site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working
-
@viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:
@getcom
Is your identifier in the phase 1 equal to the IP behind the "remote" of the Cisco log?Yes, it is identical. Phase 1 is working.
Is your pfSense behind a NAT router?
No, the pfSense is directly connected (PPPoE).
If so try to force "NAT Traversal" in P1.
This does not make sense here.
-
@getcom
Did you try to enhance the log level?I had to troubleshoot an "N(TS_UNACCEPT) N(TS_UNACCEPT)" response from the remote site too in the past. After enhancing the log level, pfSense logged things like "proposing traffic selectors for us: " and "proposing traffic selectors for other: ", which differ. With this output, the remote admin believed me then, that the failure is on his site. ^^
-
@viragomann said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:
@getcom
Did you try to enhance the log level?I had to troubleshoot an "N(TS_UNACCEPT) N(TS_UNACCEPT)" response from the remote site too in the past. After enhancing the log level, pfSense logged things like "proposing traffic selectors for us: " and "proposing traffic selectors for other: ", which differ. With this output, the remote admin believed me then, that the failure is on his site. ^^
I have this already done for IKE SA and IKE Child SA. What did you additionally enhance? Message encoding?
-
@getcom
I don't know anymore. That war 2 y ago.Maybe the docs can help: Troubleshooting IPsec VPNs
I would try "Configuration backend", because the helpful entries were logged with "[CFG]".
-
Hi, you have an error with traffic selectors (TS) on the Cisco side when establishing PHASE-2 , which is strange, since everything seems to be configured correctly, both the access list and the reverse mask. If possible, show the entire connection log on the PF side (phase-1 and phase-2)
-
@Konstanti said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:
If possible, show the entire connection log on the PF side (phase-1 and phase-2)
This is the debug log : https://pastes.io/gcas2bfucl
I hopefully removed the second (working) tunnel log entries completely...
The public IPs are masked except the first digit to get a better overview.
Is the CIDR "|/0" in the local and remote network maybe the root cause? -
It is difficult to say anything affirmatively , there is a lot of unnecessary information in the logs (such a high level of logging ,in my opinion, it is unnecessary) . now, unfortunately, I can 't look at the log again right now ( the service issues an error )
, But in the morning I saw that the traffic selectors on your side are configured correctly
If I were you, I would talk to the Cisco admin again so that he checks all the settings3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for us:
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> 10.242.62.128/26|/0
reverse mask 0.0.0.63Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> proposing traffic selectors for other:
Apr 3 22:23:00 pfsense1 charon[98668]: 01[CFG] <con3|7> 172.18.0.0/21|/0
reverse mask 0.0.7.255It is necessary to check the ACL configured by the Cisco admin,
The screenshot shows that everything is configured correctly
But maybe some settings were saved incorrectly.for example, there is an error in the ACL name
-
@Konstanti said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:
If I were you, I would talk to the Cisco admin again so that he checks all the settings
Agree with this. Since his site is not accepting the traffic selector, it's on him to find out the reason for the issue and resolve it. There should be logs with more details on this.
As mentioned, I was in a similar situation in the past. I got the config settings from the remote admin, set up the tunnel accordingly, but also got "TS_UNACCEPT" from the remote site.
It took me hours to proof that the issue was on his device.Here is the log section, I sent to him:
His answer was then, he missed a setting, which explicitly excluded our network from the enc domain.
Whatever this means. I don't know his device.@getcom said in site to site VPN between pfSense 2.7.0 and Cisco ASR1001-X (1NG): phase 2 not working:
Is the CIDR "|/0" in the local and remote network maybe the root cause?
No, I don't think. I use also "abnormal" subnets and all tunnels work well.
-
@viragomann
Same here. We have also plenty of tunnels running without any issue, also with different subnets. But this is also on their side. Their tunnels are also running without any issues.
I will get back to him. If I have any news, I will let you know.
pastes.io with my logfile link is not working anymore. It redirects now to pastebin.ai : https://pastebin.ai/gcas2bfucl -
Last outcome is that the Cisco admin will check every setting.
I told him to check if any ACL has a deny condition for the used subnets (e.g. overlapping) and he also should check if there is any typo in ACL naming.
Additionally I setup the pfSense to responder only to see what traffic selectors is coming from his side. I assume that he is not able to connect phase 2 because of a mistake on his side. We will see...