IPSEC tunnel to Cisco ASA 5510 won't work



  • Hi, I'm trying to set up an IPSEC tunnel from a pfSense box 2.1.1 to a Cisco ASA 5510 without much success. Status error, but the logs say nada.

    Except for the routes that already exist when you restart the racoon service.

    It doesn't even try to negotiate. Why? Tried 2 different pfSense boxes just to be sure it wasn't some corrupted base config.

    Settings provided by the Cisco host:

    Phase 1: ISAKMP: IKEv1 Main Mode, pre-share-aes-256-sha, Diffie-Hellman 5, Lifetime 86400 sec

    Phase 2: IPsec ESP-AES-256-SHA, ESP-AES-256-MD5, PFS Group 5, Lifetime 28800 sec or 4.608.00 kB

    Apr 10 12:29:17 racoon: [Self]: INFO: 213.xxx.xxx.xxx[500] used as isakmp port (fd=15)
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447790: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey REGISTER message
    Apr 10 12:29:17 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447790: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447910: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: ERROR: such policy already exists. anyway replace it: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
    Apr 10 12:29:17 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 10 12:29:17 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 10 12:29:17 racoon: DEBUG: sub:0x7fffffffe560: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
    Apr 10 12:29:17 racoon: ERROR: such policy already exists. anyway replace it: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in



  • IPsec VPN works with an ASA 5505; I am not sure what the difference is between the 5505 and the 5510.

    I use 3DES, MD5 and DH2, PFS enabled, no NAT Traversal set with Peer to Peer. I use these settings initially to get a working tunnel, then play about with AES and SHA.



  • What about the proxy-id (encryption domain)?
    Cisco products check the presence of the proxy ID, unlike other vendors such as Fortinet or Juniper.
    Could you post your Phase 2 entries?
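As an added example (not code from any poster in this thread), a small Python check that parses racoon SPD dump lines like those in the first post, pairs each outbound policy with its inbound mirror, and compares the resulting pfSense selectors against the ASA's crypto ACL networks, which the reply above calls the proxy-id or encryption domain. It assumes the ASA requires an exact proxy-ID match rather than an overlapping one; the log lines below are constructed in the shape of the post's log.

```python
import re
from ipaddress import ip_network

# Constructed sample in the shape of the racoon SPD dump lines from the post (not the full log).
SAMPLE_LOG = """\
Apr 10 12:29:17 racoon: DEBUG: db :0x801447490: 192.168.111.0/24[0] 192.168.111.1/32[0] proto=any dir=in
Apr 10 12:29:17 racoon: DEBUG: db :0x801447610: 172.18.5.0/24[0] 172.19.8.0/24[0] proto=any dir=in
Apr 10 12:29:17 racoon: DEBUG: db :0x801447790: 192.168.111.1/32[0] 192.168.111.0/24[0] proto=any dir=out
Apr 10 12:29:17 racoon: DEBUG: db :0x801447910: 172.19.8.0/24[0] 172.18.5.0/24[0] proto=any dir=out
"""

# Fields of an installed-policy ("db :") line: src/prefix[port] dst/prefix[port] proto dir.
# "[0]" is port 0, i.e. any port.
SPD_LINE = re.compile(r"racoon: DEBUG: db :\S+: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(in|out)")


def parse_spd(log):
    """Return the set of installed policies as (src, dst, proto, dir) tuples."""
    policies = set()
    for line in log.splitlines():
        m = SPD_LINE.search(line)
        if m:
            src, dst, proto, direction = m.groups()
            policies.add((ip_network(src), ip_network(dst), proto, direction))
    return policies


def tunnel_selectors(policies):
    """Pair each outbound policy with its mirrored inbound one; returns {(local, remote)}.
    An outbound policy with no inbound mirror would be a half-installed SPD."""
    outbound = {(s, d) for s, d, _, dir_ in policies if dir_ == "out"}
    inbound = {(d, s) for s, d, _, dir_ in policies if dir_ == "in"}
    return outbound & inbound


def check_proxy_ids(selectors, asa_local, asa_remote):
    """Assumption: the ASA's crypto ACL (asa_local -> asa_remote) must mirror one pfSense
    selector exactly; a selector that only overlaps it is reported as a mismatch."""
    expected = (ip_network(asa_remote), ip_network(asa_local))
    if expected in selectors:
        return "match"
    overlapping = [f"{l} <-> {r}" for l, r in selectors
                   if l.overlaps(expected[0]) and r.overlaps(expected[1])]
    if overlapping:
        return "mismatch (overlap only): " + ", ".join(overlapping)
    return "no selector for this peer"


if __name__ == "__main__":
    sel = tunnel_selectors(parse_spd(SAMPLE_LOG))
    print(check_proxy_ids(sel, "172.18.5.0/24", "172.19.8.0/24"))  # exact mirror of the post's SPD
    print(check_proxy_ids(sel, "172.18.5.0/25", "172.19.8.0/24"))  # narrower ACL on the ASA side
```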

