IPSEC tunnel between pfsense and Cisco VTI



  • I need to set up an IPsec tunnel between pfSense and a Cisco router. On the Cisco side I have to use a configuration with VTI (virtual tunnel interfaces).
    Phase 1 is established but phase 2 fails with the error:
    "racoon: ERROR: no suitable proposal found."
    The Cisco sends pfSense a proposal with the 0.0.0.0 network.
    Is it possible to configure pfSense to get it working?
    I need to reach one 24-bit network behind the Cisco router.



  • Hi,

    plz provide more details.

    What do your phase 1 and phase 2 look like?

    cya



  • @spiritbreaker:

    Hi,

    plz provide more details.

    What do your phase 1 and phase 2 look like?

    cya

    Hi,
    the Cisco config looks like this:

    interface Tunnel115
     ip vrf forwarding apsdtp
     ip address 192.168.115.1 255.255.255.0
     tunnel source FastEthernet0/1
     tunnel destination PUBLIC_IP_SITEB
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile s2s-ap
    end

    crypto ipsec profile s2s-ap
     set transform-set s2s-TSET

    crypto isakmp key KEEEY address 78.x.x.x5 no-xauth

    On the pfSense I have used the ordinary IPsec configuration, which works without any problem when the IPsec tunnel is terminated on a physical interface rather than a VTI.

    pfSense:
    May 11 17:54:19 racoon: [do-tsp-monitoring]: INFO: IPsec-SA established: ESP 78.x.x.x5[500]->194.x.x.2xx[500] spi=4174818755(0xf8d6adc3)
    May 11 17:55:07 racoon: [do-tsp-monitoring]: INFO: respond new phase 2 negotiation: 78.x.x.x5[500]<=>194.x.x.2xx[500]
    May 11 17:55:07 racoon: ERROR: failed to get sainfo.
    May 11 17:55:07 racoon: ERROR: failed to get sainfo.
    May 11 17:55:07 racoon: [do-tsp-monitoring]: [194.x.x.2xx] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    On the Cisco:
    Interface: Tunnel115
    Session status: UP-ACTIVE
    Peer: 78.x.x.x5 port 500
      IKE SA: local 194.x.x.2xx/500 remote 78.x.x.x5/500 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.115.0/255.255.255.0 192.168.1.0/255.255.255.0
            Active SAs: 2, origin: crypto map

    Next P2:
    *May 11 17:58:29: ISAKMP:(1244): Creating IPSec SAs
    *May 11 17:58:29:        inbound SA from 78.x.x.x5 to 194.x.x.2xx (f/i)  0/ 0
            (proxy 192.168.1.0 to 192.168.115.0)
    *May 11 17:58:29:        has spi 0xF8D6ADC3 and conn_id 0
    *May 11 17:58:29:        lifetime of 3600 seconds
    *May 11 17:58:29:        outbound SA from 194.x.x.2xx to 78.x.x.x5 (f/i) 0/0
            (proxy 192.168.115.0 to 192.168.1.0)
    *May 11 17:58:29:        has spi  0x72F8D79 and conn_id 0
    *May 11 17:58:29:        lifetime of 3600 seconds
    *May 11 17:58:29: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:58:29: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:58:29: ISAKMP:(1244):Node -393251934, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
    *May 11 17:58:29: ISAKMP:(1244):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
    *May 11 17:58:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel115, changed state to up
    *May 11 17:58:29: ISAKMP (1244): received packet from 78.x.x.x5 dport 500 sport 500 Global (R) QM_IDLE
    *May 11 17:58:29: ISAKMP:(1244):deleting node -393251934 error FALSE reason "QM done (await)"
    *May 11 17:58:29: ISAKMP:(1244):Node -393251934, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *May 11 17:58:29: ISAKMP:(1244):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    *May 11 17:58:38: No peer struct to get peer description
    *May 11 17:59:06: No peer struct to get peer description
    *May 11 17:59:07: ISAKMP:(0):purging node -120744098
    *May 11 17:59:07: ISAKMP:(0):purging node 284091442
    *May 11 17:59:17: ISAKMP: set new node 0 to QM_IDLE
    *May 11 17:59:17: SA has outstanding requests  (local 102.143.234.116 port 500, remote 102.143.234.144 port 500)
    *May 11 17:59:17: ISAKMP:(1244): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *May 11 17:59:17: ISAKMP:(1244):beginning Quick Mode exchange, M-ID of 667183992
    *May 11 17:59:17: ISAKMP:(1244):QM Initiator gets spi
    *May 11 17:59:17: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:17: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:17: ISAKMP:(1244):Node 667183992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *May 11 17:59:17: ISAKMP:(1244):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *May 11 17:59:17: ISAKMP:(0):purging SA., sa=6692985C, delme=6692985C
    *May 11 17:59:19: ISAKMP:(1244):purging node -393251934
    *May 11 17:59:27: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 …
    *May 11 17:59:27: ISAKMP (1244): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    *May 11 17:59:27: ISAKMP (1244): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
    *May 11 17:59:27: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
    *May 11 17:59:27: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:27: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:35: No peer struct to get peer description
    *May 11 17:59:37: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
    *May 11 17:59:37: ISAKMP (1244): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
    *May 11 17:59:37: ISAKMP (1244): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
    *May 11 17:59:37: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
    *May 11 17:59:37: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:37: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:40: No peer struct to get peer description
    *May 11 17:59:47: ISAKMP: set new node 0 to QM_IDLE
    *May 11 17:59:47: SA has outstanding requests  (local 102.143.234.116 port 500, remote 102.143.234.144 port 500)
    *May 11 17:59:47: ISAKMP:(1244): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *May 11 17:59:47: ISAKMP:(1244):beginning Quick Mode exchange, M-ID of -1574076160
    *May 11 17:59:47: ISAKMP:(1244):QM Initiator gets spi
    *May 11 17:59:47: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:47: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:47: ISAKMP:(1244):Node -1574076160, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *May 11 17:59:47: ISAKMP:(1244):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *May 11 17:59:47: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
    *May 11 17:59:47: ISAKMP (1244): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
    *May 11 17:59:47: ISAKMP (1244): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
    *May 11 17:59:47: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
    *May 11 17:59:47: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:47: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      -1574076160 ...
    *May 11 17:59:57: ISAKMP (1244): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    *May 11 17:59:57: ISAKMP (1244): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
    *May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 -1574076160 QM_IDLE
    *May 11 17:59:57: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:57: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
    *May 11 17:59:57: ISAKMP (1244): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
    *May 11 17:59:57: ISAKMP (1244): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
    *May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
    *May 11 17:59:57: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
    *May 11 17:59:57: ISAKMP:(1244):Sending an IKE IPv4 Packet.
    *May 11 18:00:07: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      -1574076160 ...
    *May 11 18:00:07: ISAKMP:(1244):peer does not do paranoid keepalives.

    *May 11 18:00:07: ISAKMP:(1244):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE      (peer 78.x.x.x5)

    In the end I have:
    Interface: Tunnel115
    Session status: UP-NO-IKE
    Peer: 78.x.x.x5 port 500
      IKE SA: local 194.x.x.2xx/500 remote 78.x.x.x5/500 Inactive
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.115.0/255.255.255.0 192.168.1.0/255.255.255.0
            Active SAs: 2, origin: crypto map
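The two "IPSEC FLOW" lines above, together with the racoon "failed to get sainfo" message, are the whole story of this failure: the Cisco VTI presents an any/any (0.0.0.0/0 to 0.0.0.0/0) traffic selector in addition to the LAN-to-LAN one, and a responder that only knows a LAN-to-LAN Phase 2 entry can match the second flow but not the first. The script below is an added example, not code from this thread or from racoon/pfSense. It models a responder's Phase 2 (sainfo) lookup as an exact match of both traffic selectors, which is an assumption that approximates racoon's default behaviour rather than a reproduction of it; the pfSense Phase 2 entries it uses are hypothetical and constructed from the networks mentioned in the thread.

```python
"""Model of how an IKEv1 responder matches a peer's Phase 2 traffic
selectors against its own configured Phase 2 (sainfo) entries.

Added example for the thread above; not racoon or pfSense code.
Assumption: the responder accepts a proposal only when BOTH selectors are
exactly equal to a configured entry (approximates racoon's default lookup;
the real daemon has further options not modelled here).
"""

from ipaddress import ip_network


def _net(cidr):
    """Parse 'a.b.c.d/len' into an IPv4Network, tolerating host bits."""
    return ip_network(cidr, strict=False)


# Constructed from the Cisco "IPSEC FLOW" lines in the thread, as
# (source, destination) seen from the Cisco side. The any/any flow is the
# one a Cisco VTI adds on its own.
CISCO_FLOWS = [
    ("0.0.0.0/0", "0.0.0.0/0"),
    ("192.168.115.0/24", "192.168.1.0/24"),
]

# Hypothetical pfSense Phase 2 entries as (local network, remote network).
# LAN_ONLY is the "ordinary" LAN-to-LAN configuration the poster describes;
# ANY is an any/any entry included only to show what the model predicts.
PFSENSE_P2_LAN_ONLY = [("192.168.1.0/24", "192.168.115.0/24")]
PFSENSE_P2_ANY = [("0.0.0.0/0", "0.0.0.0/0")]


def match_sainfo(remote_id, local_id, phase2_entries):
    """Return the (local, remote) entry whose selectors equal the received
    IDs, or None when no entry matches (racoon: 'failed to get sainfo')."""
    remote_net, local_net = _net(remote_id), _net(local_id)
    for local, remote in phase2_entries:
        if _net(local) == local_net and _net(remote) == remote_net:
            return (local, remote)
    return None


def evaluate_flows(flows, phase2_entries):
    """Walk the peer's flows as the responder sees them and report, per flow,
    whether a Phase 2 SA could be negotiated under the exact-match model.

    The peer's source network is the responder's *remote* network and the
    peer's destination network is the responder's *local* network.
    """
    report = {}
    for src, dst in flows:
        hit = match_sainfo(remote_id=src, local_id=dst, phase2_entries=phase2_entries)
        report[f"{src} -> {dst}"] = "matched" if hit else "failed to get sainfo"
    return report


if __name__ == "__main__":
    # The LAN-only configuration explains the thread: one flow gets its SA
    # pair (Active SAs: 2), the any/any flow never does (Active SAs: 0).
    for name, cfg in (("LAN only", PFSENSE_P2_LAN_ONLY), ("any/any", PFSENSE_P2_ANY)):
        print(f"pfSense Phase 2 = {name}")
        for flow, result in evaluate_flows(CISCO_FLOWS, cfg).items():
            print(f"  {flow:40} {result}")
```

Under this model the LAN-only configuration reproduces exactly what the Cisco status output shows: the 192.168.115.0/24 to 192.168.1.0/24 flow is matched (the two active SAs), while the 0.0.0.0/0 flow has no matching entry and is the source of the repeated "failed to get sainfo" and "no suitable proposal found" errors and the Quick Mode retransmissions that follow. The comparison entry shows the flip side of exact matching: an any/any Phase 2 entry accepts the VTI's default selector but, on its own, no longer matches the specific LAN-to-LAN selector, so the two sides have to agree on one style of traffic selector rather than mixing them.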

