Site-to-site IPSec VPN between Cisco 2901 and PFSense

Tom Ribbens
Level 1

Hi all,

I'm trying to set up a site-to-site VPN between a Cisco 2901 and a pfSense router.

Cisco side local networks: 192.168.0.0/17

pfSense side local networks: 192.168.128.0/17

On the Cisco side, I see this:

jenny#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
<CiscoPubIP>    <PFSensePubIP>  QM_IDLE           1001 ACTIVE

While this does seem to indicate that phase 1 is up, I find it very strange that the dst and src are reversed.

jenny#show crypto ipsec sa 

interface: GigabitEthernet0/0
    Crypto map tag: PFSVPN, local addr <CiscoPubIP>

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.128.0/255.255.128.0/0/0)
   current_peer <PFSensePubIP> port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: <CiscoPubIP>, remote crypto endpt.: <PFSensePubIP>
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xC85DBC9F(3361586335)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xE883B563(3900945763)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: PFSVPN
        sa timing: remaining key lifetime (k/sec): (4257664/3021)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC85DBC9F(3361586335)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: PFSVPN
        sa timing: remaining key lifetime (k/sec): (4257664/3021)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Here you can see that no packets have gone over the network. Does anybody have any idea why this is not working?

1 Reply

Richard Burts
Hall of Fame

The fact that you have both ISAKMP and IPsec SAs does indicate that the negotiation has been successful. But no traffic is going through the tunnel. In my experience there are a couple of things that can cause this symptom. Are you sure that there is a correct route from the devices in your 192.168.0.0/17 to 192.168.128.0/17 that goes through your Gig0/0 interface? Is it possible that the traffic is being translated (you generally want the traffic going through the VPN to be exempt from translation)?

HTH

Rick
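As an added illustration (not from the original thread), here is what the NAT exemption and route that Rick describes would look like on the Cisco side, using the two /17 networks from the question. It assumes the existing overload NAT is driven by an access list named NAT_ACL and that the ISP next hop on Gi0/0 is the placeholder <ISPGatewayIP>; both names are assumptions, not taken from the poster's config.

```cisco
! Added example, not the poster's configuration.
! Assumes NAT uses an ACL called NAT_ACL (assumed name) and that the
! upstream gateway on GigabitEthernet0/0 is <ISPGatewayIP> (placeholder).
!
! 1. Exempt VPN traffic from NAT. The deny must come BEFORE the permit,
!    otherwise the overload rule still rewrites the source address and the
!    packet no longer matches the crypto ACL (encaps counter stays at 0).
ip access-list extended NAT_ACL
 deny   ip 192.168.0.0 0.0.127.255 192.168.128.0 0.0.127.255
 permit ip 192.168.0.0 0.0.127.255 any
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
!
! 2. Make sure the remote /17 is routed out the interface that carries the
!    crypto map (Gi0/0); a route via another interface bypasses the tunnel.
ip route 192.168.128.0 255.255.128.0 <ISPGatewayIP>
!
! 3. Verify after generating traffic from 192.168.0.0/17 to 192.168.128.0/17:
!    no NAT entries for the VPN pair, and the encaps/decaps counters rising.
show ip nat translations
show crypto ipsec sa | include pkts encaps|pkts decaps
```

The pfSense side needs the mirror image: its phase 2 selector must be 192.168.128.0/17 to 192.168.0.0/17 and its outbound NAT must likewise not rewrite that traffic.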
