Netgate Discussion Forum

PfSense + Cisco

IPsec
3 Posts 2 Posters 2.3k Views
  • A
    ATI
    last edited by Jul 18, 2012, 3:02 AM

    Hi all,
    I'm stuck on the configuration of a tunnel between a Cisco router and a pfSense 2.0.1… well, at least stuck with the phase 2 network definition / or routes.
    Let me explain:

    schema
    10.19.0.0/16 ------------- publicIP 1 ----((internet))--------publicIP 2 ------------- 192.168.10.0/24  :  Linux server is 192.168.10.25
                            Cisco                                                                      pfSense
                        10.19.1.2                                                                  192.168.10.4

    In fact the tunnel is up and running: status UP.
    The SAD shows some traffic from the Cisco router: 120 B each time I ping a server behind pfSense from the Cisco router.

    publicIP 2 publicIP 1 ESP c29780f7 3des-cbc hmac-md5 66880 B
    publicIP 1 publicIP 2 ESP 0cddecca 3des-cbc hmac-md5 1800 B

    This Linux box receives the ping perfectly and replies correctly, as shown by the iptables log I created to test that:
    Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xxx SRC=10.19.1.2 DST=192.168.10.25 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3
    Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : IN= OUT=eth0 SRC=192.168.10.25 DST=10.19.1.2 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3

    What I don't get is that even if the SAD traffic from pfSense is growing, and the tunnel is up, the other side receives nothing.

    I also have 2 IPsec firewall rules in pfSense to allow traffic both ways; I activated logging to understand better:

    • LAN net * 10.19.0.0/16 * * none   2to1 in IPSEC_FW_RULE
    • 10.19.0.0/16 * LAN net * * none   1to2 in IPSEC_FW_RULE

    I can see in the logs the 1to2 rule triggered, and never the 2to1 (e.g. when the Linux server replies to the ping)….

    What am I missing?

    Thanks for your help

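The iptables LOG lines quoted above carry two ID= fields (the IP header ID and, after PROTO=ICMP, the ICMP identifier), and only the second one, together with SEQ, ties an echo reply to its request. The following script is an added example, not code from this thread; it pairs requests logged IN with replies logged OUT and reports any request the host never answered. The log lines are constructed from the format shown above, with a third unanswered request added to illustrate the check.

```python
import re

# Constructed sample lines modelled on the iptables LOG entries quoted above:
# one echo request arriving on eth0, its echo reply leaving, and a second
# request (SEQ=4) that never gets answered.
SAMPLE_LOG = [
    "Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xxx SRC=10.19.1.2 DST=192.168.10.25 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3",
    "Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : IN= OUT=eth0 SRC=192.168.10.25 DST=10.19.1.2 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3",
    "Jul 18 03:26:16 linuxserver kernel: [354769.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xxx SRC=10.19.1.2 DST=192.168.10.25 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=467 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=4",
]


def parse_icmp_log(line):
    """Parse one iptables LOG line into a dict of its key=value fields.
    The ID= field that follows PROTO=ICMP is the ICMP identifier, not the
    IP header ID, so it is stored under ICMP_ID to keep the two apart.
    Returns None for non-ICMP lines."""
    fields, seen_proto = {}, False
    for tok in line.split():
        if "=" not in tok:
            continue
        key, _, val = tok.partition("=")
        if key == "ID" and seen_proto:
            key = "ICMP_ID"
        seen_proto = seen_proto or key == "PROTO"
        fields[key] = val
    return fields if fields.get("PROTO") == "ICMP" else None


def unanswered_echo_requests(lines):
    """Return (src, dst, icmp_id, seq) for every echo request (TYPE=8) seen
    on an IN interface that has no echo reply (TYPE=0) seen on an OUT
    interface with the addresses swapped and the same ICMP id/seq."""
    requests, replies = set(), set()
    for f in filter(None, map(parse_icmp_log, lines)):
        icmp_id, seq = int(f["ICMP_ID"]), int(f["SEQ"])
        if f["TYPE"] == "8" and f["IN"]:
            requests.add((f["SRC"], f["DST"], icmp_id, seq))
        elif f["TYPE"] == "0" and f["OUT"]:
            replies.add((f["DST"], f["SRC"], icmp_id, seq))
    return sorted(requests - replies)


if __name__ == "__main__":
    for req in unanswered_echo_requests(SAMPLE_LOG):
        print("no reply sent for echo request", req)
```

An empty result confirms the host answered every request it received, which isolates the problem to the path between the LAN host and the tunnel, as the thread goes on to do.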
    • A
      ATI
      last edited by Jul 18, 2012, 5:10 PM

      Hello,
      here is an update:

      As said above, I can't see the IPsec firewall rule triggered when 192.168.10.25 replies to a 10.19.1.2 ping request.
      In fact, I can see a LAN firewall rule triggered if I log ICMP from my test server.
      LOG:
      pass  Jul 18 13:09:02 LAN 192.168.10.25 10.19.1.2        ICMP  // ping started from 192.168.10.25
      pass Jul 18 13:08:15         enc0 10.19.1.2         192.168.10.25 ICMP  // ping started from 10.19.1.2

      So the problem seems to be that the route to the IPsec tunnel does not exist: traffic to 10.19.x.x does NOT go to the tunnel interface.
      I checked my phase2 settings:
      LOCAL Network = LAN Subnet
      REMOTE Network = Network 10.19.0.0 / 16

      ((NB: I tried to put 192.168.10.0/24 manually in LOCAL Network, but I get the same results))

      I thought routes for the IPsec tunnel were created automatically (I read this in my searches).
      Isn't that the case?
      How can I check this point, as there is no place to see the tunnel's automatically created routes?

      • L
        Lazyhead
        last edited by Jul 25, 2012, 7:50 AM

        Hi,

        About the routes, I thought the same thing, that they were created automatically…
        Just for the test I created a route "tunnel virtual IP ------wangw", and then the reply ICMP packets were allowed, so try it.

        Did you try to do some captures in the pfSense GUI when you ping your LAN and WAN from the Cisco router? It helps a lot.

        To check routes on the pfSense, go to the Diagnostics section, then "Routes"; you can see all the pfSense routes (manually and automatically created).

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.