
Author Topic: pfSense + Cisco  (Read 1905 times)


ATI
pfSense + Cisco
« on: July 17, 2012, 10:02:26 pm »
Hi all,
I'm stuck on the configuration of a tunnel between a Cisco router and pfSense 2.0.1... well, at least stuck on the phase 2 network definition, or the routes.
Let me explain:

schema ------------- publicIP 1 ----((internet))--------publicIP 2 -------------  :  Linux server is
                        Cisco                                                                      pfSense

In fact the tunnel is up and running: status UP.
The SAD shows some traffic from the Cisco router: 120 B each time I ping a server behind pfSense from the Cisco router.

publicIP 2    publicIP 1    ESP    c29780f7    3des-cbc    hmac-md5    66880 B    
publicIP 1    publicIP 2    ESP    0cddecca    3des-cbc    hmac-md5    1800 B

This Linux box receives the ping perfectly and replies correctly, as shown by the iptables log I created to test that:
Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xxx SRC= DST= LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3
Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : IN= OUT=eth0 SRC= DST= LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3

What I don't get is that even though SAD traffic from pfSense is growing, and the tunnel is up, the other side receives nothing.

I also have 2 IPSec firewall rules in pfSense to allow traffic both ways; I activated logging to understand better:
*    LAN net    *    *    *    none         2to1 in IPSEC_FW_RULE     
*    *    LAN net    *    *    none         1to2 in IPSEC_FW_RULE 

I can see the 1to2 rule triggered in the logs, but never the 2to1 (e.g. when the Linux server replies to the ping)...

What am I missing?

Thanks for your help

ATI
Re: pfSense + Cisco
« Reply #1 on: July 18, 2012, 12:10:12 pm »
Here is an update:

As said above, I can't see the IPSEC firewall rule triggered when the server replies to a ping request.
In fact, I can see a LAN firewall rule triggered if I log ICMP from my test server:
pass  Jul 18 13:09:02    LAN           ICMP   // ping started from
pass   Jul 18 13:08:15            enc0      ICMP   // ping started from

So the problem seems to be that the route to the IPSec tunnel does not exist: traffic to 10.19.x.x does NOT go to the tunnel interface.
I checked my phase2 settings:
LOCAL Network = LAN Subnet
REMOTE Network = Network / 16

((NB: I tried to put manually / 24 in LOCAL Network, but I have the same results))

I thought routes for the IPSec tunnel were created automatically (I read this in my searches).
Isn't that the case?
How can I check this point, as there is no place to see automatically created tunnel routes?
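A note on the routing question raised in the two posts above, with an added example that is not part of the thread. pfSense 2.0.x with racoon builds a policy-based tunnel: there is no routing-table entry for the remote network, and a packet is handed to the tunnel only if its source and destination fall inside a phase 2 selector (the local/remote network pair). A reply whose source address is outside the phase 2 local network is simply routed by the normal table and leaves unencrypted, which looks exactly like a "missing route". The script below parses netfilter LOG lines of the form shown in the first post and checks the reply's SRC/DST against the phase 2 networks; the addresses, log prefixes and networks are constructed placeholders, not values from the thread.

```python
"""Check whether ICMP replies seen in a netfilter LOG fall inside an IPsec phase 2 selector.

Added example, not code from the forum thread or from pfSense. The log lines are
the shape used in the post, with constructed placeholder addresses filled in.
"""
import ipaddress
import re

# Constructed sample log: echo request in, echo reply out (addresses are placeholders).
SAMPLE_LOG = """\
Jul 18 03:26:15 linuxserver kernel: [354768.967481] PING_IN__linuxserver : IN=eth0 OUT= MAC=xx SRC=10.19.1.10 DST=192.168.1.50 LEN=100 TOS=0x00 PREC=0x00 TTL=254 ID=466 PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=3
Jul 18 03:26:15 linuxserver kernel: [354768.967515] PING_OUT_linuxserver : IN= OUT=eth0 SRC=192.168.1.50 DST=10.19.1.10 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=40066 PROTO=ICMP TYPE=0 CODE=0 ID=39 SEQ=3
"""

# KEY=VALUE pairs; VALUE may be empty (e.g. "OUT=" on an inbound packet).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (log prefix, fields dict) for one netfilter LOG line.

    ID= appears twice (IP header ID, then ICMP ID); the second copy is stored
    under ICMP_ID so neither value is lost.
    """
    head, _, rest = line.partition(" : ")
    prefix = head.rsplit("] ", 1)[-1]          # text after the kernel timestamp
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        if key in fields:
            fields["ICMP_" + key] = value
        else:
            fields[key] = value
    return prefix, fields


def matches_phase2(src, dst, local_net, remote_net):
    """True if a src->dst packet falls inside the phase 2 selector local_net -> remote_net.

    This is the SPD match a policy-based IPsec stack performs; a packet that
    fails it is routed normally and never enters the tunnel.
    """
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net))


def check_replies(log_text, local_net, remote_net):
    """For every PING_OUT line, return (src, dst, would_be_tunneled)."""
    results = []
    for line in log_text.splitlines():
        prefix, fields = parse_log_line(line)
        if not prefix.startswith("PING_OUT"):
            continue
        src, dst = fields["SRC"], fields["DST"]
        results.append((src, dst, matches_phase2(src, dst, local_net, remote_net)))
    return results


if __name__ == "__main__":
    # Phase 2 local network covers the Linux server's address: reply is tunneled.
    print(check_replies(SAMPLE_LOG, "192.168.1.0/24", "10.19.0.0/16"))
    # Phase 2 local network does not cover it (e.g. server on another LAN subnet):
    # the reply fails the selector and leaves via the default route instead.
    print(check_replies(SAMPLE_LOG, "192.168.2.0/24", "10.19.0.0/16"))
```

The inbound line also carries TTL=254, one below the 255 a Cisco router uses for locally generated ICMP, which is a quick way to confirm the request came straight from the router rather than via an extra hop. On pfSense the equivalent live checks are the SPD display (`setkey -DP` on 2.0.x) and Diagnostics > Routes, which will show no entry for the remote network even when the tunnel is working.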

Lazyhead
Re: pfSense + Cisco
« Reply #2 on: July 25, 2012, 02:50:15 am »

About the routes, I thought the same thing, that they were created automatically...
Just for the test I created a route "tunnel virtual IP ------wangw" and then the reply ICMP packets were allowed, so try it.

Did you try to do some captures in the pfSense GUI when you ping your LAN and WAN from the Cisco router? It helps a lot.

To check routes on pfSense, go to the Diagnostics section, then "Routes": you can see all the pfSense routes (manually and automatically created).