Howdy, folks,
I'm looking for advice with a couple of problems I'm having with a
point-to-point IPsec VPN.
(1) I can't seem to convince the two sides to speak 3DES to each other
in Phase 2 (SA/Key Exchange) - only single-DES (you know, basically
plaintext). Both 3DES and single-DES work in Phase 1, but only
single-DES works in Phase 2.
The PIX is licensed for 3DES, and the configs seem to allow it, but it
won't work unless I configure pfSense to use single-DES.
The same was true when I tried with m0n0wall<->Cisco rather than
pfSense<->Cisco, leading me to suspect it's something I'm doing wrong
on the Cisco side.
m0n0wall/pfSense<->m0n0wall/pfSense point-to-point IPsec connections
work just fine, not only with 3DES but also with Blowfish, AES, and
other encryption methods with interesting names.
(2) Once the PIX<->pfSense VPN (using DES in Phase 2) is established,
it generally works, but after a short while we start experiencing
packet loss of approximately 5-10% (pinging from one host behind the
pfSense to another host behind the PIX), and the pfSense Security
Association Database (SAD) table fills up with dozens and dozens of
apparently stale associations (Source: PIX public IP, Dest: pfSense
public IP, each with a unique SPI).
If I stop and restart the IPsec service on pfSense, things are peachy
again... for a short while.
Here's our setup in a nutshell. All utilization figures were
observed in the middle of the day during a period of relatively
moderate usage. I didn't include IPsec details due to security
concerns, but hopefully someone can still give me some pointers
without that info. If need be, I'll sanitize and post the IPsec
config details as well. I set this up by following the instructions
at this URL: http://doc.m0n0.ch/handbook/examplevpn.html
office: pfSense 1.2-RELEASE on a Lenovo Pentium-4 desktop PC
Typical state table size: 1305/10000
Typical MBUF usage: 323 /9735
Typical CPU usage: 6%
Typical memory usage: 9%
Typical swap usage: <1%
Typical disk usage: <1%
datacenter: Cisco PIX
CPU utilization for 5 seconds: 0%; 1 minute: 0%; 5 minutes: 0%
Free memory: ~40MB (of ~60MB)
Used memory: ~20MB (of ~60MB)
# show version
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
pix01 up 70 days 5 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:
1.9, FW:6.5)
0: ethernet0: address is [elided], irq 10
1: ethernet1: address is [elided], irq 11
2: ethernet2: address is [elided], irq 11
3: ethernet3: address is [elided], irq 10
4: ethernet4: address is [elided], irq 9
5: ethernet5: address is [elided], irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
Any pointers?
thanks!
Graham Freeman
[EMAIL PROTECTED]
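An added example, not from the original post or from the pfSense or Cisco projects, that checks a SAD dump in the shape of `setkey -D` output for the two symptoms described above: Phase 2 SAs negotiated with single DES, and a pile-up of simultaneous SAs for one peer pair. The dump layout, addresses and SPIs below are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like `setkey -D` output (the SAD dump behind the
# pfSense 1.2 IPsec status page), trimmed to the fields used below. Addresses,
# SPIs and layout are assumptions for this example, not data from the post.
SAMPLE_SAD = """\
198.51.100.2 203.0.113.2
    esp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
    E: des-cbc  0123456789abcdef
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2 203.0.113.2
    esp mode=tunnel spi=305419897(0x12345679) reqid=16385(0x00004001)
    E: des-cbc  fedcba9876543210
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2 203.0.113.2
    esp mode=tunnel spi=305419898(0x1234567a) reqid=16385(0x00004001)
    E: des-cbc  0f1e2d3c4b5a6978
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

WEAK_CIPHERS = {"des-cbc", "null"}  # single DES is the cipher the post ends up with

def parse_sad(text):
    """Split a setkey -D dump into one dict per SA (src, dst, spi, enc, state)."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():           # "src dst" header opens an SA
            src, dst = line.split()[:2]
            sas.append({"src": src, "dst": dst})
        elif sas:
            for key, pat in (("spi", r"spi=(\d+)"), ("enc", r"^\s*E:\s+(\S+)"),
                             ("state", r"state=(\w+)")):
                m = re.search(pat, line)
                if m:
                    sas[-1][key] = int(m.group(1)) if key == "spi" else m.group(1)
    return sas

def weak_cipher_sas(sas):
    """Phase 2 SAs whose ESP cipher is weak or absent."""
    return [sa for sa in sas if sa.get("enc") in WEAK_CIPHERS]

def sa_pileups(sas, limit=2):
    """(src, dst) pairs holding more mature SAs than a normal rekey overlap."""
    counts = Counter((sa["src"], sa["dst"])
                     for sa in sas if sa.get("state") == "mature")
    return {pair: n for pair, n in counts.items() if n > limit}

if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    print("weak-cipher SPIs:", [hex(sa["spi"]) for sa in weak_cipher_sas(sas)])
    print("SA pile-ups:", sa_pileups(sas))
```

A legitimate rekey briefly leaves two SAs per direction, which is why `limit` defaults to 2; anything above that for the same peer pair is the stale accumulation the post describes.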