Netgate Discussion Forum

    ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps

    Category: IPsec
    16 Posts 3 Posters 1.9k Views
    Derelict (LAYER 8, Netgate):

      Should be no problem. Maybe the access-list in the crypto map on the ASA is wrong.

      Split connections should only matter on IKEv2. Is this IKEv2?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      rcogswell00:

        Yes the connection is using IKEv2.

        Here is the ASA side. I would think if the access-list was wrong then neither of the subnets could communicate at all.

        [attached image: bd0c2b88-e13c-41d8-b05a-927f4a1dbc99-image.png]

        Derelict (LAYER 8, Netgate):

          That is configured for 192.168.1.0/24 -> 10.2.0.0/16

          There is nothing there for 10.1.0.0/16

          Like @JeGr I am also confused about exactly what you are trying to accomplish.

          If they want to NAT 192.168.1.0/24 to something else, they have to do that on the ASA side.

          JeGr (LAYER 8, Moderator):

            Also: crypto settings. I see wildly configured cipher/enc sets all over the place and an ASA screen saying IKE2 (nice) but 3DES? And SHA1? Please fix that (phase 1/2) first; otherwise you have a tunnel, but whether that is "private" at all is doubtful.

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

            rcogswell00:

              Site B has the 10.1.0.0/16 and the 192.168.1.0/24. Yes, they are connected to each other and I can pass traffic to them all day long. Site A only has the 10.2.0.0/16. Yes, the ASA only shows a tunnel right now to 10.2.0.0 and 192.168.1.0. I can easily switch them, however, by either reconnecting the VPN and passing traffic between 10.2.0.0/16 and 10.1.0.0/16 or just pinging the 10.1.0.0/16 enough that the tunnel "flops" and connects.

              [attached image: 30911a10-583a-43a8-981f-8ecd29b8907a-image.png]

              ASA VPN settings
              [attached image: eaa2c7c7-9539-4247-915f-0763d412b2ff-image.png]
              As far as the crypto settings, yes, I am aware that it's "unsecure", but I was trying to follow the instructions listed in the pfSense manual for connecting the ASA and the pfSense through IPsec. Once I could get it to pass traffic, then I would worry about turning security up. I'm just trying to make it work at this point.

              Connecting to Cisco PIX/ASA Devices with IPsec: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/connecting-to-cisco-pix-asa-devices-with-ipsec.html

              [attached image: f4a38cd3-f578-477e-ae4b-96c2e12054aa-image.png]

              Derelict (LAYER 8, Netgate):

                I do not see anything on the pfSense side to prevent 10.2.0.0/16 from communicating with both 192.168.1.0/24 and 10.1.0.0/16.

                Look on the ASA side.

                Or better-describe what you are looking to do.

                Packet capture on the pfSense IPsec interface. Is the traffic going out?

                rcogswell00 (replying to Derelict):

                  @Derelict said in ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps:

                  I do not see anything on the pfSense side to prevent 10.2.0.0/16 from communicating with both 192.168.1.0/24 and 10.1.0.0/16.

                  That is describing what I'm looking to do. You are right, it DOESN'T make sense why it won't send traffic out. The VPN connection is set up exactly the same as our others on the ASA side. The only difference is those are VPNs across to ASA 5505s and this one is trying to use a pfSense appliance. Is there anything that would prevent the ASA from allowing the pfSense to use multiple phase 2s? It always seems like it's some check box somewhere.

                  This is an example of another tunnel we have that is between an ASA 5505 and a 5508.
                  [attached image: b8c4923f-d621-47c0-8f48-6d6e10399068-image.png]

                  Derelict (LAYER 8, Netgate):

                    How about you post the show running for the pertinent IPsec parts instead of the ASDM screenshots. Makes it MUCH easier to see what's up.

                    Did you packet capture to verify the traffic isn't being sent out?

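Derelict asks twice for a packet capture on the pfSense IPsec interface and for the pertinent parts of the running config. As an added example (not from the thread, not Netgate's code), here is a POSIX sh check that reads `swanctl --list-sas` on the pfSense box and reports which expected Phase 2 pair has no INSTALLED CHILD_SA, which is the symptom reported here (only one pair passes traffic, and it swaps). The swanctl output embedded below is constructed to resemble strongSwan 5.x output for this thread's subnets; the peer addresses are documentation addresses and the connection name `con1` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks which Phase 2 selector
# pairs have an INSTALLED CHILD_SA according to "swanctl --list-sas".
# The sample output is CONSTRUCTED to look like strongSwan 5.x output for the
# thread's topology: pfSense local 10.2.0.0/16, ASA-side 192.168.1.0/24 and
# 10.1.0.0/16. Peer IPs are documentation addresses, "con1" is an assumption.

sample_sas() {
cat <<'EOF'
con1: #1, ESTABLISHED, IKEv2, 5b1c3a2d9e8f7a6b_i 0c1d2e3f4a5b6c7d_r*
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 28000s
  con1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3200s, expires in 3600s
    in  c1d2e3f4,    840 bytes,    10 packets,     5s ago
    out a1b2c3d4,    840 bytes,    10 packets,     5s ago
    local  10.2.0.0/16
    remote 192.168.1.0/24
EOF
}

# Phase 2 pairs the pfSense config is supposed to bring up, one "local remote" per line.
EXPECTED_P2='10.2.0.0/16 192.168.1.0/24
10.2.0.0/16 10.1.0.0/16'

# Read swanctl output on stdin; print "local remote" for every INSTALLED CHILD_SA.
# The IKE_SA's own "local"/"remote" lines come before any INSTALLED line, so
# they are ignored; only selector lines under a child SA are collected.
installed_selectors() {
  awk '
    / INSTALLED, /             { in_child = 1; loc = ""; next }
    in_child && $1 == "local"  { sub(/^[ \t]*local[ \t]+/, "");  loc = $0; next }
    in_child && $1 == "remote" { sub(/^[ \t]*remote[ \t]+/, ""); print loc, $0; in_child = 0 }
  '
}

# $1 = swanctl output. Print each expected pair that has no INSTALLED CHILD_SA.
missing_selectors() {
  have=$(printf '%s\n' "$1" | installed_selectors)
  printf '%s\n' "$EXPECTED_P2" | while read -r l r; do
    printf '%s\n' "$have" | grep -qxF "$l $r" || printf '%s -> %s\n' "$l" "$r"
  done
}

# On a real pfSense box:  missing_selectors "$(swanctl --list-sas)"
missing_selectors "$(sample_sas)"
```

On the sample this prints `10.2.0.0/16 -> 10.1.0.0/16`, i.e. the second Phase 2 has no child SA even though the IKE_SA is up. Pair it with `tcpdump -ni enc0 net 10.1.0.0/16` while pinging a 10.1.0.0/16 host: a pair with no CHILD_SA is never encapsulated, so nothing for it shows up on enc0, which is the capture result reported further down in the thread.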
                      Derelict (LAYER 8, Netgate):

                      You absolutely need split tunneling enabled to do multiple IKEv2 selectors to an ASA. The ASA is the reason that checkbox exists in the first place. So leave that enabled.

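Two points in the thread fit one ASA-side fragment: JeGr's objection to 3DES/SHA1 on both phases, and Derelict's reading of the ASDM screenshot as a crypto ACL that only covers 192.168.1.0/24 -> 10.2.0.0/16 plus his note that pfSense needs Split connections for multiple IKEv2 selectors to an ASA (the ASA negotiates one IPsec SA per crypto ACL entry rather than one child SA carrying several traffic selectors). The configuration below is an added example, not the poster's running-config and not the Netgate walkthrough. Assumptions: the ASA is the Site B box with 192.168.1.0/24 and 10.1.0.0/16 behind `inside`, the pfSense WAN is 203.0.113.10 (a documentation address), and every object, ACL, crypto map and tunnel-group name is invented.

```text
! Added example, not the poster's config. Names and the peer address are assumptions.

! --- Weak proposals as seen in the screenshots (3DES, SHA1, DH group 2): replace these ---
no crypto ikev2 policy 10
no crypto ipsec ikev2 ipsec-proposal WEAK-3DES-SHA1
! (they looked like this)
! crypto ikev2 policy 10
!  encryption 3des
!  integrity sha
!  group 2
!  prf sha
! crypto ipsec ikev2 ipsec-proposal WEAK-3DES-SHA1
!  protocol esp encryption 3des
!  protocol esp integrity sha-1

! --- Corrected proposals: AES-256 / SHA-256 / DH group 14 on Phase 1 and Phase 2 ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- Crypto ACL: one ACE per Phase 2. The screenshot appeared to have only the first. ---
access-list VPN-TO-PFSENSE extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPN-TO-PFSENSE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- NAT exemption for BOTH local networks toward 10.2.0.0/16 (assumes both sit behind "inside") ---
object network SITEA-NET
 subnet 10.2.0.0 255.255.0.0
object network SITEB-NET-192
 subnet 192.168.1.0 255.255.255.0
object network SITEB-NET-10-1
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static SITEB-NET-192 SITEB-NET-192 destination static SITEA-NET SITEA-NET no-proxy-arp route-lookup
nat (inside,outside) source static SITEB-NET-10-1 SITEB-NET-10-1 destination static SITEA-NET SITEA-NET no-proxy-arp route-lookup

! --- Crypto map entry, peer and tunnel group ---
crypto map OUTSIDE_MAP 10 match address VPN-TO-PFSENSE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
crypto ikev2 enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ***
 ikev2 local-authentication pre-shared-key ***
```

Compare against `show running-config crypto`, `show crypto ikev2 sa` and `show crypto ipsec sa` on the ASA; with two ACEs you should see two IPsec SAs under the one IKEv2 SA. The pfSense side that matches this is one Phase 1 with Split connections checked and two Phase 2 entries (10.2.0.0/16 to 192.168.1.0/24 and 10.2.0.0/16 to 10.1.0.0/16) using the same AES-256/SHA-256/DH14 proposals, so each Phase 2 becomes its own CHILD_SA rather than one CHILD_SA with two traffic selectors that the ASA would narrow to a single ACE.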
                        rcogswell00 (replying to Derelict):

                        @Derelict said in ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps:

                        How about you post the show running for the pertinent IPsec parts instead of the ASDM screenshots. Makes it MUCH easier to see what's up.

                        Did you packet capture to verify the traffic isn't being sent out?

                        I'll get the config on the ASA out.

                        Packet capture shows traffic passing depending on which phase 2 is connected. It fails to see anything on the one that is not.

                          rcogswell00 (replying to Derelict):

                          @Derelict said in ASA 5505 / pfsense only one Phase 2 traffic passing at a time; swaps:

                          You absolutely need split tunneling enabled to do multiple IKEv2 selectors to an ASA. The ASA is the reason that checkbox exists in the first place. So leave that enabled.

                          I figured as much and haven't turned this off.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.