Newbie to VPN - Cisco Router to pfSense IPSec problems

Brett Tesdall
Level 1

Hi, everyone,

I'm still in the process of learning about Cisco, but I'm now tasked with a problem that I'm stuck on and up against a time limit to fix.

At our home office, we have a pfSense box providing IPSec tunnels to some remote locations and these are working fine.  We're now setting up a new remote office and we're wanting to put a Cisco 1921 there as the IPSec endpoint because a couple of months from now, we hope to have this location added to our MPLS and the Cisco should be able to handle that.  Temporarily, we'll be having a cable modem connection to provide Internet service and want to VPN back to the home office as well as provide general Internet services for the office people.

Right now, my connection to the remote office LAN is on G0/0 of the 1921.  It has an IP of 10.23.10.1 and is providing DHCP services to the LAN.  I have plugged a computer into G0/0 and confirmed DHCP is working.  The 1921 is currently in our home office while I set it up, so for testing, I plugged a cable into G0/1 that was for an outside connection to the Internet.  In this configuration, I was able to confirm that my test computer could get out to the internet through the 1921 after I added a default static route.  So, at this point, everything seemed to be working fine.

Then I began working on the VPN between the Cisco and pfSense using this article as a guide:  https://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS   For the most part this worked, although I made an error in the Phase 2 portion, but thought I had it fixed.  However, while the tunnel does appear to be established, no traffic is passing.  Also, no Internet traffic is passing either, so this is clearly not doing a split-tunnel.

This is what the debug for IPSec is showing:

*Feb 18 15:56:09.987: IPSEC(validate_proposal_request): proposal part #1
*Feb 18 15:56:09.987: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 205.237.121.4:0, remote= 205.237.121.1:0,
    local_proxy= 10.23.0.0/255.255.240.0/256/0,
    remote_proxy= 10.0.0.0/255.248.0.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 18 15:56:09.987: Crypto mapdb : proxy_match
        src addr     : 10.23.0.0
        dst addr     : 10.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Feb 18 15:56:10.039: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:56:10.039: Crypto mapdb : proxy_match
        src addr     : 10.23.0.0
        dst addr     : 10.0.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Feb 18 15:56:10.039: IPSEC(crypto_ipsec_create_ipsec_sas): Map found PFSVPN
*Feb 18 15:56:10.039: IPSEC(create_sa): sa created,
  (sa) sa_dest= 205.237.121.4, sa_proto= 50,
    sa_spi= 0xDB886A86(3683150470),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2007
    sa_lifetime(k/sec)= (4608000/3600)
*Feb 18 15:56:10.039: IPSEC(create_sa): sa created,
  (sa) sa_dest= 205.237.121.1, sa_proto= 50,
    sa_spi= 0x73DE9E8(121498088),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2008
    sa_lifetime(k/sec)= (4608000/3600)
*Feb 18 15:56:10.043: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:56:10.043: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Feb 18 15:56:10.043: IPSEC: Expand action denied, notify RP

So, at this point, I'm a bit stuck as to what's wrong.  First, I need to get the VPN working and passing traffic.  Secondly, I need to configure this as a split-tunnel so only traffic destined for the home office goes over the VPN and everything destined for the Internet does not.
Any suggestions?  I'm attaching the config for the 1921.

Thanks!
Brett
P.S.  Just one note about the config....At our home office, we have multiple subnets in the 10.x.x.x ranges.  We want traffic that is destined for any of them to traverse the VPN.
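As an added example (not from the post, pfSense or Cisco), a small Python parser for the debug crypto ipsec excerpt above: it pulls out the negotiated Phase 2 selectors and the created SAs, flags the "Expand action denied" line, and checks which home-office subnets fall inside the remote selector 10.0.0.0/13 (mask 255.248.0.0), which covers only 10.0.0.0 through 10.7.255.255. The home-office subnets fed to that check are constructed for illustration, not taken from the post.

```python
import ipaddress
import re

# Constructed excerpt of the "debug crypto ipsec" output quoted in the post
# (timestamps dropped); addresses, masks and transforms are the ones shown there.
DEBUG_OUTPUT = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 205.237.121.4:0, remote= 205.237.121.1:0,
    local_proxy= 10.23.0.0/255.255.240.0/256/0,
    remote_proxy= 10.0.0.0/255.248.0.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
IPSEC(create_sa): sa created,
  (sa) sa_dest= 205.237.121.4, sa_proto= 50,
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2007
IPSEC(create_sa): sa created,
  (sa) sa_dest= 205.237.121.1, sa_proto= 50,
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2008
IPSEC: Expand action denied, notify RP
"""

# IOS prints a proxy as address/netmask/protocol/port; protocol 256 means "any".
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
SA_RE = re.compile(r"sa_dest= ([\d.]+), sa_proto= (\d+),\s+sa_trans= (.+?) ,")

def parse_proxies(text):
    """Negotiated Phase 2 selectors as {'local': network, 'remote': network}."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")
            for side, addr, mask, _proto, _port in PROXY_RE.findall(text)}

def parse_sas(text):
    """(sa_dest, IP protocol number, transform set) for each 'sa created' record."""
    return [(dest, int(proto), trans.strip())
            for dest, proto, trans in SA_RE.findall(text)]

def uncovered_subnets(remote_proxy, home_subnets):
    """Home-office subnets outside the remote selector: traffic to them never
    matches the SA, so it is not sent through the tunnel."""
    return [net for net in map(ipaddress.ip_network, home_subnets)
            if not net.subnet_of(remote_proxy)]

def expand_denied(text):
    """True if IOS logged 'Expand action denied' after the SAs were created."""
    return "Expand action denied" in text

if __name__ == "__main__":
    proxies = parse_proxies(DEBUG_OUTPUT)
    print(proxies, parse_sas(DEBUG_OUTPUT), expand_denied(DEBUG_OUTPUT))
    # Constructed home-office subnets (hypothetical, not from the post).
    print(uncovered_subnets(proxies["remote"], ["10.1.0.0/16", "10.30.0.0/16"]))
```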
