Netgate Discussion Forum

Help with IPSEC Error (Give up to get IPsec-SA due to time up to wait)

    Zathu
    Jul 12, 2011, 10:55 AM (last edited Jul 12, 2011, 10:57 AM)

    Hello! Thanks for reading.

    I'm having a hell of a time configuring my new pfSense box (1.2.3-RELEASE) to replace an old Cisco PIX 506e. I need to re-establish an IPSEC tunnel, but I'm not having any luck. The log contains the message "ERROR: <dest gateway> give up to get IPsec-SA due to time up to wait" every 30 seconds.

    Here are the crypto & isakmp configs currently running on the PIX 506e that I'm replacing:

    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map cisco-client 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer <dest gateway>
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map 40 ipsec-isakmp dynamic cisco-client
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp key ******** address <dest gateway> netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp log 10
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 28800
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    

    And here is my tunnel config:
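Added example, not part of the original post and not the tunnel config it refers to: a small parser that reduces the PIX configuration quoted in the post to the Phase 1 (isakmp) policies and the Phase 2 settings of the crypto map entry for one peer, which are the values the replacement tunnel has to match. The function names and the embedded excerpt (constructed from the post's own config lines, peer left as the post's placeholder) are assumptions of this example.

```python
import re

# Constructed excerpt of the PIX config quoted in the post.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer <dest gateway>
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
"""

def parse_pix(config):
    """Return (transform_sets, crypto_map_entries, isakmp_policies)."""
    tsets, entries, policies = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (esp-\S+(?: esp-\S+)*)$", line):
            tsets[m[1]] = m[2].split()          # name -> list of ESP transforms
        elif m := re.match(r"crypto map (\S+) (\d+) (?:set|match) (\S+) (.+)$", line):
            entries.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            policies.setdefault(int(m[1]), {})[m[2]] = m[3]
    return tsets, entries, policies

def tunnel_requirements(config, peer):
    """Phase 1 policies (priority order) and Phase 2 settings for one peer."""
    tsets, entries, policies = parse_pix(config)
    for _, entry in sorted(entries.items(), key=lambda kv: kv[0]):
        if entry.get("peer") == peer:
            phase2 = {"transforms": tsets[entry["transform-set"]],
                      "pfs": entry.get("pfs"), "acl": entry.get("address")}
            return {"phase1": [policies[n] for n in sorted(policies)], "phase2": phase2}
    raise LookupError(f"no crypto map entry for peer {peer!r}")
```

The result keeps Phase 1 and Phase 2 apart because policy 30's `encryption aes` and the transform set's `esp-aes-256` are separate settings in this config.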
