    Cisco ASA 9.X <-> pfSense 2.3.X [SOLVED]

    IPsec
    2 Posts 1 Posters 972 Views
    • GroundX

      I have a support ticket opened on this one, but it doesn't hurt to get more input as well :)

      So the first question: Is anyone running IPSec between Cisco ASA and pfSense? We had a hard time getting it to run, but now it runs "not stable enough" with the following settings:

      P1: IKEv1
      Key: PSK
      Enc: AES-256
      Hash: SHA1
      Lifetime: 28 800
      DH: 2
      DPD = ON

      P2:
      Enc: AES-256
      Hash: SHA1
      Lifetime: 3600
      PFS: 2

      Most often we lose 2 pings when rekeying. But in some cases it takes 15-20 seconds, something that the users dislike, to be diplomatic. And the worst thing is that in "rare" cases (once a week so far) the rekey fails totally, with those entries bombing the logs:

      2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
      2017-04-03 16:14:29 daemon.info charon: 05[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {2}
      2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]
      2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> sending packet: from x.x.x.x[500] to y.y.y.y[500] (316 bytes)
      2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> received packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
      2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]

      On top of this, the IPSec connection can feel "laggy". Like in this video: https://www.youtube.com/watch?v=1l4IJ60CTpw (not that brutal, and not with disconnects).

      The Internet connection is rock solid. 1Gb line with its own VLAN to the IPSec destination (Cisco ASA). Running a Netgate XG-2758, in an office with 50-60 users, which is 100 times more than enough hardware-wise.

      Any input is good input :) thanks!

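      As an added example (not code from the post or from Netgate), the following Python script parses strongSwan charon log lines of the shape quoted above, groups events per IKE SA and flags SAs where a Quick Mode (Phase 2) request was answered with NO_PROPOSAL_CHOSEN, which in IKEv1 means the peer rejected the Phase 2 proposal. The sample input is constructed from the quoted lines; the x.x.x.x / y.y.y.y addresses are the poster's own redaction placeholders. Function names and the summary structure are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in the post above.
# The x.x.x.x / y.y.y.y placeholders are the poster's redaction, kept as-is.
SAMPLE_LOG = """\
2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
2017-04-03 16:14:29 daemon.info charon: 05[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {2}
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]
2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> sending packet: from x.x.x.x[500] to y.y.y.y[500] (316 bytes)
2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> received packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]
"""

# timestamp, syslog facility, thread id, log group, optional "<conn|ike-sa-id>", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)


def parse_charon_line(line):
    """Return a dict of the line's fields, or None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Kernel (KNL) lines carry no IKE SA prefix, so sa stays None for them.
    ev["sa"] = int(ev["sa"]) if ev["sa"] else None
    return ev


def summarize_rekeys(text):
    """Group events per IKE SA and flag SAs whose Phase 2 proposal was rejected."""
    per_sa = defaultdict(lambda: {
        "conn": None, "quick_mode_requests": 0, "no_proposal": 0,
        "first": None, "last": None,
    })
    acquire_jobs = 0
    for line in text.splitlines():
        ev = parse_charon_line(line)
        if ev is None:
            continue
        # An acquire job is the kernel asking for a (new) child SA: the trigger for a rekey.
        if ev["group"] == "KNL" and "creating acquire job" in ev["msg"]:
            acquire_jobs += 1
        if ev["sa"] is None:
            continue
        rec = per_sa[ev["sa"]]
        rec["conn"] = ev["conn"]
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]
        if ev["group"] == "ENC" and "generating QUICK_MODE request" in ev["msg"]:
            rec["quick_mode_requests"] += 1
        # Both the decoded notify and the raw N(NO_PROP) payload indicate a rejected proposal.
        if "NO_PROPOSAL_CHOSEN" in ev["msg"] or "N(NO_PROP)" in ev["msg"]:
            rec["no_proposal"] += 1
    failed = sorted(sa for sa, r in per_sa.items()
                    if r["quick_mode_requests"] > 0 and r["no_proposal"] > 0)
    return {"per_sa": dict(per_sa), "acquire_jobs": acquire_jobs,
            "failed_rekey_sas": failed}


if __name__ == "__main__":
    result = summarize_rekeys(SAMPLE_LOG)
    for sa in result["failed_rekey_sas"]:
        r = result["per_sa"][sa]
        print(f"IKE SA {sa} ({r['conn']}): Phase 2 proposal rejected between "
              f"{r['first']} and {r['last']}; {r['no_proposal']} NO_PROPOSAL_CHOSEN event(s)")
```

      Running it on a full charon log (for example `python3 rekey_check.py < /var/log/ipsec.log` after replacing SAMPLE_LOG with stdin) gives a per-SA count of rejected Quick Mode exchanges, which separates "the peer refused our proposal" from the ordinary two-ping blip of a successful rekey and is the figure worth attaching to a support ticket.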
      • GroundX

        Solved, Netgate support found dynamic peers on the same crypto map on the Cisco side. Please buy them a beer from me :D

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.