Help with IPSEC Error (Give up to get IPsec-SA due to time up to wait)
-
Hello! Thanks for reading.
I'm having a hell of a time configuring my new pfSense box (1.2.3-RELEASE) to replace an old Cisco PIX 506e. I need to re-establish a IPSEC tunnel, but I'm not having any luck. The log contains the message "ERROR: <dest gateway="">give up to get IPsec-SA due to time up to wait" every 30 seconds.
Here are the crypto & isakmp configs currently running on the PIX 506e that I'm replacing:
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map cisco-client 40 set transform-set ESP-3DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set pfs group2 crypto map outside_map 20 set peer <dest gateway=""> crypto map outside_map 20 set transform-set ESP-AES-256-SHA crypto map outside_map 40 ipsec-isakmp dynamic cisco-client crypto map outside_map client configuration address initiate crypto map outside_map client authentication RADIUS crypto map outside_map interface outside isakmp enable outside isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 isakmp key ******** address <dest gateway=""> netmask 255.255.255.255 isakmp identity address isakmp keepalive 10 10 isakmp nat-traversal 20 isakmp log 10 isakmp policy 30 authentication pre-share isakmp policy 30 encryption aes isakmp policy 30 hash sha isakmp policy 30 group 2 isakmp policy 30 lifetime 28800 isakmp policy 40 authentication pre-share isakmp policy 40 encryption 3des isakmp policy 40 hash md5 isakmp policy 40 group 2 isakmp policy 40 lifetime 86400</dest></dest>And here is my tunnel config:
</dest>