Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec tunnel mode with ASR

    Scheduled Pinned Locked Moved
    IPsec
    1
    1
    405
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      trifly
      last edited by

      Hello eveyrone,

      I want to build a IPSec Tunnel with an ASR.

      ASR router is configured with IPSec tunnel method (tunnel protection) because the tunnel has to be mounted from a specific VRF (so crypto map is not possible)

      Here is the sanitized configuration of the ASR :

      hostname ASR
!
vrf definition INTERCO
 rd 10.107.254.18:1
 !
 address-family ipv4
  route-target export 10.107.254.18:1
  route-target import 10.107.254.18:1
 exit-address-family
!
!
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy policy_pfsense
 proposal aes-cbc-256-proposal
!
crypto ikev2 keyring mykeys-pfsense
 peer pfsense
  address 5.5.5.6
  pre-shared-key ##########
!
crypto ikev2 profile pfsense
 description IKEv2 profile
 match identity remote address 5.5.5.6 255.255.255.255
 identity local address 5.5.5.5
 authentication remote pre-share
 authentication local pre-share
 keyring local mykeys-pfsense
 lifetime 3600
!
crypto ikev2 dpd 10 2 on-demand
!
crypto logging ikev2
!
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile pfsense
 set transform-set ESP-AES256-SHA512
 set ikev2-profile pfsense
!
interface Loopback1
 vrf forwarding INTERCO
 ip address 10.15.30.140 255.255.255.128
!
interface Tunnel100
 vrf forwarding INTERCO
 no ip address
 tunnel source GigabitEthernet2
 tunnel destination 5.5.5.6
 tunnel protection ipsec profile pfsense
!
!
interface GigabitEthernet2
 ip address 5.5.5.5 255.255.255.252
 negotiation auto
 no mop enabled
 no mop sysid
!
!
!
ip route vrf INTERCO 172.16.5.0 255.255.255.0 Tunnel100
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
end

      The IPsec configuration of PfSense is in tunnel IPv4 and the local network is the LAN subnet (172.16.5.0/24) and the remote network is 10.15.30.128/25
      0_1529918158028_pfsense_ipsec_phase_2.png

      In debug mode on the ASR, i have the error : "Failed to find a matching policy" and the IKEv2 SA is flapping between UP & DOWN...

      If I disable the IPsec Phase 2 entrie on PfSense, the IKEv2 and the interface tunnel 100 on the ASR turns to UP.

      I think it's because of the ACL sent by the Pfsense with the remote network and local network but i can't be sure of this...

      With a crypto map, we can make matching the IPSec traffic to an ACL but how can we do the same thing with the tunnel profile method ?

      Is anyone have an idea ? (or had already got the same problem ?)

      If you need more informations, feel free to ask me ! ;)

      Thanks to you !

      Trif

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.