Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec VPN between pfSense 2.2.2 and Cisco ASA5505 9.2(3)3

    Scheduled Pinned Locked Moved IPsec
    9 Posts 5 Posters 10.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      r4z13l
      last edited by

      Hello all,

      I have some trouble setting up an ipsev vpn between a Cisco ASA an an pfSense.
      The ASA is behind another NAT-Device. Ich have a portforwarding from that Device to the ASA for ESP, UDP/500 and UDP/4500.

      Here is the ASA.cfg:

      
object network r4VDC
 subnet 10.153.192.0 255.255.255.0
 description r4VDC

access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC

nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap_r4VDC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.xxx.201.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400

crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

group-policy GroupPolicy_r4VDC internal
group-policy GroupPolicy_r4VDC attributes
 vpn-tunnel-protocol ikev1

tunnel-group 217.xxx.201.xxx type ipsec-l2l
tunnel-group 217.xxx.201.xxx general-attributes
 default-group-policy GroupPolicy_r4VDC
tunnel-group 217.xxx.201.xxx ipsec-attributes
 ikev1 pre-shared-key test12345

      Here the pfSense config:

      Phase 1:

      
Key Exchange version = V1
Internet Protocol = IPv4
Interface = WAN
Remote gateway = r4xxxxx.com

Authentication method = Mutual PSK
Negotiation mode = Main
My identifier = My IP address
Peer identifier = Peer IP address
Pre-Shared Key = test12345

Encryption algorithm = AES 256bits
Hash algorithm = SHA1
DH key group = 2
Lifetime = 86400

Disable Rekey = unchecked
Responder Only = unchecked
NAT Traversal = Auto
Dead Peer Detection = Enabled (10seconds/5retry)

      Phase 2:

      
Phase 2:
Mode = Tunnel IPv4
Local Network = 10.153.192.0/24
Remote Network = 10.64.155.0/24

Protocol = ESP
Encryption algorithms = AES 256bits
Hash algorithms = SHA1
PFS key group = 5
Lifetime = 86400

      Log from ASA:

      %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
      %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
      %ASA-6-302015: Built outbound UDP connection 123931 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
      %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=185c8c2f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
      %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
      %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1da854ec)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
      %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=d46d6a49) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
      %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
      %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
      %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970812)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
      %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
      %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
      %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
      %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
      %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
      %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
      %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
      %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator…
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
      %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
      %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
      %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
      %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device    This  end  IS  behind a NAT device
      %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
      %ASA-6-302015: Built outbound UDP connection 123932 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
      %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
      %ASA-7-609001: Built local-host outside:10.153.192.5

      Log from pfSense (Read Down2Top):

      May 12 10:25:22 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:25:22 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:25:22 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:24:40 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:24:40 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:24:40 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:24:17 charon: 11[CFG] ignoring acquire, connection attempt pending
      May 12 10:24:17 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:24:17 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:24:04 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:23:57 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:23:57 charon: 11[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:23:57 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:23:53 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:23:53 charon: 11[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:23:53 charon: 13[CFG] ignoring acquire, connection attempt pending
      May 12 10:23:53 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
      May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
      May 12 10:22:37 charon: 11[CFG] ignoring acquire, connection attempt pending
      May 12 10:22:37 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:22:37 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:21:55 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:55 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:32 charon: 16[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:32 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:32 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:21:19 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:21:19 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:19 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:21:12 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:21:08 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:21:08 charon: 16[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
      May 12 10:21:08 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
      May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
      May 12 10:20:14 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:20:14 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:52 charon: 16[CFG] ignoring acquire, connection attempt pending
      May 12 10:19:52 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:52 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
      May 12 10:19:10 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:19:10 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:19:10 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
      May 12 10:18:47 charon: 07[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:47 charon: 08[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:47 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
      May 12 10:18:34 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
      May 12 10:18:26 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:26 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:26 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
      May 12 10:18:22 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
      May 12 10:18:22 charon: 07[ENC] <con1000|1079>generating ID_PROT request 0 [ SA V V V V V V ]
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
      May 12 10:18:22 charon: 08[CFG] ignoring acquire, connection attempt pending
      May 12 10:18:22 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
      May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits</con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1079></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080></con1000|1080>

      Any Ideas?

      greetings, r4

      EDIT1:

      If changed the pfSense in Phase 1 from
      Peer identifier = Peer IP Identifier to
      Peer identifier = IP Identifier: 172.31.31.253 (outside IF of the ASA).

      Now a Tunnel is established for about 30 sekonds an than breaks down.
      I´ve also tried to build the Tunnel with an KeyID but that didn´t work for me.

