Problem IPSec pfSense x ASA
-
Dear friends, good afternoon.
I'm trying to close an IPSec VPN with a Cisco ASA box, because they leased a system in the cloud and need to close the VPN with our pfSense; however, when attempting to close the connection it gives the following message:
Dec 9 14:02:44 racoon: [IPSEC ALOG]: INFO: ISAKMP-SA established xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
Dec 9 14:02:45 racoon: [IPSEC ALOG]: INFO: initiate new phase 2 negotiation: xxx.xx.x.xxx[500]<=>xxx.xx.x.xxx[500]
Dec 9 14:02:45 racoon: [IPSEC ALOG]: [xxx.xx.x.xxx] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Dec 9 14:02:45 racoon: [IPSEC ALOG]: [xxx.xx.x.xxx] ERROR: error message: '$ q e]c 0 $ p {d ( E '.
Dec 9 14:02:45 racoon: [IPSEC ALOG]: INFO: ISAKMP-SA expired xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
Dec 9 14:02:45 racoon: [IPSEC ALOG]: INFO: ISAKMP-SA deleted xxx.xx.x.xxx[500]-xxx.xx.x.xxx[500]
spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
I do not have access to the other end, but they gave me the following settings to close the VPN:
PHASE 1:
Key exchange protocol: IKE
Authentication method: RSA or PSK (specify)
Key used: CHAVEXXXX
Encryption algorithm: 3DES
Integrity algorithm: MD5
Diffie-Hellman group:
IKE lifetime: 3,600 s
Negotiation mode: Main Mode
Perfect Forward Secrecy (PFS): No (disabled)
PHASE 2:
Authentication protocol: ESP
Encryption protocol: ESP
Encryption algorithm: 3DES
Integrity algorithm: MD5
IPsec lifetime: 28,800 s
Note: I've seen similar topics but have not been able to get to a solution.
In advance, thanks for your help.
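In the log above, Phase 1 (ISAKMP-SA) completes and the failure comes only when Phase 2 starts, with the peer answering INVALID-ID-INFORMATION. With a Cisco ASA on the other side, that notification most commonly means the Phase 2 identifiers pfSense proposes (local and remote networks) do not match an entry in the ASA's crypto ACL, so checking that the two ends' selectors mirror each other is the first thing to do. The following Python script is an added example, not code from the original post or from pfSense or racoon: it parses constructed log lines modelled on the ones posted (the addresses 203.0.113.10 and 198.51.100.20 are made up) to classify where the negotiation died, and checks whether a pfSense Phase 2 local/remote pair has a mirror-image entry in a list representing the peer's crypto ACL. The function and variable names are this example's own.

```python
"""Added example (not from the original thread): classify a racoon Phase 1/Phase 2
failure from log lines and check that Phase 2 selectors mirror the peer's crypto ACL."""
import ipaddress
import re

# Constructed sample log lines modelled on the post; addresses are documentation ranges, not real peers.
SAMPLE_LOG = """\
Dec 9 14:02:44 racoon: [IPSEC ALOG]: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
Dec 9 14:02:45 racoon: [IPSEC ALOG]: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Dec 9 14:02:45 racoon: [IPSEC ALOG]: [198.51.100.20] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Dec 9 14:02:45 racoon: [IPSEC ALOG]: INFO: ISAKMP-SA expired 203.0.113.10[500]-198.51.100.20[500] spi:77eeb2a5608820e9:f7e1a78ee8a9e2f3
"""

PHASE1_OK = re.compile(r"ISAKMP-SA established ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\]")
PHASE2_START = re.compile(r"initiate new phase 2 negotiation")
# racoon prefixes notifications from the peer with the peer address in brackets.
NOTIFY_ERR = re.compile(r"\[(?P<peer>[^\]]+)\] ERROR: notification (?P<name>[A-Z0-9-]+) received")


def diagnose(log_text):
    """Scan racoon log lines; record Phase 1 success, Phase 2 attempts and peer notifications."""
    state = {"phase1": False, "phase2_attempted": False, "notifications": []}
    for line in log_text.splitlines():
        if PHASE1_OK.search(line):
            state["phase1"] = True
        elif PHASE2_START.search(line):
            state["phase2_attempted"] = True
        else:
            m = NOTIFY_ERR.search(line)
            if m:
                state["notifications"].append((m.group("peer"), m.group("name")))
    return state


def verdict(state):
    """Turn the scan result into a short label a practitioner can act on."""
    names = [name for _, name in state["notifications"]]
    if not state["phase1"]:
        return "phase1-failed"          # proposals, PSK or mode mismatch: check the Phase 1 settings
    if state["phase2_attempted"] and "INVALID-ID-INFORMATION" in names:
        return "phase2-id-mismatch"     # Phase 2 local/remote networks do not match the peer's crypto ACL
    return "ok"


def mirror_check(local_net, remote_net, peer_acl):
    """True if the peer's ACL (list of (src, dst) networks, as on an ASA crypto map ACL)
    contains the exact mirror of our Phase 2: peer src == our remote, peer dst == our local.
    A containing supernet is not enough for IKEv1 Phase 2; the selectors must be identical."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    return any(
        ipaddress.ip_network(src) == remote and ipaddress.ip_network(dst) == local
        for src, dst in peer_acl
    )


if __name__ == "__main__":
    print(verdict(diagnose(SAMPLE_LOG)))
    # Hypothetical pfSense Phase 2 (local 192.168.1.0/24, remote 10.0.0.0/24) against two peer ACLs.
    print(mirror_check("192.168.1.0/24", "10.0.0.0/24", [("10.0.0.0/24", "192.168.1.0/24")]))
    print(mirror_check("192.168.1.0/24", "10.0.0.0/24", [("10.0.0.0/24", "192.168.0.0/16")]))
```

The second `mirror_check` call shows the typical trap: the peer's ACL covers our network with a larger supernet, which looks right on paper but is not the same selector, and the ASA rejects the proposal with INVALID-ID-INFORMATION. Separately from the mismatch, 3DES and MD5 are deprecated choices for IKE and ESP today; if the peer allows it, negotiate AES and a SHA-2 integrity algorithm instead.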
-
felipe2k2:
It seems to me that the nature of IPSec VPN tunnels is that if Site A has traffic for Site B, the firewall at Site A is going to try to establish a tunnel with Site B to pass that traffic across.
If you are at Site B (with pfSense) and you disable the Phase 2s and the Phase 1 for the tunnel to Site A (which has the Cisco ASA), no traffic will be able to pass from Site A to Site B, which is the goal.
Site A (which you have stated you do not have access to) is going to continue to try to establish a tunnel to Site B as it has traffic. As long as the tunnel config at Site B is disabled, though, you have nothing to worry about.
If the traffic from Site A is bothering you, you might consider creating a Block rule on the firewall where the source is Site A's IP address and the Destination is your WAN address. You can set the protocol to Any and block all the traffic, not just the IPSec traffic.
Hope this helps!