IPSEC VPN with 3005 Cisco VPN Concentrator
-
Was unable to ping from VPN Concentrator across my pfsense to other devices and could not figure it out. Finally saw a response in the filter logs via SSH. Why don't these blocks show up in the firewall logs? Is that by design?
4. 082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40
5. 510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40
5. 489187 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16386, length 40
5. 500892 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16642, length 40
Once I added a rule to IPSEC allowing ANY to ANY **** etc it started to pass traffic. When I delete the rule the traffic continues to pass through. The only way I found to stop the traffic is either to disable the VPN or reset the states. I was under the assumption that if you remove a rule allowing traffic it would stop the traffic. Would be nice to see logging for IPSEC when you create a rule and choose "Log packets that are handled by this rule"
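The four lines above are tcpdump-style pflog output, which is what pfSense shows when you read the filter log over SSH. As an added illustration (not from the original post or from pfSense itself), the following Python parses lines of that shape, counts matches per rule and interface, and lists the distinct flows blocked on the IPsec interface (enc0). The four ICMP lines from the post are embedded as-is, with their mangled timestamps; the two extra lines (a TCP pass on rule 12, an ICMP block on em0) and the rule number 12 are constructed for the example. The parser skips whatever precedes the word "rule", so the damaged timestamp prefix is ignored rather than interpreted.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Loose match for tcpdump-style pflog lines. Everything before "rule" (the
# timestamp, which the forum rendering mangled) is skipped on purpose.
PFLOG_RE = re.compile(
    r"^.*?\brule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>[A-Za-z0-9_.]+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<detail>.*)$"
)

# Constructed sample: the four ICMP blocks quoted in the post, plus two
# made-up lines (TCP pass on a hypothetical rule 12, ICMP block on em0).
SAMPLE_LINES = [
    "4. 082419 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 15874, length 40",
    "5. 510903 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16130, length 40",
    "5. 489187 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16386, length 40",
    "5. 500892 rule 70/0(match): block in on enc0: 192.168.101.12 > 10.20.30.51: ICMP echo request, id 512, seq 16642, length 40",
    "6. 120001 rule 12/0(match): pass in on enc0: 192.168.101.12.51234 > 10.20.30.51.443: Flags [S], seq 1, win 65535, length 0",
    "6. 130002 rule 70/0(match): block in on em0: 203.0.113.7 > 10.20.30.51: ICMP echo request, id 9, seq 1, length 40",
]


def _guess_proto(detail: str) -> str:
    """Derive the protocol from the tail of the line (tcpdump's own wording)."""
    if detail.startswith("ICMP"):
        return "icmp"
    if "Flags [" in detail:
        return "tcp"
    if detail.startswith("UDP"):
        return "udp"
    return "other"


def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured record for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "rule": int(g["rule"]),
        "subrule": int(g["subrule"]),
        "reason": g["reason"],
        "action": g["action"],
        "direction": g["direction"],
        "iface": g["iface"],
        "src": g["src"],
        "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"],
        "dport": int(g["dport"]) if g["dport"] else None,
        "proto": _guess_proto(g["detail"]),
        "detail": g["detail"],
    }


def summarize(lines: List[str]) -> Counter:
    """Count log entries per (action, direction, interface, rule number)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on odd input
        counts[(rec["action"], rec["direction"], rec["iface"], rec["rule"])] += 1
    return counts


def blocked_flows(lines: List[str], iface: str = "enc0") -> List[Tuple[str, str, str]]:
    """Distinct (src, dst, proto) flows blocked on the given interface, sorted."""
    flows = set()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["iface"] == iface:
            flows.add((rec["src"], rec["dst"], rec["proto"]))
    return sorted(flows)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{key[0]:5} {key[1]:3} on {key[2]:4} rule {key[3]:>3}: {n}")
    print("blocked on enc0:", blocked_flows(SAMPLE_LINES))
```

Run against a saved copy of the filter log, the rule column is what tells you which pf rule actually matched; on pfSense the rule number shown here corresponds to the generated ruleset, not the GUI ordering, so the summary is a starting point for finding the rule rather than a direct lookup.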
-
anyone?
-
Hmm, I'm not sure about the issue, but I'm thinking about getting a Cisco 3005 as our VPN concentrator for about 100 IPSec VPN tunnels.
It seems you have the 3005 working with pfSense, so I guess I'm just asking, would you recommend it?
-
It's a stateful firewall, as long as the state is valid it works.
Consider the no state option on that rule.
-
The cisco concentrator is a really nice device. pfsense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours which is currently a problem. Why would you not want to use pfsense for those 100 vpn tunnels?
-
The cisco concentrator is a really nice device. pfsense could probably do the same if they added policy NAT as a feature. This allows other networks to have the same subnet as yours which is currently a problem. Why would you not want to use pfsense for those 100 vpn tunnels?
Yeah, I'm going to give pfSense a try. I have every IPSec tunnel on a different IP range, so I don't see any reason why it wouldn't work as a 100+ tunnel concentrator, provided it has enough CPU power.
-
Thanks for the response!