IPSEC-Cisco VPN Client and pfSense



  • Hello,

    I've been a happy pfSense user and advocate for quite a while now (thank you Chris Buechler and dev team for such a great product), and have a few successful implementations at a handful of client sites.  I'm looking to replace a few Cisco ASAs at a couple of new client locations with some fairly beefy hardware running version 2.1/64-bit.

    The main driver for the firewall change is to leverage pfSense's outstanding traffic-shaping capabilities.  Now my problem: these locations have a TON of road warriors running the Cisco VPN client on their Windows/Mac laptops (into the hundreds).  I'm familiar with the ShrewSoft VPN client, and the countless threads saying just use that or convert to OpenVPN.  While I'm not against the ShrewSoft client, this particular client is requesting minimal impact to their end-user base, and would therefore like to continue using the Cisco VPN client that is installed and present in their system images.  And yes, I can just put the ASA behind the pfSense firewall, but I'd really like to replace the ASA altogether if I can.

    We've combed the web on the subject with no real definitive answer to the question.  Has anyone been successful in getting the Cisco VPN client working with pfSense?

    We're currently testing this on a SuperMicro-based i3/8GB/pfSense 2.1 64-bit build with quad Intel PT1000 gigabit NICs.  Thus far, we've been able to authenticate and connect; however, no traffic is passed.  It would appear this is a common problem.

    Anyone?

    Thanks!


  • Rebel Alliance Developer Netgate

    It doesn't work, and won't work. It's also a violation of the Cisco license to do that, so it's not something we can specifically address. If you check the terms of the Cisco VPN Client license they claim it's a violation of the license to connect to anything but a Cisco device with that client.

    You might try again once 2.2 comes out as there are some under-the-hood IPsec changes happening there that may happen to affect this behavior, but it won't function as-is on any release.



  • @jimp:

    It doesn't work, and won't work. It's also a violation of the Cisco license to do that, so it's not something we can specifically address. If you check the terms of the Cisco VPN Client license they claim it's a violation of the license to connect to anything but a Cisco device with that client.

    You might try again once 2.2 comes out as there are some under-the-hood IPsec changes happening there that may happen to affect this behavior, but it won't function as-is on any release.

    Well, that is very disappointing.  Not a stab at pfSense by any means.  I'm just happy to finally get a definitive answer.  Thanks Jimp!


  • Rebel Alliance Developer Netgate

    Yep, it's a pity that they don't let others play with it, but they have to protect their IP/trademarks/etc.

    You can replace it directly with Shrew Soft or OpenVPN and it'll work fine but it still means you'd have to touch each client.



  • After doing some reading on this forum and some Google searching I came across this thread  :(

    I was really hoping to use pfSense for my home network, but one of the unchangeable requirements is that my wife can telecommute to her position at OPM (Federal Government), and they use a Cisco VPN Client. There is exactly a 0% chance I am going to call their VPN administrative staff for more information or make any changes on her work laptop to make it work… that to me is bad juju and a non-starter.

    It seems from my reading that this is just not currently possible, or perhaps possible with jumping through a million hoops and configurations in a wishy-washy, might-work-sometimes type of manner. This won't work for me; it has to be rock solid from the get-go or I have to abandon my plans to use pfSense on my home network.

    Say it ain't so... please?  I really wanted to upgrade from my Asus router to pfSense....

    If this is beating a dead horse, sorry for resurrecting the thread, and if setting this up is just plain not going to work does anyone have a better suggestion?  Setup a linux iptables based firewall maybe?

    Thanks,

    Joe



  • @vibenation:

    After doing some reading on this forum and some Google searching I came across this thread  :(

    I was really hoping to use pfSense for my home network, but one of the unchangeable requirements is that my wife can telecommute to her position at OPM (Federal Government), and they use a Cisco VPN Client. There is exactly a 0% chance I am going to call their VPN administrative staff for more information or make any changes on her work laptop to make it work… that to me is bad juju and a non-starter.

    It seems from my reading that this is just not currently possible, or perhaps possible with jumping through a million hoops and configurations in a wishy-washy, might-work-sometimes type of manner. This won't work for me; it has to be rock solid from the get-go or I have to abandon my plans to use pfSense on my home network.

    Say it ain't so... please?  I really wanted to upgrade from my Asus router to pfSense....

    If this is beating a dead horse, sorry for resurrecting the thread, and if setting this up is just plain not going to work does anyone have a better suggestion?  Setup a linux iptables based firewall maybe?

    Thanks,

    Joe

    Joe-
      This thread isn't suggesting that the Cisco client won't work behind a pfSense firewall; it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.



  • @iced98lx:

    Joe-
      This thread isn't suggesting that the Cisco client won't work behind a pfSense firewall; it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.

    Apparently I need to go to the Zoolander reading school… Thank you for clearing that up for me.  I suppose that's what I get for trying to burn the candle at both ends!

    I will attempt the deployment this weekend when I can test it without impacting her normal work routine.

    Joe



  • @vibenation:

    @iced98lx:

    Joe-
      This thread isn't suggesting that the Cisco client won't work behind a pfSense firewall; it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.

    Apparently I need to go to the Zoolander reading school… Thank you for clearing that up for me.  I suppose that's what I get for trying to burn the candle at both ends!

    I will attempt the deployment this weekend when I can test it without impacting her normal work routine.

    Joe

    No worries, I don't expect you'll hit any snags connecting; I used the Cisco VPN software behind pfSense for a long time.