      ASA Log for that Tunnel:

      
Sending 5, 100-byte ICMP Echos to 10.153.192.254, timeout is 2 seconds:
May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:37: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:37: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 1.
May 12 2015 13:50:37: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
May 12 2015 13:50:37: %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
May 12 2015 13:50:37: %ASA-6-302015: Built outbound UDP connection 125318 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
May 12 2015 13:50:37: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
May 12 2015 13:50:37: %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
May 12 2015 13:50:37: %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator...
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
May 12 2015 13:50:38: %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
May 12 2015 13:50:38: %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
May 12 2015 13:50:38: %ASA-6-302015: Built outbound UDP connection 125319 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing ID payload
May 12 2015 13:50:38: %ASA-7-714011: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, ID_IPV4_ADDR ID received
217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-715059: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 12 2015 13:50:38: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_r4VDC) for user = 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Oakley begin quick mode
May 12 2015 13:50:38: %ASA-7-714002: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator starting QM: msg id = 4e956de2
May 12 2015 13:50:38: %ASA-5-713119: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, PHASE 1 COMPLETED
May 12 2015 13:50:38: %ASA-7-713121: IP = 217.xxx.201.xxx, Keep-alive type for this connection: DPD
May 12 2015 13:50:38: %ASA-7-715080: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Starting P1 rekey timer: 82080 seconds.
May 12 2015 13:50:38: %ASA-7-715006: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE got SPI from key engine: SPI = 0xae561233
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, oakley constucting quick mode
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec SA payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec nonce payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing pfs ke payload
May 12 2015 13:50:38: %ASA-7-715001: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing proxy ID
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Transmitting Proxy Id:
  Local subnet:  10.64.155.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.153.192.0  Mask 255.255.255.0 Protocol 0  Port 0
May 12 2015 13:50:38: %ASA-7-714007: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending Initial Contact
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
May 12 2015 13:50:38: %ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=4e956de2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=4710bb77) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
May 12 2015 13:50:38: %ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
May 12 2015 13:50:39: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:39: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:39: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:41: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:41: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:41: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:42: %ASA-6-302016: Teardown UDP connection 125308 for outside:148.251.6.51/123 to identity:172.31.31.253/65535 duration 0:02:01 bytes 96
May 12 2015 13:50:42: %ASA-7-609002: Teardown local-host outside:148.251.6.51 duration 0:02:01
May 12 2015 13:50:43: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:43: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:43: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:44: %ASA-7-715036: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x64970cf9)
May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing blank hash payload
May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing qm hash payload
May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE SENDING Message (msgid=d77554c4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715036: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0xe1e197b)
May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing blank hash payload
May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing qm hash payload
May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE SENDING Message (msgid=a7a6c821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=273d5a7b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
May 12 2015 13:50:44: %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970cf9)
May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=f558fd73) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
May 12 2015 13:50:44: %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xe1e197b)
May 12 2015 13:50:45: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:45: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:45: %ASA-7-752008: Duplicate entry already in Tunnel Manager
?
Success rate is 0 percent (0/5)
May 12 2015 13:50:47: %ASA-5-111008: User 'enable_15' executed the 'ping inside 10.153.192.254' command.
May 12 2015 13:50:47: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.64.155.230, executed 'ping inside 10.153.192.254'
May 12 2015 13:50:48: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=833328cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
May 12 2015 13:50:48: %ASA-7-715075: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received keep-alive of type DPD R-U-THERE (seq number 0x69bcc0c)
May 12 2015 13:50:48: %ASA-7-715036: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x69bcc0c)
May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=6c526b0b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
n
      1 Reply Last reply Reply Quote 0
      • R
        r4z13l
        last edited by

        I fixed it finally :)
        I will post the configuration of ASA & pfSense tomorrow

        1 Reply Last reply Reply Quote 0
        • F
          FabioRK
          last edited by

          We are waiting.  :)

          1 Reply Last reply Reply Quote 0
          • R
            r4z13l
            last edited by

            Here is the ASA.cfg:

            
object network r4VDC
 subnet 10.153.192.0 255.255.255.0
 description r4VDC

access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
access-list outside_access_in extended permit ip object r4VDC 10.64.155.0 255.255.255.0
access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC

nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap_r4VDC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.xxx.201.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400

crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

group-policy GroupPolicy_r4VDC internal
group-policy GroupPolicy_r4VDC attributes
 vpn-tunnel-protocol ikev1

tunnel-group 217.xxx.201.xxx type ipsec-l2l
tunnel-group 217.xxx.201.xxx general-attributes
 default-group-policy GroupPolicy_r4VDC
tunnel-group 217.xxx.201.xxx ipsec-attributes
 ikev1 pre-shared-key test12345

