PfSense to Cisco ISR IPSec VPN Issues

Termina

Hello,

Long time cisco user, just started playing around with pfSense.

So far, it doesn't appear that ipsec VPN functions as expected and was hoping for some help.

I'm following the guide here: https://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

I've set up numerous Cisco to Sonicwall/Fortigate/etc. before and am surprised that pfsense is having such trouble with this simple task

Below is the debug output from pfsense

Dec 25 11:58:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4e0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447790: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[1] recv()
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[2] recv()
Dec 25 11:58:16 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
Dec 25 11:58:16 racoon: DEBUG: hmac(modp1024)
Dec 25 11:58:16 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Dec 25 11:58:16 racoon: DEBUG: getsainfo params: loc='10.20.30.0/24' rmt='192.168.10.0/24' peer='NULL' client='NULL' id=1
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey REGISTER message
Dec 25 11:58:16 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDADD message
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447790: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDADD message
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in

No logs on the cisco even with debug crypto ipsec/isakmp

Using the following settings in Pfsense 2.1

Phase1 and 2 match on the Cisco (3DES/SHA1/group 2 for phase 1, 3DES/MD5/no group for Phase 2)

(Also, as a side note, since I'm verified will I always have to type the captcha? The captchas on this site are terrible)

Thanks!

EDIT: Added the relevant parts of the cisco config as well

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800

crypto isakmp key PRESHAREDKEY address PFSENSEWANIP

crypto isakmp keepalive 3600 periodic

crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac

crypto map IPSEC-MAP 10 ipsec-isakmp
set peer PFSENSEWANIP
set security-association lifetime seconds 28800
set transform-set VPNSET
match address TEST-VPN-ACL

int WANINTERFACE
crypto map IPSEC-MAP

! Have tried with and without this. Some site to site VPN seems to require this
ip route 10.20.30.0 255.255.255.0 PFSENSEWANIP

ip access-list extended TEST-VPN-ACL
permit ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
permit ip 10.20.30.0 0.0.0.255 192.168.10.0 0.0.0.255

ip access-list extended NAT_ACL
deny  ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any

Matthias

You haven't set the hash type in your crypto policy

Termina

If you're talking about the cisco config, SHA1 is the default and doesn't show up

Termina

After a few days trying this out, I think it's time to give up and try a different solution.

Was trying out pfsense for work, we are an MSP and were looking for some alternatives. While many of the other features may work great, ipsec is a must have and clearly isn't very mature.

What is more troubling is the many forum posts one finds with no replies in the ipsec category…

Thanks for the great project, look forward to seeing how it matures after a few years

netsysadmin

Hello,

Have you already given up?
I've configured IPSec site-to-site VPNs between Cisco 1841 & 2801 routers, and between the Cisco 2801 router & a pfSense firewall.
Maybe we can try to find a solution, if you agree.

Thanks.