PfSense to Cisco ASA



  • I am trying to get a site to site VPN going between a pfSense firewall and a Cisco ASA.  It seems that phase 1 works, but phase 2 fails.

    Here is my error log from pfSense:

    Nov 8 15:11:00 racoon: ERROR: failed to pre-process packet.
    Nov 8 15:11:00 racoon: ERROR: failed to get sainfo.
    Nov 8 15:11:00 racoon: ERROR: failed to get sainfo.
    Nov 8 15:11:00 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Nov 8 15:11:00 racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]

    Here is my error log from Cisco:

    4 Nov 08 2007 10:06:17 113019 Group = xxx.xxx.xxx.xxx, Username = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
    3 Nov 08 2007 10:06:17 713902 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
    1 Nov 08 2007 10:06:17 713900 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    3 Nov 08 2007 10:06:17 713902 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, QM FSM error (P2 struct &0xd5b62858, mess id 0x9ddc5616)!

    Here is my pfSense config:

    <ipsec><preferredoldsa><tunnel><interface>wan</interface>
    <local-subnet><address>192.168.13.0/24</address></local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>yyy.yyy.yyy.yyy</remote-gateway>
    <p1><mode>aggressive</mode>
    <myident><myaddress></myaddress></myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>KEY</pre-shared-key>
    <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
    <p2><protocol>esp</protocol>
    <encryption-algorithm-option>des</encryption-algorithm-option>
    <encryption-algorithm-option>3des</encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>86400</lifetime></p2>
    <descr><pinghost>10</pinghost></descr></tunnel>
    <enable></enable></preferredoldsa></ipsec>

    Here is my Cisco config:

    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname fw
    domain-name pixia.com
    enable password LTFd9GMmqnbHlQ9Q encrypted
    names

    ! Defines outside interface. Security-level must be set to a number lower than the inside Interface
    ! Security-level is higher the closer you get to the network that is being protected
    interface Ethernet0/0
    nameif outside
    security-level 10
    ip address yyy.yyy.yyy.yyy 255.255.255.224

    ! Defines inside interface. Security-level is set to a number higher than the outside interface
    interface Ethernet0/1
    nameif inside
    security-level 90
    ip address 192.168.0.1 255.255.255.0

    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address

    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address

    ! Defines management network
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only

    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name pixia.com
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp

    ! Traffic sourced from local LAN with destination of remote site local LAN
    access-list REMOTE_SITE_100_VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0

    ! All the traffic which will be encapsulated by IPsec VPNs (persistent, or demand-dial)
    access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0

    ! L2TP uses UDP port 1701 to establish a connection. An access-group later in this config references this ACL for allowing inbound L2TP session connections.
    access-list INBOUND extended permit udp any yyy.yyy.yyy.yyy eq 1701

    ! Allows a TCP or UDP connection to port 80 on the outside interface
    access-list INBOUND extended permit object-group TCPUDP any host yyy.yyy.yyy.yyy eq www

    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500

    ! Pool of IP addresses for demand-dial VPN Clients
    ip local pool CLIENT_VPN_IP_POOL 192.168.0.20-192.168.0.29

    icmp unreachable rate-limit 1 burst-size 1

    ! Allow the inside interface to respond to all icmp requests
    icmp permit any inside

    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400

    ! Do port-address-translation (PAT) for all traffic with source IP of 192.168.0.0/24 with destination off-link
    global (outside) 101 interface
    nat (management) 101 0.0.0.0 0.0.0.0
    nat (inside) 101 192.168.0.0 255.255.255.0

    ! Don’t NAT IPsec traffic
    nat (inside) 0 access-list NO_NAT

    ! Create a hole in the firewall mapping a specific port from the outside interface to a computer on the inside network
    static (inside,outside) tcp interface www 192.168.0.121 www netmask 255.255.255.255

    ! Allow L2TP establishment to the outside interface of the PIX
    access-group INBOUND in interface outside

    ! Route traffic to the gateway
    route outside 0.0.0.0 0.0.0.0 216.132.116.97 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL

    ! Don’t make VPN traffic subject to ACL filtering
    sysopt connection permit-vpn

    ! enable server, enable server management on both the inside and management networks
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart

    ! Transforms for supporting both demand-dial and persistent (transport-mode & tunnel-mode) IPsec VPNs
    ! 3DES is the common cipher supported by both XP and Vista.
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set L2TP-IPSEC esp-3des esp-md5-hmac
    crypto ipsec transform-set L2TP-IPSEC mode transport
    crypto ipsec transform-set IPSEC-AES esp-aes-256 esp-sha-hmac

    ! crypto dynamic-map for demand-dial vpn connections: L2TP, Cisco
    ! L2TP demand-dial using IPsec transport-mode, while Cisco VPN software (and hardware clients) uses IPsec tunnel-mode, hence the dynamic map (which is used for all demand-dial VPN clients) must include both.
    crypto dynamic-map DYN_MAP 10 set transform-set L2TP-IPSEC IPSEC-AES ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 86400

    ! Only a single crypto map can be applied to an interface.
    ! This shows how a single crypto map can handle multiple persistent and demand-dial VPNs concurrently.
    ! 10 is for persistent site-to-site tunnels
    ! 30 is for demand-dial connections
    ! Any number of persistent connection maps can be added here (e.g. site-to-site); however, only a single dynamic map can be applied to support demand-dial clients.
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_100_VPN
    crypto map OUTSIDE_MAP 10 set connection-type originate-only
    crypto map OUTSIDE_MAP 10 set peer xxx.xxx.xxx.xxxx
    crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 86400
    crypto map OUTSIDE_MAP 10 set phase1-mode aggressive
    crypto map OUTSIDE_MAP 30 ipsec-isakmp dynamic DYN_MAP
    crypto map OUTSIDE_MAP interface outside

    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp nat-traversal

    ! The cipher/hash pair the initiating client requests has to match one of these pairs. Each will be tried in order until a match is found
    crypto isakmp policy 5
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 15
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800

    client-update enable
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 60
    ssh version 2
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    ntp server 192.168.0.17 source inside prefer
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.0.2
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value pixia.com
    address-pools value CLIENT_VPN_IP_POOL
    group-policy CISCO_CLIENT_VPN_POLICY internal
    group-policy CISCO_CLIENT_VPN_POLICY attributes
    dns-server value 192.168.0.2
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec
    default-domain value pixia.com
    address-pools value CLIENT_VPN_IP_POOL

    username pakulas password nx4VQfcMfAOEe5iQdGi8cQ== nt-encrypted privilege 15
    username admin password VfjI1SIZacDuk19Y encrypted privilege 15
    username wangj password axeYWHYjyZ57TCR16KVVqw== nt-encrypted
    username user password V9WDqkbVcVAqrUu3rqCccA== nt-encrypted
    username thakkarr password RBdmPmK/OV4QMS0Qede1fA== nt-encrypted
    username courtneys password G9vyte4t9TOhggD8L/2h4Q== nt-encrypted privilege 15
    username soods password BI5t1P4KsWB6r/wIOyPq9w== nt-encrypted
    username jensenk password oYo1okpfD/2N1fmAwEadgA== nt-encrypted

    ! Tunnel-group for servicing demand-dial L2TP clients
    ! User-specified groups are not supported for L2TP, only DefaultRAGroup
    tunnel-group DefaultRAGroup general-attributes
    address-pool CLIENT_VPN_IP_POOL
    authorization-server-group LOCAL
    authorization-required
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1

    ! Tunnel-group for supporting Cisco client software and hardware VPN clients
    tunnel-group CISCO_CLIENT_VPN_GROUP type remote-access
    tunnel-group CISCO_CLIENT_VPN_GROUP general-attributes
    address-pool CLIENT_VPN_IP_POOL
    default-group-policy CISCO_CLIENT_VPN_POLICY
    tunnel-group CISCO_CLIENT_VPN_GROUP ipsec-attributes
    pre-shared-key *
    tunnel-group CISCO_CLIENT_VPN_GROUP ppp-attributes
    authentication ms-chap-v2

    ! For persistent connections, the tunnel-group name has to be the same as the peer IP address
    tunnel-group xxx.xxx.xxx.xxxx type ipsec-l2l
    tunnel-group xxx.xxx.xxx.xxxx ipsec-attributes
    pre-shared-key *

    prompt hostname context
    Cryptochecksum:7422f35c0785c96cc89efedd3ccede09
    : end



  • Let's try to narrow down a few things. What ASA model and OS version are you running? I would suggest limiting the protocol/encryption/hash to ESP-3DES-MD5 and disable or disallow all the others. When phase 1 completes on the Cisco side and you try to ping through from the Cisco LAN to the pfSense LAN, does anything change (TTL?, RTT?)?

    I will lab this up with one of my work ASAs to my home pfSense to offer some additional assistance.
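Racoon logs "failed to get sainfo" when the Quick Mode identities (proxy IDs) the peer sends match none of its sainfo sections, and it reports transform and PFS disagreements separately. The checker below is an added example, not code from either poster, pfSense or Cisco; it rebuilds that comparison from the two configs quoted above, using a constructed excerpt of the ASA config and the pfSense `<p2>` values as constants, and it works for any crypto map entry name and sequence number, not only `OUTSIDE_MAP 10`.

```python
from ipaddress import ip_network

# Values constructed from the two configs in the thread; not pfSense or Cisco code.
PFSENSE_P2 = {"enc": {"des", "3des"}, "hash": {"hmac_sha1", "hmac_md5"},
              "local": "192.168.13.0/24", "remote": "192.168.0.0/24", "pfs": 0}
ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list REMOTE_SITE_100_VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.13.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_100_VPN
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
"""
# ASA transform keywords mapped onto the names racoon uses in pfSense's <p2> block
ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes", "esp-aes-192": "aes", "esp-aes-256": "aes"}
HASH = {"esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5"}

def parse_asa(text, map_name, seq):
    """Collect what crypto map <map_name> <seq> proposes in Quick Mode."""
    ts, acls, entry = {}, {}, {"ts": [], "acl_name": None, "pfs": 0}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) == 6 and w[4] in ENC:
            ts[w[3]] = (ENC[w[4]], HASH.get(w[5]))
        elif w[:1] == ["access-list"] and w[3:5] == ["permit", "ip"]:
            acls.setdefault(w[1], []).append((ip_network(f"{w[5]}/{w[6]}"), ip_network(f"{w[7]}/{w[8]}")))
        # Name compared exactly, so outside_map and OUTSIDE_MAP are treated as different maps
        elif w[:4] == ["crypto", "map", map_name, str(seq)]:
            if w[4:6] == ["match", "address"]:
                entry["acl_name"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                entry["ts"] = [ts[n] for n in w[6:] if n in ts]  # proposed in this order
            elif w[4:6] == ["set", "pfs"]:  # a bare "set pfs" means group2
                entry["pfs"] = int((w[6:] or ["group2"])[0][5:])
    entry["acl"] = acls.get(entry["acl_name"], [])
    return entry

def phase2_mismatches(pf, asa):
    """Return the phase 2 disagreements between the two sides: transforms, proxy IDs, PFS."""
    problems = []
    if not [t for t in asa["ts"] if t[0] in pf["enc"] and t[1] in pf["hash"]]:
        problems.append("no common ESP encryption/hash pair")
    # Proxy IDs: the crypto ACL source is the ASA's LAN, which is pfSense's remote-subnet
    want = (ip_network(pf["remote"]), ip_network(pf["local"]))
    if want not in asa["acl"]:
        problems.append(f"no crypto ACL entry for {want[0]} -> {want[1]}")
    if asa["pfs"] != pf["pfs"]:
        problems.append(f"ASA PFS group {asa['pfs']} vs pfSense pfsgroup {pf['pfs']}")
    return problems
```

Run against the quoted values it returns an empty list, so the four transform sets, the proxy IDs and PFS all line up; changing the ACL subnet, the pfSense cipher list or adding `set pfs` to the map entry makes the corresponding mismatch show up.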

