IPSec VPN Between Cisco 881 and Pfsense 2.1.3 not working



  • Hi Everybody.

    I have this setup:

    Remote Site (192.168.2.0/24) --- Cisco 881 (LAN .1, WAN 181.177.xxx.xxxx) ---- Internet --- Pfsense (WAN 190.12.xxx.xxx, LAN .1) --- Local Site (192.168.1.0/24).

    Seems a pretty simple setup. We are trying to achieve an IPSec VPN here...it's been 2 days and we have no way of TX/RX packets from the VPN.

    Configuration on the Remote Site (Cisco)

    XXXXX#sh run
    Building configuration...
    
    Current configuration : 2523 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname XXXXXXX
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 xxxxxxx
    !
    no aaa new-model
    !
    !
    ip source-route
    ip dhcp excluded-address 192.168.2.1 192.168.2.100
    !
    ip dhcp pool Miraflores2_DHCPPool
       import all
       network 192.168.2.0 255.255.255.0
       dns-server 192.168.1.252
       default-router 192.168.2.1
    !
    !
    ip cef
    no ip domain lookup
    ip domain name xxxxxxx
    !
    !
    license boot module c880-data level advsecurity
    !
    !
    username xxxxx password 0 xxxxxx
    !
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key MYKEY address 190.12.xxx.xxx
    !
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
    !
    crypto map pfsense 15 ipsec-isakmp
     set peer 190.12.xxx.xxx
     set transform-set AES256-SHA
     set pfs group2
     match address acl_vpn
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    
    interface FastEthernet0
     spanning-tree portfast
    !
    interface FastEthernet1
     spanning-tree portfast
    !
    interface FastEthernet2
     spanning-tree portfast
    !
    interface FastEthernet3
     spanning-tree portfast
    !
    interface FastEthernet4
     description WAN INTERFACE
     ip address 181.177.xxx.xxx 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map pfsense
    !
    interface Vlan1
     description LAN INTERFACE
     ip address 192.168.2.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 181.177.xxx.xxx
    ip route 192.168.1.0 255.255.255.0 190.12.82.163
    no ip http server
    no ip http secure-server
    !
    !
    ip access-list extended acl_nat
     permit ip 192.168.2.0 0.0.0.255 any
     deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list extended acl_vpn
     permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     password XXXXXX
     login
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     password XXXXX
     login local
     transport preferred ssh
     transport input ssh
    !
    scheduler max-task-time 5000
    end
    
    

    Logs on PFSense

    Last 300 IPsec log entries 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=535795823(0x1fef986f) 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=181901907(0xad79a53) 
    May 15 10:36:03 racoon: WARNING: attribute has been modified. 
    May 15 10:36:03 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: initiate new phase 2 negotiation: 190.12.xxx.xxx[500]<=>181.177.xxx.xxx[500] 
    May 15 10:35:17 racoon: INFO: purged IPsec-SA proto_id=ESP spi=4031659779.
    

    So, until now tunnel is up (Checked SAs, SPs and logs on both sides says pretty the same). But I can't ping either side.

    I use VPN for mobile users, btw. IPSec based.

    Remote site is new, there is nothing connected to the local switch (so, int is down). I tried creating a loopback int in the Cisco, but no result. I have been trying to set this up from a remote console.

    Please help…
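    An added check over the two ACLs in the posted config (this script is not from the thread): IOS extended ACLs are first-match, so in acl_nat the deny for the VPN subnets sits behind a permit-any and can never match, and if that list were applied with an `ip nat inside source` statement the 192.168.2.0/24 -> 192.168.1.0/24 flow would be translated before it reached the crypto map. The script parses both ACLs and reports every crypto-ACL flow whose first matching NAT entry is a permit.

```python
import ipaddress
import re

# The two extended ACLs exactly as they appear in the posted Cisco config.
ACL_TEXT = """
ip access-list extended acl_nat
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def _net(tokens):
    """Consume one address spec ('any' or 'ADDR WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # IOS wildcard bits are the inverse of a netmask
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            action, _proto, *rest = line.split()
            src, rest = _net(rest)
            dst, _ = _net(rest)
            current.append((action, src, dst))
    return acls

def nat_leaks(crypto_acl, nat_acl):
    """Crypto-ACL flows whose first matching NAT entry is a permit (they would be NATed)."""
    leaks = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        # first-match semantics: stop at the first entry covering the flow
        for nat_action, nsrc, ndst in nat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    leaks.append((str(src), str(dst)))
                break
    return leaks
```

Swapping the two acl_nat entries (deny first, then permit-any) is the usual NAT-exemption order and makes the report empty.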



  • Hi there!

    When I ran into traffic problems across the VPN, I had to create firewall rules in the IPSec section of my pfSense. And the admin on the other side also had to create firewall rules to allow traffic.  I would suggest you start there if you haven't already.

    Daryl



  • Hi Daniel, thanks for the reply. I have already a rule on the PfSense IPsec tab. Also, the router has the ACLs set correctly.

    Makes me wonder if there is a routing problem within PfSense.



  • Well, I managed to get it working.

    I had to add rules not only in the IPSEC tab of the firewall, also to the LAN.

    I.e.: local network 192.168.1.0/24, remote 192.168.2.0/24.

    Had to create three rules:

    One for IPSEC, which is any / any.

    The other two in the LAN, with source: local / dest: remote and vice-versa.

    Tunnel is working now. Just to let you know guys in case you are stuck like I was.

    Don't forget to check your tcpdump -n esp to view if VPN traffic is passing, at least. Firewall logs are your friend, too.



  • Just to let you know…

    After tinkering with rules and testing, I just came up with this:

    One rule, Lan to IPSec Subnet in the LAN tab.
    The other rule, any to any in the IPSec tab.

    and I just got the DHCP ip helper address working...so I'm using my DHCP server. :D.

