IPSec VPN Between Cisco 881 and Pfsense 2.1.3 not working
I have this setup:
Remote Site (192.168.2.0/24) –-Cisco 881 (LAN .1, WAN 181.177.xxx.xxxx) ---- Internet --- Pfsense (WAN 190.12.xxx.xxx, LAN .1) --- Local Site (192.168.1.0/24).
Seems a pretty simple setup. We are trying to achieve an IPSec VPN here...it's been 2 days and we have no way of TX/RX packets from the VPN.
Configuration on the Remote Site (Cisco)
XXXXX#sh run Building configuration... Current configuration : 2523 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname XXXXXXX ! boot-start-marker boot-end-marker ! logging message-counter syslog enable secret 5 xxxxxxx ! no aaa new-model ! ! ip source-route ip dhcp excluded-address 192.168.2.1 192.168.2.100 ! ip dhcp pool Miraflores2_DHCPPool import all network 192.168.2.0 255.255.255.0 dns-server 192.168.1.252 default-router 192.168.2.1 ! ! ip cef no ip domain lookup ip domain name xxxxxxx ! ! license boot module c880-data level advsecurity ! ! username xxxxx password 0 xxxxxx ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 28800 crypto isakmp key MYKEY address 190.12.xxx.xxx ! ! crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac ! crypto map pfsense 15 ipsec-isakmp set peer 190.12.xxx.xxx set transform-set AES256-SHA set pfs group2 match address acl_vpn ! archive log config hidekeys ! ! ip ssh time-out 60 ip ssh authentication-retries 2 ! ! ! interface FastEthernet0 spanning-tree portfast ! interface FastEthernet1 spanning-tree portfast ! interface FastEthernet2 spanning-tree portfast ! interface FastEthernet3 spanning-tree portfast ! interface FastEthernet4 description WAN INTERFACE ip address 181.177.xxx.xxx 255.255.255.248 ip nat outside ip virtual-reassembly duplex auto speed auto crypto map pfsense ! interface Vlan1 description LAN INTERFACE ip address 192.168.2.1 255.255.255.0 ip nat inside ip virtual-reassembly ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 181.177.xxx.xxx ip route 192.168.1.0 255.255.255.0 184.108.40.206 no ip http server no ip http secure-server ! ! ip access-list extended acl_nat permit ip 192.168.2.0 0.0.0.255 any deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 ip access-list extended acl_vpn permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ! ! ! ! ! control-plane ! ! line con 0 password XXXXXX login no modem enable line aux 0 line vty 0 4 access-class 1 in exec-timeout 30 0 privilege level 15 password XXXXX login local transport preferred ssh transport input ssh ! scheduler max-task-time 5000 end
Logs on PFSense
Last 300 IPsec log entries May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx->181.177.xxx.xxx spi=535795823(0x1fef986f) May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx->181.177.xxx.xxx spi=181901907(0xad79a53) May 15 10:36:03 racoon: WARNING: attribute has been modified. May 15 10:36:03 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: initiate new phase 2 negotiation: 190.12.xxx.xxx<=>181.177.xxx.xxx May 15 10:35:17 racoon: INFO: purged IPsec-SA proto_id=ESP spi=4031659779\.
So, until now tunnel is up (Checked SAs, SPs and logs on both sides says pretty the same). But I can't ping either side.
I use VPN for mobile users, btw. IPSec based.
Remote site is new, there is nothing connected to the local switch (so, int is down). I tried creating a loopbak int int the Cisco, but no result. I have been trying to set this up from a remote console.
dsvj1977 last edited by
When I ran into traffic problems across the VPN, I had to create firewall rules in the IPSec section of my pfSense. And the admin on the other side also had to create firewall rules to allow traffic. I would suggest you start there if you haven't already.
Hi Daniel, thanks for the reply. I have already a rule on the PfSense IPsec tab. Also, the router has the ACLs set correctly.
Makes me wonder if there is a routing problem within PfSense.
well, I managed to get it working.
I had to add rules not only in the IPSEC tab of the firewall, also to the LAN.
I.e.: local network 192.168.1.0/24, remote 192.168.2.0/24.
Had to créate three rules:
one for IPSEC where is any / any.
The other two in the LAN, with source: local / desto: remote and vice-versa.
Tunnel is working now. Just to let you know guys in case you are stuck like I was.
don't forget to check you tcpdump -n esp to view if VPN traffic is passing, at least. Firewall ogs are your friend, too.
Just to let you know…
after tinkering with rules and testing, I just came up with this:
One rule, Lan to IPSec Subnet in the LAN tab.
The other rule, any to any in the IPSec tab.
and I just got the DHCP ip helper address working...so I'm using my DHCP server. :D.