IPSEC with CISCO



  • I hope there is someone that can shed light on this test of PFSENSE 2.0. We have a VPN tunnel from a PFSENSE 2.0 box to CISCO.  This version of PFSENSE has seemed to fix the MTU issue with previous version, but we are getting a strange error and I am unable to determine if it is configuration or a problem with IPSEC under 2.0.

    The tunnel seems to work fine but we cannot seem to exchange information from our application. Telnet and ping work fine, ping with large packets works fine. We receive the following messages in the log file when the application fails.

    block Apr 30 14:16:39 enc0 10.100.186.92 192.168.11.91 TCP:
    block Apr 30 14:16:39 enc0 10.100.186.92:4571 192.168.11.91:14001 TCP:A
    pass Apr 30 14:16:39 enc0 10.100.186.92:4571 192.168.11.91:14001 TCP:S

    Can anyone tell me why the following is failing when the original syn passes?

    Thanks in advance
    BioBob



  • Unexpected flags on your packets.



  • Likely what Ermal said. If you can get a pcap of the traffic and post it or email it to me (cmb at pfsense dot org, with link to this thread) I can probably tell why.



  • Thanks for the assistance. If I am to do a pcap, what interface should be used? The log is indicating that the source packet failing is from the CISCO side and pcap does not allow capture from the encrypted interface. Do I need the folks on the CISCO side to capture just prior to encryption? Any help is appreciated.



  • You can capture on the IPsec interface if you SSH in and hit option 8. Run:

    tcpdump -i enc0 -s 0 -w /tmp/ipsec.pcap

    then when done, hit ctrl-c, and download /tmp/ipsec.pcap (via SCP or exec.php).



  • Thanks, I will have the Cisco side send me data on Monday.



  • The pcap shows you're getting fragments, you'll have to allow fragments in your rules.
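As an added triage example (not code from this thread's posters): a small Python parser over the pf filter-log lines quoted above, which flags a blocked entry showing no ports and no TCP flags as a likely non-initial fragment, the condition the last reply points at. The log-line layout assumed is the simplified one shown in the first post.

```python
import re
from collections import Counter

# Constructed sample: the three pf filter-log lines quoted in this thread.
SAMPLE_LOG = """\
block Apr 30 14:16:39 enc0 10.100.186.92 192.168.11.91 TCP:
block Apr 30 14:16:39 enc0 10.100.186.92:4571 192.168.11.91:14001 TCP:A
pass Apr 30 14:16:39 enc0 10.100.186.92:4571 192.168.11.91:14001 TCP:S
"""

# Assumed layout: action, timestamp, interface, src[:port], dst[:port], proto:flags
LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<ts>\w{3} \d+ [\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<proto>\w+):(?P<flags>\S*)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # No ports and an empty flag field: pf saw no TCP header at all,
    # which is how a non-initial IP fragment shows up in the filter log.
    d["fragment_suspect"] = d["sport"] is None and d["flags"] == ""
    return d

def triage(log_text):
    """Return (parsed entries, summary counter) for pf filter-log text."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    summary = Counter()
    for e in entries:
        if e["action"] == "block" and e["fragment_suspect"]:
            summary["blocked_fragment_suspect"] += 1
        elif e["action"] == "block" and "S" not in e["flags"]:
            # Blocked packet that is not a connection-opening SYN.
            summary["blocked_no_syn"] += 1
        elif e["action"] == "pass":
            summary["passed"] += 1
    return entries, summary

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG)[0]:
        print(entry["action"], entry["src"], "->", entry["dst"],
              "fragment_suspect=%s" % entry["fragment_suspect"])
```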

