PF firewall NAT and Windows IPSEC tunnel
Matthew Grooms
mgrooms at shrew.net
Fri Feb 15 00:25:35 UTC 2008
Nerius,
This sounds like a DPD timeout. The Cisco VPN client or Cisco gateway is
probably not configured to use NAT-T or you are blocking UDP port 4500.
Using the static-port trick will help in some instances where a client
doesn't support NAT-T, but it also prevents multiple clients behind the
pf firewall from communicating with the same gateway simultaneously. If
that's not the case then no big deal. If so, it's best to just NAT UDP
port 4500 outbound normally for Cisco clients unless the Cisco gateway
has NAT-T disabled.
In legacy IPsec fashion, the client will establish its IKE session on
the standard UDP port 500 and then pass ESP transport packets. With
NAT-T enabled, the client will initiate IKE on port 500 and then switch
to port 4500 if NAT is detected. ESP packets will be encapsulated in UDP
and passed on port 4500 as well which is easier for NAT firewalls to
deal with. The client should also issue keep-alive packets to prevent
firewall state from being culled. Without this, no traffic would be sent
while the client is idle and pf would drop state after 60 secs by default.
udp.first 60s
udp.single 30s
udp.multiple 60s
other.first 60s
other.single 30s
other.multiple 60s
If you don't see traffic on port 4500 but you do see ESP traffic, the
other thing to try would be to increase the state lifetime for UDP port
500 and ESP traffic. Assuming DPD is enabled on the Cisco gateway, this
would help avoid state timeout so that the client has more time between
sending or receiving notifications. ESP shouldn't be too troublesome as
there are no ports to translate ... unless you have multiple clients
behind the same firewall trying to talk to the same gateway. But that's
what NAT-T is for.
Hope this helps,
-Matthew
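Added example, not part of Matthew's post: a pf.conf fragment for FreeBSD's pf that puts the options above side by side (the static-port trick for IKE, ordinary NAT for NAT-T on 4500, and longer state lifetimes for IKE and ESP). Interface names em0/em1 and the LAN prefix 192.168.1.0/24 are assumptions.

```pf
# Assumed topology (constructed for this example)
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# --- NAT (first matching nat rule wins, so list the specific ones first) ---

# Legacy IKE on UDP 500 with the static-port trick: the source port stays 500,
# which some non-NAT-T peers require. Trade-off: only ONE client behind this
# firewall can talk to a given gateway at a time, because a second client's
# IKE session would collide on the same translated 5-tuple.
nat on $ext_if proto udp from $lan_net port 500 to any port 500 \
    -> ($ext_if) static-port

# NAT-T on UDP 4500: ordinary port translation. ESP rides inside UDP here,
# so several clients can reach the same gateway simultaneously.
nat on $ext_if proto udp from $lan_net to any port 4500 -> ($ext_if)

# Raw ESP (IP protocol 50) has no ports to translate; pf tracks it by
# addresses only, so again only one client per gateway works without NAT-T.
nat on $ext_if proto esp from $lan_net to any -> ($ext_if)

# Everything else
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- State lifetimes (defaults are udp.*/other.* = 60/30/60 seconds) ---

# Give IKE (500/4500) more headroom between DPD or keep-alive exchanges
# instead of raising the global udp.* timeouts for all UDP traffic.
pass out on $ext_if proto udp from $lan_net to any port { 500, 4500 } \
    keep state (udp.first 120, udp.single 120, udp.multiple 300)

# ESP is tracked under the other.* timeouts; extend them the same way.
pass out on $ext_if proto esp from $lan_net to any \
    keep state (other.first 120, other.single 120, other.multiple 300)
```

Drop the static-port rule entirely once the gateway and client both negotiate NAT-T; then the 4500 rule carries the tunnel and the single-client limitation disappears.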