PfSense + Cisco

  • Hi all,
    I'm stuck on the configuration of a tunnel between a Cisco router and a pfSense 2.0.1… well, at least stuck with the phase 2 network definition and/or routes.
    Let me explain:

    schema:  ------------ publicIP 1 (Cisco) ----((internet))---- publicIP 2 (pfSense) ------------  :  Linux server is

    In fact the tunnel is up and running: status UP
    The SAD shows some traffic from the Cisco router: 120 B each time I ping a server behind pfSense from the Cisco router.

    publicIP 2 publicIP 1 ESP c29780f7 3des-cbc hmac-md5 66880 B
    publicIP 1 publicIP 2 ESP 0cddecca 3des-cbc hmac-md5 1800 B

    This Linux box does receive the ping perfectly and replies correctly, as shown by the iptables log I created to test that:
    Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xxx SRC= DST= LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3
    Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : IN= OUT=eth0 SRC= DST= LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3

    What I don't get is that even though the SAD traffic from pfSense is growing, and the tunnel is up, the other side receives nothing.

    I also have 2 IPSec firewall rules in pfSense to allow traffic both ways; I activated logging to understand better:

    • LAN net * * * none   2to1 in IPSEC_FW_RULE
    • * LAN net * * none   1to2 in IPSEC_FW_RULE

    I can see the 1to2 rule triggered in the logs, but never the 2to1 (e.g. when the Linux server replies to the ping)…

    What am I missing?

    Thanks for your help

  • Hello,
    Here is an update:

    As said above, I can't see the IPSec firewall rule triggered when the server replies to a ping request.
    In fact, I can see a LAN firewall rule triggered if I log ICMP from my test server:
    pass  Jul 18 13:09:02 LAN        ICMP  // ping started from
    pass Jul 18 13:08:15         enc0 ICMP  // ping started from

    So the problem seems to be that the route to the IPSec tunnel does not exist: traffic to 10.19.x.x does NOT go to the tunnel interface.
    I checked my phase2 settings:
    LOCAL Network = LAN Subnet
    REMOTE Network = Network / 16

    ((NB: I tried to put / 24 manually in LOCAL Network, but I get the same results))

    I thought routes for the IPSec tunnel were created automatically (I read this in my searches).
    Isn't that the case?
    How can I check this point, as there is no place to see the tunnel's automatically created routes?
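The second post's LOCAL Network / REMOTE Network settings define a phase 2 selector: a packet is carried by the tunnel only when its source falls inside one side of a phase 2 pair and its destination inside the other. The following is an added example, not code from the thread or from pfSense, that checks iptables LOG lines in the format quoted in the first post against such a pair. All addresses (192.168.1.0/24 as the LAN subnet, 10.19.0.0/16 as the remote /16, the hosts in the log lines) are constructed placeholders, since the posts never show the real ones; the third sample line is a reply from a host on a second LAN subnet that the LOCAL Network does not cover, which is the kind of mismatch this check makes visible.

```python
"""Phase 2 selector check for the pfSense/Cisco tunnel discussed above.

Added example, not from the thread or from pfSense. Every address below is a
constructed placeholder; the posts never show the real LAN or remote prefixes.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry as typed into the pfSense GUI."""
    name: str
    local: str   # "Local Network" (the LAN subnet in the post)
    remote: str  # "Remote Network" (the /16 behind the Cisco in the post)


# Hypothetical phase 2 mirroring the post: local = LAN subnet, remote = a /16.
PHASE2_TABLE: List[Phase2] = [Phase2("cisco", "192.168.1.0/24", "10.19.0.0/16")]


def selector_for(src: str, dst: str,
                 table: List[Phase2] = PHASE2_TABLE) -> Optional[str]:
    """Return '<name>:out' or '<name>:in' for the phase 2 whose local/remote
    pair covers the packet, or None if no phase 2 would carry it.

    Only packets with a matching selector are handed to the tunnel, so a
    reply whose source lies outside every 'Local Network' never leaves via
    IPsec no matter what the firewall rules say.
    """
    s, d = ip_address(src), ip_address(dst)
    for p2 in table:
        local, remote = ip_network(p2.local), ip_network(p2.remote)
        if s in local and d in remote:
            return f"{p2.name}:out"    # LAN -> remote site, enters the tunnel
        if s in remote and d in local:
            return f"{p2.name}:in"     # remote site -> LAN, leaves the tunnel
    return None


# Fields of an iptables LOG line. The header carries two ID= fields (IP id,
# then the ICMP echo identifier); findall() keeps them in order so the
# dict comprehension below lets the ICMP identifier win.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|TYPE|ID|SEQ)=(\S*)")


def parse_kernel_log(line: str) -> Dict[str, str]:
    """Extract SRC/DST/PROTO/TYPE/ID/SEQ from a kernel log line written in
    the format quoted in the first post."""
    return {key: value for key, value in _FIELD.findall(line)}


def classify(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """For each log line: (src, dst, matching phase 2 selector or None)."""
    result = []
    for line in lines:
        fields = parse_kernel_log(line)
        src, dst = fields["SRC"], fields["DST"]
        result.append((src, dst, selector_for(src, dst)))
    return result


# Constructed log lines in the same format as the post, with placeholder
# addresses filled in. The third line is a reply from a host on a second LAN
# subnet that the phase 2 'Local Network' does not cover.
SAMPLE_LOG = [
    "Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : "
    "IN=eth0 OUT= MAC=xxx SRC=10.19.1.1 DST=192.168.1.10 LEN=100 TOS=0x00 "
    "PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3",
    "Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : "
    "IN= OUT=eth0 SRC=192.168.1.10 DST=10.19.1.1 LEN=100 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3",
    "Jul 18 03:26:16 linuxserver kernel: [354769.112233] PING_OUT_linuxserver : "
    "IN= OUT=eth0 SRC=192.168.2.10 DST=10.19.1.1 LEN=100 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=40067 PROTO=ICMP TYPE=0 CODE=0 ID=40 SEQ=1",
]

if __name__ == "__main__":
    for src, dst, sel in classify(SAMPLE_LOG):
        print(f"{src:>14} -> {dst:<14} {sel or 'NO PHASE 2 MATCH'}")
```

Run against real LOG lines from the Linux box, the script shows which replies the phase 2 would carry back into the tunnel and which ones (a different LAN subnet, a NATed source, a too-narrow LOCAL Network) fall outside every selector and so never reach the IPsec interface, independently of the firewall rules.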

  • Hi,

    About the routes, I thought the same thing, that they were created automatically…
    Just for the test I created a route "tunnel virtual IP ------wangw" and then the reply ICMP packets were allowed, so try it.

    Did you try to do some captures in the pfSense GUI when you ping your LAN and WAN from the Cisco router? It helps a lot.

    To check routes on the pfSense, go to the Diagnostics section, then "Routes": you can see all the pfSense routes (manually and automatically created).
