IPSEC VPN with 3005 Cisco VPN Concentrator



  • I was unable to ping from the VPN Concentrator across my pfSense to other devices and could not figure it out. I finally saw a response in the filter logs via SSH. Why don't these blocks show up in the firewall logs? Is that by design?

    4. 082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40
    5. 510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40
    5. 489187 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16386, length 40
    5. 500892 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16642, length 40

    Once I added a rule to IPSEC allowing ANY to ANY **** etc., it started to pass traffic. When I delete the rule, the traffic continues to pass through. The only way I found to stop the traffic is either to disable the VPN or reset the states. I was under the assumption that if you remove a rule allowing traffic, it would stop the traffic. It would be nice to see logging for IPSEC when you create a rule and choose "Log packets that are handled by this rule".
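    As an added example (not code from the original thread or from pfSense), here is a small Python parser for pflog lines in the format tcpdump prints when reading pflog0 with -e and -ttt, which is the format of the lines quoted above. It pulls the rule number, action, interface, endpoints and protocol out of each line and tallies packets per rule, so blocks seen over SSH can be triaged and compared against what the GUI shows. The four quoted lines are used as input together with one constructed pass line; rule 12 in that line is hypothetical.

```python
"""Parse pflog lines in the format tcpdump prints for pflog0 with -e and -ttt.

Added example; not code from the original thread or from pfSense. It pulls the
rule number, action, interface, endpoints and protocol out of each line and
tallies packets per rule, so blocks seen over SSH can be triaged quickly.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Everything before " rule " is kept verbatim as the timestamp, so both the
# old "%d. %06d" delta format quoted in the thread and the newer
# "HH:MM:SS.uuuuuu" format are accepted.
PFLOG_RE = re.compile(
    r"^(?P<ts>.*?)\s*rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block|rdr|nat|binat|scrub)\s+(?P<dir>in|out)\s+on\s+"
    r"(?P<iface>[^:\s]+):\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<payload>.*)$"
)


def split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's "addr.port" into (addr, port); a bare address gets port None.

    Validating the left part with ipaddress keeps the last octet of a plain
    IPv4 address from being mistaken for a port.
    """
    host, sep, port = token.rpartition(".")
    if sep and port.isdigit():
        try:
            ipaddress.ip_address(host)
            return host, int(port)
        except ValueError:
            pass
    return token, None


def guess_proto(payload: str, sport: Optional[int]) -> str:
    """Heuristic: tcpdump labels ICMP and UDP explicitly; a ported flow without
    such a label is TCP (both the "Flags [S]" and the older "S 1:1(0)" styles)."""
    head = payload.split(",")[0].lower()
    if head.startswith("icmp"):
        return "icmp"
    if "udp" in head:
        return "udp"
    if sport is not None:
        return "tcp"
    return "other"


def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one pflog line, or None if the line is not pflog output."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    payload = m.group("payload")
    return {
        "ts": m.group("ts"),
        "rule": int(m.group("rule")),
        "subrule": int(m.group("sub")),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("dir"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "proto": guess_proto(payload, sport),
        "payload": payload,
    }


def summarize(lines: List[str]) -> Dict[Tuple[str, str, int], int]:
    """Count packets per (action, interface, rule number); unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["action"], rec["iface"], rec["rule"])] += 1
    return dict(counts)


# The first four lines are the ones quoted in the thread. The fifth is
# constructed for this example (rule 12 is hypothetical) to show a passed
# TCP flow with a port on each endpoint.
SAMPLE_LINES = [
    "4. 082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40",
    "5. 510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40",
    "5. 489187 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16386, length 40",
    "5. 500892 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16642, length 40",
    "0. 113207 rule 12/0(match): pass in on enc0: 192.168.101.12.49152 > 10.20.30.51.443: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_pflog_line, SAMPLE_LINES)):
        sport = f":{rec['sport']}" if rec["sport"] is not None else ""
        dport = f":{rec['dport']}" if rec["dport"] is not None else ""
        print(f"{rec['action']:5} rule {rec['rule']:>3} {rec['direction']:3} {rec['iface']:5} "
              f"{rec['proto']:4} {rec['src']}{sport} -> {rec['dst']}{dport}")
    for (action, iface, rule), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n} x {action} on {iface} by rule {rule}")
```

    Feed it the output of tcpdump on pflog0 line by line; the per-rule tally makes it obvious which rule number is doing the blocking, which is the number to look up in the loaded ruleset rather than in the GUI rule list.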



  • anyone?



  • Hmm, I'm not sure about the issue, but I'm thinking about getting a Cisco 3005 as our VPN concentrator for about 100 IPSec VPN tunnels.

    It seems you have the 3005 working with pfSense, so I guess I'm just asking: would you recommend it?



  • It's a stateful firewall; as long as the state is valid, it works.

    Consider the no state option on that rule.



  • The Cisco concentrator is a really nice device. pfSense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours, which is currently a problem. Why would you not want to use pfSense for those 100 VPN tunnels?



  • @kapara:

    The Cisco concentrator is a really nice device. pfSense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours, which is currently a problem. Why would you not want to use pfSense for those 100 VPN tunnels?

    Yeah, I'm going to give pfSense a try. I have every IPSec tunnel on a different IP range, so I don't see any reason why it wouldn't work as a 100+ tunnel concentrator, provided it has enough CPU power.



  • @databeestje

    Thanks for the response!


Locked