IPSec VPN Between Cisco 881 and Pfsense 2.1.3 not working

  • Hi Everybody.

    I have this setup:

    Remote Site ( --- Cisco 881 (LAN .1, WAN 181.177.xxx.xxxx) ---- Internet --- Pfsense (WAN 190.12.xxx.xxx, LAN .1) --- Local Site (

    Seems a pretty simple setup. We are trying to achieve an IPSec VPN here...it's been 2 days and we have no way of TX/RX packets from the VPN.

    Configuration on the Remote Site (Cisco)

    XXXXX#sh run
    Building configuration...
    Current configuration : 2523 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXXXXX
    logging message-counter syslog
    enable secret 5 xxxxxxx
    no aaa new-model
    ip source-route
    ip dhcp excluded-address
    ip dhcp pool Miraflores2_DHCPPool
       import all
    ip cef
    no ip domain lookup
    ip domain name xxxxxxx
    license boot module c880-data level advsecurity
    username xxxxx password 0 xxxxxx
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key MYKEY address 190.12.xxx.xxx
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map pfsense 15 ipsec-isakmp
     set peer 190.12.xxx.xxx
     set transform-set AES256-SHA
     set pfs group2
     match address acl_vpn
     log config
    ip ssh time-out 60
    ip ssh authentication-retries 2
    interface FastEthernet0
     spanning-tree portfast
    interface FastEthernet1
     spanning-tree portfast
    interface FastEthernet2
     spanning-tree portfast
    interface FastEthernet3
     spanning-tree portfast
    interface FastEthernet4
     description WAN INTERFACE
     ip address 181.177.xxx.xxx
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map pfsense
    interface Vlan1
     description LAN INTERFACE
     ip address
     ip nat inside
     ip virtual-reassembly
    ip forward-protocol nd
    ip route 181.177.xxx.xxx
    ip route
    no ip http server
    no ip http secure-server
    ip access-list extended acl_nat
     permit ip any
     deny   ip
    ip access-list extended acl_vpn
     permit ip
     permit ip
    line con 0
     password XXXXXX
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     password XXXXX
     login local
     transport preferred ssh
     transport input ssh
    scheduler max-task-time 5000

    Logs on PFSense

    Last 300 IPsec log entries 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=535795823(0x1fef986f) 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: IPsec-SA established: ESP 190.12.xxx.xxx[500]->181.177.xxx.xxx[500] spi=181901907(0xad79a53) 
    May 15 10:36:03 racoon: WARNING: attribute has been modified. 
    May 15 10:36:03 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes 
    May 15 10:36:03 racoon: [LAN2LAN - Fase 1 - Miraflores 1 a Miraflores 2]: INFO: initiate new phase 2 negotiation: 190.12.xxx.xxx[500]<=>181.177.xxx.xxx[500] 
    May 15 10:35:17 racoon: INFO: purged IPsec-SA proto_id=ESP spi=4031659779.

    So, until now the tunnel is up (checked SAs and SPs, and the logs on both sides say pretty much the same). But I can't ping either side.

    I use VPN for mobile users, btw. IPSec based.

    Remote site is new, there is nothing connected to the local switch (so, int is down). I tried creating a loopback int in the Cisco, but no result. I have been trying to set this up from a remote console.

    Please help…

  • Hi there!

    When I ran into traffic problems across the VPN, I had to create firewall rules in the IPSec section of my pfSense. And the admin on the other side also had to create firewall rules to allow traffic.  I would suggest you start there if you haven't already.


  • Hi Daniel, thanks for the reply. I already have a rule on the PfSense IPsec tab. Also, the router has the ACLs set correctly.

    Makes me wonder if there is a routing problem within PfSense.

  • Well, I managed to get it working.

    I had to add rules not only in the IPSEC tab of the firewall, but also to the LAN.

    I.e.: local network, remote

    Had to create three rules:

    One for IPSEC, where it is any / any.

    The other two in the LAN, with source: local / dest: remote and vice-versa.

    Tunnel is working now. Just to let you guys know in case you are stuck like I was.

    Don't forget to check your tcpdump -n esp to see if VPN traffic is passing, at least. Firewall logs are your friend, too.
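
The `tcpdump -n esp` check mentioned in the post above, turned into a small direction counter. This is an added example, not part of the original thread: the addresses, SPI values and capture lines are constructed, and the hint texts are general troubleshooting guidance assumed here rather than anything the posters stated.

```python
import re
from collections import Counter

# Shape of a line printed by `tcpdump -n esp` (plain ESP, not NAT-T on UDP 4500):
#   10:36:05.101234 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
ESP_LINE = re.compile(
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)"
)

# Where to look next for each verdict (assumed guidance, not from the thread).
HINTS = {
    "none": "no ESP seen: LAN traffic is not reaching the tunnel, check LAN rules",
    "outbound-only": "local side encrypts, nothing returns: check the remote gateway",
    "inbound-only": "peer sends, local side never answers: check local rules/routing",
    "both": "ESP flows both ways: the drop is after decryption, check IPsec tab rules",
}

def esp_flows(lines):
    """Count ESP packets per (src, dst, spi); lines that are not ESP are ignored."""
    flows = Counter()
    for line in lines:
        m = ESP_LINE.search(line)
        if m:
            flows[(m["src"], m["dst"], int(m["spi"], 16))] += 1
    return flows

def diagnose(lines, local, peer):
    """Classify a capture taken on the gateway whose WAN address is `local`."""
    flows = esp_flows(lines)
    sent = sum(n for (s, d, _), n in flows.items() if (s, d) == (local, peer))
    rcvd = sum(n for (s, d, _), n in flows.items() if (s, d) == (peer, local))
    verdict = {(False, False): "none", (True, False): "outbound-only",
               (False, True): "inbound-only", (True, True): "both"}[(sent > 0, rcvd > 0)]
    # SPIs are printed in hex so they can be matched against the racoon log entries.
    spis = sorted({hex(spi) for (_, _, spi) in flows})
    return {"sent": sent, "received": rcvd, "spis": spis,
            "verdict": verdict, "hint": HINTS[verdict]}

# Constructed capture: three outbound ESP packets, no replies from the peer.
SAMPLE = [
    "10:36:05.101234 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "10:36:06.101877 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 132",
    "10:36:07.102410 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x3), length 132",
    "10:36:07.500000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 2/others ? inf[E]",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.0.2.10", "198.51.100.20"))
```
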

  • Just to let you know…

    After tinkering with rules and testing, I just came up with this:

    One rule, LAN to IPSec subnet, in the LAN tab.
    The other rule, any to any, in the IPSec tab.

    And I just got the DHCP ip helper address working...so I'm using my DHCP server. :D

