IPsec to Cisco 3500 Concentrator

  • I was sent some connection specifics regarding a connection to a Cisco concentrator, and am now trying to figure out how to properly configure my pfSense box, or see if a connection with these settings is even possible.  Any help with the translation would be greatly appreciated.

    On the Cisco side:

    Digital Certificate: None (Use Preshared Keys)
    Certificate Transmission: Identity certificate only
    Preshared Key: ****
    Authentication: ESP/SHA/HMAC-160
    Encryption: AES-256
    IKE Proposal: IKE-3DES-SHA
    Filter: None
    IPSec NAT-T: Unchecked
    Bandwidth Policy: None
    Routing: None
    Network List: Use IP Address/Wildcard-mask below
    IP Address:

    I've tried an array of settings on the pfSense side, so I'm not sure if posting my current config will do much good.  Some other points that might be of interest, however: I am running an OpenVPN on this box, and I'm also doing some traffic shaping.


  • I don't know if the 3500 and 3005 have similar setups, but I think they might.  I will try to post an image mapping the Cisco to the pfSense.

    Does the tunnel come up?  Also make sure you are allowing the IPSEC traffic from your pfSense WAN address through to the public interface of your concentrator.

  • I've had varying levels of success, but haven't been able to get traffic across.  My latest victory was getting into Phase 2 negotiations, and the log showing "racoon: INFO: ISAKMP-SA established …"; however, a ping to the remote host was still unsuccessful.  Within the firewall I do have a rule allowing all traffic.  I'm not sure what else I should be looking for in the log.  To me that statement was quite promising.  I'm wondering if, at this point, the remote side might have some rules blocking me out.

  • Do not forget to add a rule on IPSEC allowing protocol any * * * * …etc on your pfSense.  I struggled with a similar issue where the tunnel could come up but no traffic could pass correctly.  Once I allowed the correct ports and protocols through to the concentrator, all worked perfectly.  Do you have a firewall or other device in front of the concentrator controlling traffic to it?

  • Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
    *      *       *     *            *     *                  Allow All IPSec Traffic

    That's the only rule I have set up in IPSEC.  Unfortunately I'm not in control of the network on the Cisco side, so I'm not sure if anything is sitting in front of it.

  • In most environments where I have a concentrator there is a PIX in front of it and the Concentrator is on the DMZ.  We have to specify each WAN IP of the other side in the PIX on our DMZ access list in order to allow traffic to pass through.  We do this for each tunnel.  Some people allow all IPSEC traffic from any to the public interface of their VPN devices.  You should verify that, as it very well could be your problem.

  • It looks like there is a firewall in place, with a static route sending all traffic from that IP to the Concentrator.  So I'm guessing my only choice right now is to see if I can get a 1.3 snapshot running and utilize the new NAT-T traversal?

  • Got it!  It was a problem with NAT-T on the Cisco side.  Got the remote admin to send me some screenshots and was able to get him to enable NAT-T traversal on his end.  So the current working config is:

    Local Subnet ---- pfSense ---- Internet ---- Cisco PIX Firewall ---- Cisco VPN Concentrator ---- Remote Subnet

    Thanks for the help!
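The troubleshooting path this thread walked (Phase 1 up, Phase 2 never completing, a PIX in front of the concentrator, NAT-T disabled on the Cisco side) can be read straight out of the racoon log on the pfSense box. The script below is an added example written for this page; it is not code from the thread, from pfSense, or from racoon. It parses a few racoon log lines, records which IKE phase was reached, whether NAT was detected and which UDP port IKE ended up on, and then suggests the next thing to check in the same order the thread did. The sample log lines are constructed approximations of racoon's message formats, and the function names are my own.

```python
import re

# Constructed sample racoon log excerpts (approximations of racoon's message
# shapes, not lines from the thread's box). Addresses are documentation ranges.
# Scenario 1: Phase 1 completes, NAT is detected, but IKE stays on UDP 500 and
# no IPsec-SA (Phase 2) ever appears -- the situation the thread was stuck in.
LOG_STUCK = """\
Jan 10 14:02:11 pfsense racoon: INFO: initiate new phase 1 negotiation: 198.51.100.2[500]<=>203.0.113.10[500]
Jan 10 14:02:12 pfsense racoon: INFO: NAT detected: PEER
Jan 10 14:02:12 pfsense racoon: INFO: ISAKMP-SA established 198.51.100.2[500]-203.0.113.10[500] spi:0123456789abcdef:fedcba9876543210
Jan 10 14:02:13 pfsense racoon: INFO: initiate new phase 2 negotiation: 198.51.100.2[500]<=>203.0.113.10[500]
"""

# Scenario 2: NAT-T enabled on both ends, IKE floats to UDP 4500, both
# directions of the ESP tunnel come up.
LOG_OK = """\
Jan 10 15:30:01 pfsense racoon: INFO: NAT detected: PEER
Jan 10 15:30:01 pfsense racoon: INFO: ISAKMP-SA established 198.51.100.2[4500]-203.0.113.10[4500] spi:0123456789abcdef:fedcba9876543210
Jan 10 15:30:02 pfsense racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->198.51.100.2[0] spi=12345678(0xbc614e)
Jan 10 15:30:02 pfsense racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.2[0]->203.0.113.10[0] spi=87654321(0x5397fb1)
"""

# "ISAKMP-SA established" is Phase 1 (the line quoted in the thread);
# "IPsec-SA established" is Phase 2, one line per direction.
PHASE1_RE = re.compile(r"racoon: INFO: ISAKMP-SA established (\S+?)-(\S+)")
PHASE2_RE = re.compile(r"racoon: INFO: IPsec-SA established: (ESP|AH)/(Tunnel|Transport) (\S+)->(\S+)")
NAT_RE = re.compile(r"racoon: INFO: NAT detected: (ME PEER|ME|PEER)")


def port_of(endpoint):
    """'203.0.113.10[500]' -> 500 (racoon prints addresses as addr[port])."""
    return int(endpoint.rsplit("[", 1)[1].rstrip("]"))


def assess(log_text):
    """Summarise how far IKE got, from racoon log lines."""
    state = {"phase1": False, "phase2": False, "nat": None, "ike_ports": set()}
    for line in log_text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            state["phase1"] = True
            # Ports seen on the ISAKMP-SA: 500 means no NAT-T float, 4500 means
            # NAT-T was negotiated and IKE/ESP moved to UDP 4500.
            state["ike_ports"].update(port_of(m.group(1)), port_of(m.group(2))) if False else None
            state["ike_ports"].add(port_of(m.group(1)))
            state["ike_ports"].add(port_of(m.group(2)))
        elif PHASE2_RE.search(line):
            state["phase2"] = True
        else:
            n = NAT_RE.search(line)
            if n:
                state["nat"] = n.group(1)
    return state


def next_checks(state):
    """Return (code, advice) pairs in the order a troubleshooter would try them."""
    checks = []
    if not state["phase1"]:
        checks.append(("PHASE1_FAILED",
                       "No ISAKMP-SA: compare the IKE proposal (3DES, SHA1, PSK) "
                       "and confirm UDP 500 from the pfSense WAN reaches the concentrator."))
        return checks
    if not state["phase2"]:
        checks.append(("PHASE2_MISSING",
                       "Phase 1 up but no IPsec-SA: compare the Phase 2 proposal "
                       "(ESP, AES-256, SHA1 HMAC) and the local/remote networks."))
    if state["nat"] and 4500 not in state["ike_ports"]:
        checks.append(("NAT_T_OFF",
                       "NAT detected but IKE never floated to UDP 4500: NAT-T is "
                       "disabled on one side (the concentrator's 'IPSec NAT-T' box)."))
    if state["phase2"]:
        checks.append(("TUNNEL_UP_CHECK_RULES",
                       "Both SAs are up; if pings still fail, check the rule on the "
                       "pfSense IPsec tab and any ACL on the PIX in front of the concentrator."))
    return checks


if __name__ == "__main__":
    for name, log in (("stuck", LOG_STUCK), ("ok", LOG_OK)):
        for code, advice in next_checks(assess(log)):
            print(f"[{name}] {code}: {advice}")
```

Run it against an excerpt copied from Status > System logs > IPsec; the "stuck" sample reproduces the thread's state (ISAKMP-SA on port 500, NAT detected, no IPsec-SA) and the script points at the Phase 2 proposal and at NAT-T, which is where the fix turned out to be.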
