Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec to Cisco ASR 1013

    IPsec
    2
    4
    696
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tgreen
      last edited by tgreen

      Hi. I am trying to connect a IPSec tunnel to a 3rd party service. I've connected to Cisco ASA before, but nut ASR - Not even familiar with them

      Hoping someone here can make sense of this. I've tried a pile of variations. The other side is pretty confident they have their end correct as they have multiple clients connected (this is the first pfsense they are aware of though)

      Here is config we have in place at the Cisco (what I was given). I changed s few things for privacy

      A0040NtEpsBpr03#show run | section 922
      vrf definition M922S
      description MBS_M922S
      !
      address-family ipv4
      route-replicate from vrf FVRF unicast static route-map rm_Default_Only
      exit-address-family
      peer MBS_M922S
      address XXX.XXX.212.30
      pre-shared-key 1234
      crypto ikev2 profile IKEv2_Profile_MBS_M922S
      match fvrf FVRF
      match identity remote address XXX.XXX.212.30 255.255.255.255
      authentication local pre-share
      authentication remote pre-share
      keyring local IKEv2_KEY
      ivrf M922S
      track 922 ip sla 922 reachability
      delay down 180 up 180
      crypto map Map1 922 ipsec-isakmp
      description MBS_M922S
      set peer XXX.XXX.212.30
      set transform-set Esp_aes256-sha256
      set ikev2-profile IKEv2_Profile_MBS_M922S
      match address acl_MBS_M922S
      interface Loopback922
      vrf forwarding M922S
      ip address 10.51.0.1 255.255.255.255
      interface Tunnel922
      description MBS_vrf:M922S-A0040_EPGW_Tunnel
      vrf forwarding M922S
      ip address XXX.XXX.245.240 255.255.255.254
      ip tcp adjust-mss 1363
      load-interval 30
      tunnel source Loopback99
      tunnel destination 10.4.216.94
      ip route vrf M922S 10.51.0.0 255.255.254.0 Tunnel922
      ip access-list extended acl_MBS_M922S
      remark Mobile to Server
      permit ip 10.51.0.0 0.0.1.255 any
      remark Monitoring
      permit ip host XXX.XXX.245.240 host 10.50.3.254

      A0040NtEpsBpr03#show crypto session ivrf M922S detail
      Crypto session current status

      Code: C - IKE Configuration mode, D - Dead Peer Detection
      K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
      X - IKE Extended Authentication, F - IKE Fragmentation
      R - IKE Auto Reconnect

      Interface: GigabitEthernet0/0/0 GigabitEthernet3/0/0
      Session status: DOWN
      Peer: XXX.XXX.212.30 port 500 fvrf: FVRF ivrf: M922S
      Desc: (none)
      Phase1_id: (none)
      IPSEC FLOW: permit ip 10.51.0.0/255.255.254.0 0.0.0.0/0.0.0.0
      Active SAs: 0, origin: crypto map
      Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
      Outbound: #pkts enc'ed 0 drop 18 life (KB/Sec) 0/0
      IPSEC FLOW: permit ip host XXX.XXX.245.240 host 10.50.3.254
      Active SAs: 0, origin: crypto map
      Inbound: #pkts dec'ed 64 drop 0 life (KB/Sec) 0/0
      Outbound: #pkts enc'ed 64 drop 17829 life (KB/Sec) 0/0

      In pfSense:
      P1 General Information
      Key Exchange version = IKEv2
      Internet Protocol = IPv4
      Interface = WAN
      Remote Gateway = XXX.XXX.245.222

      Phase 1 Proposal (Authentication)
      Authentication Method = Mutual PSK
      My identifier = My IP Address (I've tried just 'IP Address' with my public IP as well)
      Peer identifier = Peer IP Address (I've tried 'Any' and 'IP Address' as well)
      Pre-Shared Key = 1234

