Site to site ipsec with cisco router



  • hi guys im facing strange problem. im trying to set up site to site ipse tunnel with a cisco device.

    i have latest pfsense 2.1 running on a box with around 10 site-to-site ipsec tunnels to various devices (mostly sonicwall, a couple of other pfsense boxes and juniper). i have access to most endpoints of the tunnel however with this pfsense <-> cisco tunnel i dont have control over the other end.

    here's what i'm getting in the log when i try to initiate the tunnel.

    i tried checking off NAT-T, DPD, also prefer older IPSec SAA (Advanced > Misc > IP Security) as suggested in some other threads with no success. i also tried to restart racoon service, delete this particular ipsec entry (p1 n p2 ) and recreate them and everytime im getting this in the log.

    Dec 4 21:42:09 racoon: [1978]: INFO: IPsec-SA request for remip.x.x.x queued due to no phase1 found.
    Dec 4 21:42:09 racoon: [1978]: INFO: initiate new phase 1 negotiation: myip.x.x.x[500]<=>remip.x.x.x[500]
    Dec 4 21:42:09 racoon: INFO: begin Aggressive mode.
    Dec 4 21:42:09 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 4 21:42:09 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 4 21:42:09 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 4 21:42:09 racoon: WARNING: port 500 expected, but 0
    Dec 4 21:42:09 racoon: [1978]: [remip.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 4 21:42:09 racoon: ERROR: HASH mismatched
    Dec 4 21:42:19 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 4 21:42:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 4 21:42:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 4 21:42:19 racoon: WARNING: port 500 expected, but 0
    Dec 4 21:42:19 racoon: [1978]: [remip.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 4 21:42:19 racoon: ERROR: HASH mismatched
    Dec 4 21:42:29 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 4 21:42:29 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 4 21:42:29 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 4 21:42:29 racoon: WARNING: port 500 expected, but 0
    Dec 4 21:42:29 racoon: [1978]: [remip.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 4 21:42:29 racoon: ERROR: HASH mismatched
    Dec 4 21:42:39 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 4 21:42:39 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 4 21:42:39 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 4 21:42:39 racoon: WARNING: port 500 expected, but 0
    Dec 4 21:42:39 racoon: [1978]: [remip.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 4 21:42:39 racoon: ERROR: HASH mismatched
    Dec 4 21:42:40 racoon: [1978]: [remip.x.x.x] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP remip.x.x.x[0]->myip.x.x.x[0]
    Dec 4 21:42:40 racoon: INFO: delete phase 2 handler.

    im able to ping the remote peer just fine. any ideas would be highly appreciated. thanks

    yaboc



  • Dec 4 21:42:09    racoon: ERROR: HASH mismatched

    Your P1 hash type is mismatched on pfSense and the Cisco router. Post your Cisco config and pfSense Phase 1 config here.