Netgate Discussion Forum
    IPsec tunnel mode with ASR

    trifly

      Hello everyone,

      I want to build an IPsec tunnel with an ASR.

      The ASR router is configured with the IPsec tunnel method (tunnel protection) because the tunnel has to be mounted from a specific VRF (so a crypto map is not possible).

      Here is the sanitized configuration of the ASR:

      hostname ASR
      !
      vrf definition INTERCO
       rd 10.107.254.18:1
       !
       address-family ipv4
        route-target export 10.107.254.18:1
        route-target import 10.107.254.18:1
       exit-address-family
      !
      !
      crypto ikev2 proposal aes-cbc-256-proposal
       encryption aes-cbc-256
       integrity sha512
       group 24
      !
      crypto ikev2 policy policy_pfsense
       proposal aes-cbc-256-proposal
      !
      crypto ikev2 keyring mykeys-pfsense
       peer pfsense
        address 5.5.5.6
        pre-shared-key ##########
      !
      crypto ikev2 profile pfsense
       description IKEv2 profile
       match identity remote address 5.5.5.6 255.255.255.255
       identity local address 5.5.5.5
       authentication remote pre-share
       authentication local pre-share
       keyring local mykeys-pfsense
       lifetime 3600
      !
      crypto ikev2 dpd 10 2 on-demand
      !
      crypto logging ikev2
      !
      crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
       mode tunnel
      !
      crypto ipsec profile pfsense
       set transform-set ESP-AES256-SHA512
       set ikev2-profile pfsense
      !
      interface Loopback1
       vrf forwarding INTERCO
       ip address 10.15.30.140 255.255.255.128
      !
      interface Tunnel100
       vrf forwarding INTERCO
       no ip address
       tunnel source GigabitEthernet2
       tunnel destination 5.5.5.6
       tunnel protection ipsec profile pfsense
      !
      !
      interface GigabitEthernet2
       ip address 5.5.5.5 255.255.255.252
       negotiation auto
       no mop enabled
       no mop sysid
      !
      !
      !
      ip route vrf INTERCO 172.16.5.0 255.255.255.0 Tunnel100
      !
      line con 0
       stopbits 1
      line vty 0 4
       login local
       transport input ssh
      end

      The IPsec configuration of pfSense is tunnel IPv4; the local network is the LAN subnet (172.16.5.0/24) and the remote network is 10.15.30.128/25.
      [Attached screenshot: pfsense_ipsec_phase_2.png]

      In debug mode on the ASR, I get the error "Failed to find a matching policy" and the IKEv2 SA is flapping between UP and DOWN...

      If I disable the IPsec Phase 2 entry on pfSense, the IKEv2 SA and the interface Tunnel100 on the ASR come UP.

      I think it's because of the ACL sent by pfSense with the remote network and local network, but I can't be sure of this...

      With a crypto map, we can match the IPsec traffic to an ACL, but how can we do the same thing with the tunnel profile method?

      Does anyone have an idea? (Or has anyone already had the same problem?)

      If you need more information, feel free to ask me! ;)

      Thanks to you!

      Trif
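
The post never shows the two sides' proposals next to each other, so here is an added example (not from the post, pfSense or Cisco) that parses the relevant lines of the quoted ASR configuration, models the pfSense Phase 1 / Phase 2 as the post describes them, and reports which negotiable parameters or traffic selectors cannot agree. The pfSense cipher settings, and the any/any traffic selectors attributed to the "tunnel protection" VTI, are assumptions; only the networks and peer addresses come from the post. Selector narrowing follows RFC 7296 section 2.9.

```python
"""Compare the negotiable IKEv2 / IPsec parameters of a Cisco IOS-XE
'tunnel protection' configuration with what a pfSense Phase 1 / Phase 2
would propose, and list what cannot match (added example, not from the post)."""

import ipaddress
import re

# Lines copied from the ASR configuration quoted in the post above.
ASR_CONFIG = """
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 profile pfsense
 match identity remote address 5.5.5.6 255.255.255.255
 identity local address 5.5.5.5
 lifetime 3600
!
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
interface Tunnel100
 vrf forwarding INTERCO
 tunnel destination 5.5.5.6
 tunnel protection ipsec profile pfsense
"""

# Vendor spellings mapped to one canonical name so the two sides can be compared.
IKE_ENC = {"aes-cbc-256": "aes256-cbc", "aes-cbc-128": "aes128-cbc"}
ESP_ENC = {("esp-aes", "256"): "aes256-cbc", ("esp-aes", "128"): "aes128-cbc"}
ESP_INTEG = {"esp-sha512-hmac": "sha512", "esp-sha256-hmac": "sha256", "esp-sha-hmac": "sha1"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_asr(config):
    """Pull the values the remote peer has to mirror out of the IOS-XE text."""
    ts = re.search(r"^crypto ipsec transform-set \S+ (\S+) (\d+) (\S+)", config, re.M)
    return {
        "ike_enc": IKE_ENC[_find(r"^ encryption (\S+)", config)],
        "ike_integ": _find(r"^ integrity (\S+)", config),
        "ike_group": int(_find(r"^ group (\d+)", config)),
        "ike_lifetime": int(_find(r"^ lifetime (\d+)", config)),
        "esp_enc": ESP_ENC[(ts.group(1), ts.group(2))],
        "esp_integ": ESP_INTEG[ts.group(3)],
        "esp_mode": _find(r"^ mode (\S+)", config),
        "local_addr": _find(r"^ identity local address (\S+)", config),
        "peer_addr": _find(r"^ tunnel destination (\S+)", config),
        # A VTI under 'tunnel protection' has no crypto ACL; this model assumes
        # it negotiates any/any traffic selectors, as a routed (sVTI) tunnel does.
        "local_ts": ANY,
        "remote_ts": ANY,
    }


# pfSense Phase 1 / Phase 2 as the post describes them. The cipher values are
# constructed to mirror the ASR; only the networks and addresses come from the post.
PFSENSE = {
    "ike_enc": "aes256-cbc", "ike_integ": "sha512", "ike_group": 24, "ike_lifetime": 3600,
    "esp_enc": "aes256-cbc", "esp_integ": "sha512", "esp_mode": "tunnel",
    "local_ts": ipaddress.ip_network("172.16.5.0/24"),
    "remote_ts": ipaddress.ip_network("10.15.30.128/25"),
    "local_addr": "5.5.5.6", "peer_addr": "5.5.5.5",
}


def narrow(a, b):
    """RFC 7296 section 2.9 narrowing: the agreed selector is the overlap of the
    two proposals, or None when the networks do not overlap at all."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def compare(asr, pf):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    issues = []
    for key in ("ike_enc", "ike_integ", "ike_group", "ike_lifetime",
                "esp_enc", "esp_integ", "esp_mode"):
        if asr[key] != pf[key]:
            issues.append(f"{key}: ASR has {asr[key]!r}, pfSense has {pf[key]!r}")
    if asr["peer_addr"] != pf["local_addr"] or pf["peer_addr"] != asr["local_addr"]:
        issues.append("peer addresses are not mirrored")
    # Selectors are mirrored: pfSense's local network is the ASR's remote one.
    agreed = (narrow(pf["local_ts"], asr["remote_ts"]),
              narrow(pf["remote_ts"], asr["local_ts"]))
    if None in agreed:
        issues.append("traffic selectors do not overlap; no child SA is possible")
    elif agreed != (asr["remote_ts"], asr["local_ts"]):
        issues.append(f"child SA would be narrowed to {agreed[0]} <-> {agreed[1]}, "
                      "not the any/any selectors the routed tunnel side expects")
    return issues


if __name__ == "__main__":
    for line in compare(parse_asr(ASR_CONFIG), PFSENSE) or ["no mismatch found"]:
        print(line)
```

Run as a script it prints the findings; for the configuration as posted, the only reported difference is the traffic-selector narrowing, so the selectors are the first thing to verify on the ASR (`show crypto ipsec sa` lists the negotiated local and remote identities for each child SA).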

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.