Trouble connecting to Cisco VPN



  • Hi !

    I'm trying to connect to a Cisco VPN server/router; the problem seems to be that something in my network configuration is wrong.

    My Local LAN Subnet has: 192.168.222.0/24 (IP of pfSense .254)
    Local OPT1 is 172.25.99.64/28 (IP of pfSense .65)

    Remote VPN Net is 172.25.0.0/18

    I already had a working IPsec VPN connection with different IPs; now with the new IP networks nothing at all works. The log just says:
    Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%rl0[500] used as isakmp port (fd=23)
    Aug 13 19:03:17 racoon: [Self]: INFO: 172.25.99.65[500] used as isakmp port (fd=22)
    Aug 13 19:03:17 racoon: INFO: fe80::202:b3ff:fe92:3fde%fxp0[500] used as isakmp port (fd=21)
    Aug 13 19:03:17 racoon: [Self]: INFO: 92.50.102.93[500] used as isakmp port (fd=20)
    Aug 13 19:03:17 racoon: INFO: fe80::214:78ff:feeb:5750%ath0[500] used as isakmp port (fd=19)
    Aug 13 19:03:17 racoon: [Self]: INFO: 192.168.222.254[500] used as isakmp port (fd=18)
    Aug 13 19:03:17 racoon: INFO: fe80::250:daff:fe80:3fb4%xl0[500] used as isakmp port (fd=17)
    Aug 13 19:03:17 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
    Aug 13 19:03:17 racoon: INFO: ::1[500] used as isakmp port (fd=15)
    Aug 13 19:03:17 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
    Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%tun0[500] used as isakmp port (fd=13)
    Aug 13 19:03:17 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=12)
    Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%rl0[500] used as isakmp port (fd=23)
    Aug 13 19:03:17 racoon: [Self]: INFO: 172.25.99.65[500] used as isakmp port (fd=22)
    Aug 13 19:03:17 racoon: INFO: fe80::202:b3ff:fe92:3fde%fxp0[500] used as isakmp port (fd=21)
    Aug 13 19:03:17 racoon: [Self]: INFO: 92.50.102.93[500] used as isakmp port (fd=20)
    Aug 13 19:03:17 racoon: INFO: fe80::214:78ff:feeb:5750%ath0[500] used as isakmp port (fd=19)
    Aug 13 19:03:17 racoon: [Self]: INFO: 192.168.222.254[500] used as isakmp port (fd=18)
    Aug 13 19:03:17 racoon: INFO: fe80::250:daff:fe80:3fb4%xl0[500] used as isakmp port (fd=17)
    Aug 13 19:03:17 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
    Aug 13 19:03:17 racoon: INFO: ::1[500] used as isakmp port (fd=15)
    Aug 13 19:03:17 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
    Aug 13 19:03:17 racoon: INFO: fe80::250:bfff:fe7e:358e%tun0[500] used as isakmp port (fd=13)
    Aug 13 19:03:17 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=12)

    So it seems that pfSense does not get out, for whatever reason.

    I'm trying to connect through the WAN, which has a static IP; nothing in the remote setup has changed but the IP. I can ping
    the remote host, but nothing happens in the log.

    Maybe someone has an idea?



  • The connection is working now; the remote side had the subnet mask defined wrong :-/

    I've got these interfaces now:

    LAN 192.168.222.0/24 where 192.168.222.254 is pfSense
    WAN static
    OPT1 172.25.66.64/28 where 172.25.66.64 is pfSense

    Remote IPSec Net is 172.25.0.0/18

    I now want to ping and send traffic from the LAN (!) over the IPsec tunnel to a host with the address 172.25.23.23.

    I can already ping from the pfSense shell, but from a machine behind pfSense in the LAN net I get:

    [trn1 ~]# ping 172.25.23.198
    PING 172.25.22.198 (172.25.23.198) 56(84) bytes of data.
    From 192.168.222.254 icmp_seq=1 Time to live exceeded
    From 192.168.222.254 icmp_seq=2 Time to live exceeded
    From 192.168.222.254 icmp_seq=3 Time to live exceeded

    I've already added a static route like this:

    LAN Target 172.25.0.0/18 Through GW 172.25.99.65

    Do I need to add something else? NAT, for example? The remote side does not know about my 192.168.222.x net.

    If NAT is not possible, can I bridge the two interfaces 172.25.69.65 and 192.168.222.254 so that I can just use
    an IP out of the 172.x net on one of my machines?

    Thanks!
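The post above boils down to which traffic an IPsec policy actually selects: a policy-based tunnel only encapsulates packets whose source and destination fall inside a phase 2 local/remote pair, and anything else is handled by the ordinary routing table. What follows is an added example, not code from this thread or from pfSense: a small Python model of that selection plus longest-prefix routing, using the addresses from the first post (LAN 192.168.222.0/24, OPT1 172.25.99.64/28, remote 172.25.0.0/18, pfSense at .254 and .65). The phase 2 selector 172.25.99.64/28 <-> 172.25.0.0/18, the default gateway 92.50.102.1, the LAN host 192.168.222.10 and the 1:1 NAT mapping to 172.25.99.70 are all assumptions made for the example; it checks the policy before the route lookup, which is a simplification of what the kernel does.

```python
"""Model of policy-based IPsec traffic selection versus plain routing.

Added example; not code from the forum thread or from pfSense.
Addresses follow the first post; the phase 2 selector, default gateway,
LAN host and 1:1 NAT mapping are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry. A packet is tunnelled only when its source
    lies in `local` and its destination in `remote` (the SPD selector)."""
    local: Net
    remote: Net


@dataclass(frozen=True)
class Route:
    network: Net
    gateway: Optional[IPv4]  # None means directly connected
    iface: str


# Firewall state, constructed for the example.
FW_ADDRS = {IPv4("192.168.222.254"), IPv4("172.25.99.65"), IPv4("92.50.102.93")}

# Assumed phase 2: only the OPT1 /28 is tunnelled to the remote /18.
SPD: List[Phase2] = [Phase2(Net("172.25.99.64/28"), Net("172.25.0.0/18"))]

ROUTES: List[Route] = [
    Route(Net("192.168.222.0/24"), None, "LAN"),
    Route(Net("172.25.99.64/28"), None, "OPT1"),
    # The static route from the post: gateway is the firewall's own OPT1 address.
    Route(Net("172.25.0.0/18"), IPv4("172.25.99.65"), "OPT1"),
    Route(Net("0.0.0.0/0"), IPv4("92.50.102.1"), "WAN"),  # assumed default gateway
]

# Assumed 1:1 NAT: a LAN host is rewritten to a spare address inside the tunnelled /28.
BINAT: Dict[IPv4, IPv4] = {IPv4("192.168.222.10"): IPv4("172.25.99.70")}


def select_policy(spd: List[Phase2], src: IPv4, dst: IPv4) -> Optional[Phase2]:
    """First phase 2 entry whose selector covers (src, dst), or None."""
    for p2 in spd:
        if src in p2.local and dst in p2.remote:
            return p2
    return None


def lookup_route(routes: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, as a kernel routing table does."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def forward(src: str, dst: str, spd=SPD, routes=ROUTES, binat=None, fw_addrs=FW_ADDRS) -> str:
    """Verdict for one packet: tunnelled, directly delivered, routed, or looped."""
    s, d = IPv4(src), IPv4(dst)
    if binat and s in binat:          # NAT happens before the policy check
        s = binat[s]
    p2 = select_policy(spd, s, d)
    if p2 is not None:
        return f"ipsec {p2.local} -> {p2.remote}"
    r = lookup_route(routes, d)
    if r is None:
        return "no route"
    if r.gateway is None:
        return f"direct via {r.iface}"
    if r.gateway in fw_addrs:
        # A gateway must be a neighbour; pointing it at our own address has no next hop.
        return f"loop: gateway {r.gateway} is the firewall itself"
    return f"route via {r.gateway} on {r.iface}"


if __name__ == "__main__":
    for src, dst, nat in [("172.25.99.65", "172.25.23.23", None),
                          ("192.168.222.10", "172.25.23.23", None),
                          ("192.168.222.10", "172.25.23.23", BINAT)]:
        print(f"{src} -> {dst} nat={'yes' if nat else 'no'}: {forward(src, dst, binat=nat)}")
```

Run with `python3 model.py`: a packet sourced from the firewall's own OPT1 address matches the policy, a packet from the LAN host misses it and falls through to the static route that points back at the firewall, and the same LAN packet translated into the /28 matches the policy again. The model is deliberately narrow; on a real box, `setkey -DP` shows the installed policies and `netstat -rn` the routes that the model stands in for.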



  • push



  • Try to debug using traceroute: are the packets exiting from the right interface?

    Giacomo

