PfSense IPSec to Cisco ASA5500
-
Hi all.
I have tried to make a Lan-to-Lan IPSec tunnel between my pfSense 1.2.3 and a Cisco ASA 7.2, but keeping getting the message on phase 2 (ASA log):
All IPSec SA proposals found unacceptable!
Has anyone managed to establish an IPSec VPN Lan-to-Lan connection and has a config for both the ASA and pfSense?
I have also tried to search this board and did not find anything.
Help needed… ???
-
The ASA config is covered in the book, but I don't recall if it was 100% tested or not.
If your proposal isn't matching, check the phase 2 settings on both sides, specifically your transform set on the Cisco, and the items checked on the pfSense side. Set everything explicitly, don't assume defaults (especially on the Cisco).
Usually the IPsec log on pfSense is quite verbose about a mismatch though. Can you paste the entire log here from a connection attempt?
-
The ASA config is covered in the book, but I don't recall if it was 100% tested or not.
Where do I find this book…?
Regards
Knudsen
-
http://blog.pfsense.org/?p=509
-
http://blog.pfsense.org/?p=509
Not quite the answer I expected… a printed BOOK...! :o Can't remember last time I saw a printed book... ;D
Anyways - I have checked all settings and verified they are the same... and no default settings - all options set by me...! - And yes, I have tried a Google search, and I can conclude many have the same problems - so it might be nice if anyone has a working template for a site-to-site VPN between a pfSense and a Cisco ASA...
The pfSense log:
Feb 12 20:17:47 racoon: [IPSec tunnel Test ASA]: INFO: IPsec-SA request for xx.xx.xx.xx queued due to no phase1 found.
Feb 12 20:17:47 racoon: [IPSec tunnel Test ASA]: INFO: initiate new phase 1 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]
Feb 12 20:17:47 racoon: INFO: begin Identity Protection mode.
Feb 12 20:17:47 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 12 20:17:48 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 12 20:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 12 20:17:48 racoon: [IPSec tunnel Test ASA]: INFO: ISAKMP-SA established yy.yy.yy.yy[500]-xx.xx.xx.xx[500] spi:7da9912b3b25e229:53ff666a4b23a207
Feb 12 20:17:49 racoon: [IPSec tunnel Test ASA]: INFO: initiate new phase 2 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]
Feb 12 20:17:49 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Feb 12 20:17:49 racoon: ERROR: Message: 'WS'.
-
Not quite the answer I expected… a printed BOOK...! :o Can't remember last time I saw a printed book... ;D
I prefer print, but I'm old school that way. :-)
Feb 12 20:17:49 racoon: [IPSec tunnel Test ASA]: INFO: initiate new phase 2 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]
Feb 12 20:17:49 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
That still suggests that phase 2 is not matching in some way. Hard to say how, it usually logs something about why, but it may even be a mismatch in the subnet definitions on either end for the internal networks.
Can you post a listing of the ASA config and screenshots of the pfSense side?
-
That still suggests that phase 2 is not matching in some way. Hard to say how, it usually logs something about why, but it may even be a mismatch in the subnet definitions on either end for the internal networks.
Can you post a listing of the ASA config and screenshots of the pfSense side?
You are almost spot on…
I did some debugging on the ASA and discovered a very interesting thing:
The access-list for matching interesting traffic was made by the WEB-GUI and was like this:
access-list OFFICE_nat0_outbound extended permit interface OFFICE-LAN 192.168.2.0 255.255.255.0
Changed this to the IP address instead, and it worked - just like this:
access-list OFFICE_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
According to the log, the address mask was not matching when using the interface name in access-lists, but the mask was the same all over on the interfaces (i.e. /24)...!
Log from ASA was showing (when I did ICMP ping from pfSense toward ASA):
Static Crypto Map check, map = outside_map, seq = 20, ACL does not match proxy IDs src:192.168.1.0 dst:192.168.6.0
This is RIGHT...! But the ASA doesn't like it at all... ;D So I changed the interface name to the actual address and mask - and then it worked like a charm...!
Thanks for the help everyone...
Regards
Knudsen
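As an added example (not code from the thread or from either vendor), the check below models why the two ACL forms above behave differently: it parses an ASA extended ACE into the networks the ASA would present as phase 2 proxy IDs and compares them with the pfSense side's local/remote subnets, the way the "ACL does not match proxy IDs" log entry does. It assumes the ASA `interface` keyword resolves to the interface's own address (a single host, not the subnet behind it), and the OFFICE-LAN address 192.168.6.1 is a constructed value.

```python
import ipaddress
import re

# Constructed for this example: the interface name from the thread's original
# ACL, mapped to an assumed interface address.
INTERFACE_ADDRS = {"OFFICE-LAN": "192.168.6.1"}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit(?:\s+ip)?\s+(.+)$")


def _take_endpoint(tokens):
    """Consume one ACE endpoint (src or dst) and return it as an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "interface":
        # 'interface NAME' names the interface's own address, a single host,
        # which is why the resulting proxy ID is a /32 rather than the LAN /24.
        return ipaddress.ip_network(INTERFACE_ADDRS[tokens.pop(0)] + "/32")
    # Plain form: address followed by a dotted netmask.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def asa_proxy_ids(ace):
    """Return the (local, remote) networks the ASA derives from a crypto ACL entry."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("not an extended permit ACE: " + ace)
    tokens = m.group(2).split()
    local = _take_endpoint(tokens)
    remote = _take_endpoint(tokens)
    return local, remote


def phase2_matches(ace, pf_local, pf_remote):
    """True when the ASA ACE mirrors the pfSense phase 2 selectors exactly:
    ASA local must equal pfSense remote and ASA remote must equal pfSense local."""
    asa_local, asa_remote = asa_proxy_ids(ace)
    return (asa_local == ipaddress.ip_network(pf_remote)
            and asa_remote == ipaddress.ip_network(pf_local))


# The two ACL forms from the thread: the GUI-generated one and the working one.
BROKEN_ACE = "access-list OFFICE_nat0_outbound extended permit interface OFFICE-LAN 192.168.2.0 255.255.255.0"
FIXED_ACE = "access-list OFFICE_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0"

if __name__ == "__main__":
    for ace in (BROKEN_ACE, FIXED_ACE):
        print(asa_proxy_ids(ace), phase2_matches(ace, "192.168.2.0/24", "192.168.6.0/24"))
```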