Let me explain something here since I'm not making the problem clear.
The problem has -nothing- at all to do with the Cisco firewall. The
setsockopt errors occur -well before- any communication with the other
end-point of the VPN tunnel. Case in point, I can set the other
end-point of the tunnel to be a non-existent IP address and I still get
the setsockopt errors. I tried making a tunnel to non-Cisco firewalls,
same result. Furthermore, ISAKMP NAT Traversal is definitely disabled
on the Cisco firewall as per default.
The fact of the matter is there is a disagreement of some sort between
web-configuration GUI front-end and the kernel's network back-end. The
whole IPSEC_NAT_T thing may be a red herring, but from what I can see
IPSEC_NAT_T is required for the UDP_ENCAP_ESPINUDP_NON_IKE socket option
which is in turn required for network-to-network VPN tunnels with
pre-shared keys. Software within pfSense--racoon--is trying to set an
unsupported socket option well before any communication with the remote
VPN end-point. Thus the problem is definitely within pfSense somewhere,
be it the kernel lacking support of a needed option or racoon setting a
bad socket option. I even switched from ESP to AH on Phase2, but it
still tried doing the UDP_ENCAP_ESPINUDP_NON_IKE socket option and
actually stopped the pfSense firewall from doing any NAT at all for a
minute or so.
From the quote below, it sounds like I'm the first person to try a
network-to-network VPN tunnel using a pre-shared key on the pfSense
firewall. Can anyone confirm successfully setting up a
network-to-network VPN tunnel with pre-shared key between a pfSense
firewall and any other non-pfSense firewall? If I'm missing something
let me know, but all signs point to a problem in pfSense.
Thanks again,
-ryan
Bill Marquette wrote:
Geee, sure wish people had tested IPSec NAT Traversal when we asked
for testers. We got no positive (or negative) feedback and it was
pulled - too late in the release phase to leave it in for long. I
don't know anything about the Cisco side of things, hopefully someone
else can help you get it configured. But NAT-T on the Cisco side
certainly seems to be the source of your problems.
--Bill
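As an added diagnostic example, not code from this thread or from pfSense or racoon: the probe below repeats the setsockopt(UDP_ENCAP, UDP_ENCAP_ESPINUDP_NON_IKE) call that racoon makes before any traffic is sent to the peer, and reports how the local kernel answers, so a kernel built without IPsec NAT-T support can be told apart from a problem with the remote firewall. It assumes the option names from <netinet/udp.h> as shipped on Linux and FreeBSD and needs no network access.

```c
/* udp_encap_probe.c: repeat the setsockopt() call racoon makes for IPsec
 * NAT-T and translate the kernel's answer into a diagnosis. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>   /* UDP_ENCAP, UDP_ENCAP_ESPINUDP_NON_IKE (Linux, FreeBSD) */

/* Returns 0 when the kernel accepts the encapsulation mode, the positive
 * errno from setsockopt() when it rejects it, or -errno when no UDP socket
 * could be opened at all, so the caller can tell the two failures apart. */
int probe_udp_encap(int encap_mode)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    int rc = setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &encap_mode, sizeof encap_mode);
    int result = (rc == 0) ? 0 : errno;
    close(fd);
    return result;
}

/* Maps a probe result to what it means for a racoon-based tunnel. */
const char *diagnose_udp_encap(int rc)
{
    if (rc == 0)
        return "accepted: kernel supports ESP-in-UDP, racoon's NAT-T setsockopt will succeed";
    if (rc == ENOPROTOOPT)
        return "ENOPROTOOPT: kernel built without IPsec NAT-T, racoon's setsockopt will fail";
    if (rc > 0)
        return "rejected: IPsec UDP encapsulation not available in this kernel build";
    return "inconclusive: could not open a UDP socket to run the probe";
}

int main(void)
{
    /* The two NAT-T framings racoon can ask for; NON_IKE is the one from the report. */
    const struct { int mode; const char *name; } modes[] = {
        { UDP_ENCAP_ESPINUDP_NON_IKE, "UDP_ENCAP_ESPINUDP_NON_IKE" },
        { UDP_ENCAP_ESPINUDP,         "UDP_ENCAP_ESPINUDP" },
    };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int rc = probe_udp_encap(modes[i].mode);
        printf("%-28s -> %s (%s)\n", modes[i].name, diagnose_udp_encap(rc),
               rc > 0 ? strerror(rc) : rc < 0 ? strerror(-rc) : "ok");
    }
    return 0;
}
```

Run it on the pfSense box itself: ENOPROTOOPT on the NON_IKE line matches the page's theory of a kernel lacking IPSEC_NAT_T, while "accepted" means the failure lies elsewhere in the racoon configuration.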