Netgate Discussion Forum
    PfSense and Cisco 1841 site-to-site help?

    unguzov

      I want to test a site-to-site connection between pfSense and a Cisco 1841 (c1841-adventerprisek9-mz.124-24.T3) using IPsec. I have a friend who wants to help me with his Cisco 1841, but something is wrong and the tunnel does not work.

      Configuration:

      pfSense (LAN: 192.168.130.0/24, WAN: 93.152.XX.XX)
      – internet --
      cisco 1841 (LAN: 10.100.100.0/24, WAN: 95.111.XX.XX)

      pfSense log (in reverse order):

      Aug 18 12:53:31 	racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
      Aug 18 12:53:01 	racoon: ERROR: Message: '4 '.
      Aug 18 12:53:01 	racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Aug 18 12:53:01 	racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[0]<=>95.111.xx.xx[0]
      Aug 18 12:52:47 	racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
      Aug 18 12:52:17 	racoon: ERROR: Message: '4 '.
      Aug 18 12:52:17 	racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Aug 18 12:52:17 	racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
      Aug 18 12:52:16 	racoon: [Cisco]: INFO: ISAKMP-SA established 93.152.xx.xx[500]-95.111.xx.x[500] spi:78f9f6b8ed3a4e56:d4a1d4dc9bf1516f
      Aug 18 12:52:16 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Aug 18 12:52:16 	racoon: INFO: received Vendor ID: DPD
      Aug 18 12:52:16 	racoon: INFO: received Vendor ID: CISCO-UNITY
      Aug 18 12:52:16 	racoon: INFO: begin Identity Protection mode.
      Aug 18 12:52:16 	racoon: [Cisco]: INFO: initiate new phase 1 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
      Aug 18 12:52:16 	racoon: [Cisco]: INFO: IPsec-SA request for 95.111.xx.x queued due to no phase1 found.
      Aug 18 12:40:25 	racoon: [Self]: INFO: 93.152.xx.xx[500] used as isakmp port (fd=18)
      Aug 18 12:40:25 	racoon: [Self]: INFO: 192.168.12.254[500] used as isakmp port (fd=17)
      Aug 18 12:40:25 	racoon: [Self]: INFO: 192.168.130.254[500] used as isakmp port (fd=16)
      Aug 18 12:40:25 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
      Aug 18 12:40:25 	racoon: [Self]: INFO: 10.10.11.2[500] used as isakmp port (fd=14)
      Aug 18 12:40:25 	racoon: INFO: unsupported PF_KEY message REGISTER
      

      pfSense settings:
      Interface: WAN
      Local subnet: LAN subnet
      Remote subnet: 10.100.100.0/24
      Remote gateway: 95.111.xx.xx
      Phase 1:
      Negotiation mode: main
      My identifier: My IP Address
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2
      Lifetime: 28800
      Authentication method: Pre-shared key
      Pre-Shared Key: xxxx

      Phase 2:
      Protocol: ESP
      Encryption algorithms: 3DES
      Hash algorithms: SHA1
      PFS key group: 2
      Lifetime: 3600

      Cisco 1841 configuration:

      cisco_router_rtr#sh cry ipsec sa
      
      interface: FastEthernet0/1
          Crypto map tag: vpn, local addr 95.111.xx.xx
      
         protected vrf: (none)
         local  ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
         remote ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
         current_peer 93.152.xx.xx port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 45, #recv errors 0
      
           local crypto endpt.: 95.111.xx.xx, remote crypto endpt.: 93.152.xx.xx
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
           current outbound spi: 0x0(0)
           PFS (Y/N): N, DH group: none
      
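As an added example (not code from the post or from Netgate), a small Python checker that reads a chronological copy of the racoon lines above, reports whether the NO-PROPOSAL-CHOSEN rejection arrived before or after the IKE SA came up, and then compares the one Phase 2 parameter visible on both sides here (pfSense PFS group 2 against the Cisco SA's "PFS (Y/N): N"). The sample log and SA excerpt are constructed from the post, and the "groupN" spelling for an enabled Cisco PFS group is an assumption about IOS output; the author's actual fix was a crypto-map ordering issue on the Cisco, which a proposal comparison like this cannot see.

```python
import re

# Constructed sample in chronological order, modelled on the racoon lines in the post above.
SAMPLE_LOG = """\
Aug 18 12:52:16 racoon: [Cisco]: INFO: initiate new phase 1 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
Aug 18 12:52:16 racoon: [Cisco]: INFO: ISAKMP-SA established 93.152.xx.xx[500]-95.111.xx.x[500] spi:78f9f6b8ed3a4e56:d4a1d4dc9bf1516f
Aug 18 12:52:17 racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
Aug 18 12:52:17 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Aug 18 12:52:47 racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
"""

# Constructed excerpt of the 'show crypto ipsec sa' output quoted in the post.
SAMPLE_CISCO_SA = """\
           PFS (Y/N): N, DH group: none
"""
# pfSense Phase 2 setting as listed in the post (PFS key group: 2).
PFSENSE_PHASE2 = {"pfs_group": "2"}

def diagnose_racoon(log_text):
    """Walk a chronological racoon log and name the phase in which the peer rejected us."""
    p1_up = p2_started = no_proposal = False
    for line in log_text.splitlines():
        if "ISAKMP-SA established" in line:
            p1_up = True                      # Phase 1 (IKE SA) succeeded
        elif "initiate new phase 2 negotiation" in line:
            p2_started = True
        elif "NO-PROPOSAL-CHOSEN" in line:
            no_proposal = True                # peer accepted none of the proposals offered
    if no_proposal and p1_up and p2_started:
        return "phase2"   # IKE SA fine; ESP transform, PFS group or traffic selectors were rejected
    if no_proposal:
        return "phase1"   # rejected before any IKE SA: check encryption/hash/DH/lifetime/PSK
    return "ok" if p1_up else "unknown"

def parse_cisco_pfs(sa_text):
    """Extract the PFS group Cisco reports for the SA, normalised to '2', '5', ... or 'none'."""
    m = re.search(r"PFS \(Y/N\): (\w), DH group: (\S+)", sa_text)
    if not m or m.group(1) != "Y":
        return "none"
    return m.group(2).replace("group", "")    # assumed IOS spelling: 'group2' -> '2'

def phase2_mismatches(pfsense, cisco_sa_text):
    """Return the Phase 2 settings that differ between the two sides (only PFS is visible here)."""
    cisco = {"pfs_group": parse_cisco_pfs(cisco_sa_text)}
    return [k for k in pfsense if pfsense[k] != cisco.get(k)]

if __name__ == "__main__":
    print(diagnose_racoon(SAMPLE_LOG))                         # phase2
    print(phase2_mismatches(PFSENSE_PHASE2, SAMPLE_CISCO_SA))  # ['pfs_group']
```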
      unguzov

        The problem was on the Cisco side: when the pfSense site-to-site connection is not the first one in the config file, the tunnel does not work.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.