These are the bugs I was able to find right off the release notes as
having been fixed in 6.3.5 that relate to IPSEC.

Note that you do have the VAC card in your 515e.


CSCec86400 Yes PIX traceback after issuing show isakmp sa detail 
CSCef10485 Yes PIX assigns the first time wrong IP address to VPNclient
CSCef17703 Yes Premature invalid SPI with dynamic crypto map
CSCef57566 Yes PIX PMTUD implementation for IPSec vulnerable to spoofed
CSCef75987 Yes Packets corrupted and spurious invalid SPI with VAC under
CSCeg20248 Yes PIX 501 crashes when VPN to VPN 3030 concentrator using
CSCeh33341 Yes FastEthernet driver might corrupt packets under extreme
CSCeh96286 Yes Deadlock of vac poll and interface threads with VAC card
CSCei09184 Yes L2TP over IPSEC NAT-T not working with WindowsXP


-----Original Message-----
From: Graham Freeman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2008 10:00 PM
To: [email protected]
Subject: [pfSense Support] Problems with Cisco<->pfSense IPsec VPN

Howdy, folks,

I'm looking for advice with a couple of problems I'm having with a
point-to-point IPsec VPN.


(1) I can't seem to convince the two sides to speak 3DES to each other
in Phase 2 (SA/Key Exchange) - only single-DES (you know, basically
plaintext). Both 3DES and single-DES work in Phase 1, but only
single-DES works in Phase 2.

The PIX is licensed for 3DES, and the configs seem to allow it, but it
won't work unless I configure pfSense to use single-DES.

The same was true when I tried with m0n0wall<->Cisco rather than
pfSense<->Cisco, leading me to suspect it's something I'm doing wrong
on the Cisco side.

m0n0wall/pfSense<->m0n0wall/pfSense point-to-point IPsec connections
work just fine, not only with 3DES but also with Blowfish, AES, and
other encryption methods with interesting names.


(2) Once the PIX<->pfSense VPN (using DES in Phase 2) is established,
it generally works but after a short while we start experiencing
packet loss of approximately 5-10% (pinging from one host behind the
pfSense to another host behind the PIX) and the pfSense Security
Association Database (SAD) table fills up with dozens and dozens of
apparently-stale associations (Source: PIX public IP, Dest: pfSense
public IP, each with a unique SPI).

If I stop and restart the IPsec service on pfSense, things are peachy
again... for a short while.


Here's our setup in a nutshell. All utilization figures were
observed in the middle of the day during a period of relatively
moderate usage. I didn't include IPsec details due to security
concerns, but hopefully someone can still give me some pointers
without that info. If need be, I'll sanitize and post the IPsec
config details as well. I set this up by following the instructions
at this URL: http://doc.m0n0.ch/handbook/examplevpn.html


office:    pfSense 1.2-RELEASE on a Lenovo Pentium-4 desktop PC
Typical state table size:  1305/10000
Typical MBUF usage:  323 /9735
Typical CPU usage:  6%
Typical memory usage:  9%
Typical swap usage:  <1%
Typical disk usage:  <1%


datacenter:    Cisco PIX
CPU utilization for 5 seconds:  0%; 1 minute: 0%; 5 minutes: 0%
Free memory:  ~40MB (of ~60MB)
Used memory:  ~20MB (of ~60MB)

# show version

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

pix01 up 70 days 5 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM: 1.9, FW:6.5)
0: ethernet0: address is [elided], irq 10
1: ethernet1: address is [elided], irq 11
2: ethernet2: address is [elided], irq 11
3: ethernet3: address is [elided], irq 10
4: ethernet4: address is [elided], irq 9
5: ethernet5: address is [elided], irq 5
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.



Any pointers?

thanks!

Graham Freeman
[EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
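The two symptoms in the original post (single-DES being the only Phase 2 cipher that negotiates, and the pfSense SAD filling with stale PIX->pfSense associations that each carry a unique SPI) can both be spotted mechanically from the SAD listing. The script below is an added example, not code from the thread, pfSense or Cisco: it parses a constructed sample laid out like `setkey -D` output (the listing behind pfSense's SAD view; addresses, SPIs, timestamps and key material are made up, and the entries are indented with spaces rather than tabs for readability), counts live SAs per peer direction, flags a pileup beyond the one-or-two SAs a healthy tunnel holds around rekey, and reports any Phase 2 transform using single DES or no encryption. The `max_live_per_direction` threshold is an assumption you would tune to your rekey behaviour.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `setkey -D` layout. Four SAs from the PIX
# (203.0.113.10) towards pfSense (198.51.100.5), three still "mature" and one
# "dying", plus one SA in the return direction. All values are made up.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.5
    esp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
    E: des-cbc  0123456789abcdef
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct 16 21:00:01 2008   current: Oct 16 22:00:01 2008
203.0.113.10 198.51.100.5
    esp mode=tunnel spi=16909061(0x01020305) reqid=0(0x00000000)
    E: des-cbc  fedcba9876543210
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct 16 21:10:01 2008   current: Oct 16 22:00:01 2008
203.0.113.10 198.51.100.5
    esp mode=tunnel spi=16909062(0x01020306) reqid=0(0x00000000)
    E: des-cbc  0011223344556677
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct 16 21:20:01 2008   current: Oct 16 22:00:01 2008
203.0.113.10 198.51.100.5
    esp mode=tunnel spi=16909063(0x01020307) reqid=0(0x00000000)
    E: des-cbc  8899aabbccddeeff
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
    created: Oct 16 20:50:01 2008   current: Oct 16 22:00:01 2008
198.51.100.5 203.0.113.10
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: des-cbc  aabbccddeeff0011
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct 16 21:20:01 2008   current: Oct 16 22:00:01 2008
"""

# An entry starts with an unindented "src dst" line; the indented lines that
# follow describe that SA. Only the fields used below are extracted.
HEADER_RE = re.compile(r"^(\S+) (\S+)$")
SPI_RE = re.compile(r"spi=(\d+)\(0x[0-9a-fA-F]+\)")
ENC_RE = re.compile(r"^\s*E:\s*(\S+)")
STATE_RE = re.compile(r"state=(\w+)")

# Transforms a defender would not want to see on a production tunnel.
WEAK_ENCRYPTION = {"des-cbc", "null"}


def parse_sad(text):
    """Return a list of dicts: src, dst, spi (int), enc (str), state (str)."""
    entries, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header and not line.startswith((" ", "\t")):
            current = {"src": header.group(1), "dst": header.group(2),
                       "spi": None, "enc": None, "state": None}
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := SPI_RE.search(line)):
            current["spi"] = int(m.group(1))
        if (m := ENC_RE.match(line)):
            current["enc"] = m.group(1)
        if (m := STATE_RE.search(line)):
            current["state"] = m.group(1)
    return entries


def sa_count_by_peer(entries):
    """Map (src, dst) -> list of SPIs present in that direction, any state."""
    by_peer = defaultdict(list)
    for e in entries:
        by_peer[(e["src"], e["dst"])].append(e["spi"])
    return dict(by_peer)


def find_sa_pileups(entries, max_live_per_direction=2):
    """Peer directions holding more *mature* SAs than a rekey would explain.

    One tunnel normally carries one SA per direction, briefly two while the
    new SA overlaps the old one. Dozens of mature SAs with distinct SPIs
    towards one peer, as described in the post, is the pileup flagged here.
    The threshold is an assumption; tune it to your rekey overlap.
    """
    live = defaultdict(list)
    for e in entries:
        if e["state"] == "mature":
            live[(e["src"], e["dst"])].append(e["spi"])
    return {peer: spis for peer, spis in live.items()
            if len(spis) > max_live_per_direction}


def find_weak_encryption(entries):
    """Sorted set of weak Phase 2 ciphers found in the SAD (e.g. single DES)."""
    return sorted({e["enc"] for e in entries if e["enc"] in WEAK_ENCRYPTION})


if __name__ == "__main__":
    sad = parse_sad(SAMPLE_SAD)
    for peer, spis in find_sa_pileups(sad).items():
        print(f"SA pileup {peer[0]} -> {peer[1]}: {len(spis)} mature SAs, SPIs {spis}")
    for cipher in find_weak_encryption(sad):
        print(f"weak Phase 2 transform in use: {cipher}")
```

Run it against a real listing by feeding the output of `setkey -D` to `parse_sad` instead of `SAMPLE_SAD`; a growing SPI list for the PIX->pfSense direction over successive runs is the stale-SA symptom, while the weak-cipher report confirms whether Phase 2 is really still negotiating single DES after a config change.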

