IPsec between pfSense <-> Cisco

  • Hello,

    I need to create an IPsec tunnel between my pfSense and a remote Cisco device. The configuration is done on both sides and it works!
    BUT!...
    ... The problem is it only works when, on the Cisco, the ID = IP address. When the Cisco is configured to send its FQDN as identifier, the tunnel does not come UP. There are some dependencies that oblige us to keep the FQDN as ID on the Cisco.

    My question is:

    How can I tell pfSense to accept the FQDN as identifier instead of the public IP address?

    Thank you in advance

    Note: I'm using pfSense 1.2 RC3

    Note 2: I get these errors when the Cisco sends the FQDN:
    racoon: ERROR: invalid ID payload.
    racoon: ERROR: Expecting IP address type in main mode, but FQDN.

    Note 3: When I try to use aggressive mode I get this error:
    racoon: ERROR: not acceptable Identity Protection mode

  • There is an option in pfSense called 'My Identifier'.

    You will see it when creating your tunnel, under Phase 1 proposal.

    Can you post your Cisco config? I can't seem to get a site-to-site working between my Cisco ASA and my pfSense.


  • Thank you for your answer. I don't have the Cisco conf at hand yet, but about the "My Identifier" in pfSense, what should I put? I set "IP Address" and put the FW IP address in the box. But do you think it can be the problem? Because as I said, when the identity is set to IP (instead of FQDN) on the Cisco, it works.

    But what I don't understand is when I read the RFC 2409 section 5.4 I can see :

      When using pre-shared key authentication with Main Mode the key can
      only be identified by the IP address of the peers since HASH_I must
      be computed before the initiator has processed IDir. Aggressive Mode
      allows for a wider range of identifiers of the pre-shared secret to
      be used. In addition, Aggressive Mode allows two parties to maintain
      multiple, different pre-shared keys and identify the correct one for
      a particular exchange.

    Does it mean that there is no way to tell pfSense to use the FQDN for the VPN tunnel? If that's it, why does Cisco use the FQDN??

    Thank you
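As an added illustration of the RFC 2409 section 5.4 rule quoted above (example code written for this page, not taken from the thread, pfSense or racoon): it encodes and parses an ISAKMP Identification payload and applies the Main Mode pre-shared-key check that yields racoon's "Expecting IP address type in main mode, but FQDN" error. The identity vpn.example.net and the address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1); only the ones needed here.
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 5: "ID_IPV6_ADDR"}


def build_id_payload(id_type, data, next_payload=0, proto=0, port=0):
    """Encode an ISAKMP Identification payload (RFC 2408 section 3.8):
    generic header (next payload, reserved, length) + ID type + proto/port + identity data."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode an ID payload into (type name, identity). Refuses truncated or
    over-long input by checking the length field against the bytes actually given."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte header")
    _next, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("ID payload length field does not match the data")
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:]
    name = ID_TYPES.get(id_type)
    if name is None:
        raise ValueError("unsupported ID type %d" % id_type)
    if name == "ID_IPV4_ADDR":
        return name, str(ipaddress.IPv4Address(data))  # raises on wrong length
    if name == "ID_IPV6_ADDR":
        return name, str(ipaddress.IPv6Address(data))
    return name, data.decode("ascii")


def check_phase1_id(exchange, auth, id_type_name):
    """Apply the RFC 2409 section 5.4 rule that racoon enforces: with a pre-shared key
    in Main Mode the peer must identify itself by IP address, because HASH_I is
    computed before the responder has seen IDir. Returns (accepted, reason)."""
    if auth == "psk" and exchange == "main" and id_type_name not in ("ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        return False, "Expecting IP address type in main mode, but " + id_type_name[3:]
    return True, "identifier type acceptable"


# Constructed sample identities (not from the thread): an FQDN and a documentation-range address.
FQDN_ID = build_id_payload(2, b"vpn.example.net")
ADDR_ID = build_id_payload(1, ipaddress.IPv4Address("203.0.113.10").packed)

if __name__ == "__main__":
    for payload in (FQDN_ID, ADDR_ID):
        kind, ident = parse_id_payload(payload)
        print(kind, ident, check_phase1_id("main", "psk", kind), check_phase1_id("aggressive", "psk", kind))
```

Run as-is it shows the FQDN identity rejected in main mode but accepted in aggressive mode, which is exactly the behaviour described in the posts above.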

  • Interesting... from what I understand of Cisco (I am not a Cisco expert) you do have the ability to change the identifier.

    In your Cisco config look for this:

    At the Cisco configuration terminal type:
    crypto isakmp identity ?

    You will see:

      address   Use the IP address of the interface for the identity
      auto      Identity automatically determined by the connection type: IP
                address for preshared key and Cert DN for Cert based connections
      hostname  Use the hostname of the router for the identity
      key-id    Use the specified key-id for the identity

  • That's exact! But the problem is this option is global! And it can affect other configurations; that's why we will keep it set to "hostname".

    Now the question is: how to tell pfSense to accept the hostname as identifier for a pre-shared key IPsec tunnel?

    Thank you in advance

  • UP! :)

  • Can you post your Cisco config? I have never been able to get my site-to-site going between pfSense and my Cisco ASA.


  • What Cisco device are you using: router, PIX, ASA? Additionally, what OS version is running on the Cisco? Tomorrow I will upload my working pfSense 1.2RC3 - Cisco PIX 506 6.3.5 configs.

  • Hello,

    I am struggling to get IPsec working between pfSense 1.2 RC4 and a Cisco 1721 with crypto IOS.
    Is it possible to post your IOS config?



  • Hi everyone,

    I got a tunnel up to an 1800 series router with 12.4(6)T8.
    The problem is that I can initiate the tunnel only from the pfSense side (when traffic is sent to the destination private network, e.g. a ping, the tunnel is set up). When the tunnel is up, everything works fine.

    I have the firewall WAN ESP, IPsec and LAN rules set.

    Does anyone have an idea?

  • @Blobot:

    UP! :)

    Could you please send me a short description of how you managed to get it up and running?