      Phase 1 Proposal (Encryption Algorithm)
      Encryption Algorithm
      Algorithm = AES
      Key length = 256 bits
      Hash = SHA256
      DH Group = 16 (4096 bit)

      Lifetime (Seconds) = 86400

      Advanced Options
      Disable rekey Disables renegotiation when a connection is about to expire. = OFF
      Margintime (Seconds) = BLANK
      Disable Reauth
      Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. = OFF
      Responder Only
      Enable this option to never initiate this connection from this side, only respond to incoming requests. = OFF

      MOBIKE = Disable
      Set this option to control the use of MOBIKE
      Split connections
      Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA. = ON
      Dead Peer Detection Enable DPD = ON
      Delay = 10
      Max failures = 5

      There are 2 P2’s in play here
      Monitoring:
      Mode = Tunnel IPv4
      Local Network Type = Address
      Address = 10.50.3.254
      NAT/BINAT translation = None
      Remote Network Type = Address
      Address = XXX.XXX.245.240

      P2 Proposal
      Encryption Algorithms = AES 256 bits
      Hash Algorithms = SHA256
      PFS key group = off
      Lifetime = 3600
      Automatically Pin host = BLANK

      Tunneled IPs:
      Mode = Tunnel IPv4
      Local Network Type = Network
      Address = 10.50.3.0/24
      NAT/BINAT translation = None
      Remote Network Type = Network
      Address = 10.51.0.0/23

      P2 Proposal
      Encryption Algorithms = AES 256 bits
      Hash Algorithms = SHA256
      PFS key group = off
      Lifetime = 3600
      Automatically Pin host = BLANK

      Now for the logs (oldest at the top) are attached. This is one with my IP not forced and the other with it forced. I can see there is an Authentication error, but I don't see a misalignment anywhere. There is also a complaint about the vendor id, I don't know what that exactly means here either though

      Any insight here would be fantastic!

      T 1 Reply Last reply Reply Quote 0
      • T
        tgreen @tgreen
        last edited by

        @tgreen The logs are being marked as spam for some reason
        IPsec Logs.7z

        K 1 Reply Last reply Reply Quote 0
        • K
          Konstanti @tgreen
          last edited by Konstanti

          @tgreen
          Hey

          You should check IPSEC settings ( phase 1) (My identifier / Remote identifier)
          The logs say that is not found preshared-key

          fb424782-b753-4994-a747-4ea7fddeb57e-image.png charon: 13[IKE] <con3000|1> authentication of 'XXX.XXX.212.30' (myself) with pre-shared key
          charon: 13[IKE] <con3000|1> no shared key found for 'XXX.XXX.212.30' - 'XXX.XXX.245.222'

          73ba7734-2274-4785-b939-0ae7b0b81e2e-image.png 28.03.2019 13:40 charon: 12[CFG] <con3000|17> selected peer config 'con3000'
          28.03.2019 13:40 charon: 12[IKE] <con3000|17> no shared key found for '%any' - 'XXX.XXX.245.222'

          T 1 Reply Last reply Reply Quote 0
          • T
            tgreen @Konstanti
            last edited by tgreen

            @Konstanti
            Ya, I can't tell you how many times I verified the IPSec settings
            Magically, the connection was established last night as I left it on while doing some other work. When I returned to have another look, the connection was made. I tried this current configuration multiple times to no avail, so I am baffled as to what the resolution was

            I'm booking a meeting with a guy at the other side to start pulling parts and pieces apart to determine the issue

            One thing I noticed is that the initial attempts to connect were using port 4500 and the established tunnel is on 500 (I have no firewall logs blocking this and I have rules on WAN in place explicitly allowing UDP 500/4500 and ESP.

            Perhaps their end isn't liking the 4500 (they told me they are good with the UDP 4500 mind you)

            Sort of feels like Cisco just not wanting to play nice in the sandbox with the other kids.

            I'll update with any resolution(s) or comments here

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.