IPsec connection to commercial CISCO VPN?

  • Hi guys,

    Let me first say I'm not a highly technical user when it comes to networking – I've lived in a pretty "cushy" life of home-consumer grade routers so the move to pfSense has been a learning experience for me (but I'm still far from knowledgeable, so please be gentle).

    Second, the matter is relatively complex to explain succinctly, so I apologise for the length of the post.

    With that out of the way -- I need to connect to a Cisco VPN hardware device in a remote office. On other hardware (a D-Link DGL-4300 router) I've had no problems with the factory-enabled IPsec pass-through on my client reaching and maintaining communication with the remote server. The only thing that has changed between then and now is that I have removed the D-Link and replaced it with a WRAP running pfSense (currently running Beta 2, although the same problem occurred with Beta 1).

    Connecting through the WRAP router to the VPN host from the Windows-based Cisco VPN client still works "out of the box" with pfSense, but the reason I'm posting is because it doesn't stay that way -- The connection invariably times out after 4-8 minutes; the client complains, "Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding."

    Inbound port 500 (UDP) has a NAT entry to the VPN client machine and a rule allowing (and monitoring) both inbound and outbound UDP traffic over port 500 from the client (actually, the rule allows any traffic at all from the host IP to make matters simpler); the packets are all passing through fine from what I can tell from the logs. At somewhere around 3-6 minutes into a new connection, the client sends out some kind of "keepalive" signal over UDP port 500 to the server, to which the server responds immediately, but directed to some higher port (usually >45000 and <60000, also via UDP) back to the client. Again, the entire port range I have seen used has a NAT entry to forward and ruleset to allow the UDP datagram to pass back through to the client machine, which the logs report as being successful.

    The only other (presumably) relevant setting I can think to mention is that Outbound NAT is currently set to "Advanced" mode -- meaning "Enable IPsec passthru" is of course not enabled (as the two settings appear to be mutually exclusive by design). The reason for this choice is because I have two WAN connections – the chief reason for my making the move to pfSense in the first place (and the functionality provided as such is highly satisfactory and not something I'm willing to sacrifice). However, in the interest of testing, I have switched this setting over to "Enable IPsec passthru" (thus disabling the second WAN connection) but I experienced no change in behaviour as a result.

    I'm hoping there's still some hope of getting a reliable VPN connection up and running from my network to my workplace; I've gone so far as to locate a guide to get racoon to talk to a Cisco PIX, hoping it might help guide me to the appropriate pfSense settings to create a VPN connection using racoon on the WRAP itself, but my efforts have evidently been unsuccessful to date.

    Can anyone offer any suggestions to help me out? Thanks in advance!
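    One check that helps when reading logs like the ones described above is to pair each outbound IKE packet (UDP/500) with the peer's reply and see whether the reply comes back to the same port the request left from. The script below is an added example for this thread, not code from the original post or from pfSense; the log format it parses is a simplified, constructed one (direction, protocol, src:port -> dst:port), not pfSense's real filter-log format, and the IP addresses are made up for the demo.

```python
"""Pair outbound IKE (UDP/500) packets with their replies in a simplified,
constructed firewall log and report whether each peer answers to the port the
request was sent from.  Added example; the log format is invented for the demo
and is NOT pfSense's real filter-log format."""
import re
from dataclasses import dataclass

IKE_PORT = 500

# One record per line: "<in|out> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<dir>in|out)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (addresses from documentation ranges, not real hosts).
# Peer .10 answers symmetrically; peer .20 answers to a high port, which is
# the pattern described in the post above.
SAMPLE_LOG = """\
out udp 192.168.1.50:500 -> 203.0.113.10:500
in  udp 203.0.113.10:500 -> 192.168.1.50:500
out udp 192.168.1.50:500 -> 203.0.113.20:500
in  udp 203.0.113.20:500 -> 192.168.1.50:51234
"""


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed log format into Flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        g = m.groupdict()
        flows.append(Flow(g["dir"], g["proto"], g["src"], int(g["sport"]),
                          g["dst"], int(g["dport"])))
    return flows


def ike_reply_check(flows: list[Flow], client_ip: str) -> list[tuple[str, str]]:
    """For each outbound IKE packet from client_ip, find replies from the same
    peer and classify the return port.  Returns (peer, status) tuples so the
    result can be inspected or asserted on rather than only printed."""
    outbound = [f for f in flows
                if f.direction == "out" and f.proto == "udp"
                and f.src == client_ip and f.dport == IKE_PORT]
    inbound = [f for f in flows
               if f.direction == "in" and f.proto == "udp"
               and f.dst == client_ip and f.sport == IKE_PORT]
    results = []
    for req in outbound:
        replies = [r for r in inbound if r.src == req.dst]
        if not replies:
            results.append((req.dst, "no reply"))
            continue
        for r in replies:
            if r.dport == req.sport:
                status = "symmetric"
            else:
                status = f"reply to port {r.dport} (sent from {req.sport})"
            results.append((req.dst, status))
    return results


if __name__ == "__main__":
    for peer, status in ike_reply_check(parse_log(SAMPLE_LOG), "192.168.1.50"):
        print(f"{peer}: {status}")
```

    Run against a real export you would swap SAMPLE_LOG for the log text and set client_ip to the VPN client's LAN address; a "reply to port N" line for a peer is the symptom worth taking to the firewall's NAT and state tables, while "no reply" points at the packet never returning at all.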

  • Hello,

    Can you show a picture of your IPsec configuration to a Cisco VPN? I want to test the same thing: connect a WRAP board with pfSense to a Cisco VPN Concentrator. But I need some help for the setup and maybe a picture of the web interface of your configuration may help me. thx.


  • This is a client VPN, not site to site, right?  You have the latest Cisco VPN client?  There were a number of people having what sounds like the same issue with older Cisco VPN clients on the m0n0wall list a while back.  Granted, that's a completely different firewall, but this is the same issue so I'd try upgrading your client first.

  • @MdeWendt:

    I want to test the same thing: connect a WRAP board with pfSense to a Cisco VPN Concentrator. But I need some help for the setup and maybe a picture of the web interface of your configuration may help me. thx.

    If this is a VPN concentrator set up strictly for VPN client connections, you can't do a site to site connection (which is what you're describing).  That requires xauth, which I don't believe is possible at all, and certainly isn't possible at this time.  Manuel, m0n0wall founder, looked at adding a Cisco VPN client into m0n0wall to do this, but it can't happily coexist with racoon, so that wouldn't work.

    You can do site to site IPsec with Cisco devices that are configured to do so, but not ones that are configured for VPN client connections.  Two diff things.

  • Thanks CMB, it's possible my client is out of date on the machine so I'll upgrade it over the next or two and post my findings back.