Netgate Discussion Forum
    site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working

Category: IPsec
getcom

The following setup was given by the Cisco admin:

      IKE: IKEv2
      Authentication: pre-shared key
Diffie-Hellman: Group 20 (nist ecp384)
      Encryption: 256-bit AES (aes-cbc-256)
      Hash: SHA-256
      Lifetime (sec): 86400

      IPSec
      Transform Type: ESP
      Encryption: AES-256
      Hash: SHA-256
      SA Lifetime: 3600
      Perfect Forward Secrecy (PFS): Group 20 (nist ecp384)

      Local network is 10.242.62.128/26 (VLAN 101)
      Remote network is 172.18.0.0/21
I created a pre-shared key and sent it to the Cisco admin.

      Phase 1 is connecting, phase 2 is not.
IPsec log: [screenshot not reproduced]

      It does not find the IKE config. What could be the root cause?
      This is the first time trying to connect to a Cisco router, all other site-2-site VPNs between pfSense boxes are running without any issue.
Does anybody have a running site-to-site IPsec IKEv2 VPN to this kind of Cisco router? Is there anything special?

Konstanti @getcom

        @getcom said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

        IKE: IKEv2
        Authentication: pre-shared key

Hi,
you need to check the settings on both sides of the tunnel; they must be identical.
        For example, I see

        Following setup was given from the Cisco admin:
        IKE: IKEv2

        and Cisco is trying to establish an IKEv1 connection

[screenshot not reproduced]

getcom @Konstanti

          @Konstanti

          I assume that "...looking for an IKEv1 config..." is a fallback on pfSense side.

On the Cisco they set up this, which includes IKEv2:
From my perspective they should change that here to "set transform-set esp-sha-hmac esp-aes 256", which they denied (the argument was "It works like this everywhere...").

[screenshot not reproduced]

Additionally, they have a generic protocol definition:

[screenshot not reproduced]

          The Cisco log:

[screenshot not reproduced]

          Debug log on pfSense side:

[screenshot not reproduced]

          Phase 1:

[screenshot not reproduced]

          Phase 2:

[screenshot not reproduced]

viragomann @getcom

            @getcom
            Is your identifier in the phase 1 equal to the IP behind the "remote" of the Cisco log?

            Is your pfSense behind a NAT router?
            If so try to force "NAT Traversal" in P1.

getcom @viragomann

              @viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

              @getcom
              Is your identifier in the phase 1 equal to the IP behind the "remote" of the Cisco log?

              Yes, it is identical. Phase 1 is working.

              Is your pfSense behind a NAT router?

              No, the pfSense is directly connected (PPPoE).

              If so try to force "NAT Traversal" in P1.

              This does not make sense here.

viragomann @getcom

                @getcom
                Did you try to enhance the log level?

I had to troubleshoot an "N(TS_UNACCEPT) N(TS_UNACCEPT)" response from the remote site too in the past. After enhancing the log level, pfSense logged things like "proposing traffic selectors for us: " and "proposing traffic selectors for other: ", which differ. With this output, the remote admin then believed me that the failure was on his side. ^^

getcom @viragomann

                  @viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

                  @getcom
                  Did you try to enhance the log level?

I had to troubleshoot an "N(TS_UNACCEPT) N(TS_UNACCEPT)" response from the remote site too in the past. After enhancing the log level, pfSense logged things like "proposing traffic selectors for us: " and "proposing traffic selectors for other: ", which differ. With this output, the remote admin then believed me that the failure was on his side. ^^

                  I have this already done for IKE SA and IKE Child SA. What did you additionally enhance? Message encoding?

[screenshot not reproduced]

viragomann @getcom

                    @getcom
I don't know anymore. That was 2 years ago.

                    Maybe the docs can help: Troubleshooting IPsec VPNs

                    I would try "Configuration backend", because the helpful entries were logged with "[CFG]".

Konstanti @getcom

                      @getcom

Hi, you have an error with traffic selectors (TS) on the Cisco side when establishing phase 2, which is strange, since everything seems to be configured correctly, both the access list and the reverse mask. If possible, show the entire connection log on the PF side (phase 1 and phase 2).

getcom @Konstanti

                        @Konstanti said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

                        If possible, show the entire connection log on the PF side (phase-1 and phase-2)

This is the debug log: https://pastes.io/gcas2bfucl
                        I hopefully removed the second (working) tunnel log entries completely...
                        The public IPs are masked except the first digit to get a better overview.
                        Is the CIDR "|/0" in the local and remote network maybe the root cause?

Konstanti @getcom

                          @getcom

It is difficult to say anything affirmatively; there is a lot of unnecessary information in the logs (such a high level of logging is, in my opinion, unnecessary). Now, unfortunately, I can't look at the log again right now (the service issues an error), but in the morning I saw that the traffic selectors on your side are configured correctly.
If I were you, I would talk to the Cisco admin again so that he checks all the settings.

Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for us:
                          Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> 10.242.62.128/26|/0
                          reverse mask 0.0.0.63

                          Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for other:
                          Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> 172.18.0.0/21|/0
                          reverse mask 0.0.7.255

It is necessary to check the ACL configured by the Cisco admin.
The screenshot shows that everything is configured correctly:

[screenshot not reproduced]
                          But maybe some settings were saved incorrectly.

For example, there is an error in the ACL name:

[screenshot not reproduced]

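As an added example (not code from the thread, pfSense, strongSwan or Cisco), here is a small Python script that does the two checks the posts above describe by hand: it pulls the "proposing traffic selectors for us/other" lines out of a charon log (the [CFG] output viragomann suggests enabling), detects the TS_UNACCEPT notify, derives the Cisco "reverse mask" (wildcard) for each proposed network the way Konstanti did (0.0.0.63 for /26, 0.0.7.255 for /21), and compares the result against a crypto ACL pasted from the Cisco side. The log lines and the ACL below are constructed for the example, modelled on the entries quoted in the thread; the ACL carries a deliberately wrong wildcard to show what a mismatch report looks like. A typo in a profile or ACL name, which turned out to be the real cause here, cannot be seen in the ACL body alone, so this only checks masks and mirroring.

```python
import ipaddress
import re

# Constructed sample of strongSwan (charon) log lines, modelled on the "[CFG]"
# entries quoted in this thread. Not the poster's real log: connection id,
# timestamps and the two notify lines at the end are illustrative.
SAMPLE_LOG = """\
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for us:
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7>  10.242.62.128/26|/0
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for other:
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7>  172.18.0.0/21|/0
Apr 3 22:23:00 pfsense1 charon[98668]: 01[ENC] <con3|7> parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Apr 3 22:23:00 pfsense1 charon[98668]: 01[IKE] <con3|7> received TS_UNACCEPTABLE notify, no CHILD_SA built
"""

# Hypothetical Cisco crypto ACL (not from the thread) with a deliberate typo in
# the wildcard of the pfSense network: 0.0.0.64 instead of 0.0.0.63.
SAMPLE_ACL = """\
ip access-list extended VPN-PFSENSE
 permit ip 172.18.0.0 0.0.7.255 10.242.62.128 0.0.0.64
"""

_HEADER = re.compile(r"proposing traffic selectors for (us|other):")
# strongSwan prints each selector as "<net>/<len>|/<proto>"; "|/0" means any protocol.
_TS = re.compile(r"\s(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/(\d+)")
_ACE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_proposed_selectors(log_text):
    """Selectors pfSense proposed, keyed 'us'/'other', as (network str, proto)."""
    found = {"us": [], "other": []}
    current = None
    for line in log_text.splitlines():
        header = _HEADER.search(line)
        if header:
            current = header.group(1)
            continue
        ts = _TS.search(line)
        if current and ts:
            net = ipaddress.ip_network(ts.group(1), strict=False)
            found[current].append((str(net), int(ts.group(2))))
        else:
            current = None  # selector block ended
    return found


def ts_rejected(log_text):
    """True when the peer answered the CHILD_SA proposal with TS_UNACCEPTABLE."""
    return re.search(r"N\(TS_UNACCEPT\)|TS_UNACCEPTABLE", log_text) is not None


def wildcard_mask(cidr):
    """Cisco 'reverse mask' for a CIDR network: the bitwise inverse of the netmask."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def expected_cisco_acl(selectors):
    """Mirror-image ACEs the Cisco crypto ACL must contain: its source is what
    pfSense calls 'other', its destination what pfSense calls 'us'."""
    lines = []
    for remote, _ in selectors["other"]:
        for local, _ in selectors["us"]:
            r, l = ipaddress.ip_network(remote), ipaddress.ip_network(local)
            lines.append(f"permit ip {r.network_address} {wildcard_mask(remote)} "
                         f"{l.network_address} {wildcard_mask(local)}")
    return lines


def _ace_network(addr, wild):
    # ipaddress accepts "A.B.C.D/<wildcard>" directly and rejects a non-contiguous
    # wildcard such as 0.0.0.64 with ValueError. An all-zero mask is read as /0
    # by ipaddress but means a single host in Cisco syntax, so special-case it.
    if wild == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False)


def parse_cisco_acl(acl_text):
    """Parse 'permit ip <src> <wild> <dst> <wild>' entries into (src, dst) pairs."""
    pairs, errors = [], []
    for line in acl_text.splitlines():
        line = re.sub(r"\bhost\s+(\S+)", r"\1 0.0.0.0", line)  # "host X" == "X 0.0.0.0"
        ace = _ACE.match(line)
        if not ace:
            continue  # ACL name line, remark, deny, ...
        try:
            src = _ace_network(ace.group(1), ace.group(2))
            dst = _ace_network(ace.group(3), ace.group(4))
        except ValueError as exc:
            errors.append(f"invalid ACE {line.strip()!r}: {exc}")
            continue
        pairs.append((str(src), str(dst)))
    return pairs, errors


def check_cisco_acl(acl_text, selectors):
    """List of problems; empty means every pfSense proposal is mirrored exactly."""
    pairs, problems = parse_cisco_acl(acl_text)
    for remote, _ in selectors["other"]:
        for local, _ in selectors["us"]:
            if (remote, local) not in pairs:
                problems.append(f"no ACE mirrors {local} <-> {remote}")
    return problems


if __name__ == "__main__":
    sel = parse_proposed_selectors(SAMPLE_LOG)
    print("pfSense proposed:", sel, "| TS rejected:", ts_rejected(SAMPLE_LOG))
    print("Cisco ACL should contain:", *expected_cisco_acl(sel), sep="\n  ")
    print("Problems with sample ACL:", *check_cisco_acl(SAMPLE_ACL, sel), sep="\n  ")
```

Run it against a real log by replacing SAMPLE_LOG with the [CFG] section of the pfSense IPsec log and SAMPLE_ACL with "show ip access-list <name>" output from the router. The comparison is deliberately exact (same network, same mask): IKEv2 allows the responder to narrow a selector, but a Cisco crypto ACL that does not cover the proposal, or that has a broken wildcard, produces exactly the TS_UNACCEPT seen in this thread.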
viragomann @Konstanti

                            @Konstanti said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

                            If I were you, I would talk to the Cisco admin again so that he checks all the settings

                            Agree with this. Since his site is not accepting the traffic selector, it's on him to find out the reason for the issue and resolve it. There should be logs with more details on this.

                            As mentioned, I was in a similar situation in the past. I got the config settings from the remote admin, set up the tunnel accordingly, but also got "TS_UNACCEPT" from the remote site.
It took me hours to prove that the issue was on his device.

                            Here is the log section, I sent to him:
[screenshot not reproduced]

                            His answer was then, he missed a setting, which explicitly excluded our network from the enc domain.
                            Whatever this means. I don't know his device.

                            @getcom said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

                            Is the CIDR "|/0" in the local and remote network maybe the root cause?

No, I don't think so. I also use "abnormal" subnets and all tunnels work well.
[screenshot not reproduced]

getcom @viragomann

                              @viragomann
                              Same here. We have also plenty of tunnels running without any issue, also with different subnets. But this is also on their side. Their tunnels are also running without any issues.
                              I will get back to him. If I have any news, I will let you know.
                              pastes.io with my logfile link is not working anymore. It redirects now to pastebin.ai : https://pastebin.ai/gcas2bfucl

[screenshot not reproduced]

getcom

                                Last outcome is that the Cisco admin will check every setting.
                                I told him to check if any ACL has a deny condition for the used subnets (e.g. overlapping) and he also should check if there is any typo in ACL naming.
Additionally, I set up the pfSense as responder only to see what traffic selectors are coming from his side. I assume that he is not able to connect phase 2 because of a mistake on his side. We will see...

getcom

                                  After ten months the Cisco admin found out that he had a typo in one of his profiles...
                                  The site to site VPN is working now as expected.

viragomann @getcom

                                    @getcom
                                    🤦
I guess it is an unerring admin of a big company, like it was in my case.

getcom @viragomann

                                      @viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:

                                      @getcom
                                      🤦
I guess it is an unerring admin of a big company, like it was in my case.

A 150% admin... and yes, a big company.
                                      I sent him the log extracts in April and told him that I thought the problem might be a typo in the profile. Of course, he didn't believe me. Then we had a long, detailed e-mail ping-pong until he understood that he needed to look more closely at his Cisco router...

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.