Cisco Concentrator 3005 alongside pfSense - vpn remote clients cannot connect
-
OK, just learning this pfSense setup. I am migrating from a Cisco router with a Concentrator 3005 to a pfSense box with the same concentrator. I am using the concentrator for site-to-site VPNs as well as a VPN gateway with LDAP authentication to our network for workers, and it works great; just trying to replace the old router with IOS firewall. Current setup before pfSense:

ISP WAN ROUTER ---> switch ---> Cisco router xxx.xxx.xxx.252 (replacing this with pfSense box)
                       |---> Cisco 3005 xxx.xxx.xxx.250

When I hot-swap in the pfSense box, the VPN client software is not able to negotiate the security policies anymore. Here is a log sample.

29 22:05:10.528 03/16/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
30 22:05:10.540 03/16/09 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
31 22:05:10.540 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.250
32 22:05:12.859 03/16/09 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 22:05:15.901 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 22:05:15.901 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xxx.xxx.xxx.250
35 22:05:20.971 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 22:05:20.971 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xxx.xxx.xxx.250
37 22:05:23.001 03/16/09 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 22:05:26.041 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
39 22:05:26.041 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xxx.xxx.xxx.250
40 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D080F5DE
41 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.250
42 22:05:31.110 03/16/09 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xxx.xxx.xxx.250, our seq# = 3241830546
43 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED
44 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xxx.xxx.xxx.250
45 22:05:34.152 03/16/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED
46 22:05:34.152 03/16/09 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
47 22:05:34.152 03/16/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
48 22:05:34.156 03/16/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
49 22:05:34.156 03/16/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

Any ideas? Help?
-
Looks like this could be a DHCP problem from the concentrator to pfSense.
Here is a DHCP log entry with latest log first:
Mar 17 08:19:34 dhcpd: send_packet: Permission denied
Mar 17 08:19:34 dhcpd: DHCPOFFER on 192.168.10.231 to 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0
Mar 17 08:19:34 dhcpd: DHCPDISCOVER from 00:03:a0:89:86:1d (DSI9200) via 192.168.10.0

So it looks like the concentrator's internal IP address is being seen as 10.0 instead of 10.26… wonder if a DHCP relay is needed?
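As an added example (not from the thread or from Cisco/pfSense), a small Python parser for the two-line Cisco VPN Client log format in the first post: it pairs each header line with its message and classifies where the negotiation stopped. The sample log is constructed from the entries posted above, with 192.0.2.250 standing in for the masked concentrator address.

```python
import re
# Constructed sample in the two-line Cisco VPN Client log format from the first post
# (header: entry number, time, date, Sev=level, module/code; message on the next line).
# 192.0.2.250 stands in for the masked concentrator address xxx.xxx.xxx.250.
SAMPLE_LOG = """\
29 22:05:10.528 03/16/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
31 22:05:10.540 03/16/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.0.2.250
33 22:05:15.901 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
35 22:05:20.971 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
38 22:05:26.041 03/16/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
40 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D080F5DE
43 22:05:31.110 03/16/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DFAA17D352151C9D R_Cookie=4401410B500D9A64) reason = DEL_REASON_IKE_NEG_FAILED
"""
HEADER = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

def parse_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i + 1 < len(lines):
        m = HEADER.match(lines[i])
        if not m:  # stray line without a header: skip it
            i += 1
            continue
        entries.append(dict(m.groupdict(), msg=lines[i + 1].strip()))
        i += 2
    return entries

def diagnose(entries):
    """Classify where IKE stopped; returns (stage, retransmit count, deletion reason)."""
    msgs = [e["msg"] for e in entries]
    phase1 = any(m.startswith("Established Phase 1 SA") for m in msgs)
    retx = sum(m.startswith("Retransmitting last packet") for m in msgs)
    reason = next((m.split("reason = ", 1)[1] for m in msgs if "reason = " in m), None)
    if not phase1:
        return ("phase1-not-established", retx, reason)
    if any("retransmission count exceeded" in m for m in msgs):
        return ("mode-config-no-reply", retx, reason)  # Phase 1 up, transaction unanswered
    return ("negotiation-completed", retx, reason)
```

For the posted log it reports that Phase 1 completed but the Mode Config transaction (ISAKMP OAK TRANS) was retransmitted three times without a reply, so the thing to verify on the new firewall is the IKE traffic path between the client and the concentrator rather than Phase 1 or user authentication, which both completed.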