PfSense -> Cisco ASA5510



  • In our datacenter we have a pfSense 2.0.1 box; from our offices we connect to this box in the datacenter. We have some customers using different VPNs also connecting to this datacenter VPN.
    Problem is all the VPNs regularly lose their connection and sometimes require a restart of racoon, or it recovers only after 45 minutes.
    I would prefer to have the stability issue solved, but so far no luck. We are now considering replacing the pfSense box in our datacenter with a Cisco ASA5510. As I don't want to replace all the pfSense boxes, I'd like to know if pfSense 2.0.1 works with the ASA5510?

    Lex



  • Of course, it's working like a charm!

    I have several pfSense alix boxes located at my customers connecting to an ASA 5510 at the data center. I have no problems and it's running very, very stable. All locations have static IPs connecting with certs and PSKs. I think you have to check your logs. Be sure to use the same parameters at all locations for your IPsec config!



  • @lexl:

    Problem is all the VPNs regularly lose their connection and sometimes require a restart of racoon, or it recovers only after 45 minutes.

    pfsense is currently using ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net/) which afaik has good interoperability with the IPsec implementations of most major vendors (Cisco, Juniper etc). However it currently does have problems with IPsec mobile.

    What devices are you using?



  • @dhatz:

    @lexl:

    Problem is all the VPNs regularly lose their connection and sometimes require a restart of racoon, or it recovers only after 45 minutes.

    pfsense is currently using ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net/) which afaik has good interoperability with the IPsec implementations of most major vendors (Cisco, Juniper etc). However it currently does have problems with IPsec mobile.

    What devices are you using?

    We have made the decision to replace the pfSense in our datacenter with the ASA5510. I have been setting up a lab test between the ASA5510 and pfSense 2.0. So far it works fine.
    Current devices are the OPNSense appliances. From our customers' sites various devices are used.

    Lex



  • Without providing logs it's impossible to diagnose such problems.

    There is a chance of IPsec DPD incompatibility with some old (EOL) devices.

    There are pfsense users with over 300 concurrent IPsec tunnels.



  • @dhatz:

    Without providing logs it's impossible to diagnose such problems.

    There is a chance of IPsec DPD incompatibility with some old (EOL) devices.

    There are pfsense users with over 300 concurrent IPsec tunnels.

    The same problems exist between 2 pfSense devices. I have tried both DPD on and off with the same result.

    Lex



  • Have you tried pfsense's commercial support (http://www.pfsense.org/needsupport) ?

    If you later want to setup a high-availability CARP cluster, or have a large number of IPsec peers, or need high throughput, pfsense can be quite cost-effective.



  • @dhatz:

    Have you tried pfsense's commercial support (http://www.pfsense.org/needsupport) ?

    If you later want to setup a high-availability CARP cluster, or have a large number of IPsec peers, or need high throughput, pfsense can be quite cost-effective.

    I did consider it, but for the price of support I got a used ASA5510. Hopefully this gets our customer links stable.
    From our office and home links we keep using pfSense; as those are not so critical we can simply restart racoon.



  • So, are you still having IPsec issues with your office and home links, which are using pfsense?

    Regardless, until you provide full racoon logs, I doubt anyone can help.



    We still have problems. Yesterday a new problem: the tunnel between our office and datacenter came up, but we could not send traffic over it. This was still with pfSense in the datacenter. Restarting racoon on both sites did not help. This morning I restarted racoon on the office pfSense and traffic started flowing.
    Right now I don't want to spend more time on it, as tomorrow I am going to install the Cisco in the datacenter. I will post the results.

    Lex



  • Installed the ASA5510 in our datacenter last Friday. VPN to the customer is now stable.
    The pfSense link from office to datacenter is still erratic. Every day it loses the connection for a couple of hours.
    Looking in the log I see it is trying to initiate a phase 2 connection, which fails for several hours; then at some point in time the ISAKMP-SA expires and gets deleted. After that a new phase 1 is started and everything gets connected.
    Here is part of the log.

    Mar 29 00:18:06 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 00:18:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 00:18:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 00:19:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 00:19:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 00:19:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 00:20:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 00:20:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 00:20:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 00:21:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 00:21:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    ------ repeats for hours
    Mar 29 03:04:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:04:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:05:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 03:05:36 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:05:36 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:06:06 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 03:06:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:06:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:07:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 03:07:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:07:38 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:08:08 hqgate racoon: ERROR: xx.xx.173.22 give up to get IPsec-SA due to time up to wait.
    Mar 29 03:08:37 hqgate racoon: INFO: ISAKMP-SA expired 10.0.0.1[4500]-xx.xx.173.22[4500] spi:769370e716f9ac76:d6407916da85d110
    Mar 29 03:08:37 hqgate racoon: INFO: ISAKMP-SA deleted 10.0.0.1[4500]-xx.xx.173.22[4500] spi:769370e716f9ac76:d6407916da85d110
    Mar 29 03:08:38 hqgate racoon: INFO: IPsec-SA request for xx.xx.173.22 queued due to no phase1 found.
    Mar 29 03:08:38 hqgate racoon: INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>xx.xx.173.22[500]
    Mar 29 03:08:38 hqgate racoon: INFO: begin Identity Protection mode.
    Mar 29 03:08:38 hqgate racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 03:08:38 hqgate racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Mar 29 03:08:38 hqgate racoon: [xx.xx.173.22] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Mar 29 03:08:38 hqgate racoon: [xx.xx.173.22] INFO: Hashing xx.xx.173.22[500] with algo #2
    Mar 29 03:08:38 hqgate racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
    Mar 29 03:08:38 hqgate racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 29 03:08:38 hqgate racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 29 03:08:38 hqgate racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 29 03:08:38 hqgate racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
    Mar 29 03:08:38 hqgate racoon: INFO: NAT-D payload #0 doesn't match
    Mar 29 03:08:38 hqgate racoon: [xx.xx.173.22] INFO: Hashing xx.xx.173.22[500] with algo #2
    Mar 29 03:08:38 hqgate racoon: INFO: NAT-D payload #1 verified
    Mar 29 03:08:38 hqgate racoon: INFO: NAT detected: ME
    Mar 29 03:08:38 hqgate racoon: INFO: KA list add: 10.0.0.1[4500]->xx.xx.173.22[4500]
    Mar 29 03:08:38 hqgate racoon: INFO: received Vendor ID: DPD
    Mar 29 03:08:38 hqgate racoon: WARNING: port 4500 expected, but 0
    Mar 29 03:08:38 hqgate racoon: INFO: ISAKMP-SA established 10.0.0.1[4500]-xx.xx.173.22[4500] spi:b8f83189e313122e:4b72c25324c25538
    Mar 29 03:08:39 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:08:39 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:08:39 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 03:08:39 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 03:08:39 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=38040629(0x2447435)
    Mar 29 03:08:39 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=974173733(0x3a10b625)
    Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=974173733(0x3a10b625)
    Mar 29 03:56:40 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=38040629(0x2447435)
    Mar 29 03:56:40 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 03:56:40 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 03:56:40 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=97527094(0x5d02536)
    Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=716192246(0x2ab039f6)
    Mar 29 03:56:51 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=974173733.
    Mar 29 04:44:41 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=716192246(0x2ab039f6)
    Mar 29 04:44:41 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 04:44:41 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=97527094(0x5d02536)
    Mar 29 04:44:41 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 04:44:41 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 04:44:41 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 04:44:41 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=217150900(0xcf175b4)
    Mar 29 04:44:41 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=883125005(0x34a36b0d)
    Mar 29 04:44:52 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=716192246.
    Mar 29 05:32:42 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=883125005(0x34a36b0d)
    Mar 29 05:32:42 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 05:32:42 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=217150900(0xcf175b4)
    Mar 29 05:32:42 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 05:32:42 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 05:32:42 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 05:32:42 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=40114728(0x2641a28)
    Mar 29 05:32:42 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2947937028(0xafb5f304)
    Mar 29 05:32:52 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=883125005.
    Mar 29 06:20:43 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2947937028(0xafb5f304)
    Mar 29 06:20:43 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 06:20:43 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=40114728(0x2641a28)
    Mar 29 06:20:43 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 06:20:43 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 06:20:43 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 06:20:43 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=257156797(0xf53e6bd)
    Mar 29 06:20:43 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2335043435(0x8b2def6b)
    Mar 29 06:20:52 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=2947937028.
    Mar 29 07:08:44 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2335043435(0x8b2def6b)
    Mar 29 07:08:44 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 07:08:44 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=257156797(0xf53e6bd)
    Mar 29 07:08:44 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 07:08:44 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 07:08:44 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 07:08:44 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=117536177(0x70175b1)
    Mar 29 07:08:44 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2787622241(0xa627bd61)
    Mar 29 07:08:51 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=2335043435.
    Mar 29 07:56:45 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2787622241(0xa627bd61)
    Mar 29 07:56:45 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]
    Mar 29 07:56:45 hqgate racoon: INFO: IPsec-SA expired: ESP/Tunnel xx.xx.173.22[500]->10.0.0.1[500] spi=117536177(0x70175b1)
    Mar 29 07:56:45 hqgate racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
    Mar 29 07:56:45 hqgate racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Mar 29 07:56:45 hqgate racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Mar 29 07:56:45 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=162229185(0x9ab6bc1)
    Mar 29 07:56:45 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2258337132(0x869b7d6c)
    Mar 29 07:56:51 hqgate racoon: INFO: purged IPsec-SA proto_id=ESP spi=2787622241.
    Mar 29 08:44:46 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->xx.xx.173.22[500] spi=2258337132(0x869b7d6c)
    Mar 29 08:44:46 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>xx.xx.173.22[4500]

    In this setup DPD was not enabled in the pfSense. I have now enabled it to see if this makes any difference.

    Lex
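    The pattern in the log above (phase 2 "give up" errors repeating until the stale ISAKMP-SA expires, after which phase 1 renegotiates and the child SA comes up) can be pulled out of a racoon syslog automatically. The script below is an added triage example, not code from the thread or from pfSense: it groups give-ups per peer, measures how long the outage lasted, and flags whether recovery only came after the ISAKMP-SA was deleted. The sample lines are constructed, modelled on the posted log with a documentation address in place of the real peer.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon log posted in the thread (peer
# address replaced with a documentation address, SPIs shortened, repeats elided).
SAMPLE_LOG = """\
Mar 29 00:18:06 hqgate racoon: ERROR: 192.0.2.22 give up to get IPsec-SA due to time up to wait.
Mar 29 00:18:38 hqgate racoon: INFO: initiate new phase 2 negotiation: 10.0.0.1[4500]<=>192.0.2.22[4500]
Mar 29 00:19:08 hqgate racoon: ERROR: 192.0.2.22 give up to get IPsec-SA due to time up to wait.
Mar 29 03:08:08 hqgate racoon: ERROR: 192.0.2.22 give up to get IPsec-SA due to time up to wait.
Mar 29 03:08:37 hqgate racoon: INFO: ISAKMP-SA deleted 10.0.0.1[4500]-192.0.2.22[4500] spi:769370e7:d6407916
Mar 29 03:08:38 hqgate racoon: INFO: ISAKMP-SA established 10.0.0.1[4500]-192.0.2.22[4500] spi:b8f83189:4b72c253
Mar 29 03:08:39 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->192.0.2.22[500] spi=38040629(0x2447435)
Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA expired: ESP 10.0.0.1[500]->192.0.2.22[500] spi=974173733(0x3a10b625)
Mar 29 03:56:40 hqgate racoon: INFO: IPsec-SA established: ESP 10.0.0.1[500]->192.0.2.22[500] spi=97527094(0x5d02536)
"""

# syslog prefix, optional "[peer] " tag that racoon adds to some lines, level, message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?:\[\S+\] )?(\w+): (.*)$")
GIVEUP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) give up to get IPsec-SA")
CHILD_UP_RE = re.compile(r"^IPsec-SA established: .*->(\d+\.\d+\.\d+\.\d+)\[")
IKE_DEL_RE = re.compile(r"^ISAKMP-SA deleted \S+-(\d+\.\d+\.\d+\.\d+)\[")

def find_stuck_phase2(log_text, year=1900):
    """One record per peer outage: a run of phase-2 give-ups that ends only when a
    child SA is established. 'isakmp_deleted' marks the recovery path seen in the
    thread, where the stale phase 1 had to expire before phase 2 could succeed.
    syslog lines carry no year, so the caller supplies it (1900 is fine for deltas)."""
    open_incidents, incidents = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if g := GIVEUP_RE.match(msg):
            inc = open_incidents.setdefault(g.group(1), {
                "peer": g.group(1), "first_failure": ts, "give_ups": 0, "isakmp_deleted": False})
            inc["give_ups"] += 1
            inc["last_failure"] = ts
        elif (d := IKE_DEL_RE.match(msg)) and d.group(1) in open_incidents:
            open_incidents[d.group(1)]["isakmp_deleted"] = True
        elif (u := CHILD_UP_RE.match(msg)) and (inc := open_incidents.pop(u.group(1), None)):
            inc["recovered_at"] = ts
            inc["outage_minutes"] = (ts - inc["first_failure"]).total_seconds() / 60
            incidents.append(inc)
    # Anything still open is an outage in progress at the end of the log.
    incidents.extend(dict(i, recovered_at=None) for i in open_incidents.values())
    return incidents
```

    A peer whose incidents show `isakmp_deleted` is the case where DPD (or a shorter phase 1 lifetime) would have torn down the dead ISAKMP-SA hours earlier instead of waiting for it to expire.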



  • After enabling DPD it appears the system is stable.

    Lex

