IPsec to Cisco ASA – not stable or good



  • We've been running a IPsec tunnel between office and Rackspace environments for several years, using Openswan on Linux for the office end, Cisco ASAs at Rackspace.

    Tried moving the simpler of those tunnels to pfSense, using the same settings, figuring Strongswan should work as well as Openswan. So far it's a disaster. The results vary from working reasonably, to 25-75% packet loss, to total loss. I've spend hours on the phone with Rackspace techs trying to work out where the problem is. It's not at all apparent.

    I'd far rather use the pfSense Strongswan than have to stand up systems behind it to handle Openswan. And it's hard to believe Strongswan has so much apparent trouble with a Cisco. Have others seen this problem? Is there some set of protocol settings which is magic for this combo?



  • I am connecting to ASA 5505s and 5515s without any packet loss issues, but I don't pass much traffic. Maybe enable the Cisco extensions under IPsec advanced settings?



  • Thanks for the suggestion. Not the solution here, but was worth experimenting with.