Netgate Discussion Forum

    IPSEC Issues between Cisco ASA 5510

    Category: IPsec (6 posts, 2 posters)
    phatty:

      So overall I have had my share of problems with IPsec since the upgrade to 2.2. I thought I had all the problems cleaned up, but now I am suddenly having issues with one of my sites connecting to an ASA 5510. The site with pfSense has 2 networks I am trying to route through the VPN, so I have two Phase 2 entries. The strange part is that before I started troubleshooting I actually had 3 Phase 2 entries, with one for another subnet, but I was still having problems. So here is the overview:

      Originally pfSense had 3 Phase 2 configs:
      LAN Subnet Selected
      LAN2 Subnet Selected
      Manually configured 192.168.242.0/24 that is used by OpenVPN clients.

      With the above in place LAN and LAN2 subnet configurations would always work as expected, but the manually configured subnet would not automatically connect.

      So then I decided the LAN2 subnet doesn't really need to route to this other location; perhaps it was something pfSense was not liking about 3 Phase 2 entries. So I deleted the reference to LAN2 Subnet on both sites, but my problems continue. LAN Subnet connects OK, the manually configured subnet does not automatically connect. I have deleted and compared the Phase 2 entries and everything is identical. I then tried to change which side is the connector vs. initiator, but the results were the same. If I stopped the IPsec service and started it up, only the LAN Subnet Phase 2 would initialize. If I then manually disconnected the IPsec and manually clicked the connect button, both subnets would come alive. Eventually, probably during a rekey, the manually configured subnet will break again.

      Basic overview of settings:
      V1 Key Exchange
      PSK, Main Mode
      Manually configured Identifiers
      Phase 2 uses ESP, no PFS key group, with the specific encryption/hash algorithms that are in use selected.

        eri--:

        You have to upgrade to 2.2.3 from snapshots.pfsense.org, if you can, since there are fixes in it for this case.

          phatty:

          Upgraded to

          2.2.3-DEVELOPMENT (i386)
          built on Fri Jun 12 18:04:33 CDT 2015

          And I still notice that my second phase is not coming online for the manually configured subnet without manually disconnecting/reconnecting the connection.

            eri--:

            Yeah, you would need to send traffic for the second one to connect as well.
            I thought I had fixed that already in the status page; apparently not :)

            Can you just confirm that the tunnels work?
            I will fix the cosmetics of bringing up both tunnels from the status screen.

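The behaviour eri-- describes above (a second Phase 2 stays down, and the status page shows it as down, until a packet matching its selectors makes strongSwan negotiate the CHILD_SA) can be checked from the shell rather than by watching the GUI. The script below is an added example written for this thread, not pfSense or strongSwan code. It parses `ipsec statusall` output in the strongSwan 5.x layout, lists Phase 2 entries whose Phase 1 is ESTABLISHED but which have no installed CHILD_SA, and builds the FreeBSD `ping -S` that would trigger each one. The sample status text, the conn name `con1`, all addresses and SPIs are constructed for the example; pfSense's own conn naming and the exact status layout of the 2.2.3 build in this thread are assumptions.

```python
"""Find pfSense/strongSwan Phase 2 entries that are configured but have no
installed CHILD_SA, and build the probe packet that would bring them up.

Hypothetical helper for this thread (not pfSense code). Assumes the strongSwan
5.x `ipsec statusall` layout: "conn:   child:  A === B" lines under
"Connections:", "conn[n]: ESTABLISHED" for the IKE SA, and "conn{n}:   A === B"
selector lines under "Security Associations" for each installed CHILD_SA.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample (conn name, addresses and SPIs are made up): one IKEv1/PSK
# Phase 1 "con1" with two Phase 2 entries configured, but only the LAN child
# SA installed, i.e. the situation the thread describes.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p13, i386):
  uptime: 2 minutes, since Jun 12 18:10:00 2015
Listening IP addresses:
  198.51.100.10
  10.0.0.1
Connections:
       con1:  198.51.100.10...203.0.113.5  IKEv1, dpddelay=10s
       con1:   local:  [198.51.100.10] uses pre-shared key authentication
       con1:   remote: [203.0.113.5] uses pre-shared key authentication
       con1:   child:  10.0.0.0/24 === 172.16.0.0/24 TUNNEL, dpdaction=restart
       con1:   child:  192.168.242.0/24 === 172.16.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       con1[1]: ESTABLISHED 2 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
       con1[1]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 8f7e6d5c4b3a2910_r, pre-shared key reauthentication in 7 hours
       con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
       con1{1}:  AES_CBC_256/HMAC_SHA1_96, 1234 bytes_i (10 pkts, 5s ago), 2345 bytes_o (9 pkts, 5s ago), rekeying in 45 minutes
       con1{1}:   10.0.0.0/24 === 172.16.0.0/24
"""

CHILD_CFG_RE = re.compile(r"^\s*(?P<conn>[^\s:]+):\s+child:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")
IKE_SA_RE = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[\d+\]:\s+ESTABLISHED\b")


def parse_status(text):
    """Return (configured, installed, ike_up): the first two are sets of
    (conn, local_selector, remote_selector); ike_up is the set of conn names
    whose IKE SA (Phase 1) is ESTABLISHED."""
    configured, installed, ike_up = set(), set(), set()
    for line in text.splitlines():
        m = CHILD_CFG_RE.match(line)
        if m:
            configured.add((m["conn"], m["local"], m["remote"]))
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            installed.add((m["conn"], m["local"], m["remote"]))
            continue
        m = IKE_SA_RE.match(line)
        if m:
            ike_up.add(m["conn"])
    return configured, installed, ike_up


def missing_phase2(text):
    """Phase 2 entries whose Phase 1 is up but which have no CHILD_SA yet: the
    ones the status page shows as down until matching traffic triggers them."""
    configured, installed, ike_up = parse_status(text)
    return sorted(e for e in configured if e[0] in ike_up and e not in installed)


def first_host(cidr):
    """First usable address of a selector (the address itself for a /32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(next(iter(net.hosts()), net.network_address))


def ping_command(entry):
    """FreeBSD ping sourced from inside the local selector and aimed at the
    remote selector, so the packet matches the IPsec policy and makes charon
    negotiate the missing CHILD_SA. (pfSense is FreeBSD; Linux ping uses -I.)"""
    _conn, local, remote = entry
    return ["ping", "-c", "1", "-S", first_host(local), first_host(remote)]


def report(text, trigger=False):
    """Print each missing Phase 2 with its probe; with trigger=True, send it."""
    missing = missing_phase2(text)
    for conn, local, remote in missing:
        cmd = ping_command((conn, local, remote))
        print(f"{conn}: no CHILD_SA for {local} === {remote}; trigger with: {' '.join(cmd)}")
        if trigger:
            subprocess.run(cmd, check=False)
    return missing


if __name__ == "__main__":
    # --live reads the running daemon (run as root on the firewall);
    # without it the constructed sample above is used.
    if "--live" in sys.argv:
        status = subprocess.run(["ipsec", "statusall"], capture_output=True,
                                text=True, check=True).stdout
    else:
        status = SAMPLE_STATUS
    report(status, trigger="--trigger" in sys.argv)
```

On the sample the script reports only the 192.168.242.0/24 entry, because the Connections section lists two children for con1 while the Security Associations section carries a selector line for just one. Sourcing the ping from an address inside the local selector matters: a packet from the firewall's WAN address would not match the policy and would not trigger anything.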
              phatty:

              OK, I did not try to pass traffic, I just went by the status page. I will get a laptop and hotspot so I can do some remote testing, see if all works as expected, and report back.

                phatty:

                I verified that while the status did not show connected, I was able to pass traffic, and then the status updated to reflect 2 subnets.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.