IPSec VPN to CISCO



  • Hi,

    I'm having trouble establishing a VPN connection to a customer. My network layout is as follows:

    CAT5e Cable from ISP router -> HP Switch

    On this switch we have the proxy (smoothwall, soon to be pfsense) + draytek (customer vpn) + DMZ machine + pfsense.
    Each of these uses a public address from our pool.

    The pfsense machine's only purpose is for VPN, and it already has an IPSec VPN to our remote office (192.168.10.0/24). The reason I'm not using the Draytek for this is that we already have a VPN there that connects to the 10.0.0.0/8 network.

    Anyway, the customer is using Cisco and I'm using pfSense 2.0.1.

    The customer requires that all traffic from our network originates from the IP address 172.18.0.85.
    Traffic from their network will use 10.128.1.86.

    IPSec Settings:

    My network: 192.168.0.0/23
    Destination: 10.0.0.0/8

    Phase 1: IKE + AES-256 + SHA1 + DH group 2
    Phase 2: ESP + AES-256 + DH group 2

    Then I've configured manual outbound NAT rules so that traffic in the IPSec interface that has 10.0.0.0/8 as destination gets a NAT address of 172.18.0.85.

    After saving the settings nothing happened and there was nothing in the logs. If I try to ping an address in the destination network (10.0.0.0/8) then there's activity in the logs:

    racoon: [VPN NAME]: INFO: initiate new phase 1 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
    racoon: [VPN NAME]: INFO: IPsec-SA request for DEST_PUBLIC_IP queued due to no phase1 found.
    racoon: INFO: begin Identity Protection mode.
    INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: CISCO-UNITY
    (...)
    racoon: [VPN NAME]: INFO: ISAKMP-SA established MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500] spi:55560e165ede1ebc:6bffad1deb758561
    racoon: [VPN NAME]: INFO: initiate new phase 2 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
    racoon: INFO: purging ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
    racoon: INFO: purged IPsec-SA spi=120539367.
    racoon: INFO: purged ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
    racoon: [VPN MCH Sonae]: INFO: ISAKMP-SA deleted MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500]  spi:55560e165ede1ebc:6bffad1deb758561

    I'm not familiar with outbound NAT rules, and the VPNs I've worked with are simple LAN-to-LAN affairs.
    Can anyone help? Can I even do this on the same machine, or do I need another pfSense just for the outbound NAT?

    Thanks!
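The racoon lines quoted above already tell a story on their own: the ISAKMP-SA (phase 1) comes up, phase 2 is initiated, and the SAs are purged without any "IPsec-SA established" line in between. The following triage script is an added example (not from the post or from pfSense) that extracts exactly that state from a racoon log; the sample log is constructed from the lines in the post, with the public IPs kept as the post's placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the racoon output quoted in the post above.
SAMPLE_LOG = """\
racoon: [VPN NAME]: INFO: initiate new phase 1 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
racoon: [VPN NAME]: INFO: IPsec-SA request for DEST_PUBLIC_IP queued due to no phase1 found.
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: [VPN NAME]: INFO: ISAKMP-SA established MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500] spi:55560e165ede1ebc:6bffad1deb758561
racoon: [VPN NAME]: INFO: initiate new phase 2 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
racoon: INFO: purging ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
racoon: INFO: purged IPsec-SA spi=120539367.
racoon: INFO: purged ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
racoon: [VPN NAME]: INFO: ISAKMP-SA deleted MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500] spi:55560e165ede1ebc:6bffad1deb758561
"""

# Each marker is a real racoon log phrase; hitting it flips the matching flag.
MARKERS = {
    "phase1_up": re.compile(r"ISAKMP-SA established"),
    "phase2_started": re.compile(r"initiate new phase 2 negotiation"),
    "phase2_up": re.compile(r"IPsec-SA established"),
    "phase1_deleted": re.compile(r"ISAKMP-SA deleted"),
}
VENDOR_RE = re.compile(r"received Vendor ID: (\S+)")


@dataclass
class TunnelState:
    phase1_up: bool = False
    phase2_started: bool = False
    phase2_up: bool = False
    phase1_deleted: bool = False
    peer_vendor_ids: list = field(default_factory=list)


def triage(log_text: str) -> TunnelState:
    """Walk the log once and record which negotiation milestones appeared."""
    st = TunnelState()
    for line in log_text.splitlines():
        for attr, pat in MARKERS.items():
            if pat.search(line):
                setattr(st, attr, True)
        m = VENDOR_RE.search(line)
        if m:
            st.peer_vendor_ids.append(m.group(1))
    return st


def diagnosis(st: TunnelState) -> str:
    """Name the failing stage. Phase 1 up means PSK, IDs and the phase 1
    proposal matched; phase 2 started but never established points at the
    phase 2 proposal or the local/remote networks (traffic selectors)."""
    if not st.phase1_up:
        return "phase1-failed"
    if st.phase2_up:
        return "tunnel-up"
    if st.phase2_started:
        return "phase2-failed"
    return "phase2-not-attempted"
```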



  • Sounds like you are trying to do what Cisco would call IPsec with policy NAT. AFAIK, you still cannot do this on pfSense. One question: why are you using 10.0.0.0/8? If the subnets are not the same (10.128.1.x and 10.x.y.z), then why not use a /24+ subnet mask on the tunnels? Then you could terminate them both on the Draytek (don't know if that can NAT IPsec).



  • Hi,

    The Draytek is old and won't do that. Also, the customer on the Draytek is using the whole class 8 10.0.0.0/8.

    If pfsense doesn't support this configuration then I'm in trouble…

    What if I create a subnet 172.18.0.x and install a 2nd NIC on pfsense with the 172.18.0.85 IP and then make a regular IPsec tunnel?
    I could then just route traffic from my network (192.168.0.0/23) to this new subnet.

    Would this work? Am I making any sense?



  • You have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.



  • @cmb:

    you have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.

    Hi,

    Could you give me more detail on how to do this? Do I need two pfSense boxes for this?
    Could this configuration coexist with the VPN I have for our remote office?

    Could I use a Windows Server 2003 to do the NAT?

    Thanks



  • Can anyone provide a quick description? Can I add an OPT interface to pfSense, or do I need two machines?
    In a two-machine scenario, is this the right configuration?

    pfSense I
    WAN interface with public IP
    LAN interface with 172.18.0.85

    IPsec tunnel to the customer network (10.0.0.0/8).

    pfSense II
    WAN interface 172.18.0.x
    LAN interface 192.168.0.x (my local network)

    Clients in my network will have a route that states that for destination 10.0.0.0/8 the gateway is 192.168.0.x.

    How do I configure NAT on pfSense II?

    Thanks
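To make the two-box layout above concrete, this added example (not from the thread or pfSense) models the packet path: pfSense II applies the outbound NAT rule, then pfSense I only encapsulates what matches its phase 2 selector. The addresses are the thread's; the assumption is that the customer expects the selector 172.18.0.85/32 to 10.0.0.0/8, so 172.18.0.85 must be the NAT translation address rather than an untranslated LAN source.

```python
import ipaddress as ip

# Networks and addresses as given in the thread.
LAN_NET = ip.ip_network("192.168.0.0/23")
CUSTOMER_NET = ip.ip_network("10.0.0.0/8")
NAT_ADDR = ip.ip_address("172.18.0.85")   # source the customer insists on

# pfSense II: one manual outbound NAT entry (source net, dest net, translation).
NAT_RULES = [(LAN_NET, CUSTOMER_NET, NAT_ADDR)]

# pfSense I: phase 2 traffic selector for the customer tunnel.
# ASSUMPTION: the Cisco side expects the /32 of the required source address.
PHASE2_SELECTORS = [(ip.ip_network("172.18.0.85/32"), CUSTOMER_NET)]


def apply_outbound_nat(src, dst, rules):
    """First matching rule wins, as with pf's nat rules; otherwise untouched."""
    for src_net, dst_net, translated in rules:
        if src in src_net and dst in dst_net:
            return translated
    return src


def matches_phase2(src, dst, selectors):
    """True if some phase 2 selector covers this src/dst pair."""
    return any(src in local and dst in remote for local, remote in selectors)


def trace(src, dst, via_nat_box=True):
    """Return the source address the customer's Cisco would see, or None if
    pfSense I would never encapsulate the packet (no selector matched).
    via_nat_box=False models sending LAN traffic straight to pfSense I."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if via_nat_box:
        src = apply_outbound_nat(src, dst, NAT_RULES)
    return src if matches_phase2(src, dst, PHASE2_SELECTORS) else None
```

The remote-office tunnel (192.168.10.0/24) is untouched by this chain: its traffic never matches the NAT rule or the customer selector, so the two tunnels can coexist on pfSense I.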



  • @cmb:

    you have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.

    I have setup 2 pfsense boxes with the interfaces configured like in my previous post. Can you give me some guidance on how to set this up?

    Thanks



  • Help? :(



  • I need help on this exact issue too. It seems like there are a ton of orphaned threads with similar questions. I'd even be willing to pay someone for help on this…



  • I'm very interested in this too.



  • This is the setup I have with a Cisco ASA:

    Phase 1

    PSK
    Neg Mode: Main
    My ID: My IP
    Peer ID: Peer IP
    Key: … etc.
    Policy Gen: Default
    Proposal: Obey
    Enc: AES 128
    Hash: SHA1
    DH: 2
    Lifetime: 28800
    NAT-T: Disabled
    DPD: Disabled

    Phase 2:

    ESP
    Enc: AES 128
    Hash: SHA1
    PFS: 2
    Lifetime: 3600

    Tunnel has been up and solid!

