PFSENSE 1.2.3 IPSEC with CISCO ASA



  • Hello PFSENSE Experts,

    I have IPSEC tunnel between pfsense and Cisco Asa, and I have just noticed after I reboot Cisco ASA,
    ipsec tunnel is down. No matter if I try to ping other subnet, it will go up after I uncheck ENABLE IPSEC and check again, then SAVE, and I have VPN tunnel ipsec up again.

    Did anyone experience something similar? Is there any work around for that problem?

    thank you,


  • Rebel Alliance Developer Netgate

    Do you have Dead Peer Detection enabled for the IPsec tunnel on pfSense? It should see that the peer is gone and reset. You may need to set it to something low, like 10 or 20 seconds.



  • Yes, it was set to 60 sec, now I have changed to 20 sec.

    Thank You



  • I'm having this same problem. mst, did this fix work for you?



  • NOPE still waiting and searching ….. but so far no luck ....

    MST



  • Try checking the prefer older sa box under gen>adv. i was having similar issues but mine was just dropping randomly. Something to try I guess.



  • @KForce:

    Try checking the prefer older sa box under gen>adv. i was having similar issues but mine was just dropping randomly. Something to try I guess.

    I tried that and http://forum.pfsense.org/index.php/topic,13847.0.html to no avail. I hate to have to be forced to downgrade to 1.2.2 because 1.2.3 is really slick.


  • Rebel Alliance Developer Netgate

    Until someone posts more information – specifically the config from the ASA and info from pfSense, along with relevant logs from both -- any suggestions are really just guesswork.

    Has anyone with an ASA checked their config against the one on page 262 (section 13.9.3) of the book?



  • I have about 80 ipsec site to site  tunnels running on the ASA. Probably about 40 monowall, 30 1.2.2 pfsense and 10 1.2.3 pfsense. Only the ones running 1.2.3 are giving me this issue. All the configs are identical (phase1, phase2) and the corresponding config on the ASA are the same too.


    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime none

    crypto map Outside_map 10231 match address CMAPLIST10231
    crypto map Outside_map 10231 set pfs
    crypto map Outside_map 10231 set peer 12.49.210.138
    crypto map Outside_map 10231 set transform-set TSET3DES

    sungard-asa-main# show run tunnel-group 12.49.210.138
    tunnel-group 12.49.210.138 type ipsec-l2l
    tunnel-group 12.49.210.138 ipsec-attributes
    pre-shared-key *

    crypto map Outside_map interface Outside

    I think thats all the relevant config you need.

    THe tunnel stays up for about a day, but drops off and I have to log into pfsense and disable/enable the ipsec tunnel.

    Another issue I have is that after a while, I can still ping the internal interface of the PFSense box through the ipsec tunnel, but I can't http to that address. During this time, remote people behind the PFSense box can no longer get to network services such as email and shares.



  • Missed one line
    crypto ipsec transform-set TSET3DES esp-3des esp-sha-hmac


  • Rebel Alliance Developer Netgate

    You have "lifetime none" set on the Cisco, but on pfSense the lifetime defaults to 86400 I believe, which would explain the day delay. Since the Cisco is probably initiating the tunnel, rekeying is left to the initiator, and since it doesn't believe the tunnel has expired, it probably isn't even trying to rekey.

    Try setting lifetime limits instead of directing it to stay alive using the same info forever and it may have more success.



  • Will do. Thanks!


Log in to reply