pfSense to Cisco ASA
I am trying to get a site to site VPN going between a pfSense firewall and a Cisco ASA. It seems that phase 1 works, but phase 2 fails.
Here is my error log from pfSense:
Nov 8 15:11:00 racoon: ERROR: failed to pre-process packet.
Nov 8 15:11:00 racoon: ERROR: failed to get sainfo.
Nov 8 15:11:00 racoon: ERROR: failed to get sainfo.
Nov 8 15:11:00 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Nov 8 15:11:00 racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Here is my error log from Cisco:
4 Nov 08 2007 10:06:17 113019 Group = xxx.xxx.xxx.xxx, Username = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
3 Nov 08 2007 10:06:17 713902 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
1 Nov 08 2007 10:06:17 713900 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3 Nov 08 2007 10:06:17 713902 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, QM FSM error (P2 struct &0xd5b62858, mess id 0x9ddc5616)!
Here is my pfSense config:
<ipsec>
  <preferredoldsa/>
  <tunnel>
    <interface>wan</interface>
    <local-subnet>
      <address>192.168.13.0/24</address>
    </local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>yyy.yyy.yyy.yyy</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>KEY</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>des</encryption-algorithm-option>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr/>
    <pinghost>10</pinghost>
  </tunnel>
  <enable/>
</ipsec>
Here is my Cisco config:
: Saved
:
ASA Version 8.0(2)
!
hostname fw
domain-name pixia.com
enable password LTFd9GMmqnbHlQ9Q encrypted
names
! Defines outside interface. Security-level must be set to a number lower than the inside interface
! Security-level is higher the closer you get to the network that is being protected
interface Ethernet0/0
nameif outside
security-level 10
ip address yyy.yyy.yyy.yyy 255.255.255.224
! Defines inside interface. Security-level is set to a number higher than the outside interface
interface Ethernet0/1
nameif inside
security-level 90
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
! Defines management network
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name pixia.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
! Traffic sourced from local LAN with destination of remote site local LAN
access-list REMOTE_SITE_100_VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0
! All the traffic which will be encapsulated by IPsec VPNs (persistent, or demand-dial)
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0
! L2TP uses UDP port 1701 to establish a connection. An access-group later in this config references this ACL for allowing inbound L2TP session connections.
access-list INBOUND extended permit udp any yyy.yyy.yyy.yyy eq 1701
! Allows a TCP or UDP connection to port 80 on the outside interface
access-list INBOUND extended permit object-group TCPUDP any host yyy.yyy.yyy.yyy eq www
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
! Pool of IP addresses for demand-dial VPN Clients
ip local pool CLIENT_VPN_IP_POOL 192.168.0.20-192.168.0.29
icmp unreachable rate-limit 1 burst-size 1
! Allow the inside interface to respond to all icmp requests
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
! Do port-address-translation (PAT) for all traffic with source IP of 192.168.0.0/24 with destination off-link
global (outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside) 101 192.168.0.0 255.255.255.0
! Don’t NAT IPsec traffic
nat (inside) 0 access-list NO_NAT
! Create a hole in the firewall mapping a specific port from the outside interface to a computer on the inside network
static (inside,outside) tcp interface www 192.168.0.121 www netmask 255.255.255.255
! Allow L2TP establishment to the outside interface of the PIX
access-group INBOUND in interface outside
! Route traffic to the gateway
route outside 0.0.0.0 0.0.0.0 216.132.116.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
! Don’t make VPN traffic subject to ACL filtering
sysopt connection permit-vpn
! enable server, enable server management on both the inside and management networks
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Transforms for supporting both demand-dial and persistent (transport-mode & tunnel-mode) IPsec VPNs
! 3DES is the common cypher supported by both XP and Vista.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-IPSEC esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP-IPSEC mode transport
crypto ipsec transform-set IPSEC-AES esp-aes-256 esp-sha-hmac
! crypto dynamic-map for demand-dial vpn connections: L2TP, Cisco
! L2TP demand-dial using IPsec transport-mode, while Cisco VPN software (and hardware clients) uses IPsec tunnel-mode, hence the dynamic map (which is used for all demand-dial VPN clients) must include both.
crypto dynamic-map DYN_MAP 10 set transform-set L2TP-IPSEC IPSEC-AES ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 86400
! Only a single crypto map can be applied to an interface.
! This shows how a single crypto map can handle multiple persistent and demand-dial VPNs concurrently.
! 10 is for persistent site-to-site tunnels
! 30 is for demand-dial connections
! Any number of persistent connection maps can be added here (e.g. site-to-site); however, only a single dynamic map can be applied to support demand-dial clients.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_100_VPN
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP 10 set peer xxx.xxx.xxx.xxxx
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 86400
crypto map OUTSIDE_MAP 10 set phase1-mode aggressive
crypto map OUTSIDE_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal
! The cypher/hash pair the initiating client requests has to match one of these pairs. Each will be tried in order until a match is found
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 192.168.0.17 source inside prefer
group-policy DfltGrpPolicy attributes
dns-server value 192.168.0.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value pixia.com
address-pools value CLIENT_VPN_IP_POOL
group-policy CISCO_CLIENT_VPN_POLICY internal
group-policy CISCO_CLIENT_VPN_POLICY attributes
dns-server value 192.168.0.2
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
default-domain value pixia.com
address-pools value CLIENT_VPN_IP_POOL
username pakulas password nx4VQfcMfAOEe5iQdGi8cQ== nt-encrypted privilege 15
username admin password VfjI1SIZacDuk19Y encrypted privilege 15
username wangj password axeYWHYjyZ57TCR16KVVqw== nt-encrypted
username user password V9WDqkbVcVAqrUu3rqCccA== nt-encrypted
username thakkarr password RBdmPmK/OV4QMS0Qede1fA== nt-encrypted
username courtneys password G9vyte4t9TOhggD8L/2h4Q== nt-encrypted privilege 15
username soods password BI5t1P4KsWB6r/wIOyPq9w== nt-encrypted
username jensenk password oYo1okpfD/2N1fmAwEadgA== nt-encrypted
! Tunnel-group for servicing demand-dial L2TP clients
! User-specified groups are not supported for L2TP, only DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool CLIENT_VPN_IP_POOL
authorization-server-group LOCAL
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
! Tunnel-group for supporting Cisco client software and hardware VPN clients
tunnel-group CISCO_CLIENT_VPN_GROUP type remote-access
tunnel-group CISCO_CLIENT_VPN_GROUP general-attributes
address-pool CLIENT_VPN_IP_POOL
default-group-policy CISCO_CLIENT_VPN_POLICY
tunnel-group CISCO_CLIENT_VPN_GROUP ipsec-attributes
pre-shared-key *
tunnel-group CISCO_CLIENT_VPN_GROUP ppp-attributes
authentication ms-chap-v2
! For persistent connections, the tunnel-group name has to be the same as the peer IP address
tunnel-group xxx.xxx.xxx.xxxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:7422f35c0785c96cc89efedd3ccede09
: end
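A systematic way to read the two configs above against each other, as an added example that is not part of the original post and not code from pfSense or Cisco. It takes the phase 2 parameters both sides actually negotiate (the subnet pair, the ESP encryption/hash proposals, PFS), checks that they mirror, and classifies the log lines. Both config snippets and the log lines inside the script are constructed from the post (peer addresses left masked as xxx/yyy); the parsers only handle the statement forms that appear there, and the "set pfs with no group means group 2" rule is the ASA default. Run against the post's own data it reports that subnets, proposals and PFS agree and that the first transform the ASA offers (3DES/SHA1) is one pfSense accepts, but it also flags `outside_map` as a crypto map that is never bound to an interface: ASA crypto map names are case-sensitive, so `outside_map 65535` is a separate, orphaned map, not part of `OUTSIDE_MAP`.

```python
"""Cross-check phase 2 between a pfSense (racoon) tunnel and an ASA crypto map.
Added example for this thread, not pfSense, Cisco or the poster's code; the
snippets are constructed from the post (addresses still masked xxx/yyy)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the pfSense <tunnel> from the post, as well-formed XML.
PFSENSE_XML = """<ipsec><tunnel>
<local-subnet><address>192.168.13.0/24</address></local-subnet>
<remote-subnet>192.168.0.0/24</remote-subnet>
<p2><protocol>esp</protocol><pfsgroup>0</pfsgroup><lifetime>86400</lifetime>
<encryption-algorithm-option>des</encryption-algorithm-option>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option></p2>
</tunnel></ipsec>"""

# Constructed: the ASA statements from the post that the l2l tunnel depends on.
ASA_CONFIG = """
access-list REMOTE_SITE_100_VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_100_VPN
crypto map OUTSIDE_MAP 10 set peer xxx.xxx.xxx.xxxx
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
"""

# Constructed: one quick-mode failure line from each side of the post's logs.
LOG_LINES = [
    "Nov 8 15:11:00 racoon: ERROR: failed to get sainfo.",
    "3 Nov 08 2007 10:06:17 713902 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, "
    "QM FSM error (P2 struct &0xd5b62858, mess id 0x9ddc5616)!",
]

# One vocabulary for both vendors' algorithm keywords.
ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
       "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
HASH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "hmac_sha1": "sha1", "hmac_md5": "md5"}
# Messages that only appear after phase 1 succeeded and quick mode then failed.
PHASE2_MARKERS = ("failed to get sainfo", "Phase 2 Error", "QM FSM error")


def failing_phase(lines):
    """'phase2' if either peer logged a quick-mode failure, else 'other'. racoon's
    'failed to get sainfo' means no phase 2 entry (subnets + proposal) matched."""
    text = "\n".join(lines)
    return "phase2" if any(m in text for m in PHASE2_MARKERS) else "other"


def pfsense_phase2(xml_text):
    """(local, remote, proposal set, pfs group) from the pfSense <tunnel>;
    racoon offers every encryption x hash combination, so take the product."""
    t = ET.fromstring(xml_text).find("tunnel")
    local = ipaddress.ip_network(t.findtext("local-subnet/address"))
    remote = ipaddress.ip_network(t.findtext("remote-subnet"))
    p2 = t.find("p2")
    encs = [e.text for e in p2.findall("encryption-algorithm-option")]
    hashes = [HASH[h.text] for h in p2.findall("hash-algorithm-option")]
    return local, remote, {(e, h) for e in encs for h in hashes}, int(p2.findtext("pfsgroup"))


def asa_phase2(cfg, peer):
    """(src, dst, ordered proposals, pfs group, unapplied map names) for the crypto
    map entry that sets `peer`. Map names are case-sensitive: outside_map != OUTSIDE_MAP."""
    tsets, acls, maps, applied = {}, {}, {}, set()
    for w in (line.split() for line in cfg.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"] and w[4] in ENC:
            tsets[w[3]] = (ENC[w[4]], HASH[w[5]])
        elif w[:1] == ["access-list"] and w[3:5] == ["permit", "ip"]:
            acls.setdefault(w[1], []).append((ipaddress.ip_network(f"{w[5]}/{w[6]}"),
                                              ipaddress.ip_network(f"{w[7]}/{w[8]}")))
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            applied.add(w[2])
        elif w[:2] == ["crypto", "map"]:
            maps.setdefault((w[2], w[3]), []).append(w[4:])
    unapplied = {name for name, _ in maps} - applied
    for (name, _seq), stmts in maps.items():
        if name not in applied or ["set", "peer", peer] not in stmts:
            continue
        acl = next(s[2] for s in stmts if s[:2] == ["match", "address"])
        props = [tsets[n] for s in stmts if s[:2] == ["set", "transform-set"] for n in s[2:]]
        # "set pfs" with no group means group 2 on the ASA; no "set pfs" means no PFS.
        pfs = next((int(s[3].replace("group", "")) if len(s) > 3 else 2
                    for s in stmts if s[:2] == ["set", "pfs"]), 0)
        return acls[acl][0] + (props, pfs, unapplied)
    raise LookupError(f"no applied crypto map entry sets peer {peer}")


def check_tunnel(pf_xml, asa_cfg, asa_peer):
    """The ASA tries its transform sets in order; the first one pfSense also
    accepts is what quick mode should settle on if the subnets mirror."""
    local, remote, pf_props, pf_pfs = pfsense_phase2(pf_xml)
    src, dst, asa_props, asa_pfs, unapplied = asa_phase2(asa_cfg, asa_peer)
    common = [p for p in asa_props if p in pf_props]
    return {"subnets_mirrored": src == remote and dst == local,
            "negotiated": common[0] if common else None,
            "pfs_match": pf_pfs == asa_pfs,
            "unapplied_maps": unapplied}
```

Because every visible phase 2 parameter agrees, the check narrows the problem to things the pasted configs cannot show (the masked peer addresses and pre-shared keys, the aggressive-mode identities, or the ASA's actual running state), which is also why reducing both sides to a single transform, as suggested in the reply, is a sensible next step: it removes the proposal list as a variable.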
Let's try to narrow down a few things. What ASA model and OS version are you running? I would suggest limiting the protocol/encryption/hash to ESP-3DES-MD5 and disabling or disallowing all the others. When phase 1 completes on the Cisco side and you try to ping through from the Cisco LAN to the pfSense LAN, does anything change (TTL? RTT?)?
I will lab this up with one of my work ASAs to my home pfSense to offer some additional assistance.