    IPSEC-Cisco VPN Client and pfSense

    IPsec
    BeerHat:

      Hello,

      I've been a happy pfSense user and advocate for quite a while now (thank you Chris Buechler and dev team for such a great product), and have a few successful implementations at a handful of client sites.  I'm looking to replace a few Cisco ASAs at a couple of new client locations with some fairly beefy hardware running version 2.1/64-bit.

      The main driver for the firewall change is to leverage pfSense's outstanding traffic-shaping capabilities.  Now my problem; these locations have a TON of road-warriors running the Cisco VPN client on their win/mac lappys (into the hundreds).  I'm familiar with the ShrewSoft VPN client, and the countless threads saying just use that or convert to OpenVPN.  While I'm not against the ShrewSoft client, this particular client is requesting minimal impact to their end-user base, and would therefore like to continue using the Cisco VPN client that is installed and present in their system images.  And yes, I can just put the ASA behind the pfSense fw, but I'd really like to replace the ASA altogether if I can.

      We've combed the web on the subject with no real definitive answer to the question.  Has anyone been successful in getting the Cisco VPN client working with pfSense?

      We're currently testing this on a SuperMicro based i3/8Gb/pfSense 2.1 64-bit build, Quad Intel PT1000 gig nics.  Thus far, we've been able to authenticate and connect; however, no traffic is passed.  It would appear this is a common problem.

      Anyone?

      Thanks!

      jimp (Rebel Alliance Developer, Netgate):

        It doesn't work, and won't work. It's also a violation of the Cisco license to do that, so it's not something we can specifically address. If you check the terms of the Cisco VPN Client license they claim it's a violation of the license to connect to anything but a Cisco device with that client.

        You might try again once 2.2 comes out as there are some under-the-hood IPsec changes happening there that may happen to affect this behavior, but it won't function as-is on any release.

        BeerHat:

          @jimp:

          It doesn't work, and won't work. It's also a violation of the Cisco license to do that, so it's not something we can specifically address. If you check the terms of the Cisco VPN Client license they claim it's a violation of the license to connect to anything but a Cisco device with that client.

          You might try again once 2.2 comes out as there are some under-the-hood IPsec changes happening there that may happen to affect this behavior, but it won't function as-is on any release.

          Well, that is very disappointing.  Not a stab at pfSense by any means.  I'm just happy to finally get a definitive answer.  Thanks Jimp!

          jimp (Rebel Alliance Developer, Netgate):

            Yep, it's a pity that they don't let others play with it, but they have to protect their IP/trademarks/etc.

            You can replace it directly with Shrew Soft or OpenVPN and it'll work fine but it still means you'd have to touch each client.

            vibenation:

              After doing some reading on this forum and some Google searching I came across this thread  :(

              I was really hoping to use pfSense for my home network, but one of the unchangeable requirements is that my wife can telecommute to her position at OPM (Federal Government) and they use a Cisco VPN Client. There is exactly a 0% chance I am going to call their VPN administrative staff for more information or make any changes on her work laptop to make it work... that to me is bad juju and a non-starter.

              It seems from my reading that this is just not currently possible, or perhaps possible with jumping through a million hoops and configurations in a wishy-washy, might-work-sometimes type of manner. This won't work for me; it has to be rock solid from the get-go or I have to abandon my plans to use pfSense on my home network.

              Say it ain't so... please?  I really wanted to upgrade from my Asus router to pfSense.

              If this is beating a dead horse, sorry for resurrecting the thread, and if setting this up is just plain not going to work, does anyone have a better suggestion?  Set up a Linux iptables-based firewall maybe?

              Thanks,

              Joe

              iced98lx:

                @vibenation:

                After doing some reading on this forum and some Google searching I came across this thread  :(

                I was really hoping to use pfsense for my home network, but one of the unchangeable requirements is that my wife can telecommute to her position at OPM (Federal Government) and they use a Cisco VPN Client. There is exactly a 0% chance I am going to call their VPN administrative staff for more information or make any changes on her work laptop to make it work…that to me is bad juju and a non-starter

                It seems from my reading that this is just not currently possible, or perhaps possible with jumping through a million hoops and configurations in a wishy-washy might work sometimes type of manner. This won't work for me, it has to be rock solid from the get go or I have to abandon my plans to use pfsense on my home network

                Say it ain't so......please?  I really wanted to upgrade from my Asus router to pfsense....

                If this is beating a dead horse, sorry for resurrecting the thread, and if setting this up is just plain not going to work does anyone have a better suggestion?  Setup a linux iptables based firewall maybe?

                Thanks,

                Joe

                Joe-
                  This thread isn't suggesting that the Cisco client won't work behind a pfSense firewall; it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.

                vibenation:

                  @iced98lx:

                  Joe-
                    This thread isn't suggesting that the cisco client won't work behind a pfSense firewall, it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's new employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.

                  Apparently I need to go to the Zoolander reading school... Thank you for clearing that up for me.  I suppose that's what I get for trying to burn both ends of the candle at once!

                  I will attempt the deployment this weekend when I can test it without impacting her normal work routine.

                  Joe

                  iced98lx:

                    @vibenation:

                    @iced98lx:

                    Joe-
                      This thread isn't suggesting that the cisco client won't work behind a pfSense firewall, it's suggesting the pfSense firewall can't be configured out of the box to accept connections IN from that client.  We're discussing if your wife's new employer was using pfSense as the tunnel endpoint, not if you were using it as a firewall from home.

                    Apparently I need to go to the Zoolander reading school….Thank you for clearing that up for me.  I suppose thats what I get for trying to burn both ends of the candle at once!

                    I will attempt the deployment this weekend when I can test it without impacting her normal work routine.

                    Joe

                    No worries, I don't expect you'll hit any snags connecting; I used the Cisco VPN software behind pfSense for a long time.
