here are some details; IP addresses have been sanitized:
-- Platform: PFsense 2.0.1 running in a VMWare ESX environment.
-- IPSec Configuration:
LAN Interface Address: 1.1.1.1
Remote Peer Address: 2.2.2.2
Mobile Clients Enabled
Issuing an IP range upon connection, we'll say it's 3.3.3.3
-- Phase I:
Mutual PSK + Xauth
Aggressive
My Identifier: Public IP Address of Pfsense box
Peer Identifier: Distinguished name with PSK
Policy Generation: Unique
Proposal Checking: Obey
Encryption: AES
Hash: MD5
DH Group: 2
Lifetime: 86400
Nat-t: Force
DPD: Enabled, 10, 5
-- Phase II:
Mode: Tunnel
Protocol: ESP
Encryption: AES, auto, 3DES
Hash: MD5
PFS: Off
Lifetime: 3600
When connecting with VPNC, things work fine. When connecting with Cisco VPN Client, traffic flows inbound to my network, and I can even see active flows coming back from my name servers, but the traffic enters the pfsense LAN interface and never goes anywhere. Some persistent log entries include the following:
Mar 2 12:30:15 racoon: [Self]: INFO: IPsec-SA established: ESP 1.1.1.1[500]->2.2.2.2[500] spi=140750808(0x863afd8)
Mar 2 12:30:15 racoon: [Self]: INFO: IPsec-SA established: ESP 2.2.2.2[500]->1.1.1.1[500] spi=1119002556(0x42b29fbc)
Mar 2 12:30:20 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 2 12:30:20 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 2 12:30:23 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 2 12:30:23 racoon: ERROR: failed to begin ipsec sa negotication.
Based on my searches, this may be a bug associated with either how the gui is modifying mode_cfg, shown here:
mode_cfg
{
auth_source system;
group_source system;
pool_size 253;
network4 3.3.3.3;
netmask4 255.255.255.0;
dns4 4.4.4.1;
dns4 4.4.4.2;
dns4 4.4.4.3;
default_domain "[FILTERED]";
split_dns "[FILTERED]";
banner "/var/etc/racoon.motd";
save_passwd on;
}
For your reference, here is a setkey -DP, also with only the pertinent SPIs included:
0.0.0.0/0[any] 3.3.3.3[any] 255
out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/unique:36
created: Mar 2 12:46:19 2012 lastused: Mar 2 12:46:29 2012
lifetime: 2147483(s) validtime: 0(s)
spid=128 seq=0 pid=21230
refcnt=1
3.3.3.3[any] 0.0.0.0/0[any] 255
in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/unique:36
created: Mar 2 12:46:19 2012 lastused: Mar 2 12:46:19 2012
lifetime: 2147483(s) validtime: 0(s)
spid=127 seq=5 pid=21230
refcnt=1
Does anybody have suggestions on how to correctly set up a RA vpn connection for cisco vpn client? Moving to another client isn't an option due to the fact that my work force is completely mobile and coordinating the installation of a different client on every remote laptop is somewhat infeasible and inefficient. Thanks in advance for any help!
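As an added example (not part of this thread or of pfsense/ipsec-tools), here is a small Python parser for the setkey -DP SPD dump format quoted above. It pairs each outbound tunnel policy with its mirrored inbound policy (selector and tunnel endpoints swapped, same reqid) and reports anything that does not line up, which is the first sanity check to run on a mobile-client SPD before digging into racoon itself. The sample dump is constructed from the sanitized addresses in the post.

```python
"""Parse `setkey -DP` (ipsec-tools SPD dump) and check in/out policy symmetry."""
import re
from typing import Dict, List

# Constructed sample, reproducing the sanitized SPD entries quoted in the post.
SAMPLE_SPD = """\
0.0.0.0/0[any] 3.3.3.3[any] 255
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/unique:36
	created: Mar 2 12:46:19 2012 lastused: Mar 2 12:46:29 2012
	lifetime: 2147483(s) validtime: 0(s)
	spid=128 seq=0 pid=21230
	refcnt=1
3.3.3.3[any] 0.0.0.0/0[any] 255
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/unique:36
	created: Mar 2 12:46:19 2012 lastused: Mar 2 12:46:19 2012
	lifetime: 2147483(s) validtime: 0(s)
	spid=127 seq=5 pid=21230
	refcnt=1
"""

SELECTOR = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")      # src[port] dst[port] upper-proto
DIRECTION = re.compile(r"^(in|out|fwd) (ipsec|none|discard)$")
REQUEST = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/(\w+)(?::(\d+))?$")
SPID = re.compile(r"spid=(\d+)")

def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per SPD entry; lines that are not recognised are skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()                      # indentation is a tab in real output
        if m := SELECTOR.match(line):
            entries.append({"src": m[1], "dst": m[3], "upper": m[5]})
        elif not entries:
            continue                            # header noise before the first entry
        elif m := DIRECTION.match(line):
            entries[-1].update(dir=m[1], action=m[2])
        elif m := REQUEST.match(line):
            entries[-1].update(proto=m[1], mode=m[2], tsrc=m[3], tdst=m[4],
                               level=m[5], reqid=m[6] or "")
        elif m := SPID.search(line):
            entries[-1]["spid"] = m[1]
    return entries

def check_mirror(entries: List[Dict[str, str]]) -> List[str]:
    """For each outbound tunnel policy, find the inbound twin; return findings."""
    findings: List[str] = []
    inbound = [e for e in entries if e.get("dir") == "in"]
    for out in (e for e in entries if e.get("dir") == "out" and e.get("mode") == "tunnel"):
        twin = [i for i in inbound if i["src"] == out["dst"] and i["dst"] == out["src"]
                and i.get("tsrc") == out.get("tdst") and i.get("tdst") == out.get("tsrc")]
        if not twin:
            findings.append(f"spid {out['spid']}: no mirrored inbound policy")
        elif twin[0].get("reqid") != out.get("reqid"):
            findings.append(f"spid {out['spid']}: reqid differs from inbound spid {twin[0]['spid']}")
    return findings
```

On the post's own dump the check returns no findings, i.e. the SPD itself is consistent; a mangled tunnel endpoint or a reqid mismatch between directions would be flagged.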
-
Interesting, no reply… I've decided I'll be moving away from pfsense to a separate Cisco firewall. Given the lack of response here and on other posts with similar issues, it seems nobody's figured this out as of yet. Pfsense is a rockin' firewall platform, but won't meet our needs right now.
-
It would have been most interesting to thoroughly troubleshoot this issue, since the Cisco VPN Client is so widely deployed.
With regard to the "no reply" comment, you can't expect too much over a weekend …