Cisco ASA 9.X <-> pfSense 2.3.X [SOLVED]
-
I have a support ticket opened on this one, but it doesn't hurt to get more input as well :)
So the first question: Is anyone running IPSec between Cisco ASA and pfSense? We had a hard time getting it to run, but now it runs "not stable enough" with the following settings:
P1: IKEv1
Key: PSK
Enc: AES-256
Hash: SHA1
Lifetime: 28 800
DH: 2
DPD = ON
P2:
Enc: AES-256
Hash: SHA1
Lifetime: 3600
PFS: 2
Most often we lose 2 pings when rekeying. But in some cases it takes 15-20 seconds, something that the users dislike, to be diplomatic. And the worst thing is that in "rare" cases (once a week so far) the rekey fails totally, with those entries bombing the logs:
2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
2017-04-03 16:14:29 daemon.info charon: 05[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {2}
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]
2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> sending packet: from x.x.x.x[500] to y.y.y.y[500] (316 bytes)
2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> received packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]
On top of this, the IPSec connection can feel "laggy". Like in this video: https://www.youtube.com/watch?v=1l4IJ60CTpw (not that brutal, and not with disconnects).
The Internet connection is rock solid. 1Gb line with its own VLAN to the IPSec destination (Cisco ASA). Running a Netgate XG-2758, and in an office with 50-60 users that is 100 times more than enough hardware wise.
Any input is good input :) thanks!
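The charon lines quoted above are the only visible trace of a failed phase 2 rekey, and they are easy to miss in a busy IPsec log. As an added example (not from this thread, pfSense or strongSwan), here is a small Python parser that walks charon syslog lines, counts Quick Mode rekey attempts per connection and flags those answered with NO_PROPOSAL_CHOSEN, so a failing tunnel can be alerted on rather than discovered from user complaints. The sample log lines are constructed in the same format as the post's excerpt, with a second, successful rekey added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines in the charon (strongSwan) syslog format pfSense writes.
# con2000 reproduces the failure pattern from the post; con3000 is a healthy rekey.
SAMPLE_LOG = [
    "2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]",
    "2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify",
    "2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]",
    "2017-04-03 17:10:02 daemon.info charon: 11[ENC] <con3000|77> generating QUICK_MODE request 5 [ HASH SA No KE ID ID ]",
    "2017-04-03 17:10:02 daemon.info charon: 11[IKE] <con3000|77> CHILD_SA con3000{3} established with SPIs c1 c2",
]

# Only lines carrying the "<conn|ike-sa-id>" tag are attributed to a tunnel.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ charon: "
    r"\d+\[(?P<sub>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<ike_sa>\d+)> ?(?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one charon line, or None if it has no IKE SA tag."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def rekey_report(lines):
    """Per connection: number of Quick Mode (IKEv1 phase 2) requests sent, and the
    ones the peer answered with NO_PROPOSAL_CHOSEN before a CHILD_SA came up."""
    report = defaultdict(lambda: {"attempts": 0, "failures": []})
    pending = {}  # conn -> timestamp of the outstanding QUICK_MODE request
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        conn, msg = f["conn"], f["msg"]
        if "generating QUICK_MODE request" in msg:
            report[conn]["attempts"] += 1
            pending[conn] = f["ts"]
        elif conn in pending and ("NO_PROPOSAL_CHOSEN" in msg or "N(NO_PROP)" in msg):
            # First rejection closes the attempt; the later N(NO_PROP) line is not double counted.
            report[conn]["failures"].append(
                {"ike_sa": f["ike_sa"], "started": pending.pop(conn), "seen": f["ts"]})
        elif conn in pending and "established" in msg:
            pending.pop(conn)  # rekey succeeded
    return dict(report)


if __name__ == "__main__":
    for conn, r in rekey_report(SAMPLE_LOG).items():
        print(conn, "attempts:", r["attempts"], "failed:", len(r["failures"]))
```

Feeding it `clog /var/log/ipsec.log` output (or a syslog export) gives a per-tunnel failure count that can be turned into an alert; a tunnel whose failures keep landing at the phase 2 lifetime boundary is a proposal mismatch on rekey, not a link problem.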
-
Solved, Netgate support found dynamic peers on the same crypto map on the Cisco side. Please buy them a beer from me :D