Remote Access with Cisco VPN Client Fails after much research



  • All,

    Short story: non-cisco client RA vpn connections work, cisco vpn client connections don't, packets enter the LAN from the client, but never traverse past pfsense back.

    I've searched this forum and the web in general.  I'm aware of some bugs associated with this, but have found no solution.  The following thread references some of what I'm seeing: http://forum.pfsense.org/index.php/topic,35057.msg181338.html#msg181338, but there's no follow-up.  I also wonder whether this is related to bug http://redmine.pfsense.org/issues/1351, in which it's proposed that ipsec-tools be rebuilt from pfports, but ipsec-tools on pfsense 2.0.1 is the most current, 0.8.0.  I've taken the suggested steps by updating policy and proposal settings, tried issuing a single IP instead of a pool, and restarted racoon or the entire pfsense system; none have worked.  Here are some details, IP addresses have been sanitized:

    -- Platform: PFsense 2.0.1 running in a VMWare ESX environment.
    -- IPSec Configuration:
    LAN Interface Address: 1.1.1.1
    Remote Peer Address: 2.2.2.2
    Mobile Clients Enabled
    Issuing an IP range upon connection, we'll say it's 3.3.3.3

    -- Phase I:
    Mutual PSK + Xauth
    Aggressive
    My Identifier: Public IP Address of Pfsense box
    Peer Identifier: Distinguished name with PSK
    Policy Generation: Unique
    Proposal Checking: Obey
    Encryption: AES
    Hash: MD5
    DH Group: 2
    Lifetime: 86400
    Nat-t: Force
    DPD: Enabled, 10, 5

    -- Phase II:
    Mode: Tunnel
    Protocol: ESP
    Encryption: AES, auto, 3DES
    Hash: MD5
    PFS: Off
    Lifetime: 3600

    When connecting with VPNC, things work fine.  When connecting with Cisco VPN Client, traffic flows inbound to my network, and I can even see active flows coming back from my name servers, but the traffic enters the pfsense LAN interface and never goes anywhere.  Some persistent log entries include the following:

    Mar 2 12:30:15 racoon: [Self]: INFO: IPsec-SA established: ESP 1.1.1.1[500]->2.2.2.2[500] spi=140750808(0x863afd8)
    Mar 2 12:30:15 racoon: [Self]: INFO: IPsec-SA established: ESP 2.2.2.2[500]->1.1.1.1[500] spi=1119002556(0x42b29fbc)
    Mar 2 12:30:20 racoon: ERROR: no configuration found for 2.2.2.2.
    Mar 2 12:30:20 racoon: ERROR: failed to begin ipsec sa negotication.
    Mar 2 12:30:23 racoon: ERROR: no configuration found for 2.2.2.2.
    Mar 2 12:30:23 racoon: ERROR: failed to begin ipsec sa negotication.

    Based on my searches, this may be a bug associated with how the gui is modifying mode_cfg, shown here:

    mode_cfg
    {
    auth_source system;
    group_source system;
    pool_size 253;
    network4 3.3.3.3;
    netmask4 255.255.255.0;
    dns4 4.4.4.1;
    dns4 4.4.4.2;
    dns4 4.4.4.3;
    default_domain "[FILTERED]";
    split_dns "[FILTERED]";
    banner "/var/etc/racoon.motd";
    save_passwd on;
    }

    For your reference, here is a setkey -DP, also with only the pertinent SPIs included:

    0.0.0.0/0[any] 3.3.3.3[any] 255
    out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/unique:36
    created: Mar  2 12:46:19 2012  lastused: Mar  2 12:46:29 2012
    lifetime: 2147483(s) validtime: 0(s)
    spid=128 seq=0 pid=21230
    refcnt=1

    3.3.3.3[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/unique:36
    created: Mar  2 12:46:19 2012  lastused: Mar  2 12:46:19 2012
    lifetime: 2147483(s) validtime: 0(s)
    spid=127 seq=5 pid=21230
    refcnt=1

    Does anybody have suggestions on how to correctly set up a RA vpn connection for cisco vpn client?  Moving to another client isn't an option due to the fact that my work force is completely mobile and coordinating the installation of a different client on every remote laptop is somewhat infeasible and inefficient.  Thanks in advance for any help!
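As an added diagnostic (not from the thread, pfSense or racoon), the script below parses a setkey -DP dump like the one above and checks that each mobile client's "in" and "out" policies mirror each other (tunnel endpoints reversed, same level and unique id), which is the first thing to rule out when packets enter from the client but nothing is routed back into the tunnel. The sample dump is constructed from the sanitized addresses in the post.

```python
import re

# Constructed sample in the shape of a `setkey -DP` dump (addresses sanitized
# as in the post); only the lines the parser needs are kept per entry.
SPD_DUMP = """\
0.0.0.0/0[any] 3.3.3.3[any] 255
    out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/unique:36
    spid=128 seq=0 pid=21230

3.3.3.3[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/unique:36
    spid=127 seq=5 pid=21230
"""

HEADER = re.compile(r"^(\S+)\[\w+\] (\S+)\[\w+\] \d+$")
RULE = re.compile(r"^esp/tunnel/([\d.]+)-([\d.]+)/(\w+)(?::(\d+))?$")

def parse_spd(text):
    """Turn a setkey -DP dump into a list of policy dicts (ESP tunnel entries only)."""
    policies = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines()]
        hdr, rule = HEADER.match(lines[0]), RULE.match(lines[2])
        if not (hdr and rule):
            continue  # skip entries that are not ESP tunnel policies
        policies.append({
            "src": hdr.group(1), "dst": hdr.group(2), "dir": lines[1].split()[0],
            "tun_src": rule.group(1), "tun_dst": rule.group(2),
            "level": rule.group(3), "reqid": rule.group(4),
        })
    return policies

def check_pairs(policies):
    """Report client selectors whose in/out policies are not mirror images."""
    by_client, findings = {}, []
    for p in policies:
        client = p["dst"] if p["dir"] == "out" else p["src"]  # client-side selector
        by_client.setdefault(client, {})[p["dir"]] = p
    for client, pair in sorted(by_client.items()):
        if set(pair) != {"in", "out"}:
            findings.append(f"{client}: only {'/'.join(pair)} policy present")
            continue
        o, i = pair["out"], pair["in"]
        if (o["tun_src"], o["tun_dst"]) != (i["tun_dst"], i["tun_src"]):
            findings.append(f"{client}: tunnel endpoints do not mirror")
        if (o["level"], o["reqid"]) != (i["level"], i["reqid"]):
            findings.append(f"{client}: level/reqid differ between in and out")
    return findings
```

An empty result from check_pairs(parse_spd(...)) means the SPD itself is consistent and the missing return traffic must be looked for elsewhere (routing, firewall rules or the SA that racoon reports "no configuration found" for).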



  • Interesting, no reply…  I've decided I'll be moving away from pfsense to a separate Cisco firewall; given the lack of response here and on other posts with similar issues, it seems nobody's figured this out as of yet.  Pfsense is a rockin' firewall platform, but won't meet our needs right now.



  • It would have been most interesting to thoroughly troubleshoot this issue, since the Cisco VPN Client is so widely deployed.

    With regard to the "no reply" comment, you can't expect too much over a weekend …
