Help with IPSEC Error (Give up to get IPsec-SA due to time up to wait)

  • Hello! Thanks for reading.

    I'm having a hell of a time configuring my new pfSense box (1.2.3-RELEASE) to replace an old Cisco PIX 506e. I need to re-establish an IPSEC tunnel, but I'm not having any luck. The log contains the message "ERROR: <dest gateway> give up to get IPsec-SA due to time up to wait" every 30 seconds.

    Here are the crypto & isakmp configs currently running on the PIX 506e that I'm replacing:

    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map cisco-client 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer <dest gateway>
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map 40 ipsec-isakmp dynamic cisco-client
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp key ******** address <dest gateway> netmask
    isakmp identity address
    isakmp keepalive 10 10
    isakmp nat-traversal 20
    isakmp log 10
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 28800
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    And here is my tunnel config:
