Netgate Discussion Forum

    Cisco Concentrator 3005 alongside pfSense - vpn remote clients cannot connect

    IPsec
    2 Posts 1 Posters 2.9k Views
    • bfulford7

      Ok, just learning this pfSense setup. I am migrating from a Cisco router with a Concentrator 3005 to a pfSense box with the same concentrator. I am using the concentrator for site-to-site VPNs as well as a VPN gateway with LDAP authentication to our network for workers, and it works great; I am just trying to replace the old router with IOS firewall. Current setup before pfSense:
      ISP WAN ROUTER ---> switch ---> Cisco router xxx.xxx.xxx.252 (replacing this with pfSense box)
                                            |---> Cisco 3005  xxx.xxx.xxx.250

      When I hotswap in the pfSense box, the VPN client software is not able to negotiate the security policies anymore. Here is a log sample.
      Any ideas? Help?

      29    22:05:10.528  03/16/09  Sev=Info/4 CM/0x6310000E
      Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

      30    22:05:10.540  03/16/09  Sev=Info/5 IKE/0x6300005E
      Client sending a firewall request to concentrator

      31    22:05:10.540  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.250

      32    22:05:12.859  03/16/09  Sev=Info/6 IKE/0x63000055
      Sent a keepalive on the IPSec SA

      33    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000021
      Retransmitting last packet!

      34    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

      35    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000021
      Retransmitting last packet!

      36    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

      37    22:05:23.001  03/16/09  Sev=Info/6 IKE/0x63000055
      Sent a keepalive on the IPSec SA

      38    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000021
      Retransmitting last packet!

      39    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK TRANS *(Retransmission) to  xxx.xxx.xxx.250

      40    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x6300002D
      Phase-2 retransmission count exceeded: MsgID=D080F5DE

      41    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to  xxx.xxx.xxx.250

      42    22:05:31.110  03/16/09  Sev=Info/6 IKE/0x6300003D
      Sending DPD request to  xxx.xxx.xxx.250, our seq# = 3241830546

      43    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000017
      Marking IKE SA for deletion  (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED

      44    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000013
      SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to  xxx.xxx.xxx.250

      45    22:05:34.152  03/16/09  Sev=Info/4 IKE/0x6300004B
      Discarding IKE SA negotiation (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED

      46    22:05:34.152  03/16/09  Sev=Info/4 CM/0x6310000F
      Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

      47    22:05:34.152  03/16/09  Sev=Info/5 CM/0x63100025
      Initializing CVPNDrv

      48    22:05:34.156  03/16/09  Sev=Info/6 CM/0x63100046
      Set tunnel established flag in registry to 0.

      49    22:05:34.156  03/16/09  Sev=Info/4 IKE/0x63000001
      IKE received signal to terminate VPN connection

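The log above shows Phase 1 succeeding and then the Mode Config transaction ("OAK TRANS *(HASH, ATTR)") being retransmitted with no answer until the client tears the session down. The following Python script is an added example, not code from the original post or from Netgate: it parses Cisco VPN Client log entries of the format quoted above and reports where the negotiation stalled. The embedded sample is a trimmed copy of the entries from the post (peer address masked as in the post); the header and peer regexes are hypothetical patterns written to fit that format, not a documented Cisco log grammar.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Header line of a Cisco VPN Client log entry, e.g.
# "29    22:05:10.528  03/16/09  Sev=Info/4 CM/0x6310000E"
# (hypothetical pattern written to fit the entries quoted in the post)
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
# Peer address at the end of a "SENDING >>> ... to <peer>" message
PEER_RE = re.compile(r"\bto\s+([\w.]+)")
REASON_RE = re.compile(r"reason = (\w+)")

# Trimmed copy of the log entries quoted in the post above
SAMPLE_LOG = """\
29    22:05:10.528  03/16/09  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

31    22:05:10.540  03/16/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.250

33    22:05:15.901  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

35    22:05:20.971  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

38    22:05:26.041  03/16/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

40    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D080F5DE

43    22:05:31.110  03/16/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED

46    22:05:34.152  03/16/09  Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""


@dataclass
class Entry:
    seq: int
    ts: datetime
    comp: str
    code: str
    msg: str


def parse_log(text: str) -> list[Entry]:
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            entries.append(Entry(int(m["seq"]), ts, m["comp"], m["code"], lines[i + 1]))
            i += 2
        else:
            i += 1
    return entries


def summarize(entries: list[Entry]) -> dict:
    """Locate where the negotiation stalled: Phase 1, or the transaction exchange after it."""
    phase1 = any(e.msg.startswith("Established Phase 1 SA") for e in entries)
    trans = [e for e in entries if e.msg.startswith("SENDING >>> ISAKMP OAK TRANS")]
    first = trans[0] if trans else None
    retransmits = sum(e.msg.startswith("Retransmitting last packet") for e in entries)
    # Any "RECEIVED <<<" entry after the first transaction send would mean the peer answered
    replies = sum(e.msg.startswith("RECEIVED <<<") for e in entries if first and e.seq > first.seq)
    exceeded = next((e for e in entries if "retransmission count exceeded" in e.msg), None)
    reason = next((m.group(1) for m in (REASON_RE.search(e.msg) for e in entries) if m), None)
    pm = PEER_RE.search(first.msg) if first else None
    peer = pm.group(1) if pm else None
    timeout_s = (exceeded.ts - first.ts).total_seconds() if first and exceeded else None

    if not phase1:
        verdict = "Phase 1 never completed"
    elif first and exceeded and replies == 0:
        verdict = (f"Phase 1 completed but the Mode Config transaction sent to {peer} got no reply; "
                   f"torn down after {retransmits} retransmissions ({reason})")
    else:
        verdict = "no post-Phase-1 transaction failure detected"
    return {
        "phase1_established": phase1,
        "peer": peer,
        "retransmissions": retransmits,
        "replies_after_transaction": replies,
        "phase2_timeout_s": timeout_s,
        "deletion_reason": reason,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

The verdict isolates the stall to the exchange after Phase 1 (authentication already succeeded) and gives the time between the first transaction send and the retransmission limit, which is the window to compare against the new firewall's state table and logs for the UDP traffic between the client and the concentrator.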
      • bfulford7

        Looks like this could be a DHCP problem from the concentrator to pfSense.

        Here is a DHCP log entry with latest log first:

        Mar 17 08:19:34 dhcpd: send_packet: Permission denied
        Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
        Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0

        So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26… I wonder if a DHCP relay is needed?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.