Netgate Discussion Forum

    Trouble connecting to Cisco VPN

    IPsec

hessie:

      Hi !

I'm trying to connect to a Cisco VPN server/router; the problem seems to be that something in my network configuration is wrong.

      My Local LAN Subnet has: 192.168.222.0/24 (IP of pfSense .254)
      Local OPT1 is 172.25.99.64/28 (IP of pfSense .65)

      Remote VPN Net is 172.25.0.0/18

I already had a working IPsec VPN connection with different IPs; now, with the new IP networks, nothing at all works. The log just says:
      Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%rl0[500] used as isakmp port (fd=23)
      Aug 13 19:03:17 racoon: [Self]: INFO: 172.25.99.65[500] used as isakmp port (fd=22)
      Aug 13 19:03:17 racoon: INFO: fe80::202:b3ff:fe92:3fde%fxp0[500] used as isakmp port (fd=21)
      Aug 13 19:03:17 racoon: [Self]: INFO: 92.50.102.93[500] used as isakmp port (fd=20)
      Aug 13 19:03:17 racoon: INFO: fe80::214:78ff:feeb:5750%ath0[500] used as isakmp port (fd=19)
      Aug 13 19:03:17 racoon: [Self]: INFO: 192.168.222.254[500] used as isakmp port (fd=18)
      Aug 13 19:03:17 racoon: INFO: fe80::250:daff:fe80:3fb4%xl0[500] used as isakmp port (fd=17)
      Aug 13 19:03:17 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
      Aug 13 19:03:17 racoon: INFO: ::1[500] used as isakmp port (fd=15)
      Aug 13 19:03:17 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
      Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%tun0[500] used as isakmp port (fd=13)
      Aug 13 19:03:17 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=12)

So it seems that pfSense does not get out, for whatever reason.

I'm trying to connect through WAN, which has a static IP; on the remote side nothing has changed but the IP. I can ping
the remote host, but nothing happens in the log.

Maybe someone has an idea?


hessie:

The connection is working now; the remote side had the subnet mask defined wrong :-/

        I've got these interfaces now:

        LAN 192.168.222.0/24 where 192.168.222.254 is pfSense
        WAN static
        OPT1 172.25.66.64/28 where 172.25.66.64 is pfSense

        Remote IPSec Net is 172.25.0.0/18

I now want to ping and send traffic from LAN (!) over the IPsec tunnel to a host that has 172.25.23.23.

I can already ping from the pfSense shell, but from a machine behind pfSense in the LAN net I get:

        [trn1 ~]# ping 172.25.23.198
        PING 172.25.22.198 (172.25.23.198) 56(84) bytes of data.
        From 192.168.222.254 icmp_seq=1 Time to live exceeded
        From 192.168.222.254 icmp_seq=2 Time to live exceeded
        From 192.168.222.254 icmp_seq=3 Time to live exceeded

        I've already added a static route like this:

        LAN Target 172.25.0.0/18 Through GW 172.25.99.65

Do I need to add something else? NAT, for example? The remote side does not know of my 192.168.222.x net.

If NAT is not possible, can I bridge the two interfaces 172.25.69.65 and 192.168.222.254 so that I can just use
an IP out of the 172.x net on one of my machines?

        Thanks !


hessie:

          push


capitangiaco:

Try to debug using traceroute: are packets exiting from the right interface?

            Giacomo

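The symptom in the second post (LAN pings answered by "Time to live exceeded" from pfSense's own LAN address, while pings sourced from the firewall itself work) is what you get on a policy-based IPsec setup when the LAN subnet is not covered by any Phase 2 selector: only traffic whose source and destination match a Phase 2 local/remote pair is pushed into the tunnel, and a static route whose gateway is one of the firewall's own addresses cannot substitute for that. The script below is an added example, not code from the thread or from pfSense. It takes the addresses from the first post (LAN 192.168.222.254/24, OPT1 172.25.99.65/28, static route 172.25.0.0/18 via 172.25.99.65); the Phase 2 selector (OPT1 subnet to 172.25.0.0/18) and the function names are assumptions made to illustrate the check.

```python
"""Added example (not from the Netgate thread): model pfSense's policy-based
IPsec selection to explain why a LAN host's ping to the remote network is
answered with "Time to live exceeded" by the firewall itself.

All addresses are constructed from the thread; the Phase 2 selector is an
ASSUMPTION (the posts never show it).  Function names are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Firewall interface addresses as stated in the first post (the second post
# renumbers OPT1 to 172.25.66.64/28 but keeps 172.25.99.65 as route gateway).
PFSENSE_ADDRS: Dict[str, ipaddress.IPv4Interface] = {
    "LAN": ipaddress.ip_interface("192.168.222.254/24"),
    "OPT1": ipaddress.ip_interface("172.25.99.65/28"),
}

# ASSUMED Phase 2: local = OPT1 subnet, remote = 172.25.0.0/18.  It explains
# why pings sourced from the firewall (OPT1 address) work while LAN pings do not.
PHASE2: List[Tuple[IPNet, IPNet]] = [
    (ipaddress.ip_network("172.25.99.64/28"), ipaddress.ip_network("172.25.0.0/18")),
]

# Static route exactly as the poster added it: remote net via the firewall's own OPT1 IP.
STATIC_ROUTES: List[Tuple[IPNet, ipaddress.IPv4Address]] = [
    (ipaddress.ip_network("172.25.0.0/18"), ipaddress.ip_address("172.25.99.65")),
]


def spd_match(src: str, dst: str, phase2=PHASE2) -> Optional[Tuple[IPNet, IPNet]]:
    """Return the Phase 2 selector that would carry src->dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in phase2:
        if s in local and d in remote:
            return (local, remote)
    return None


def classify_gateway(gw: str, addrs=PFSENSE_ADDRS) -> str:
    """'self' if the gateway is one of the firewall's own addresses,
    'onlink' if it sits in a directly connected subnet, else 'unreachable'."""
    g = ipaddress.ip_address(gw)
    if any(g == i.ip for i in addrs.values()):
        return "self"
    if any(g in i.network for i in addrs.values()):
        return "onlink"
    return "unreachable"


def diagnose(src: str, dst: str) -> List[str]:
    """Explain what the firewall will do with a packet from src to dst."""
    sel = spd_match(src, dst)
    if sel:
        return [f"enters tunnel via Phase 2 {sel[0]} <-> {sel[1]}"]
    out = ["no Phase 2 selector covers this pair: traffic is routed in the clear"]
    d = ipaddress.ip_address(dst)
    for net, gw in STATIC_ROUTES:
        if d in net:
            kind = classify_gateway(str(gw))
            if kind == "self":
                out.append(f"static route {net} via {gw} is the firewall's own address: "
                           "the packet is handed back to the firewall until its TTL is exceeded")
            elif kind == "onlink":
                out.append(f"static route {net} via {gw} forwards to a next hop on the local link")
            else:
                out.append(f"static route {net} via {gw}: gateway not on any connected network")
    return out


def selector_needed(src: str, dst: str, addrs=PFSENSE_ADDRS) -> Tuple[IPNet, IPNet]:
    """Phase 2 local/remote pair that would make src->dst match: local is the
    connected subnet containing src, remote is the thread's remote net."""
    s = ipaddress.ip_address(src)
    local = next(i.network for i in addrs.values() if s in i.network)
    return (local, ipaddress.ip_network("172.25.0.0/18"))


TTL_RE = re.compile(r"^From (\S+) icmp_seq=\d+ Time to live exceeded$")


def ttl_exceeded_sources(ping_output: str) -> List[str]:
    """Collect the routers that returned ICMP time-exceeded in ping output."""
    found = set()
    for line in ping_output.splitlines():
        m = TTL_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return sorted(found)


# Constructed from the ping transcript in the thread.
PING_FROM_LAN = """\
PING 172.25.23.198 (172.25.23.198) 56(84) bytes of data.
From 192.168.222.254 icmp_seq=1 Time to live exceeded
From 192.168.222.254 icmp_seq=2 Time to live exceeded
"""

if __name__ == "__main__":
    for line in diagnose("192.168.222.10", "172.25.23.198"):
        print(line)
    print("TTL exceeded reported by:", ttl_exceeded_sources(PING_FROM_LAN))
    print("Phase 2 needed:", selector_needed("192.168.222.10", "172.25.23.198"))
```

Run it as-is and `diagnose()` reports that a LAN source matches no Phase 2 and that the static route's gateway is the firewall itself, which is consistent with the TTL-exceeded replies coming from 192.168.222.254. `selector_needed()` prints the local/remote pair (192.168.222.0/24 to 172.25.0.0/18) that a Phase 2 entry would have to carry for LAN traffic to be encrypted, which is the check to make before adding routes or NAT.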
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.