VPN Phase 2 Entry For Static Routed Network



Hi,

Scenario:
Remote Office (Cisco ASA Firewall)
LAN - 10.50.0.0/24

This has an IPsec VPN to:

Head Office (pfSense V2.4.2.p1)
LAN - 10.10.0.0/24

Clients in Remote Office can access 10.10.0.0 and 10.150.0.0 via the VPN as phase 2 entries have been added:
Cisco        <-> pfSense
10.50.0.0/24 <-> 10.10.0.0
10.50.0.0/24 <-> 10.150.0.0

pfSense OPT interface is connected to a routed network where 10.150.0.0/24 is available via a static route on the pfSense.

Problem:
1. If the tunnel drops for any reason, only the 10.50.0.0 to 10.10.0.0 phase 2 will re-establish by itself. The only way to re-establish both phase 2 entries is to MANUALLY drop the VPN from the pfSense console and initiate it from that end.
2. Traffic from 10.50.0.0 to 10.150.0.0 will not re-establish that phase 2.

Looking at the pfSense guides, it looks like it can't send a keepalive for the 10.150.0.0 phase 2 entry because it doesn't have an interface directly on the 10.150.0.0 subnet. Obviously it can for the 10.10.0.0 entry.

Questions:
1. Is there a way to make the pfSense establish the phase 2 for 10.50.0.0 to 10.150.0.0 when initiated from the Cisco end?
2. Is there a way to force the pfSense to re-connect automatically if a phase 2 entry drops?
3. Is there another way to solve the problems?

Thanks in advance…

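An added example, not part of the original post and not pfSense's own code: a POSIX shell check that parses `ipsec statusall`-style output to tell whether the child SA (phase 2) for the 10.50.0.0/24 <-> 10.150.0.0/24 selector pair is actually installed, which is the piece a periodic job would need to re-initiate just that phase 2 instead of dropping the whole tunnel by hand. The status text is constructed, the peer addresses are documentation ranges, and the connection name `con1000` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or pfSense). Decide from
# `ipsec statusall`-style output whether the child SA (phase 2) for a given
# traffic-selector pair is installed, and say what to do if it is not.
# The status text below is CONSTRUCTED; peer addresses are documentation
# ranges and the connection name "con1000" is a placeholder.

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
   con1000[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
   con1000{5}:   10.10.0.0/24 === 10.50.0.0/24'

# sa_installed STATUS LOCAL_NET REMOTE_NET
# Returns 0 when a "<conn>{n}:   LOCAL === REMOTE" selector line is present
# (strongSwan prints one per installed child SA), 1 otherwise.
sa_installed() {
    printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*[^[:space:]]+[{][0-9]+[}]:[[:space:]]+$2 === $3([[:space:]]|\$)"
}

# check_phase2 STATUS CONN LOCAL_NET REMOTE_NET
# Prints a one-line verdict; the commented command is what a periodic job on
# pfSense 2.4.x (strongSwan `ipsec` CLI) would run to bring the child SA up.
check_phase2() {
    if sa_installed "$1" "$3" "$4"; then
        echo "ok: $3 === $4 installed"
    else
        echo "missing: $3 === $4 (would run: ipsec up $2)"
        # ipsec up "$2"
    fi
}

# Stand-alone run: 10.150.0.0/24 has no selector line, so it is reported missing.
check_phase2 "$SAMPLE_STATUS" con1000 10.10.0.0/24 10.50.0.0/24
check_phase2 "$SAMPLE_STATUS" con1000 10.150.0.0/24 10.50.0.0/24
```

On a live box the status text would come from `ipsec statusall` and the job would run from cron; the selector pair to watch is the one the post says never comes back on its own.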