            Here the pfSense config:

            Phase 1:

            
Key Exchange version = V1
Internet Protocol = IPv4
Interface = WAN
Remote gateway = r4xxxxx.com

Authentication method = Mutual PSK
Negotiation mode = Main
My identifier = My IP address
Peer identifier = [color]IP address (outside IP of ASA = 172.31.31.254) [/color]
Pre-Shared Key = test12345

Encryption algorithm = AES 256bits
Hash algorithm = SHA1
DH key group = 2
Lifetime = 86400

Disable Rekey = unchecked
Responder Only = unchecked
NAT Traversal = Auto
Dead Peer Detection = Enabled (10seconds/5retry)

            Phase 2:

            
Phase 2:
Mode = Tunnel IPv4
Local Network = 10.153.192.0/24
Remote Network = 10.64.155.0/24

Protocol = ESP
Encryption algorithms = AES 256bits
Hash algorithms = SHA1
PFS key group = [color]2 [/color]
Lifetime = 86400

            Two points are left:
            -The Tunnel does not rekey after 24h
            -I can just establish the Tunnel from the ASA side

            Any thoughts on this?

            regards r4

            1 Reply Last reply Reply Quote 0
            • R
              r4z13l
              last edited by

              Has anyone some ideas?
              Here is the pfSense log when no tunnel is established:

              
May 27 21:35:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
May 27 21:35:17 	charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:35:17 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:35:04 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:34:57 	charon: 13[CFG] ignoring acquire, connection attempt pending
May 27 21:34:57 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:34:57 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:34:53 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:34:53 	charon: 06[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:34:53 	charon: 13[CFG] ignoring acquire, connection attempt pending
May 27 21:34:53 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
May 27 21:34:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
May 27 21:34:17 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:33:37 	charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:33:37 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:33:37 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
May 27 21:32:55 	charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:55 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:55 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
May 27 21:32:32 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:32:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:32:30 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:19 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:32:12 	charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:12 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:12 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:32:08 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:08 	charon: 10[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:32:08 	charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:08 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
May 27 21:30:52 	charon: 15[CFG] ignoring acquire, connection attempt pending
May 27 21:30:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:30:52 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
May 27 21:30:10 	charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:30:10 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:30:10 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
May 27 21:29:47 	charon: 15[CFG] ignoring acquire, connection attempt pending
May 27 21:29:47 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:47 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
May 27 21:29:34 	charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:29:34 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:34 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
May 27 21:29:27 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
May 27 21:29:23 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:23 	charon: 15[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:29:23 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
May 27 21:28:07 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
May 27 21:27:52 	charon: 07[CFG] ignoring acquire, connection attempt pending
May 27 21:27:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:27:25 	charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:27:25 	charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:27:25 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1
May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1</con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|86></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87></con1000|87>
              1 Reply Last reply Reply Quote 0
              • C
                catdsnny
                last edited by

                Using the ASDM to create the tunnel on an ASA 5545x worked for me out of the box.  Just make sure all the parameters are the same on both sides.

                1 Reply Last reply Reply Quote 0
                • R
                  r4z13l
                  last edited by

                  @catdsnny:

                  Just make sure all the parameters are the same on both sides.

                  Really? Thank you Capt. Obvious, i didn´t know :P
                  Back to Topic: VPN can be established from the ASA Side, not from the psSense. The ASA is behind a NAT Device. For further informations please read the thread

                  1 Reply Last reply Reply Quote 0
                  • C
                    cmb
                    last edited by

                    @r4z13l:

                    Back to Topic: VPN can be established from the ASA Side, not from the psSense. The ASA is behind a NAT Device. For further informations please read the thread

                    You likely have a mismatched P1 identifier in that case since the ASA is behind NAT. You're specifying "My IP address" (or equivalent, don't recall the name of the Cisco option off the top of my head) on the ASA, which is its private IP. You're specifying same on the pfSense side, but it's using the ASA's public IP. Private IP != public IP, so your ASA's config doesn't match, so it only matches properly initiated in that direction. That's my first guess at least, the most likely cause in the described circumstance that we've run into with others here and support customers in the past.

