Netgate Discussion Forum

    PfSense 2.2 to ASA 8.2 site to site not passing traffic

    bdinger

      Greetings,
      A bit of an annoying issue - I'm attempting to set up a site-to-site VPN between a pfSense 2.2 install and a Cisco ASA 5505 running ASA 8.2.  Failing everything, I went directly with the config suggested in the latest pfSense book, which is 3DES, SHA1, etc. etc.  Ensured that on my firewall rules the IPsec tab was allowing everything, and ensured the correct NAT statements were in the ASA.

      In other words, I followed the book verbatim after failing on my own.

      So now my problem is - I can bring up the tunnel, and it stays up.  I just can't pass any traffic either way.  Both sides try to send, but nothing gets back.  I've triple checked settings on both sides, and both sides are trying to route out their respective firewalls to get over the VPN - so that's good.

      On the IPsec tab of the firewall settings in pfSense:

      ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
          IPv4 * *       *     *            *     *        *      none

      So.. wide open!  I'm at a loss on this one.  I'm on my way to getting rid of the ASAs completely in favor of pfSense - but I have to keep the one in question for at least the next 30-60 days.

      Any ideas?  Words of wisdom?

        filnko

        Have you tried today's snapshots?
        There have been some recent problems with IPsec under 2.2.

          bdinger

          Okay, that got me closer - or rather, got me to the point where I'm at when using 2.1.5.  So for whatever reason, this is an error I keep getting on the ASA:
          3 Oct 10 2014 11:25:01 305005 192.xxx.xxx.x No translation group found for icmp src outside:192.x.x.x dst inside:192.xxx.xxx.x (type 8, code 0)

          Now if I add the example nonat ACL mentioned in the pfSense 2.1 book I can pass traffic.. but it kills my other site-to-sites that terminate on that particular ASA.  I remove it, and no joy.  I've triple checked that all IPs match, and NAT-T is disabled on both ends.

          More perplexing?  Aside from the algorithm, this is an identical tunnel config to what I have on that particular ASA for 12 other tunnels that are going to el-cheapo ZyWALLs.

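          The 305005 "No translation group found" message above means the ASA is still trying to NAT the inside-to-remote traffic instead of exempting it, so the packets never reach the tunnel even though IKE is up. Below is an added example of an ASA 8.2 (pre-8.3 NAT syntax) identity-NAT exemption for such a tunnel; it is not the thread's or the pfSense book's configuration. The subnets (RFC 5737 documentation ranges) and ACL names NONAT_VPN and VPN_TO_PFSENSE are assumed placeholders. On pre-8.3 code only one nat (inside) 0 access-list binding exists per interface, so the new remote subnet is appended to the ACL that is already bound rather than bound through a second ACL, which would replace the existing binding and stop exempting the other tunnels' traffic.

```cisco
! Added example, not from the thread: ASA 8.2 NAT exemption for a new
! site-to-site tunnel. Placeholder (RFC 5737) subnets:
!   192.0.2.0/24    = assumed LAN behind this ASA (inside)
!   198.51.100.0/24 = assumed LAN behind the new pfSense peer
!   203.0.113.0/24  = assumed LAN behind an existing peer already exempted
!
! Pre-8.3 ASA keeps exactly one "nat (inside) 0 access-list" per interface.
! Append the new pair to the ACL that is already bound; re-issuing nat 0 with a
! different ACL name replaces the binding and drops the older exemptions.
access-list NONAT_VPN extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list NONAT_VPN extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_VPN
!
! Interesting-traffic ACL referenced by the crypto map entry for the pfSense
! peer; it must describe the same local/remote pair as the exemption above,
! and mirror the Phase 2 local/remote networks configured on the pfSense side.
access-list VPN_TO_PFSENSE extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
```

          To confirm the exemption took effect, check that show running-config nat still lists the single nat (inside) 0 line with the expected ACL, that the 305005 messages stop for the remote subnet, and that both the #pkts encaps and #pkts decaps counters in show crypto ipsec sa increase for the pfSense peer; encaps rising with decaps stuck at zero points at the far side (pfSense Phase 2 networks or its IPsec-tab rules) rather than the ASA. No NAT change is needed on pfSense, which does not NAT traffic entering a Phase 2 by default.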
            bdinger

            @filnko:

            Have you tried today's snapshots?
            There have been some recent problems with IPsec under 2.2.

            Sure enough, one more reboot did it.  That's exactly what seems to have cured my issue; for whatever reason the NAT statement solved itself after a second reboot.

            THANK YOU.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.