<![CDATA[IPSec to Cisco ASR 1013]]>Hi. I am trying to connect a IPSec tunnel to a 3rd party service. I've connected to Cisco ASA before, but nut ASR - Not even familiar with them

Hoping someone here can make sense of this. I've tried a pile of variations. The other side is pretty confident they have their end correct as they have multiple clients connected (this is the first pfsense they are aware of though)

Here is config we have in place at the Cisco (what I was given). I changed s few things for privacy

A0040NtEpsBpr03#show run | section 922
vrf definition M922S
description MBS_M922S
!
address-family ipv4
route-replicate from vrf FVRF unicast static route-map rm_Default_Only
exit-address-family
peer MBS_M922S
address XXX.XXX.212.30
pre-shared-key 1234
crypto ikev2 profile IKEv2_Profile_MBS_M922S
match fvrf FVRF
match identity remote address XXX.XXX.212.30 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local IKEv2_KEY
ivrf M922S
track 922 ip sla 922 reachability
delay down 180 up 180
crypto map Map1 922 ipsec-isakmp
description MBS_M922S
set peer XXX.XXX.212.30
set transform-set Esp_aes256-sha256
set ikev2-profile IKEv2_Profile_MBS_M922S
match address acl_MBS_M922S
interface Loopback922
vrf forwarding M922S
ip address 10.51.0.1 255.255.255.255
interface Tunnel922
description MBS_vrf:M922S-A0040_EPGW_Tunnel
vrf forwarding M922S
ip address XXX.XXX.245.240 255.255.255.254
ip tcp adjust-mss 1363
load-interval 30
tunnel source Loopback99
tunnel destination 10.4.216.94
ip route vrf M922S 10.51.0.0 255.255.254.0 Tunnel922
ip access-list extended acl_MBS_M922S
remark Mobile to Server
permit ip 10.51.0.0 0.0.1.255 any
remark Monitoring
permit ip host XXX.XXX.245.240 host 10.50.3.254

A0040NtEpsBpr03#show crypto session ivrf M922S detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet0/0/0 GigabitEthernet3/0/0
Session status: DOWN
Peer: XXX.XXX.212.30 port 500 fvrf: FVRF ivrf: M922S
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.51.0.0/255.255.254.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 18 life (KB/Sec) 0/0
IPSEC FLOW: permit ip host XXX.XXX.245.240 host 10.50.3.254
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 64 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 64 drop 17829 life (KB/Sec) 0/0

In pfSense:
P1 General Information
Key Exchange version = IKEv2
Internet Protocol = IPv4
Interface = WAN
Remote Gateway = XXX.XXX.245.222

Phase 1 Proposal (Authentication)
Authentication Method = Mutual PSK
My identifier = My IP Address (I've tried just 'IP Address' with my public IP as well)
Peer identifier = Peer IP Address (I've tried 'Any' and 'IP Address' as well)
Pre-Shared Key = 1234

Phase 1 Proposal (Encryption Algorithm)
Encryption Algorithm
Algorithm = AES
Key length = 256 bits
Hash = SHA256
DH Group = 16 (4096 bit)

Lifetime (Seconds) = 86400

Advanced Options
Disable rekey Disables renegotiation when a connection is about to expire. = OFF
Margintime (Seconds) = BLANK
Disable Reauth
Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. = OFF
Responder Only
Enable this option to never initiate this connection from this side, only respond to incoming requests. = OFF

MOBIKE = Disable
Set this option to control the use of MOBIKE
Split connections
Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA. = ON
Dead Peer Detection Enable DPD = ON
Delay = 10
Max failures = 5

There are 2 P2’s in play here
Monitoring:
Mode = Tunnel IPv4
Local Network Type = Address
Address = 10.50.3.254
NAT/BINAT translation = None
Remote Network Type = Address
Address = XXX.XXX.245.240

P2 Proposal
Encryption Algorithms = AES 256 bits
Hash Algorithms = SHA256
PFS key group = off
Lifetime = 3600
Automatically Pin host = BLANK

Tunneled IPs:
Mode = Tunnel IPv4
Local Network Type = Network
Address = 10.50.3.0/24
NAT/BINAT translation = None
Remote Network Type = Network
Address = 10.51.0.0/23

P2 Proposal
Encryption Algorithms = AES 256 bits
Hash Algorithms = SHA256
PFS key group = off
Lifetime = 3600
Automatically Pin host = BLANK

Now for the logs (oldest at the top) are attached. This is one with my IP not forced and the other with it forced. I can see there is an Authentication error, but I don't see a misalignment anywhere. There is also a complaint about the vendor id, I don't know what that exactly means here either though

Any insight here would be fantastic!

]]>https://forum.netgate.com/topic/142040/ipsec-to-cisco-asr-1013RSS for NodeSun, 14 Jun 2026 07:08:40 GMTThu, 28 Mar 2019 20:47:44 GMT60<![CDATA[Reply to IPSec to Cisco ASR 1013 on Fri, 29 Mar 2019 15:29:48 GMT]]>@Konstanti
Ya, I can't tell you how many times I verified the IPSec settings
Magically, the connection was established last night as I left it on while doing some other work. When I returned to have another look, the connection was made. I tried this current configuration multiple times to no avail, so I am baffled as to what the resolution was

I'm booking a meeting with a guy at the other side to start pulling parts and pieces apart to determine the issue

One thing I noticed is that the initial attempts to connect were using port 4500 and the established tunnel is on 500 (I have no firewall logs blocking this and I have rules on WAN in place explicitly allowing UDP 500/4500 and ESP.

Perhaps their end isn't liking the 4500 (they told me they are good with the UDP 4500 mind you)

Sort of feels like Cisco just not wanting to play nice in the sandbox with the other kids.

I'll update with any resolution(s) or comments here

]]>https://forum.netgate.com/post/833849https://forum.netgate.com/post/833849Fri, 29 Mar 2019 15:29:48 GMT<![CDATA[Reply to IPSec to Cisco ASR 1013 on Fri, 29 Mar 2019 10:45:27 GMT]]>@tgreen
Hey

You should check IPSEC settings ( phase 1) (My identifier / Remote identifier)
The logs say that is not found preshared-key

fb424782-b753-4994-a747-4ea7fddeb57e-image.png charon: 13[IKE] <con3000|1> authentication of 'XXX.XXX.212.30' (myself) with pre-shared key
charon: 13[IKE] <con3000|1> no shared key found for 'XXX.XXX.212.30' - 'XXX.XXX.245.222'

73ba7734-2274-4785-b939-0ae7b0b81e2e-image.png 28.03.2019 13:40 charon: 12[CFG] <con3000|17> selected peer config 'con3000'
28.03.2019 13:40 charon: 12[IKE] <con3000|17> no shared key found for '%any' - 'XXX.XXX.245.222'

]]>https://forum.netgate.com/post/833773https://forum.netgate.com/post/833773Fri, 29 Mar 2019 10:45:27 GMT<![CDATA[Reply to IPSec to Cisco ASR 1013 on Thu, 28 Mar 2019 20:52:18 GMT]]>@tgreen The logs are being marked as spam for some reason
IPsec Logs.7z

]]>https://forum.netgate.com/post/833668https://forum.netgate.com/post/833668Thu, 28 Mar 2019 20:52:18 GMT