Cisco ASA 9.X <-> pfSense 2.3.X [SOLVED]



  • I have a support ticket opened on this one, but it doesn't hurt to get more input as well :)

    So the first question: Is anyone running IPSec between Cisco ASA and pfSense? We had a hard time getting it to run, but now it runs "not stable enough" with the following settings:

    P1: IKEv1
    Key: PSK
    Enc: AES-256
    Hash: SHA1
    Lifetime: 28 800
    DH: 2
    DPD = ON

    P2:
    Enc: AES-256
    Hash: SHA1
    Lifetime: 3600
    PFS: 2

    Most often we lose 2 pings when rekeying. But in some cases it takes 15-20 seconds, something that the users dislike, to be diplomatic. And the worst thing is that in "rare" cases (once a week so far) the rekey fails totally, with these entries bombing the logs:

    2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
    2017-04-03 16:14:29 daemon.info charon: 05[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {2}
    2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]
    2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> sending packet: from x.x.x.x[500] to y.y.y.y[500] (316 bytes)
    2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> received packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
    2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]

    On top of this, the IPSec connection can feel "laggy". Like in this video: https://www.youtube.com/watch?v=1l4IJ60CTpw (not that brutal, and not with disconnects).

    The Internet connection is rock solid: a 1 Gb line with its own VLAN to the IPSec destination (Cisco ASA). Running a Netgate XG-2758, and in an office with 50-60 users that is 100 times more than enough hardware-wise.

    Any input is good input :) thanks!
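A small log check for this failure mode, added here as an example (not code from the original post, pfSense or strongSwan): it parses charon lines of the shape quoted above and reports IKE_SAs whose Phase 2 (QUICK_MODE) proposals the peer keeps answering with NO_PROPOSAL_CHOSEN without a CHILD_SA ever being established. The sample lines are constructed to match the post's format, with hosts anonymised the same way.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, shaped like the charon output quoted in the post above.
SAMPLE_LOG = """\
2017-04-03 16:14:29 daemon.info charon: 13[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
2017-04-03 16:14:29 daemon.info charon: 05[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {2}
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> generating QUICK_MODE request 1125863774 [ HASH SA No KE ID ID ]
2017-04-03 16:14:29 daemon.info charon: 09[NET] <con2000|19541> sending packet: from x.x.x.x[500] to y.y.y.y[500] (316 bytes)
2017-04-03 16:14:29 daemon.info charon: 09[ENC] <con2000|19541> parsed INFORMATIONAL_V1 request 2378104355 [ HASH N(NO_PROP) ]
2017-04-03 16:14:29 daemon.info charon: 09[IKE] <con2000|19541> received NO_PROPOSAL_CHOSEN error notify
2017-04-03 16:20:02 daemon.info charon: 07[IKE] <con2000|19542> CHILD_SA con2000{3} established with SPIs c1a2b3c4_i d4e5f6a7_o
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[(?P<sub>[A-Z]+)\]\s*(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>)?\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Split one charon line into timestamp, subsystem, connection, IKE_SA id and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def rekey_stats(lines):
    """Per IKE_SA (conn|id): Phase 2 attempts, NO_PROPOSAL_CHOSEN rejections, CHILD_SAs established."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["sa"] is None:
            continue  # kernel/acquire lines carry no IKE_SA tag
        key, sub, msg = f"{rec['conn']}|{rec['sa']}", rec["sub"], rec["msg"]
        if sub == "ENC" and "generating QUICK_MODE request" in msg:
            stats[key]["quick_mode"] += 1
        # Count the IKE-level notify only; the ENC "N(NO_PROP)" line is the same event being parsed.
        if sub == "IKE" and "NO_PROPOSAL_CHOSEN" in msg:
            stats[key]["no_proposal"] += 1
        if sub == "IKE" and "CHILD_SA" in msg and "established" in msg:
            stats[key]["established"] += 1
    return stats

def failed_rekeys(lines):
    """IKE_SAs whose Phase 2 proposals were rejected by the peer and never established a CHILD_SA."""
    return sorted(k for k, c in rekey_stats(lines).items()
                  if c["no_proposal"] and not c["established"])

if __name__ == "__main__":
    for sa, c in rekey_stats(SAMPLE_LOG.splitlines()).items():
        print(sa, dict(c))
    print("rekey failing on:", failed_rekeys(SAMPLE_LOG.splitlines()))
```

Fed the real log (e.g. piped from the IPsec log on the pfSense side), a non-empty result points at the IKE_SAs whose proposals the ASA is rejecting, which is what to compare against the crypto map configuration on the ASA side.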



  • Solved, Netgate support found dynamic peers on the same crypto map on the Cisco side. Please buy them a beer from me :D

