Historically Cisco doesn't play well with anything but Cisco. I have tried on several occasions to connect to Cisco VPN devices with things other than Cisco and have either had connectivity issues that made the connections very unstable or have not been able to connect at all. YMMV, good luck.
On Thu, Oct 16, 2008 at 10:00 PM, Graham Freeman <[EMAIL PROTECTED]> wrote:
> Howdy, folks,
>
> I'm looking for advice with a couple of problems I'm having with a point-to-point IPsec VPN.
>
>
> (1) I can't seem to convince the two sides to speak 3DES to each other in Phase 2 (SA/Key Exchange) - only single-DES (you know, basically plaintext). Both 3DES and single-DES work in Phase 1, but only single-DES works in Phase 2.
>
> The PIX is licensed for 3DES, and the configs seem to allow it, but it won't work unless I configure pfSense to use single-DES.
>
> The same was true when I tried with m0n0wall<->Cisco rather than pfSense<->Cisco, leading me to suspect it's something I'm doing wrong on the Cisco side.
>
> m0n0wall/pfSense<->m0n0wall/pfSense point-to-point IPsec connections work just fine, not only with 3DES but also with Blowfish, AES, and other encryption methods with interesting names.
>
>
> (2) Once the PIX<->pfSense VPN (using DES in Phase 2) is established, it generally works but after a short while we start experiencing packet loss of approximately 5-10% (pinging from one host behind the pfSense to another host behind the PIX) and the pfSense Security Association Database (SAD) table fills up with dozens and dozens of apparently-stale associations (Source: PIX public IP, Dest: pfSense public IP, each with a unique SPI).
>
> If I stop and restart the IPsec service on pfSense, things are peachy again... for a short while.
>
>
> Here's our setup in a nutshell. All utilization figures were observed in the middle of the day during a period of relatively moderate usage. I didn't include IPsec details due to security concerns, but hopefully someone can still give me some pointers without that info. If need be, I'll sanitize and post the IPsec config details as well. I set this up by following the instructions at this URL: http://doc.m0n0.ch/handbook/examplevpn.html
>
>
> office: pfSense 1.2-RELEASE on a Lenovo Pentium-4 desktop PC
> Typical state table size: 1305/10000
> Typical MBUF usage: 323 /9735
> Typical CPU usage: 6%
> Typical memory usage: 9%
> Typical swap usage: <1%
> Typical disk usage: <1%
>
>
> datacenter: Cisco PIX
> CPU utilization for 5 seconds: 0%; 1 minute: 0%; 5 minutes: 0%
> Free memory: ~40MB (of ~60MB)
> Used memory: ~20MB (of ~60MB)
>
> # show version
>
> Cisco PIX Firewall Version 6.3(4)
> Cisco PIX Device Manager Version 3.0(2)
>
> Compiled on Fri 02-Jul-04 00:07 by morlee
>
> pix01 up 70 days 5 hours
>
> Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
> Flash E28F128J3 @ 0x300, 16MB
> BIOS Flash AM29F400B @ 0xfffd8000, 32KB
>
> Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM: 1.9, FW:6.5)
> 0: ethernet0: address is [elided], irq 10
> 1: ethernet1: address is [elided], irq 11
> 2: ethernet2: address is [elided], irq 11
> 3: ethernet3: address is [elided], irq 10
> 4: ethernet4: address is [elided], irq 9
> 5: ethernet5: address is [elided], irq 5
> Licensed Features:
> Failover: Enabled
> VPN-DES: Enabled
> VPN-3DES-AES: Enabled
> Maximum Physical Interfaces: 6
> Maximum Interfaces: 10
> Cut-through Proxy: Enabled
> Guards: Enabled
> URL-filtering: Enabled
> Inside Hosts: Unlimited
> Throughput: Unlimited
> IKE peers: Unlimited
>
> This PIX has an Unrestricted (UR) license.
>
>
>
> Any pointers?
>
> thanks!
>
> Graham Freeman
> [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

--
Dennis Miller - "A recent police study found that you're much more likely to get shot by a fat cop if you run."
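The symptom in the quoted report (the pfSense SAD filling with dozens of PIX-to-pfSense ESP entries, each with its own SPI, while the tunnel degrades) is easier to diagnose with a quick count than by eyeballing the table. The script below is an added example, not code from the thread or from pfSense or Cisco. It assumes a dump in the shape of FreeBSD `setkey -D` output (the kernel SADB that pfSense 1.2's SAD page reads; the exact field layout is an assumption), and the sample dump is constructed, not captured from the poster's devices. It reports two things a practitioner would check first: SAs that have never carried a packet since being installed (`allocated: 0` after a grace period, or a `dying`/`dead` state), and directions that hold more SAs than one active plus one being rekeyed, which is the usual shape of a lifetime or rekey mismatch between the two peers.

```python
"""Flag IPsec SA pile-up in a KAME/FreeBSD-style SAD dump (added example)."""
import re
from collections import Counter

# Regexes for the `setkey -D` fields we rely on; the layout is an assumption.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")        # unindented "src dst" line
SPI_RE = re.compile(r"^\s*(\w+)\s+mode=(\w+)\s+spi=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")
AGE_RE = re.compile(r"diff:\s*(\d+)\(s\)")          # seconds since SA creation
ALLOC_RE = re.compile(r"allocated:\s*(\d+)")        # packets processed on the SA

# Constructed sample: three ESP SAs from the "PIX" (203.0.113.1) toward the
# "pfSense" (198.51.100.2), only the newest of which carries traffic, plus one
# healthy SA in the reverse direction. Addresses and SPIs are made up.
SAMPLE_SAD = """\
203.0.113.1 198.51.100.2
\tesp mode=tunnel spi=256(0x00000100) reqid=16385(0x00004001)
\tE: des-cbc  0011223344556677
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Oct 16 21:00:00 2008\tcurrent: Oct 16 22:00:00 2008
\tdiff: 3600(s)\thard: 28800(s)\tsoft: 23040(s)
\tallocated: 0\thard: 0\tsoft: 0
203.0.113.1 198.51.100.2
\tesp mode=tunnel spi=512(0x00000200) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 1800(s)\thard: 28800(s)\tsoft: 23040(s)
\tallocated: 0\thard: 0\tsoft: 0
203.0.113.1 198.51.100.2
\tesp mode=tunnel spi=768(0x00000300) reqid=16385(0x00004001)
\tseq=0x000005dc replay=4 flags=0x00000000 state=mature
\tdiff: 60(s)\thard: 28800(s)\tsoft: 23040(s)
\tallocated: 1500\thard: 0\tsoft: 0
198.51.100.2 203.0.113.1
\tesp mode=tunnel spi=1024(0x00000400) reqid=16385(0x00004001)
\tseq=0x00000578 replay=4 flags=0x00000000 state=mature
\tdiff: 60(s)\thard: 28800(s)\tsoft: 23040(s)
\tallocated: 1400\thard: 0\tsoft: 0
"""


def parse_sad(dump):
    """Return one dict per SA record: src, dst, proto, mode, spi, state, age_s, allocated."""
    sas, cur = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:                                   # new record starts at an unindented src/dst line
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "mode": None,
                   "spi": None, "state": None, "age_s": 0, "allocated": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue                            # ignore anything before the first record
        if (m := SPI_RE.match(line)):
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        if (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)
        if (m := AGE_RE.search(line)):
            cur["age_s"] = int(m.group(1))
        if (m := ALLOC_RE.search(line)):
            cur["allocated"] = int(m.group(1))
    return sas


def find_stale(sas, min_idle_s=300):
    """SAs that are expiring, or that have carried nothing for at least min_idle_s."""
    return [sa for sa in sas
            if sa["state"] in ("dying", "dead")
            or (sa["allocated"] == 0 and sa["age_s"] >= min_idle_s)]


def sa_pileup(sas, max_per_flow=2):
    """Directions holding more SAs than one active plus one mid-rekey."""
    counts = Counter((sa["src"], sa["dst"], sa["proto"]) for sa in sas)
    return {flow: n for flow, n in counts.items() if n > max_per_flow}


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    for sa in find_stale(sas):
        print(f"stale: {sa['src']} -> {sa['dst']} spi={sa['spi']} age={sa['age_s']}s")
    for (src, dst, proto), n in sa_pileup(sas).items():
        print(f"pile-up: {n} {proto} SAs {src} -> {dst}; compare Phase 2 lifetimes on both peers")
```

Run it against a real dump by piping `setkey -D` into the script in place of `SAMPLE_SAD`. A direction that keeps growing while only the newest SPI has a non-zero `allocated` count means the remote side is installing fresh SAs faster than the old ones expire, so the Phase 2 lifetime, PFS and proposal settings on the two peers are the first thing to compare.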
