Cisco Concentrator 3005 alongside pfSense - vpn remote clients cannot connect



  • OK, just learning this pfSense setup. I am migrating from a Cisco router with a Concentrator 3005 to a pfSense box with the same concentrator. I am using the concentrator for site-to-site VPNs as well as a VPN gateway with LDAP authentication to our network for workers, and it works great; I am just trying to replace the old router with IOS firewall. Current setup before pfSense:
    ISP WAN ROUTER ---> switch ---> Cisco router xxx.xxx.xxx.252 (replacing this with pfSense box)
                                          |---> Cisco 3005  xxx.xxx.xxx.250

    When I hot-swap in the pfSense box, the VPN client software is not able to negotiate the security policies anymore. Here is a log sample.
    Any ideas? Help?

    29    22:05:10.528  03/16/09  Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

    30    22:05:10.540  03/16/09  Sev=Info/5 IKE/0x6300005E
    Client sending a firewall request to concentrator

    31    22:05:10.540  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.250

    32    22:05:12.859  03/16/09  Sev=Info/6 IKE/0x63000055
    Sent a keepalive on the IPSec SA

    33    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    34    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

    35    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    36    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

    37    22:05:23.001  03/16/09  Sev=Info/6 IKE/0x63000055
    Sent a keepalive on the IPSec SA

    38    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    39    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

    40    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x6300002D
    Phase-2 retransmission count exceeded: MsgID=D080F5DE

    41    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to  xxx.xxx.xxx.250

    42    22:05:31.110  03/16/09  Sev=Info/6 IKE/0x6300003D
    Sending DPD request to  xxx.xxx.xxx.250, our seq# = 3241830546

    43    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED

    44    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to  xxx.xxx.xxx.250

    45    22:05:34.152  03/16/09  Sev=Info/4 IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED

    46    22:05:34.152  03/16/09  Sev=Info/4 CM/0x6310000F
    Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

    47    22:05:34.152  03/16/09  Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv

    48    22:05:34.156  03/16/09  Sev=Info/6 CM/0x63100046
    Set tunnel established flag in registry to 0.

    49    22:05:34.156  03/16/09  Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection


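The client log above shows Phase 1 completing and then the very next exchange, the ISAKMP transaction (Mode Config / firewall request) message, being retransmitted until the client gives up. Below is a small parser that pulls exactly that pattern out of a Cisco VPN Client log. It is an added example, not code from the original post or from Cisco: the header and message formats are taken from the lines quoted above, the embedded sample is a subset of those lines with the addresses masked as in the post, and the verdict text is the next check a practitioner would run (UDP/500, UDP/4500 NAT-T and ESP through the new firewall in both directions), which is a working assumption about likely causes rather than a finding from the thread.

```python
import re
from dataclasses import dataclass

# Subset of the Cisco VPN Client log quoted in the post (addresses masked as there).
SAMPLE_LOG = """
29    22:05:10.528  03/16/09  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
30    22:05:10.540  03/16/09  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
31    22:05:10.540  03/16/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.250
33    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250
35    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
38    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
40    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D080F5DE
43    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED
46    22:05:34.152  03/16/09  Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Each entry is a header line ("<seq> <time> <date> Sev=<sev>/<n> <module>/<code>")
# followed by one message line.
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
SEND_RE = re.compile(r"^SENDING >>> (?P<exch>.+?) to\s+(?P<peer>\S+)$")
REASON_RE = re.compile(r"reason = (\w+)")


@dataclass
class Entry:
    seq: int
    time: str
    module: str
    code: str
    message: str


def parse_client_log(text):
    """Pair every header line with the message line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header and line.strip():
            entries.append(Entry(int(header["seq"]), header["time"], header["module"],
                                 header["code"], line.strip()))
            header = None
    return entries


def diagnose(entries):
    """Find the first exchange after Phase 1 that never got an answer."""
    r = {"phase1_established": False, "stalled_exchange": None, "peer": None,
         "retransmissions": 0, "replies_after_phase1": 0,
         "retransmit_limit_hit": False, "failure_reason": None}
    after_phase1 = False
    for e in entries:
        if e.message.startswith("Established Phase 1 SA"):
            r["phase1_established"] = after_phase1 = True
            continue
        if not after_phase1:
            continue
        m = SEND_RE.match(e.message)
        if m and "Retransmission" not in m.group("exch") and r["stalled_exchange"] is None:
            r["stalled_exchange"], r["peer"] = m.group("exch"), m.group("peer")
        elif e.message.startswith("RECEIVED <<<"):        # the client logs inbound IKE this way
            r["replies_after_phase1"] += 1
        elif e.message.startswith("Retransmitting last packet"):
            r["retransmissions"] += 1
        elif e.message.startswith("Phase-2 retransmission count exceeded"):
            r["retransmit_limit_hit"] = True
        m = REASON_RE.search(e.message)
        if m and r["failure_reason"] is None:
            r["failure_reason"] = m.group(1)
    if not r["phase1_established"]:
        r["verdict"] = "Phase 1 never completed: check IKE proposal, group/PSK and UDP/500 reachability"
    elif r["stalled_exchange"] and r["replies_after_phase1"] == 0 and r["retransmit_limit_hit"]:
        # Assumption: the usual reason the peer goes silent right after Phase 1 is that the
        # follow-on traffic (UDP/4500 after NAT-T detection, or ESP) is blocked or NATted differently.
        r["verdict"] = (f"Phase 1 completed but no reply to {r['stalled_exchange']} from {r['peer']}: "
                        "check that UDP/500, UDP/4500 and ESP pass the new firewall in both directions")
    else:
        r["verdict"] = "inconclusive"
    return r


if __name__ == "__main__":
    for k, v in diagnose(parse_client_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Feed the whole client log (not just the excerpt) through `parse_client_log`; a `RECEIVED <<<` line after Phase 1 that the excerpt lacks would change the verdict, which is the point of counting them rather than only the retransmissions.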

  • Looks like this could be a DHCP problem from the concentrator to pfSense.

    Here is a DHCP log entry with latest log first:

    Mar 17 08:19:34 dhcpd: send_packet: Permission denied
    Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
    Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0

    So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26... I wonder if a DHCP relay is needed?

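Read oldest first, the dhcpd lines above say the DISCOVER arrived through a relay (ISC dhcpd logs `via <interface>` for requests it receives directly and `via <giaddr>` for relayed ones), that the relay identified itself as 192.168.10.0, and that the reply could not be sent. The script below is an added example, not code from the original post, pfSense or ISC dhcpd: it parses those three lines, works out which `via` values are relay addresses, and checks whether each is a usable host address in the LAN subnet. The subnet 192.168.10.0/24 is an assumption taken from the offered lease. A giaddr equal to the network address means dhcpd addresses its OFFER to 192.168.10.0, which is not a host; FreeBSD treats a host-part-all-zeros address as a broadcast and refuses to send to it with EACCES ("Permission denied") on a socket without SO_BROADCAST, which is one plausible reading of the `send_packet` error and is stated here as an assumption, not as the thread's conclusion.

```python
import ipaddress
import re

# The three dhcpd lines from the post, newest first as quoted there.
SAMPLE_DHCPD_LOG = """
Mar 17 08:19:34 dhcpd: send_packet: Permission denied
Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) dhcpd: (?P<msg>.*)$")
DISCOVER_RE = re.compile(r"^DHCPDISCOVER from (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<via>\S+)$")
OFFER_RE = re.compile(r"^DHCPOFFER on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<via>\S+)$")
ERROR_RE = re.compile(r"^send_packet: (?P<err>.+)$")


def parse_dhcpd_log(text, newest_first=True):
    """Turn dhcpd syslog lines into a chronologically ordered list of events."""
    lines = [l for l in text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in (("discover", DISCOVER_RE), ("offer", OFFER_RE), ("error", ERROR_RE)):
            mm = rx.match(msg)
            if mm:
                events.append({"ts": m.group("ts"), "kind": kind, **mm.groupdict()})
                break
    return events


def check_relay(events, lan_subnet):
    """Classify every relay (giaddr) seen and pair send errors with the offer before them."""
    net = ipaddress.ip_network(lan_subnet)
    relay_addrs, invalid, offers_not_delivered = [], {}, 0
    for i, ev in enumerate(events):
        via = ev.get("via")
        if via:
            try:
                addr = ipaddress.ip_address(via)
            except ValueError:
                continue  # "via em1"-style: the request came straight off an interface, no relay
            if via not in relay_addrs:
                relay_addrs.append(via)
            # dhcpd unicasts its reply to giaddr, so it must be a real host in a served subnet.
            if addr == net.network_address:
                invalid[via] = f"network address of {net}"
            elif addr == net.broadcast_address:
                invalid[via] = f"broadcast address of {net}"
            elif addr not in net:
                invalid[via] = f"not inside {net}"
        if ev["kind"] == "error" and i > 0 and events[i - 1]["kind"] == "offer":
            offers_not_delivered += 1  # the error line directly follows the OFFER it killed
    return {"relay_addresses": relay_addrs, "invalid_giaddr": invalid,
            "offers_not_delivered": offers_not_delivered}


if __name__ == "__main__":
    # 192.168.10.0/24 is assumed from the offered lease 192.168.10.231.
    print(check_relay(parse_dhcpd_log(SAMPLE_DHCPD_LOG), "192.168.10.0/24"))
```

If the relay address comes out as the network address, the fix is on the relaying device (the concentrator's DHCP relay/forwarding settings), which must put its own LAN interface address in giaddr, not on pfSense's dhcpd; if the relay address is a proper host address and the error persists, look at the pfSense firewall rules for outbound UDP/67 to that host instead.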
