Netgate Discussion Forum

IPSec VPN between pfSense 2.2.2 and Cisco ASA5505 9.2(3)3

9 Posts 5 Posters 10.5k Views

r4z13l
Hello all,

I have some trouble setting up an IPsec VPN between a Cisco ASA and a pfSense.
The ASA is behind another NAT device. I have a port forwarding from that device to the ASA for ESP, UDP/500 and UDP/4500.

      Here is the ASA.cfg:

      
      object network r4VDC
       subnet 10.153.192.0 255.255.255.0
       description r4VDC
      
      access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
      access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
      
      nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
      
      crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
      
      crypto map outside_map 1 match address outside_cryptomap_r4VDC
      crypto map outside_map 1 set pfs
      crypto map outside_map 1 set peer 217.xxx.201.xxx
      crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
      crypto map outside_map 1 set security-association lifetime seconds 86400
      
      crypto ikev1 policy 160
       authentication pre-share
       encryption aes-256
       hash sha
       group 5
       lifetime 86400
      
      group-policy GroupPolicy_r4VDC internal
      group-policy GroupPolicy_r4VDC attributes
       vpn-tunnel-protocol ikev1
      
      tunnel-group 217.xxx.201.xxx type ipsec-l2l
      tunnel-group 217.xxx.201.xxx general-attributes
       default-group-policy GroupPolicy_r4VDC
      tunnel-group 217.xxx.201.xxx ipsec-attributes
       ikev1 pre-shared-key test12345
      
      

Here is the pfSense config:

      Phase 1:

      
      Key Exchange version = V1
      Internet Protocol = IPv4
      Interface = WAN
      Remote gateway = r4xxxxx.com
      
      Authentication method = Mutual PSK
      Negotiation mode = Main
      My identifier = My IP address
      Peer identifier = Peer IP address
      Pre-Shared Key = test12345
      
      Encryption algorithm = AES 256bits
      Hash algorithm = SHA1
      DH key group = 2
      Lifetime = 86400
      
      Disable Rekey = unchecked
      Responder Only = unchecked
      NAT Traversal = Auto
      Dead Peer Detection = Enabled (10seconds/5retry)
      
      

      Phase 2:

      
      Mode = Tunnel IPv4
      Local Network = 10.153.192.0/24
      Remote Network = 10.64.155.0/24
      
      Protocol = ESP
      Encryption algorithms = AES 256bits
      Hash algorithms = SHA1
      PFS key group = 5
      Lifetime = 86400
      
      

      Log from ASA:

      %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
      %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
      %ASA-6-302015: Built outbound UDP connection 123931 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
      %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=185c8c2f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
      %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
      %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1da854ec)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
      %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=d46d6a49) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
      %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
      %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970812)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
      %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
      %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
      %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
      %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
      %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator…
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
      %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
      %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device    This  end  IS  behind a NAT device
      %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
      %ASA-6-302015: Built outbound UDP connection 123932 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
      %ASA-7-609001: Built local-host outside:10.153.192.5

Log from pfSense (read bottom to top):

      May 12 10:25:22 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:25:22 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:25:22 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:24:40 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:24:40 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:24:40 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:24:17 charon: 11[CFG] ignoring acquire, connection attempt pending
      May 12 10:24:17 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:24:17 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:24:04 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:23:57 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:23:57 charon: 11[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:23:57 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:23:53 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:23:53 charon: 11[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:23:53 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:23:53 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
      May 12 10:22:37 charon: 11[CFG] ignoring acquire, connection attempt pending
      May 12 10:22:37 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:22:37 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:55 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:32 charon: 16[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:32 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:32 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:21:19 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:19 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:19 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:21:12 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:21:08 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:08 charon: 16[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:21:08 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
      May 12 10:20:14 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:20:14 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:52 charon: 16[CFG] ignoring acquire, connection attempt pending
      May 12 10:19:52 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:52 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:19:10 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:19:10 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:10 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:18:47 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:47 charon: 08[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:47 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:18:34 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:18:26 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:26 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:26 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:18:22 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:22 charon: 07[ENC] <con1000|1079>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
      May 12 10:18:22 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:22 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits

Any ideas?

Greetings, r4

      EDIT1:

I changed the pfSense Phase 1 setting from
Peer identifier = Peer IP address to
Peer identifier = IP address: 172.31.31.253 (outside interface of the ASA).

Now a tunnel is established for about 30 seconds and then breaks down.
I've also tried to build the tunnel with a KeyID, but that didn't work for me.

ASA log for that tunnel:

      
      Sending 5, 100-byte ICMP Echos to 10.153.192.254, timeout is 2 seconds:
      May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:10.153.192.254
      May 12 2015 13:50:37: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
      May 12 2015 13:50:37: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 1.
      May 12 2015 13:50:37: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
      May 12 2015 13:50:37: %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
      May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
      May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
      May 12 2015 13:50:37: %ASA-6-302015: Built outbound UDP connection 125318 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
      May 12 2015 13:50:37: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
      May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
      May 12 2015 13:50:37: %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
      May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
      May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
      May 12 2015 13:50:37: %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
      May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
      May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
      May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
      May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
      May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
      May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
      May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator...
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
      May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
      May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
      May 12 2015 13:50:38: %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
      May 12 2015 13:50:38: %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
      May 12 2015 13:50:38: %ASA-6-302015: Built outbound UDP connection 125319 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
      May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
      May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
      May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing ID payload
      May 12 2015 13:50:38: %ASA-7-714011: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, ID_IPV4_ADDR ID received
      217.xxx.201.xxx
      May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
      May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
      May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
      May 12 2015 13:50:38: %ASA-7-715059: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
      May 12 2015 13:50:38: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_r4VDC) for user = 217.xxx.201.xxx
      May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Oakley begin quick mode
      May 12 2015 13:50:38: %ASA-7-714002: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator starting QM: msg id = 4e956de2
      May 12 2015 13:50:38: %ASA-5-713119: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, PHASE 1 COMPLETED
      May 12 2015 13:50:38: %ASA-7-713121: IP = 217.xxx.201.xxx, Keep-alive type for this connection: DPD
      May 12 2015 13:50:38: %ASA-7-715080: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Starting P1 rekey timer: 82080 seconds.
      May 12 2015 13:50:38: %ASA-7-715006: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE got SPI from key engine: SPI = 0xae561233
      May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, oakley constucting quick mode
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec SA payload
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec nonce payload
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing pfs ke payload
      May 12 2015 13:50:38: %ASA-7-715001: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing proxy ID
      May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Transmitting Proxy Id:
        Local subnet:  10.64.155.0  mask 255.255.255.0 Protocol 0  Port 0
        Remote subnet: 10.153.192.0  Mask 255.255.255.0 Protocol 0  Port 0
      May 12 2015 13:50:38: %ASA-7-714007: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending Initial Contact
      May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
      May 12 2015 13:50:38: %ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
      May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=4e956de2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
      May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
      May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=4710bb77) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
      May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
      May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
      May 12 2015 13:50:38: %ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
      May 12 2015 13:50:39: %ASA-7-609001: Built local-host outside:10.153.192.254
      May 12 2015 13:50:39: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
      May 12 2015 13:50:39: %ASA-7-752008: Duplicate entry already in Tunnel Manager
      May 12 2015 13:50:41: %ASA-7-609001: Built local-host outside:10.153.192.254
      May 12 2015 13:50:41: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
      May 12 2015 13:50:41: %ASA-7-752008: Duplicate entry already in Tunnel Manager
      May 12 2015 13:50:42: %ASA-6-302016: Teardown UDP connection 125308 for outside:148.251.6.51/123 to identity:172.31.31.253/65535 duration 0:02:01 bytes 96
      May 12 2015 13:50:42: %ASA-7-609002: Teardown local-host outside:148.251.6.51 duration 0:02:01
      May 12 2015 13:50:43: %ASA-7-609001: Built local-host outside:10.153.192.254
      May 12 2015 13:50:43: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
      May 12 2015 13:50:43: %ASA-7-752008: Duplicate entry already in Tunnel Manager
      May 12 2015 13:50:44: %ASA-7-715036: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x64970cf9)
      May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing blank hash payload
      May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing qm hash payload
      May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE SENDING Message (msgid=d77554c4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      May 12 2015 13:50:44: %ASA-7-715036: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0xe1e197b)
      May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing blank hash payload
      May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing qm hash payload
      May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE SENDING Message (msgid=a7a6c821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
      May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=273d5a7b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
      May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
      May 12 2015 13:50:44: %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970cf9)
      May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
      May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=f558fd73) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
      May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
      May 12 2015 13:50:44: %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xe1e197b)
      May 12 2015 13:50:45: %ASA-7-609001: Built local-host outside:10.153.192.254
      May 12 2015 13:50:45: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
      May 12 2015 13:50:45: %ASA-7-752008: Duplicate entry already in Tunnel Manager
      ?
      Success rate is 0 percent (0/5)
      May 12 2015 13:50:47: %ASA-5-111008: User 'enable_15' executed the 'ping inside 10.153.192.254' command.
      May 12 2015 13:50:47: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.64.155.230, executed 'ping inside 10.153.192.254'
      May 12 2015 13:50:48: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
      May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=833328cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
      May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
      May 12 2015 13:50:48: %ASA-7-715075: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received keep-alive of type DPD R-U-THERE (seq number 0x69bcc0c)
      May 12 2015 13:50:48: %ASA-7-715036: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x69bcc0c)
      May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
      May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
      May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=6c526b0b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      • R
        r4z13l
        last edited by

        I fixed it finally :)
        I will post the configuration of ASA & pfSense tomorrow

        • F
          FabioRK
          last edited by

          We are waiting.  :)

          • R
            r4z13l
            last edited by

            Here is the ASA.cfg:

            
            object network r4VDC
             subnet 10.153.192.0 255.255.255.0
             description r4VDC
            
            access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
            access-list outside_access_in extended permit ip object r4VDC 10.64.155.0 255.255.255.0
            access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
            
            nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
            
            crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
            
            crypto map outside_map 1 match address outside_cryptomap_r4VDC
            crypto map outside_map 1 set pfs
            crypto map outside_map 1 set peer 217.xxx.201.xxx
            crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
            crypto map outside_map 1 set security-association lifetime seconds 86400
            
            crypto ikev1 policy 160
             authentication pre-share
             encryption aes-256
             hash sha
             group 5
             lifetime 86400
            
            group-policy GroupPolicy_r4VDC internal
            group-policy GroupPolicy_r4VDC attributes
             vpn-tunnel-protocol ikev1
            
            tunnel-group 217.xxx.201.xxx type ipsec-l2l
            tunnel-group 217.xxx.201.xxx general-attributes
             default-group-policy GroupPolicy_r4VDC
            tunnel-group 217.xxx.201.xxx ipsec-attributes
             ikev1 pre-shared-key test12345
            
            

            Here the pfSense config:

            Phase 1:

            
            Key Exchange version = V1
            Internet Protocol = IPv4
            Interface = WAN
            Remote gateway = r4xxxxx.com
            
            Authentication method = Mutual PSK
            Negotiation mode = Main
            My identifier = My IP address
            Peer identifier = IP address (outside IP of ASA = 172.31.31.254)
            Pre-Shared Key = test12345
            
            Encryption algorithm = AES 256bits
            Hash algorithm = SHA1
            DH key group = 2
            Lifetime = 86400
            
            Disable Rekey = unchecked
            Responder Only = unchecked
            NAT Traversal = Auto
            Dead Peer Detection = Enabled (10seconds/5retry)
            
            

            Phase 2:

            
            Mode = Tunnel IPv4
            Local Network = 10.153.192.0/24
            Remote Network = 10.64.155.0/24
            
            Protocol = ESP
            Encryption algorithms = AES 256bits
            Hash algorithms = SHA1
            PFS key group = 2
            Lifetime = 86400
            
            

            Two points are left:
            -The tunnel does not rekey after 24h
            -I can only establish the tunnel from the ASA side

            Any thoughts on this?

            regards r4

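The ASA excerpt and the pfSense Phase 1/2 settings above are the two halves that have to agree. The script below is an added example written for this thread (not code from pfSense, Cisco or the poster): it parses the pfSense "Key = value" text and the ASA crypto lines as posted, normalizes the pfSense GUI labels to ASA CLI tokens, and lists every parameter that differs. It assumes that an ASA `set pfs` line with no group named means group2 (the ASA default), and that the ASA text is only an excerpt: on the posted text it flags DH group 2 (pfSense) against `group 5` (ASA policy 160), which is a prompt to check the ASA's full `crypto ikev1 policy` list rather than a verdict that the working setup is broken.

```python
"""Line up a pfSense IPsec Phase 1/2 configuration with an ASA IKEv1 crypto
configuration and report the parameters that differ.

Added example for this thread, not code from pfSense, Cisco or the poster.
Assumption: an ASA 'set pfs' line without an explicit group means group2."""
import re

# pfSense GUI labels mapped onto the tokens the ASA CLI uses for the same algorithm.
PFSENSE_TO_ASA = {
    "AES 256bits": "aes-256",
    "AES 128bits": "aes",
    "3DES": "3des",
    "SHA1": "sha",
    "MD5": "md5",
}

# pfSense settings as posted in the thread (Phase 1 and Phase 2).
PFSENSE_P1 = """\
Encryption algorithm = AES 256bits
Hash algorithm = SHA1
DH key group = 2
Lifetime = 86400
"""
PFSENSE_P2 = """\
Encryption algorithms = AES 256bits
Hash algorithms = SHA1
PFS key group = 2
Lifetime = 86400
"""

# Crypto part of the ASA config as posted (an excerpt; a real ASA may carry
# further 'crypto ikev1 policy' entries that this text does not show).
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

P1_SUBCOMMANDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_pfsense(text):
    """Turn 'Key = value' lines into a dict keyed by the GUI label."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_asa(text):
    """Pull the IKEv1 policy, ESP transform set, PFS and SA lifetime out of ASA CLI text."""
    asa = {}
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
            continue
        word, _, rest = line.partition(" ")
        if in_policy and word in P1_SUBCOMMANDS:
            asa["p1_" + word] = rest  # policy sub-command, e.g. 'group 5'
            continue
        in_policy = False
        m = re.match(r"crypto ipsec ikev1 transform-set \S+ esp-(\S+) esp-(\S+)-hmac$", line)
        if m:
            asa["p2_encryption"], asa["p2_hash"] = m.group(1), m.group(2)
        m = re.match(r"crypto map \S+ \d+ set pfs(?: group(\d+))?$", line)
        if m:
            asa["p2_pfs"] = m.group(1) or "2"  # assumption: no group named means group2
        m = re.match(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line)
        if m:
            asa["p2_lifetime"] = m.group(1)
    return asa


def compare(pf1, pf2, asa):
    """Return [(parameter, pfSense value, ASA value)] for every pair that differs."""
    pairs = [
        ("P1 encryption", PFSENSE_TO_ASA.get(pf1.get("Encryption algorithm")), asa.get("p1_encryption")),
        ("P1 hash", PFSENSE_TO_ASA.get(pf1.get("Hash algorithm")), asa.get("p1_hash")),
        ("P1 DH group", pf1.get("DH key group"), asa.get("p1_group")),
        ("P1 lifetime", pf1.get("Lifetime"), asa.get("p1_lifetime")),
        ("P2 encryption", PFSENSE_TO_ASA.get(pf2.get("Encryption algorithms")), asa.get("p2_encryption")),
        ("P2 hash", PFSENSE_TO_ASA.get(pf2.get("Hash algorithms")), asa.get("p2_hash")),
        ("P2 PFS group", pf2.get("PFS key group"), asa.get("p2_pfs")),
        ("P2 lifetime", pf2.get("Lifetime"), asa.get("p2_lifetime")),
    ]
    return [(name, pf, a) for name, pf, a in pairs if pf != a]


def check_thread_configs():
    """Run the comparison over the configs posted in the thread."""
    return compare(parse_pfsense(PFSENSE_P1), parse_pfsense(PFSENSE_P2), parse_asa(ASA_CONFIG))


if __name__ == "__main__":
    for name, pf, asa_value in check_thread_configs():
        print(f"{name}: pfSense={pf!r} ASA={asa_value!r}")
```

The Phase 2 PFS check is the one that is easy to get wrong by eye, because the ASA line `set pfs` carries no group name while pfSense asks for one explicitly; the parser makes the implicit ASA default visible so it can be compared.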
            • R
              r4z13l
              last edited by

              Has anyone some ideas?
              Here is the pfSense log when no tunnel is established:

              
              May 27 21:35:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
              May 27 21:35:17 	charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:35:17 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:35:04 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:34:57 	charon: 13[CFG] ignoring acquire, connection attempt pending
              May 27 21:34:57 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:34:57 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:34:53 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:34:53 	charon: 06[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:34:53 	charon: 13[CFG] ignoring acquire, connection attempt pending
              May 27 21:34:53 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
              May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
              May 27 21:34:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
              May 27 21:34:17 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:33:37 	charon: 10[CFG] ignoring acquire, connection attempt pending
              May 27 21:33:37 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:33:37 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:32:55 	charon: 12[CFG] ignoring acquire, connection attempt pending
              May 27 21:32:55 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:32:55 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
              May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
              May 27 21:32:32 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:32:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
              May 27 21:32:30 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:32:19 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:32:12 	charon: 12[CFG] ignoring acquire, connection attempt pending
              May 27 21:32:12 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:32:12 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:32:08 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:32:08 	charon: 10[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:32:08 	charon: 12[CFG] ignoring acquire, connection attempt pending
              May 27 21:32:08 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
              May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
              May 27 21:30:52 	charon: 15[CFG] ignoring acquire, connection attempt pending
              May 27 21:30:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:30:52 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:30:10 	charon: 10[CFG] ignoring acquire, connection attempt pending
              May 27 21:30:10 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:30:10 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
              May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
              May 27 21:29:47 	charon: 15[CFG] ignoring acquire, connection attempt pending
              May 27 21:29:47 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:29:47 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
              May 27 21:29:34 	charon: 10[CFG] ignoring acquire, connection attempt pending
              May 27 21:29:34 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:29:34 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
              May 27 21:29:27 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
              May 27 21:29:23 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:29:23 	charon: 15[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
              May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
              May 27 21:29:23 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
              May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
              May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
              May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
              May 27 21:28:07 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
              May 27 21:27:52 	charon: 07[CFG] ignoring acquire, connection attempt pending
              May 27 21:27:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:27:25 	charon: 10[CFG] ignoring acquire, connection attempt pending
              May 27 21:27:25 	charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
              May 27 21:27:25 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
              May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1
              May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1
              
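The two logs in this thread fail at different stages: the ASA log earlier in the thread reaches PHASE 1 COMPLETED and then receives "No proposal chosen (14)" in reply to the first Quick Mode packet, while the charon log above never gets any answer to its first Main Mode packet and gives up after five retransmits. The script below is an added example written for this thread (not code from Cisco, strongSwan or the poster) that parses both line formats and reports which stage failed, with a hint on what to compare next. The sample lines are shortened copies of the ones posted, with the same masked addresses; the charon copies use strongSwan's usual `<con|id> message` spacing, which the extraction of the post above lost.

```python
"""Triage IKEv1 negotiation logs from an ASA (syslog) or pfSense/strongSwan
(charon) and say which stage failed.

Added example for this thread, not code from Cisco, strongSwan or the poster.
Sample lines are shortened copies of the posted ones (addresses masked as posted)."""
import re

ASA_SAMPLE = """\
May 12 2015 13:50:38: %ASA-5-713119: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, PHASE 1 COMPLETED
May 12 2015 13:50:38: %ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
May 12 2015 13:50:38: %ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
May 12 2015 13:50:39: %ASA-7-752008: Duplicate entry already in Tunnel Manager
"""

CHARON_SAMPLE = """\
May 27 21:29:23 charon: 15[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:29:27 charon: 15[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:30:52 charon: 10[IKE] <con1000|87> sending retransmit 5 of request message ID 0, seq 1
May 27 21:32:08 charon: 10[IKE] <con1000|87> giving up after 5 retransmits
May 27 21:32:08 charon: 10[IKE] <con1000|87> peer not responding, trying again (2/3)
"""

ASA_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)$")
CHARON_RE = re.compile(r"charon: \d+\[(\w+)\] (?:<([^>]+)> )?(.*)$")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID 0")

HINTS = {
    "established": "Phase 1 and Phase 2 both completed; the tunnel is up.",
    "phase2_mismatch": "Phase 1 completed, then the peer answered the first Quick Mode "
                       "packet with 'No proposal chosen': compare the ESP transform set, "
                       "PFS group and the local/remote networks (proxy IDs) on both sides.",
    "phase1_mismatch": "The peer rejected the Phase 1 proposal: compare encryption, hash, "
                       "DH group, lifetime and authentication method.",
    "no_response": "The first Main Mode packet was never answered: nothing at the remote "
                   "gateway address replied on UDP/500, so check the path (NAT port-forward, "
                   "firewall rules, public vs. private peer address) before changing crypto "
                   "settings; a proposal mismatch would produce a Notify, not silence.",
    "inconclusive": "Not enough IKE events to decide; capture the log at debug level.",
}


def parse_line(line):
    """Return (source, message) for an ASA syslog or charon line, else None."""
    m = ASA_RE.search(line)
    if m:
        return ("asa", m.group(3))
    m = CHARON_RE.search(line)
    if m:
        return ("charon", m.group(3))
    return None


def triage(lines):
    """Walk the log once, collect the IKE milestones, and map them to a stage verdict."""
    phase1_done = quick_mode_sent = no_proposal = gave_up = phase2_done = False
    retransmits = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg = parsed
        # Phase 1: ASA says 'PHASE 1 COMPLETED'; charon says 'IKE_SA ... established between'.
        if "PHASE 1 COMPLETED" in msg or ("IKE_SA" in msg and "established between" in msg):
            phase1_done = True
        # First Quick Mode packet on the wire (ASA initiator wording / charon wording).
        if "1st QM pkt" in msg or "generating QUICK_MODE request" in msg:
            quick_mode_sent = True
        if "No proposal chosen" in msg or "NO_PROPOSAL_CHOSEN" in msg:
            no_proposal = True
        if "PHASE 2 COMPLETED" in msg or ("CHILD_SA" in msg and "established" in msg):
            phase2_done = True
        m = RETRANSMIT_RE.search(msg)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
        if "giving up after" in msg or "peer not responding" in msg:
            gave_up = True
    if phase2_done:
        verdict = "established"
    elif no_proposal and (phase1_done or quick_mode_sent):
        verdict = "phase2_mismatch"
    elif no_proposal:
        verdict = "phase1_mismatch"
    elif gave_up or retransmits >= 5:
        verdict = "no_response"
    else:
        verdict = "inconclusive"
    return verdict, HINTS[verdict]


if __name__ == "__main__":
    for name, sample in (("ASA", ASA_SAMPLE), ("charon", CHARON_SAMPLE)):
        verdict, hint = triage(sample.splitlines())
        print(f"{name}: {verdict}\n  {hint}")
```

The distinction the classifier draws is the useful one for this thread: a Notify from the peer means the packets arrive and the two configurations disagree, whereas retransmits with no reply at all point at the path, which for an ASA behind another NAT device means the UDP/500 and UDP/4500 forwards on that device and the address pfSense has as its remote gateway.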
              • C
                catdsnny
                last edited by

                Using the ASDM to create the tunnel on an ASA 5545x worked for me out of the box.  Just make sure all the parameters are the same on both sides.

                • R
                  r4z13l
                  last edited by

                  @catdsnny:

                  Just make sure all the parameters are the same on both sides.

                  Really? Thank you Capt. Obvious, I didn't know :P
                  Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.

                  • C
                    cmb
                    last edited by

                    @r4z13l:

                    Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.

                    You likely have a mismatched P1 identifier in that case since the ASA is behind NAT. You're specifying "My IP address" (or equivalent, don't recall the name of the Cisco option off the top of my head) on the ASA, which is its private IP. You're specifying same on the pfSense side, but it's using the ASA's public IP. Private IP != public IP, so your ASA's config doesn't match, so it only matches properly initiated in that direction. That's my first guess at least, the most likely cause in the described circumstance that we've run into with others here and support customers in the past.

                    • F
                      franco22
                      last edited by

                      Hi, can anyone help with my issue, please? This was the task given to me at my work, as I'm in my training period.

                      The task given to me was a site-to-site VPN configuration between pfSense and a Cisco ASA 5505.

                      Pfsense(router)------(192.168.10.1)--switch--->to pfsense
                      Pfsense------(192.168.10.1)--switch--->to ASA5505 (the two cables given to me were from the same switch (same gateway))

                      LAN cable 1: pfSense -- WAN IP (192.168.10.175), LAN IP 192.168.20.175, DG for my PC

                      LAN cable 2: ASA -- WAN IP (192.168.10.150), LAN IP 192.168.30.150, DG for my PC. This was my setup.

                      Below I will show my ASA CLI config:

                      ASA Version 8.4(2)
                      !
                      hostname ciscoasa
                      enable password 8Ry2YjIyt7RRXU24 encrypted
                      passwd 2KFQnbNIdI.2KYOU encrypted
                      names
                      !
                      interface Ethernet0/0
                      switchport access vlan 2
                      !
                      interface Ethernet0/1
                      !
                      interface Ethernet0/2
                      shutdown
                      !
                      interface Ethernet0/3
                      shutdown
                      !
                      interface Ethernet0/4
                      shutdown
                      !
                      interface Ethernet0/5
                      shutdown
                      !
                      interface Ethernet0/6
                      shutdown
                      !
                      interface Ethernet0/7
                      shutdown
                      !
                      interface Vlan1
                      nameif inside
                      security-level 100
                      ip address 192.168.30.150 255.255.255.0
                      !
                      interface Vlan2
                      nameif outside
                      security-level 0
                      ip address 192.168.10.150 255.255.255.0
                      !
                      ftp mode passive
                      object network obj_any
                      subnet 0.0.0.0 0.0.0.0
                      pager lines 24
                      mtu inside 1500
                      mtu outside 1500
                      icmp unreachable rate-limit 1 burst-size 1
                      no asdm history enable
                      arp timeout 14400
                      !
                      object network obj_any
                      nat (inside,outside) dynamic interface
                      route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
                      timeout xlate 3:00:00
                      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                      timeout tcp-proxy-reassembly 0:01:00
                      timeout floating-conn 0:00:00
                      dynamic-access-policy-record DfltAccessPolicy
                      user-identity default-domain LOCAL
                      no snmp-server location
                      no snmp-server contact
                      snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
                      telnet timeout 5
                      ssh timeout 5
                      console timeout 0

                      threat-detection basic-threat
                      threat-detection statistics access-list
                      no threat-detection statistics tcp-intercept
                      !
                      class-map inspection_default
                      match default-inspection-traffic
                      !
                      !
                      policy-map type inspect dns preset_dns_map
                      parameters
                      message-length maximum client auto
                      message-length maximum 512
                      policy-map global_policy
                      class inspection_default
                      inspect dns preset_dns_map
                      inspect ftp
                      inspect h323 h225
                      inspect h323 ras
                      inspect ip-options
                      inspect netbios
                      inspect rsh
                      inspect rtsp
                      inspect skinny
                      inspect esmtp
                      inspect sqlnet
                      inspect sunrpc
                      inspect tftp
                      inspect sip
                      inspect xdmcp
                      inspect icmp
                      inspect icmp error
                      !
                      service-policy global_policy global
                      prompt hostname context
                      no call-home reporting anonymous
                      call-home
                      profile CiscoTAC-1
                      no active
                      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
                      destination address email callhome@cisco.com
                      destination transport-method http
                      subscribe-to-alert-group diagnostic
                      subscribe-to-alert-group environment
                      subscribe-to-alert-group inventory periodic monthly
                      subscribe-to-alert-group configuration periodic monthly
                      subscribe-to-alert-group telemetry periodic daily
                      Cryptochecksum:b4d8c59ed8a5c6015eb9570342028037
                      ciscoasa#

                      For the site-to-site configuration on the ASA:

                      crypto ipsec ikev1 transform-set pfSense esp-aes esp-sha-hmac
                      !
                      access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
                      access-list outside_cryptomap_10 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
                      !
                      crypto map outside_map 10 match address outside_cryptomap_10
                      crypto map outside_map 10 set peer 192.168.10.175
                      crypto map outside_map 10 set ikev1 transform-set pfSense
                      crypto map outside_map interface outside

                      crypto ikev1 enable outside
                      crypto ikev1 policy 1
                      authentication pre-share
                      encryption aes
                      hash sha
                      group 2
                      lifetime 86400
                      exit
                      !
                      tunnel-group 192.168.10.175 type ipsec-l2l
                      tunnel-group 192.168.10.175 ipsec-attributes
                      ikev1 pre-shared-key admin123
                      Please help me.
