2.1.5 only acts as IPSec initiator, not responder to Cisco ASA



  • Hello,

    I am trying to bring up an IPSec VPN with multiple Phase2s between a pfSense 2.1.5 router and a Cisco ASA.

    When I ping hosts on the other side, the first ping drops, but the following pings respond OK.  If I try again about an hour later, the first ping again drops and the others respond OK.  After the tunnel is up the other side can ping OK as well.

    After a few hours, though, hosts on the Cisco ASA aren't able to get any reply when they try to ping.  The admin on the other side says he sees the tunnel as up and that traffic is going through, but getting no response in return.  The pfSense Status -> IPSec shows all Phase2s as down at this point.

    Here is what the other admin gave me:

    
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    
    crypto map vpn-tag 615 ipsec-isakmp      
    crypto map vpn-tag 615 match address vpn-tunnel-name
    crypto map vpn-tag 615 set peer my.en.po.nt 
    crypto map vpn-tag 615 set transform-set set2 set4
    
      Crypto map tag: vpn-tag, seq num: 615, local addr: Re.mo.en.pt
    
        access-list vpn-tunnel-name permit ip host rem.te.ho.st host m.y.ho.st
        local ident (addr/mask/prot/port): (rem.te.ho.st/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (m.y.ho.st/255.255.255.255/0/0)
        current_peer: my.en.po.nt
    
        #pkts encaps: 122, #pkts encrypt: 122, #pkts digest: 122
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 122, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
    
        local crypto endpt.: Re.mo.en.pt, remote crypto endpt.: my.en.po.nt
    
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 027C77CC
    
      inbound esp sas:
        spi: 0x09C9756A (164197738)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 251940864, crypto-map: vpn-tag
           sa timing: remaining key lifetime (kB/sec): (3914999/21087)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0x027C77CC (41711564)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 251940864, crypto-map: vpn-tag
           sa timing: remaining key lifetime (kB/sec): (3914989/21087)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
    
    

    I have tried toggling NAT Traversal, toggling DPD, and changing proposal checking from Default to Obey without any success.

    This is my config:

    
    <phase1>
        <ikeid>45</ikeid>
        <interface>wan_vip1</interface>
        <remote-gateway>Re.mo.en.pt</remote-gateway>
        <mode>main</mode>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data></peerid_data>
        <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>86400</lifetime>
        <pre-shared-key>My-psk-Key</pre-shared-key>
        <private-key></private-key>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <generate_policy></generate_policy>
        <proposal_check>obey</proposal_check>
        <nat_traversal>off</nat_traversal>
    </phase1>
    
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.st</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28000</lifetime>
    </phase2>
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.s2</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </phase2>
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.s3</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </phase2>
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.s4</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </phase2>
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.s5</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </phase2>
    <phase2>
        <ikeid>45</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>address</type>
            <address>m.y.ho.st</address>
        </localid>
        <remoteid>
            <type>address</type>
            <address>rem.te.ho.s6</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
    </phase2>
    <client>
        <enable></enable>
    </client>
    

    I have the pfSense firewall rules set to allow IPSec traffic from the remote endpoint, and there is nothing in the pfSense firewall logs showing it is blocking any traffic from the other side.

    However, tcpdump shows the other side trying to connect to us over and over again, with no response from the pfSense:

    
    16:57:03.566878 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x346), length 100
    16:57:09.067285 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x347), length 100
    16:57:11.257386 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x348), length 132
    16:57:14.567682 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x349), length 100
    16:57:20.067952 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x34a), length 100
    16:57:25.568618 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x34b), length 100
    
    

    The pfSense shows the tunnel as totally down now, and System Logs–>IPSec has no mention that anyone from the remote endpoint is trying to connect.  As soon as I start generating traffic from my side the tunnel comes up.

    I haven't yet upgraded to version 2.2 because I understand there are still some issues with multiple phase2s and older remote endpoints.
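    The symptom in the tcpdump above (the ASA keeps sending ESP into an SPI that pfSense no longer has an inbound SA for, so the packets are silently dropped while the ASA still reports the tunnel as up) can be spotted automatically. The following is an added example, not code from the original post or from pfSense: it parses tcpdump ESP lines and flags inbound streams whose SPI is absent from a constructed list of locally installed inbound SPIs. The local address and SPI set are assumptions; on a real pfSense box you would fill them from the kernel SAD.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines quoted in the post above, plus
# one constructed line (last) for an SPI we assume IS installed locally.
TCPDUMP_LINES = [
    "16:57:03.566878 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x346), length 100",
    "16:57:09.067285 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x347), length 100",
    "16:57:11.257386 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x348), length 132",
    "16:57:14.567682 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x349), length 100",
    "16:57:20.067952 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x34a), length 100",
    "16:57:25.568618 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x0a56698d,seq=0x34b), length 100",
    "16:57:30.000000 IP Re.mo.en.pt > my.en.po.nt: ESP(spi=0x027c77cc,seq=0x001), length 100",
]

# Assumption: our tunnel endpoint address and the inbound SPIs currently
# installed on this host (the ASA's outbound SPI is our inbound SPI).
LOCAL_ADDRS = {"my.en.po.nt"}
LOCAL_INBOUND_SPIS = {0x027C77CC}

ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)

def parse_esp(line):
    """Parse one tcpdump ESP line; return a dict, or None for non-ESP lines."""
    m = ESP_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "spi": int(m["spi"], 16), "seq": int(m["seq"], 16)}

def find_orphan_spis(lines, local_addrs, local_spis, min_pkts=3):
    """Inbound ESP streams whose SPI has no local SA: the peer thinks the tunnel
    is up while we drop its traffic. Returns [(src, spi, count, first_seq, last_seq)]."""
    streams = defaultdict(list)
    for line in lines:
        pkt = parse_esp(line)
        # Ignore non-ESP lines, traffic not addressed to us, and SPIs we do have.
        if pkt is None or pkt["dst"] not in local_addrs or pkt["spi"] in local_spis:
            continue
        streams[(pkt["src"], pkt["spi"])].append(pkt["seq"])
    result = [(src, spi, len(seqs), min(seqs), max(seqs))
              for (src, spi), seqs in streams.items() if len(seqs) >= min_pkts]
    return sorted(result, key=lambda r: -r[2])

if __name__ == "__main__":
    for src, spi, n, first, last in find_orphan_spis(TCPDUMP_LINES, LOCAL_ADDRS, LOCAL_INBOUND_SPIS):
        print(f"{src} -> ESP spi=0x{spi:08x}: {n} pkts (seq 0x{first:x}..0x{last:x}), no inbound SA")
```

A persistent hit from a known peer is the "SA down on our side, up on theirs" state described in the post; a hit from an unknown source is worth a closer look on its own.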



  • When I came in the next morning, the tunnel was up and had been initiated by the remote side.

    I'm thinking Phase1 lifetime expired sometime during the night, forcing the ASA to reinitiate the tunnel. 
    I'm guessing if the other guy had just reset his side manually it would have come up.

    The end result was: NAT-T disabled, DPD disabled, and Proposal checking 'Obey'.

