Netgate Discussion Forum
    IPSec VPN Between Cisco 881 and Pfsense 2.1.3 not working

    5 Posts 2 Posters 2.9k Views
    • mtafur.mfsac

      Hi Everybody.

      I have this setup:

      Remote Site (192.168.2.0/24) --- Cisco 881 (LAN .1, WAN 181.177.xxx.xxx) --- Internet --- pfSense (WAN 190.12.xxx.xxx, LAN .1) --- Local Site (192.168.1.0/24).

      Seems a pretty simple setup. We are trying to get an IPsec VPN working here... it has been 2 days and we still have no way of sending or receiving packets through the VPN.

      Configuration on the Remote Site (Cisco)

      XXXXX#sh run
      Building configuration...
      
      Current configuration : 2523 bytes
      !
      version 12.4
      no service pad
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname XXXXXXX
      !
      boot-start-marker
      boot-end-marker
      !
      logging message-counter syslog
      enable secret 5 xxxxxxx
      !
      no aaa new-model
      !
      !
      ip source-route
      ip dhcp excluded-address 192.168.2.1 192.168.2.100
      !
      ip dhcp pool Miraflores2_DHCPPool
         import all
         network 192.168.2.0 255.255.255.0
         dns-server 192.168.1.252
         default-router 192.168.2.1
      !
      !
      ip cef
      no ip domain lookup
      ip domain name xxxxxxx
      !
      !
      license boot module c880-data level advsecurity
      !
      !
      username xxxxx password 0 xxxxxx
      !
      !
      crypto isakmp policy 10
       encr aes 256
       authentication pre-share
       group 2
       lifetime 28800
      crypto isakmp key MYKEY address 190.12.xxx.xxx
      !
      !
      crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
      crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
      !
      crypto map pfsense 15 ipsec-isakmp
       set peer 190.12.xxx.xxx
       set transform-set AES256-SHA
       set pfs group2
       match address acl_vpn
      !
      archive
       log config
        hidekeys
      !
      !
      ip ssh time-out 60
      ip ssh authentication-retries 2
      !
      !
      !
      
      interface FastEthernet0
       spanning-tree portfast
      !
      interface FastEthernet1
       spanning-tree portfast
      !
      interface FastEthernet2
       spanning-tree portfast
      !
      interface FastEthernet3
       spanning-tree portfast
      !
      interface FastEthernet4
       description WAN INTERFACE
       ip address 181.177.xxx.xxx 255.255.255.248
       ip nat outside
       ip virtual-reassembly
       duplex auto
       speed auto
       crypto map pfsense
      !
      interface Vlan1
       description LAN INTERFACE
       ip address 192.168.2.1 255.255.255.0
       ip nat inside
       ip virtual-reassembly
      !
      ip forward-protocol nd
      ip route 0.0.0.0 0.0.0.0 181.177.xxx.xxx
      ip route 192.168.1.0 255.255.255.0 190.12.82.163
      no ip http server
      no ip http secure-server
      !
      !
      ip access-list extended acl_nat
       ! ACL entries are evaluated top-down, first match wins: the NAT exemption for
       ! the VPN subnet must come BEFORE the "permit ... any" entry or it never matches
       deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
       permit ip 192.168.2.0 0.0.0.255 any
      ip access-list extended acl_vpn
       permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
       permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
      !
      !
      !
      !
      !
      control-plane
      !
      !
      line con 0
       password XXXXXX
       login
       no modem enable
      line aux 0
      line vty 0 4
       ! access-list 1 is not defined anywhere in this output
       access-class 1 in
       exec-timeout 30 0
       privilege level 15
       password XXXXX
       login local
       transport preferred ssh
       transport input ssh
      !
      scheduler max-task-time 5000
      end
      
      

      Logs on PFSense

      Last 300 IPsec log entries 
      May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=535795823(0x1fef986f) 
      May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=181901907(0xad79a53) 
      May 15 10:36:03 racoon: WARNING: attribute has been modified. 
      May 15 10:36:03 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes 
      May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: initiate new phase 2 negotiation: 190.12.xxx.xxx[500]<=>181.177.xxx.xxx[500] 
      May 15 10:35:17 racoon: INFO: purged IPsec-SA proto_id=ESP spi=4031659779. 
      

      So, as of now the tunnel is up (I checked SAs, SPs and logs on both sides and they say pretty much the same thing). But I can't ping either side.

      I also use the VPN for mobile users, btw. IPsec based.

      The remote site is new, there is nothing connected to the local switch (so the interface is down). I tried creating a loopback interface on the Cisco, but no result. I have been trying to set this up from a remote console.

      Please help…

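One thing worth checking in the Cisco side of the setup above, independent of the pfSense rules: IOS evaluates an ACL top-down and stops at the first match, so the acl_nat in the posted config ("permit ... any" followed by a "deny" for the VPN subnet) has a deny that can never fire. No "ip nat inside source" line appears in the output, so the ACL is not bound to NAT as shown; if it were, traffic for 192.168.1.0/24 would be translated before the crypto map saw it and would never enter the tunnel. The script below is an added example, not the poster's code and not a Cisco tool; it parses the "permit|deny ip <src> <dst>" form used in the config (address tokens "any", "host A.B.C.D" or "A.B.C.D wildcard") and reports entries that an earlier entry already covers completely. The two ACL texts embedded in it are constructed from the posted acl_nat.

```python
"""Find shadowed entries in a Cisco IOS extended ACL.

Added example for this thread; it is not the poster's code and not a Cisco
tool. IOS evaluates ACL entries top-down and stops at the first match, so an
entry that is fully covered by an earlier one can never fire. Only the
"permit|deny ip <src> <dst>" form is handled, with address tokens written as
"any", "host A.B.C.D" or "A.B.C.D wildcard".
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _take_addr(tokens):
    """Consume one IOS address spec and return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(wildcard))


def parse_acl(text):
    """Parse the entries of one extended ACL into (action, src, dst, text)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, blank line or "!" comment
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            raise ValueError("only 'ip' entries are supported: " + line.strip())
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        entries.append((action, src, dst, " ".join(line.split())))
    return entries


def _covers(earlier, later):
    """True if every address matched by `later` is also matched by `earlier`.

    With wildcard masks a 1 bit means "don't care", so `earlier` must have a
    superset of `later`'s don't-care bits and agree with it on every bit that
    `earlier` actually checks.
    """
    net_a, wc_a = earlier
    net_b, wc_b = later
    checked_bits = ~wc_a & ALL_ONES
    return (wc_a | wc_b) == wc_a and ((net_a ^ net_b) & checked_bits) == 0


def shadowed_entries(entries):
    """Return (index, shadowing_index) for entries no packet can ever reach.

    Only single-entry coverage is detected; an entry hidden by the union of
    several earlier entries is not reported.
    """
    found = []
    for i, (_, src_b, dst_b, _) in enumerate(entries):
        for j in range(i):
            _, src_a, dst_a, _ = entries[j]
            if _covers(src_a, src_b) and _covers(dst_a, dst_b):
                found.append((i, j))
                break
    return found


# Constructed input: the acl_nat exactly as it appears in the posted config.
ACL_NAT_AS_POSTED = """\
ip access-list extended acl_nat
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# The same ACL with the NAT exemption moved above the catch-all permit.
ACL_NAT_FIXED = """\
ip access-list extended acl_nat
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
"""


def report(text):
    """Human-readable list of shadowed entries for one ACL."""
    entries = parse_acl(text)
    return [f"'{entries[i][3]}' is shadowed by '{entries[j][3]}'"
            for i, j in shadowed_entries(entries)]


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_NAT_AS_POSTED), ("fixed", ACL_NAT_FIXED)):
        print(name + ":", report(acl) or ["no shadowed entries"])
```

Run it as-is and the posted acl_nat reports its deny as shadowed while the reordered one reports nothing; the same check applies to acl_vpn and to any other extended ACL pasted into ACL_NAT_AS_POSTED.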
      • dsvj1977

        Hi there!

        When I ran into traffic problems across the VPN, I had to create firewall rules in the IPsec section of my pfSense. And the admin on the other side also had to create firewall rules to allow traffic. I would suggest you start there if you haven't already.

        Daryl

        • mtafur.mfsac

          Hi Daniel, thanks for the reply. I have already a rule on the PfSense IPsec tab. Also, the router has the ACLs set correctly.

          Makes me wonder if there is a routing problem within PfSense.

          • mtafur.mfsac

            well, I managed to get it working.

            I had to add rules not only in the IPsec tab of the firewall, but also in the LAN tab.

            I.e.: local network 192.168.1.0/24, remote 192.168.2.0/24.

            Had to create three rules:

            one for IPsec which is any / any.

            The other two in the LAN, with source: local / dest: remote and vice-versa.

            Tunnel is working now. Just to let you know guys in case you are stuck like I was.

            Don't forget to check with tcpdump -n esp to see whether VPN traffic is passing, at least. Firewall logs are your friend, too.

            • mtafur.mfsac

              Just to let you know…

              after tinkering with rules and testing, I ended up with this:

              One rule, LAN net to the IPsec remote subnet, in the LAN tab.
              The other rule, any to any, in the IPsec tab.

              and I just got the DHCP ip helper-address working... so I'm using my DHCP server. :D

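Why the two-rule outcome above works, and what the any/any rule on the IPsec tab lets through, can be shown with a small model of how pfSense filters tunnel traffic. This is an added example, not pfSense code and not the poster's configuration. It models three behaviours of pf on pfSense: a packet is filtered on the tab of the interface it enters (local hosts enter on LAN, decrypted packets from the remote site enter on the IPsec tab), interface rules are first-match with an implicit default deny, and an allowed flow creates a state entry that lets its reply packets through without the rules being consulted again. The subnets are the thread's; 192.168.1.252 is the DNS server from the posted DHCP pool; the host addresses and the stray 10.0.0.5 source are constructed.

```python
"""Model of which pfSense rule tab sees which leg of a site-to-site IPsec flow.

Added example for this thread; it is not pfSense code and not the poster's
configuration. Assumptions modelled: filtering happens on the ingress tab,
rules are first-match with default deny, and an allowed flow's state entry
admits its replies. Host addresses and the 10.0.0.5 source are constructed.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # pfSense LAN
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")  # Cisco 881 LAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class Firewall:
    """Per-interface rule tabs plus a pf-style state table."""

    def __init__(self, tabs):
        self.tabs = tabs      # {"LAN": [Rule, ...], "IPsec": [Rule, ...]}
        self.states = set()   # (src, dst) pairs of flows already allowed

    def accept(self, tab, flow):
        """Decide one packet arriving on `tab`; returns True if it passes."""
        key = (flow.src, flow.dst)
        if key in self.states or (flow.dst, flow.src) in self.states:
            return True  # belongs to an existing state: rules are not re-evaluated
        for rule in self.tabs.get(tab, []):
            if flow.src in rule.src and flow.dst in rule.dst:
                if rule.action == "pass":
                    self.states.add(key)
                    return True
                return False  # first match wins
        return False  # no rule matched: pf's implicit default deny


def flow(src, dst):
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst))


# What the poster ended up with: LAN net -> remote subnet on LAN, any/any on IPsec.
POSTER_FINAL = {
    "LAN": [Rule("pass", LOCAL_NET, REMOTE_NET)],
    "IPsec": [Rule("pass", ANY, ANY)],
}
# Same result for legitimate traffic, but the IPsec tab only admits the remote
# subnet talking to the local one.
TIGHTENED = {
    "LAN": [Rule("pass", LOCAL_NET, REMOTE_NET)],
    "IPsec": [Rule("pass", REMOTE_NET, LOCAL_NET)],
}


def local_ping_round_trip(tabs):
    """Local host pings a remote host; the echo reply comes back over IPsec."""
    fw = Firewall(tabs)
    if not fw.accept("LAN", flow("192.168.1.10", "192.168.2.10")):
        return False, False  # nothing reached the remote host, so no reply exists
    reply_ok = fw.accept("IPsec", flow("192.168.2.10", "192.168.1.10"))
    return True, reply_ok


def remote_dns_query(tabs):
    """Remote client opens a new flow to the DNS server handed out by DHCP."""
    return Firewall(tabs).accept("IPsec", flow("192.168.2.50", "192.168.1.252"))


def stray_source_over_tunnel(tabs):
    """Packet arriving on the IPsec tab whose source is not the remote subnet."""
    return Firewall(tabs).accept("IPsec", flow("10.0.0.5", "192.168.1.252"))


if __name__ == "__main__":
    for name, tabs in (("poster's final rules", POSTER_FINAL), ("tightened", TIGHTENED)):
        print(name, local_ping_round_trip(tabs), remote_dns_query(tabs),
              stray_source_over_tunnel(tabs))
```

Two things fall out of the model: with only the LAN rule, a ping from the local side already round-trips because the reply rides the state entry, so the IPsec tab rule is only needed for flows the remote side initiates (the DHCP relay and DNS traffic in the last post); and the any/any rule on the IPsec tab also admits a packet from a source outside 192.168.2.0/24, whereas a rule scoped to remote net to local net does not. The phase 2 selectors on both peers should already reject such a packet, but the firewall rule is the layer you control on pfSense.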
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.