Ensure that both sides have ISAKMP-IPSEC keepalives enabled and verify that the Cisco side does not have PFS running on either phase 1 or 2.
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Thu, Oct 16, 2008 at 9:00 PM, Graham Freeman <[EMAIL PROTECTED]> wrote:
> Howdy, folks,
>
> I'm looking for advice with a couple of problems I'm having with a
> point-to-point IPsec VPN.
>
>
> (1) I can't seem to convince the two sides to speak 3DES to each other in
> Phase 2 (SA/Key Exchange) - only single-DES (you know, basically plaintext).
> Both 3DES and single-DES work in Phase 1, but only single-DES works in
> Phase 2.
>
> The PIX is licensed for 3DES, and the configs seem to allow it, but it
> won't work unless I configure pfSense to use single-DES.
>
> The same was true when I tried with m0n0wall<->Cisco rather than
> pfSense<->Cisco, leading me to suspect it's something I'm doing wrong on the
> Cisco side.
>
> m0n0wall/pfSense<->m0n0wall/pfSense point-to-point IPsec connections work
> just fine, not only with 3DES but also with Blowfish, AES, and other
> encryption methods with interesting names.
>
>
> (2) Once the PIX<->pfSense VPN (using DES in Phase 2) is established, it
> generally works, but after a short while we start experiencing packet loss of
> approximately 5-10% (pinging from one host behind the pfSense to another
> host behind the PIX) and the pfSense Security Association Database (SAD)
> table fills up with dozens and dozens of apparently-stale associations
> (Source: PIX public IP, Dest: pfSense public IP, each with a unique SPI).
>
> If I stop and restart the IPsec service on pfSense, things are peachy
> again... for a short while.
>
>
> Here's our setup in a nutshell. All utilization figures were observed in
> the middle of the day during a period of relatively moderate usage. I
> didn't include IPsec details due to security concerns, but hopefully someone
> can still give me some pointers without that info. If need be, I'll
> sanitize and post the IPsec config details as well.
>
> I set this up by following the instructions at this URL:
> http://doc.m0n0.ch/handbook/examplevpn.html
>
>
> office: pfSense 1.2-RELEASE on a Lenovo Pentium-4 desktop PC
> Typical state table size: 1305/10000
> Typical MBUF usage: 323 /9735
> Typical CPU usage: 6%
> Typical memory usage: 9%
> Typical swap usage: <1%
> Typical disk usage: <1%
>
>
> datacenter: Cisco PIX
> CPU utilization for 5 seconds: 0%; 1 minute: 0%; 5 minutes: 0%
> Free memory: ~40MB (of ~60MB)
> Used memory: ~20MB (of ~60MB)
>
> # show version
>
> Cisco PIX Firewall Version 6.3(4)
> Cisco PIX Device Manager Version 3.0(2)
>
> Compiled on Fri 02-Jul-04 00:07 by morlee
>
> pix01 up 70 days 5 hours
>
> Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
> Flash E28F128J3 @ 0x300, 16MB
> BIOS Flash AM29F400B @ 0xfffd8000, 32KB
>
> Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM: 1.9,
> FW:6.5)
> 0: ethernet0: address is [elided], irq 10
> 1: ethernet1: address is [elided], irq 11
> 2: ethernet2: address is [elided], irq 11
> 3: ethernet3: address is [elided], irq 10
> 4: ethernet4: address is [elided], irq 9
> 5: ethernet5: address is [elided], irq 5
> Licensed Features:
> Failover: Enabled
> VPN-DES: Enabled
> VPN-3DES-AES: Enabled
> Maximum Physical Interfaces: 6
> Maximum Interfaces: 10
> Cut-through Proxy: Enabled
> Guards: Enabled
> URL-filtering: Enabled
> Inside Hosts: Unlimited
> Throughput: Unlimited
> IKE peers: Unlimited
>
> This PIX has an Unrestricted (UR) license.
>
>
>
> Any pointers?
>
> thanks!
>
> Graham Freeman
> [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
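For readers following the thread, here is what the two knobs Curtis mentions (keepalives on, PFS off) and a 3DES Phase 2 transform look like on the PIX 6.3 side. This is an added illustration, not configuration posted by Curtis or Graham; the peer address 203.0.113.2, the 10.1.0.0/16 and 10.2.0.0/16 subnets, the names vpn-acl, nonat, ESP-3DES-SHA and VPNMAP, and the lifetimes are assumed placeholders that a real deployment would replace.

```cisco
! --- Phase 1 (ISAKMP) ---
! Assumed placeholders: peer 203.0.113.2, pre-shared key shown as ********.
! The pfSense Phase 1 settings (3DES, SHA1, DH group 2, PSK) must match this.
isakmp enable outside
isakmp identity address
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Dead peer detection: probe every 10 seconds, give up after 3 missed replies.
! Without this, a peer that rekeys or restarts leaves old SAs behind on this end.
isakmp keepalive 10 3

! --- Phase 2 (IPsec) ---
! The transform set is what the PIX offers in Phase 2. A set built on esp-des
! (rather than esp-3des) is exactly what limits Phase 2 to single DES, no matter
! what Phase 1 negotiated.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

! Interesting traffic for the tunnel (assumed subnets), and the same traffic
! exempted from NAT so it reaches the crypto map with its real addresses.
access-list vpn-acl permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address vpn-acl
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
! Deliberately no "crypto map VPNMAP 10 set pfs group2" line: PFS is off on
! this end, so PFS must also be disabled in the pfSense Phase 2 settings.
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
```

To confirm what actually got negotiated rather than what was intended: `show isakmp policy` lists the Phase 1 proposals in priority order, `show crypto isakmp sa` shows the Phase 1 SA, and `show crypto ipsec sa` shows each Phase 2 SA with the transform in use (an `esp-des` there while the pfSense side is set to 3DES means the two Phase 2 proposals do not overlap). One end offering PFS and the other not is a common reason a Phase 2 proposal is rejected while Phase 1 succeeds, which is why the PFS setting has to agree on both peers. Watching `show crypto ipsec sa` over time also shows whether SPIs accumulate on the PIX the way Graham reports them piling up in the pfSense SAD.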
