Problem IPSec pfSense x ASA



  • Dear friends, good afternoon.

    I'm trying to close an IPSec VPN with a Cisco ASA box, because we leased a system in the cloud and need to close the VPN with our pfSense; however, when attempting to close the connection it gives the following message:

    Dec 9 14:02:44  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA established xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
    Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: initiate new phase 2 negotiation: xxx.xx.x.xxx[500]<=>xxx.xx.x.xxx[500]
    Dec 9 14:02:45  racoon: [IPSEC ALOG]: [xxx.xx.x.xxx] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
    Dec 9 14:02:45  racoon: [IPSEC ALOG]: [xxx.xx.x.xxx] ERROR: error message: '$ q e]c 0 $ p {d ( E '.
    Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA expired xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
    Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA deleted xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3

    I do not have access to the other end, but they gave me the following settings to close the VPN:

    PHASE 1:

    Key exchange protocol:  IKE
    Authentication method:  RSA or PSK (specify)
    Key used:  CHAVEXXXX
    Encryption algorithm:  3DES
    Integrity algorithm:  MD5
    Diffie-Hellman group:  
    IKE lifetime:  3600 s
    Negotiation mode:  Main Mode
    Perfect Forward Secrecy (PFS):  No (disabled)

    PHASE 2:

    Authentication protocol:  ESP
    Encryption protocol:  ESP
    Encryption algorithm:  3DES
    Integrity algorithm:  MD5
    IPsec lifetime:  28800 s

    Note: I've seen similar topics but was not able to get to the solution.

    In advance, thanks for your help.
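As an added example (not part of the original post), a small racoon log triage script that walks lines like those above and reports whether the error notification arrived before or after the ISAKMP-SA (Phase 1) came up; the addresses are RFC 5737 placeholders and both sample logs are constructed:

```python
import re

# Constructed samples modelled on the racoon lines quoted in the post; the
# addresses are RFC 5737 documentation addresses, not real hosts.
PHASE2_FAILURE = """\
Dec 9 14:02:44  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Dec 9 14:02:45  racoon: [IPSEC ALOG]: [198.51.100.20] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA expired 203.0.113.10[500]-198.51.100.20[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
Dec 9 14:02:45  racoon: [IPSEC ALOG]: INFO: ISAKMP-SA deleted 203.0.113.10[500]-198.51.100.20[500]
"""
# Constructed: the peer rejects the phase 1 proposal, so no ISAKMP-SA ever comes up.
PHASE1_FAILURE = """\
Dec 9 14:10:01  racoon: [IPSEC ALOG]: [198.51.100.20] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
"""

# Messages that mark the tunnel's state changes.
P1_UP    = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:(\S+)")
P2_START = re.compile(r"initiate new phase 2 negotiation")
NOTIFY   = re.compile(r"\[(\S+)\] ERROR: notification (\S+) received")
P1_DOWN  = re.compile(r"ISAKMP-SA (?:expired|deleted)")


def diagnose(log_text):
    """Walk the log in order and report the stage at which the negotiation failed."""
    state = {"phase1_up": False, "phase2_started": False, "spi": None,
             "peer": None, "notifications": [], "stage": "no_activity"}
    for line in log_text.splitlines():
        if m := P1_UP.search(line):
            state["phase1_up"], state["spi"] = True, m.group(3)
            state["stage"] = "phase1_established"
        elif P2_START.search(line):
            state["phase2_started"] = True
            state["stage"] = "phase2_negotiating"
        elif m := NOTIFY.search(line):
            state["peer"] = m.group(1)
            state["notifications"].append(m.group(2))
            # An error notification after quick mode started concerns the
            # phase 2 settings (proposal or local/remote network IDs); one
            # before any ISAKMP-SA exists concerns the phase 1 proposal.
            state["stage"] = ("phase2_failed" if state["phase2_started"]
                              else "phase1_failed")
        elif P1_DOWN.search(line):
            state["phase1_up"] = False
    return state


if __name__ == "__main__":
    for name, log in (("phase2", PHASE2_FAILURE), ("phase1", PHASE1_FAILURE)):
        r = diagnose(log)
        print(name, r["stage"], r["notifications"], "peer", r["peer"])
```

Feed it the real racoon output from the pfSense IPsec log to see at a glance which phase's settings need comparing with the peer's.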



  • felipe2k2:

    It seems to me that the nature of IPSec VPN tunnels is that if Site A has traffic for Site B, the firewall at Site A is going to try to establish a tunnel with Site B to pass that traffic across.

    If you are at Site B (with pfSense) and you disable the Phase 2s and Phase 1 for the tunnel to Site A (that has the Cisco ASA), no traffic will be able to pass from Site A to Site B, which is the goal.

    Site A (which you have stated you do not have access to) is going to continue to try to establish a tunnel to Site B as it has traffic. As long as the tunnel config at Site B is disabled, though, you have nothing to worry about.

    If the traffic from Site A is bothering you, you might consider creating a Block rule on the firewall where the source is Site A's IP address and the Destination is your WAN address. You can set the protocol to Any and block all the traffic, not just the IPSec traffic.

    Hope this helps!

