Unable to establish tunnel from remote side…



  • Hi,

    Trying to set up an IPsec connection with a remote peer (Cisco ASA) which fails when the remote peer tries to initiate the tunnel.

    The log states:

    Apr 16 10:56:02SEBHCFW01racoon:INFO: respond new phase 1 negotiation: local peer ip[500]<=>remote peer ip[500]
    Apr 16 10:56:02SEBHCFW01racoon:INFO: begin Identity Protection mode.
    Apr 16 10:56:02SEBHCFW01racoon:INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 16 10:56:02SEBHCFW01racoon:INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 16 10:56:02SEBHCFW01racoon:INFO: received Vendor ID: RFC 3947
    Apr 16 10:56:02SEBHCFW01racoon:INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 16 10:56:02SEBHCFW01racoon:[remote peer ip] INFO: Selected NAT-T version: RFC 3947
    Apr 16 10:56:02SEBHCFW01racoon:ERROR: no suitable proposal found.
    Apr 16 10:56:02SEBHCFW01racoon:[remote peer ip] ERROR: failed to get valid proposal.
    Apr 16 10:56:02SEBHCFW01racoon:[remote peer ip] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
    Apr 16 10:56:02SEBHCFW01racoon:[remote peer ip] ERROR: phase1 negotiation failed.

    As seen in the logs above I tried enabling NAT-T just to ensure that there was no device between the two peers that where interfering with the traffic.

    Any suggestions on this?

    Regards,
    Anders



  • Just a quick update with the solution and thanks to cmb and jimp for the assistance (through commercial support).

    Apparently, the configuration of the Cisco device did not enforce it to use the Phase1 protocols defined and since proposal checking on the pfSense device was set to "strict" the negotiation failed.
    Changing proposal checking to "obey" did the trick.

    Also, it is recommended to keep SA lifetime on phase1 to 86400 as the Cisco devices are not to happy about changing this unless it is done 110% correctly.


Log in to reply