Netgate Discussion Forum

    Help with IPSEC Error (Give up to get IPsec-SA due to time up to wait)

      Zathu

      Hello! Thanks for reading.

      I'm having a hell of a time configuring my new pfSense box (1.2.3-RELEASE) to replace an old Cisco PIX 506e. I need to re-establish an IPSEC tunnel, but I'm not having any luck. The log contains the message "ERROR: <dest gateway> give up to get IPsec-SA due to time up to wait" every 30 seconds.

      Here are the crypto & isakmp configs currently running on the PIX 506e that I'm replacing:

      crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
      crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
      crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
      crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
      crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      crypto dynamic-map cisco-client 40 set transform-set ESP-3DES-MD5
      crypto map outside_map 20 ipsec-isakmp
      crypto map outside_map 20 match address outside_cryptomap_20
      crypto map outside_map 20 set pfs group2
      crypto map outside_map 20 set peer <dest gateway>
      crypto map outside_map 20 set transform-set ESP-AES-256-SHA
      crypto map outside_map 40 ipsec-isakmp dynamic cisco-client
      crypto map outside_map client configuration address initiate
      crypto map outside_map client authentication RADIUS
      crypto map outside_map interface outside
      isakmp enable outside
      isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
      isakmp key ******** address <dest gateway> netmask 255.255.255.255
      isakmp identity address
      isakmp keepalive 10 10
      isakmp nat-traversal 20
      isakmp log 10
      isakmp policy 30 authentication pre-share
      isakmp policy 30 encryption aes
      isakmp policy 30 hash sha
      isakmp policy 30 group 2
      isakmp policy 30 lifetime 28800
      isakmp policy 40 authentication pre-share
      isakmp policy 40 encryption 3des
      isakmp policy 40 hash md5
      isakmp policy 40 group 2
      isakmp policy 40 lifetime 86400
      

      And here is my tunnel config:

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.