IPSec troubles
-
@cmb:
The source of the issue is definitely the "Crypto Map Policy not found for remote traffic selector" log from the ASA. As to why, probably a better question for a Cisco forum. Your crypto map looks like it matches what the ASA claims doesn't match.
Any input on this? It looks like the traffic selector being sent by StrongSwan is different based on how the tunnel is initiated, which seems like a bug. I'd open a bug but am not sure I could describe it in sufficient detail to ensure a resolution, as I've no experience with StrongSwan.
-
edit: no, misread that.
-
@cmb:
That's this. https://redmine.pfsense.org/issues/4129
I only have the single phase 2 entry; does it still apply to me? Thanks.
-
No it doesn't in that case, I misread your last post. I'm doing some IPsec testing with an ASA right now, will see if that's replicable.
-
@cmb:
No it doesn't in that case, I misread your last post. I'm doing some IPsec testing with an ASA right now, will see if that's replicable.
Any luck with this? Anything more I can do to help narrow it down?
-
Did you test new snapshots?
There have been fixes put in place for various issues especially on IPsec.
-
@ermal:
Did you test new snapshots?
There have been fixes put in place for various issues especially on IPsec.
No improvements with this morning's build. Tunnels have to be manually started or the wrong traffic selector is sent.
-
What's wrong about it? It looks like it's sending what you have configured and the ASA is rejecting it. The only issue with interoperability with Cisco IPsec that I'm aware of is this: https://redmine.pfsense.org/issues/4178, which only applies to IKEv1 and isn't what you're seeing here.
-
@cmb:
What's wrong about it? It looks like it's sending what you have configured and the ASA is rejecting it.
Please reread my earlier post at https://forum.pfsense.org/index.php?topic=84934.msg469407#msg469407. When pfSense tries to bring up the tunnel automatically, it sends a different traffic selector than when the tunnel is manually started from the status page.
-
The latest strongswan release (5.2.1->5.2.2) went into today's snapshots, please retry after upgrading to something from the 7th or newer and report back.
-
@cmb:
The latest strongswan release (5.2.1->5.2.2) went into today's snapshots, please retry after upgrading to something from the 7th or newer and report back.
Just updated. Tunnel still does not come up on boot, but a subsequent ping test from the pfSense did eventually bring up P1 and P2 successfully. Will do further testing and advise tomorrow, but looks like it's usable now. Thanks a lot!
-
Glad to hear. Tunnels never come up unless there is traffic triggering them, or you have the "Automatically ping host" set in the P2, so sounds like that's the expected end result.
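The mismatch described earlier in the thread (pfSense proposing a different traffic selector when the tunnel starts automatically than when it is started from the status page) is easiest to confirm by comparing what charon logs as "proposing traffic selectors" against the phase 2 networks you configured. The script below is an added example, not code from the thread or from pfSense/strongSwan; the log excerpts and the 10.10.0.0/24 / 172.16.5.0/24 networks are constructed, and the charon line format it parses is assumed.

```python
import re
from ipaddress import ip_network

# Constructed charon excerpts for one auto-started and one manually started attempt
# (assumed format: "NN[CFG] <conn|id> proposing traffic selectors for us:" followed by
# one indented line per selector). Not taken from the thread.
AUTO_START_LOG = """\
07[IKE] <con1|1> establishing CHILD_SA con1{1}
07[CFG] <con1|1> proposing traffic selectors for us:
07[CFG] <con1|1>  0.0.0.0/0
07[CFG] <con1|1> proposing traffic selectors for other:
07[CFG] <con1|1>  172.16.5.0/24
"""
MANUAL_START_LOG = """\
12[IKE] <con1|2> establishing CHILD_SA con1{2}
12[CFG] <con1|2> proposing traffic selectors for us:
12[CFG] <con1|2>  10.10.0.0/24
12[CFG] <con1|2> proposing traffic selectors for other:
12[CFG] <con1|2>  172.16.5.0/24
"""

# The single phase 2 entry as configured on the pfSense side (constructed values).
CONFIGURED_P2 = {"us": ["10.10.0.0/24"], "other": ["172.16.5.0/24"]}

HEADER = re.compile(r"proposing traffic selectors for (us|other):")
SELECTOR = re.compile(r"^\S+\[CFG\]\s+(?:<[^>]+>\s+)?(\S+/\d+)\s*$")


def proposed_selectors(log):
    """Collect the selectors charon proposed, keyed by side ("us" / "other")."""
    sides = {"us": [], "other": []}
    current = None
    for line in log.splitlines():
        m = HEADER.search(line)
        if m:
            current = m.group(1)  # selectors that follow belong to this side
            continue
        m = SELECTOR.match(line)
        if m and current:
            sides[current].append(m.group(1))
    return sides


def selector_mismatches(log, configured=CONFIGURED_P2):
    """Return (side, selector) for every proposed selector that is not a configured P2 network.
    A non-empty result is what the ASA's 'Crypto Map Policy not found' rejection corresponds to."""
    want = {side: {ip_network(n) for n in nets} for side, nets in configured.items()}
    return [(side, ts) for side, tss in proposed_selectors(log).items()
            for ts in tss if ip_network(ts) not in want[side]]
```

Run it over the two excerpts: the manual start proposes exactly the configured networks, while the auto start proposes 0.0.0.0/0 for the local side, which is the kind of difference the ASA rejects.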