pfSense 2.2 to ASA 8.2 site to site not passing traffic



  • Greetings,
    A bit of an annoying issue - I'm attempting to set up a site-to-site VPN between a pfSense 2.2 install and a Cisco ASA 5505 running ASA 8.2.  Failing everything, I went directly with the config suggested in the latest pfSense book, which is 3DES, SHA1, etc etc.  Ensured that on my Firewall rules the IPsec tab was allowing everything, and ensured the correct NAT statements were in the ASA.

    In other words, I followed the book verbatim after failing on my own.

    So now my problem is - I can bring up the tunnel, and it stays up.  I just can't pass any traffic either way.  Both sides try to send, but nothing gets back.  I've triple checked settings on both sides, and both sides are trying to route out their respective firewalls to get over the VPN - so that's good.

    On the IPsec tab of the firewall rules in pfSense:

    ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        IPv4   *       *     *            *     *        *      none

    So... wide open!  I'm at a loss on this one.  I'm on my way to getting rid of the ASAs completely in favor of pfSense - but I have to keep the one in question for at least the next 30-60 days.

    Any ideas?  Words of wisdom?



  • Have you tried today's snapshots?
    There have been some recent problems with IPsec under 2.2



  • Okay that got me closer - or rather, got me to the point where I'm at when using 2.1.5.  So for whatever reason, this is an error I keep getting on the ASA:
    3 Oct 10 2014 11:25:01 305005 192.xxx.xxx.x No translation group found for icmp src outside:192.x.x.x dst inside:192.xxx.xxx.x (type 8, code 0)

    Now if I add the example NONAT ACL mentioned in the pfSense 2.1 book I can pass traffic... but it kills my other site-to-sites that terminate on that particular ASA.  I remove it, and no joy.  I've triple checked that all IPs match, and NAT-T is disabled on both ends.

    More perplexing?  Aside from the algorithm, this is an identical tunnel config to what I have on that particular ASA for 12 other tunnels that go to el-cheap ZyWALLs.
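    The 305005 "No translation group found" message means the packet reached the ASA's NAT engine and matched no nat, static or nat 0 entry, so it was dropped before it could ever be encrypted. Below is an added, constructed ASA 8.2 example (not the poster's or the pfSense book's configuration) showing why a single-entry exemption ACL can break the other tunnels and what a multi-peer exemption looks like; all subnets, the peer address 203.0.113.10, the ACL and crypto-map names and the interface names are assumptions.

```cisco
! Constructed example, not the poster's running config. Assumed subnets:
!   inside LAN behind this ASA      10.10.0.0/24
!   existing ZyWALL tunnel remotes  10.30.0.0/24, 10.40.0.0/24
!   new pfSense 2.2 tunnel remote   10.20.0.0/24
!
! --- Problem: binding a fresh single-entry exemption ACL with its own
!     "nat (inside) 0" replaces the exemption already on that interface.
!     Traffic to the ZyWALL subnets is then NATed, no longer matches
!     their crypto ACLs, and those tunnels stop passing traffic.
access-list NONAT_NEW extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT_NEW
!
! --- Corrected: one NAT-exempt ACL per interface, one ACE per remote
!     subnet, so every site-to-site peer keeps its exemption.
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The crypto ACL for the new peer must mirror the pfSense phase 2
! (pfSense local 10.20.0.0/24, remote 10.10.0.0/24) exactly.
access-list VPN_PFSENSE extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
crypto map OUTSIDE_MAP 30 match address VPN_PFSENSE
crypto map OUTSIDE_MAP 30 set peer 203.0.113.10
crypto map OUTSIDE_MAP 30 set transform-set ESP-3DES-SHA
!
! Checks: confirm the exemption is hit and the packet reaches the
! encrypt phase before suspecting the tunnel itself.
show run nat
show access-list NONAT
packet-tracer input inside icmp 10.10.0.50 8 0 10.20.0.50 detailed
show crypto ipsec sa peer 203.0.113.10
```

    If packet-tracer ends in a DROP at the NAT phase, the exemption ACL is the place to look; if it reaches VPN with an encrypt action but the peer shows no decaps, the mismatch is on the other end.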



  • @filnko:

    > Have you tried today's snapshots?
    > There have been some recent problems with IPsec under 2.2

    Sure enough, one more reboot - did it.  That's exactly what seems to have cured my issue; for whatever reason the NAT statement solved itself after a second reboot.

    THANK YOU.

