Trouble connecting to Cisco VPN

hessie

Hi !

I'm trying to connect to a cisco vpn server/router, problem seems that something with my network configuration is wrong.

My Local LAN Subnet has: 192.168.222.0/24 (IP of pfSense .254)
Local OPT1 is 172.25.99.64/28 (IP of pfSense .65)

Remote VPN Net is 172.25.0.0/18

I already had a working VPN Connection under IPSec with different IP's which worked, now with the new IP Networks nothing at all works. The Log just says:
Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%rl0[500] used as isakmp port (fd=23)
Aug 13 19:03:17 racoon: [Self]: INFO: 172.25.99.65[500] used as isakmp port (fd=22)
Aug 13 19:03:17 racoon: INFO: fe80::202:b3ff:fe92:3fde%fxp0[500] used as isakmp port (fd=21)
Aug 13 19:03:17 racoon: [Self]: INFO: 92.50.102.93[500] used as isakmp port (fd=20)
Aug 13 19:03:17 racoon: INFO: fe80::214:78ff:feeb:5750%ath0[500] used as isakmp port (fd=19)
Aug 13 19:03:17 racoon: [Self]: INFO: 192.168.222.254[500] used as isakmp port (fd=18)
Aug 13 19:03:17 racoon: INFO: fe80::250:daff:fe80:3fb4%xl0[500] used as isakmp port (fd=17)
Aug 13 19:03:17 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Aug 13 19:03:17 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Aug 13 19:03:17 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%tun0[500] used as isakmp port (fd=13)
Aug 13 19:03:17 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=12)
Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%rl0[500] used as isakmp port (fd=23)
Aug 13 19:03:17 racoon: [Self]: INFO: 172.25.99.65[500] used as isakmp port (fd=22)
Aug 13 19:03:17 racoon: INFO: fe80::202:b3ff:fe92:3fde%fxp0[500] used as isakmp port (fd=21)
Aug 13 19:03:17 racoon: [Self]: INFO: 92.50.102.93[500] used as isakmp port (fd=20)
Aug 13 19:03:17 racoon: INFO: fe80::214:78ff:feeb:5750%ath0[500] used as isakmp port (fd=19)
Aug 13 19:03:17 racoon: [Self]: INFO: 192.168.222.254[500] used as isakmp port (fd=18)
Aug 13 19:03:17 racoon: INFO: fe80::250:daff:fe80:3fb4%xl0[500] used as isakmp port (fd=17)
Aug 13 19:03:17 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Aug 13 19:03:17 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Aug 13 19:03:17 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%tun0[500] used as isakmp port (fd=13)
Aug 13 19:03:17 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=12)

So it seems that pfSense does not get out, whyever.

I'm trying to connect thru WAN which has a static IP, the remote setup has not changed but the IP. I can ping
the remote host but nothing happens in the log..

Maybe someone got an idea ?

hessie

Connection is working now, the remote side had the subnet mask wrong defined :-/

I've got these interfaces now:

LAN 192.168.222.0/24 where 192.168.222.254 is pfSense
WAN static
OPT1 172.25.66.64/28 where 172.25.66.64 is pfSense

Remote IPSec Net is 172.25.0.0/18

I now want to ping and make traffic from LAN (!) over the IPSec Tunnel to a host which has 172.25.23.23.

I can already ping from pfSense shell but from a machine behind pfSense in LAN Net I get:

[trn1 ~]# ping 172.25.23.198
PING 172.25.22.198 (172.25.23.198) 56(84) bytes of data.
From 192.168.222.254 icmp_seq=1 Time to live exceeded
From 192.168.222.254 icmp_seq=2 Time to live exceeded
From 192.168.222.254 icmp_seq=3 Time to live exceeded

I've already added a static route like this:

LAN Target 172.25.0.0/18 Through GW 172.25.99.65

Do I need to add something else ? NAT for example ? The remote side does not know of my 192.168.222.x net.

If NAT is not possible, can I bridge the two interfaces 172.25.69.65 and 192.168.222.254 so that I can just use
an IP out of the 172.x net on one of my machines ?

Thanks !

hessie

push

capitangiaco

try to debug using traceroute: are packets exiting from the right interface ?

Giacomo