PfSense to Cisco ISR IPSec VPN Issues



  • Hello,

    Long time cisco user, just started playing around with pfSense.

    So far, it doesn't appear that ipsec VPN functions as expected and was hoping for some help.

    I'm following the guide here: https://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

    I've set up numerous Cisco to Sonicwall/Fortigate/etc. before and am surprised that pfsense is having such trouble with this simple task

    Below is the debug output from pfsense

    Dec 25 11:58:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4e0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4c0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447790: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[1] recv()
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[2] recv()
    Dec 25 11:58:16 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    Dec 25 11:58:16 racoon: DEBUG: hmac(modp1024)
    Dec 25 11:58:16 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Dec 25 11:58:16 racoon: DEBUG: getsainfo params: loc='10.20.30.0/24' rmt='192.168.10.0/24' peer='NULL' client='NULL' id=1
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey REGISTER message
    Dec 25 11:58:16 racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDADD message
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447790: 10.20.30.1/32[0] 10.20.30.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.20.30.0/24[0] 192.168.10.0/24[0] proto=any dir=out
    Dec 25 11:58:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Dec 25 11:58:16 racoon: DEBUG: got pfkey X_SPDADD message
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 10.20.30.0/24[0] 10.20.30.1/32[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe4d0: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in
    Dec 25 11:58:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 10.20.30.0/24[0] proto=any dir=in

    No logs on the cisco even with debug crypto ipsec/isakmp

    Using the following settings in Pfsense 2.1

    Phase1 and 2 match on the Cisco (3DES/SHA1/group 2 for phase 1, 3DES/MD5/no group for Phase 2)

    (Also, as a side note, since I'm verified will I always have to type the captcha? The captchas on this site are terrible)

    Thanks!

    EDIT: Added the relevant parts of the cisco config as well

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800

    crypto isakmp key PRESHAREDKEY address PFSENSEWANIP

    crypto isakmp keepalive 3600 periodic

    crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac

    crypto map IPSEC-MAP 10 ipsec-isakmp
    set peer PFSENSEWANIP
    set security-association lifetime seconds 28800
    set transform-set VPNSET
    match address TEST-VPN-ACL

    int WANINTERFACE
    crypto map IPSEC-MAP

    ! Have tried with and without this. Some site to site VPN seems to require this
    ip route 10.20.30.0 255.255.255.0 PFSENSEWANIP

    ip access-list extended TEST-VPN-ACL
    permit ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
    permit ip 10.20.30.0 0.0.0.255 192.168.10.0 0.0.0.255

    ip access-list extended NAT_ACL
    deny  ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 any



  • You haven't set the hash type in your crypto policy



  • If you're talking about the cisco config, SHA1 is the default and doesn't show up



  • After a few days trying this out, I think it's time to give up and try a different solution.

    Was trying out pfsense for work, we are an MSP and were looking for some alternatives. While many of the other features may work great, ipsec is a must have and clearly isn't very mature.

    What is more troubling is the many forum posts one finds with no replies in the ipsec category…

    Thanks for the great project, look forward to seeing how it matures after a few years



  • Hello,

    Have you already given up?
    I've configured IPSec site-to-site VPNs between Cisco 1841 & 2801 routers, and between the Cisco 2801 router & a pfSense firewall.
    Maybe we can try to find a solution, if you agree.

    Thanks.


Log in to reply