                    1 Reply Last reply Reply Quote 0
                    • F
                      franco22
                      last edited by

                      HI, and can able to help with my issue, please... This was my Task Give In my work as I'm in my training Period

                      the Give to me was site to site vpn configuration between pfsense and cisco asa 5505

                      Pfsense(router)------(192.168.10.1)--switch--->to pfsense
                      Pfsense------(192.168.10.1)--switch--->to ASA5505 (the to cable give to me was from the same switch (same gateway)

                      lan cable 1Pfsense--wanIP(192.168.10.175) Lan IP 192.168.20.175-DG for my pc

                      lan cable 2 asa -- wanip (192.168.10.150) Lan IP 192.168.30.150 DG for my pc .. this was my set up

                      below I will mention my as cli

                      ASA Version 8.4(2)
                      !
                      hostname ciscoasa
                      enable password 8Ry2YjIyt7RRXU24 encrypted
                      passwd 2KFQnbNIdI.2KYOU encrypted
                      names
                      !
                      interface Ethernet0/0
                      switchport access vlan 2
                      !
                      interface Ethernet0/1
                      !
                      interface Ethernet0/2
                      shutdown
                      !
                      interface Ethernet0/3
                      shutdown
                      !
                      interface Ethernet0/4
                      shutdown
                      !
                      interface Ethernet0/5
                      shutdown
                      !
                      interface Ethernet0/6
                      shutdown
                      !
                      interface Ethernet0/7
                      shutdown
                      !
                      interface Vlan1
                      nameif inside
                      security-level 100
                      ip address 192.168.30.150 255.255.255.0
                      !
                      interface Vlan2
                      nameif outside
                      security-level 0
                      ip address 192.168.10.150 255.255.255.0
                      !
                      ftp mode passive
                      object network obj_any
                      subnet 0.0.0.0 0.0.0.0
                      pager lines 24
                      mtu inside 1500
                      mtu outside 1500
                      icmp unreachable rate-limit 1 burst-size 1
                      no asdm history enable
                      arp timeout 14400
                      !
                      object network obj_any
                      nat (inside,outside) dynamic interface
                      route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
                      timeout xlate 3:00:00
                      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                      timeout tcp-proxy-reassembly 0:01:00
                      timeout floating-conn 0:00:00
                      dynamic-access-policy-record DfltAccessPolicy
                      user-identity default-domain LOCAL
                      no snmp-server location
                      no snmp-server contact
                      snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
                      telnet timeout 5
                      ssh timeout 5
                      console timeout 0

                      threat-detection basic-threat
                      threat-detection statistics access-list
                      no threat-detection statistics tcp-intercept
                      !
                      class-map inspection_default
                      match default-inspection-traffic
                      !
                      !
                      policy-map type inspect dns preset_dns_map
                      parameters
                      message-length maximum client auto
                      message-length maximum 512
                      policy-map global_policy
                      class inspection_default
                      inspect dns preset_dns_map
                      inspect ftp
                      inspect h323 h225
                      inspect h323 ras
                      inspect ip-options
                      inspect netbios
                      inspect rsh
                      inspect rtsp
                      inspect skinny
                      inspect esmtp
                      inspect sqlnet
                      inspect sunrpc
                      inspect tftp
                      inspect sip
                      inspect xdmcp
                      inspect icmp
                      inspect icmp error
                      !
                      service-policy global_policy global
                      prompt hostname context
                      no call-home reporting anonymous
                      call-home
                      profile CiscoTAC-1
                      no active
                      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
                      destination address email callhome@cisco.com
                      destination transport-method http
                      subscribe-to-alert-group diagnostic
                      subscribe-to-alert-group environment
                      subscribe-to-alert-group inventory periodic monthly
                      subscribe-to-alert-group configuration periodic monthly
                      subscribe-to-alert-group telemetry periodic daily
                      Cryptochecksum:b4d8c59ed8a5c6015eb9570342028037
                      ciscoasa#

                      for site to site conf in asa

                      crypto ipsec ikev1 transform-set pfSense esp-aes esp-sha-hmac
                      !
                      access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
                      access-list outside_cryptomap_10 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
                      !
                      crypto map outside_map 10 match address outside_cryptomap_10
                      crypto map outside_map 10 set peer 192.168.10.175
                      crypto map outside_map 10 set ikev1 transform-set pfSense
                      crypto map outside_map interface outside

                      crypto ikev1 enable outside
                      crypto ikev1 policy 1
                      authentication pre-share
                      encryption aes
                      hash sha
                      group 2
                      lifetime 86400
                      exit
                      !
                      tunnel-group 192.168.10.175 type ipsec-l2l
                      tunnel-group 192.168.10.175 ipsec-attributes
                      ikev1 pre-shared-key admin123
                      pls help me

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.