IPSec VPN between pfSense 2.2.2 and Cisco ASA5505 9.2(3)3



    Hello all,

    I have some trouble setting up an IPsec VPN between a Cisco ASA and a pfSense.
    The ASA is behind another NAT device. I have a port forwarding from that device to the ASA for ESP, UDP/500 and UDP/4500.

    Here is the ASA.cfg:

    
    object network r4VDC
     subnet 10.153.192.0 255.255.255.0
     description r4VDC
    
    access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
    access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
    
    nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
    
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    
    crypto map outside_map 1 match address outside_cryptomap_r4VDC
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 217.xxx.201.xxx
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 86400
    
    crypto ikev1 policy 160
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    
    group-policy GroupPolicy_r4VDC internal
    group-policy GroupPolicy_r4VDC attributes
     vpn-tunnel-protocol ikev1
    
    tunnel-group 217.xxx.201.xxx type ipsec-l2l
    tunnel-group 217.xxx.201.xxx general-attributes
     default-group-policy GroupPolicy_r4VDC
    tunnel-group 217.xxx.201.xxx ipsec-attributes
     ikev1 pre-shared-key test12345
    
    

    Here is the pfSense config:

    Phase 1:

    
    Key Exchange version = V1
    Internet Protocol = IPv4
    Interface = WAN
    Remote gateway = r4xxxxx.com
    
    Authentication method = Mutual PSK
    Negotiation mode = Main
    My identifier = My IP address
    Peer identifier = Peer IP address
    Pre-Shared Key = test12345
    
    Encryption algorithm = AES 256bits
    Hash algorithm = SHA1
    DH key group = 2
    Lifetime = 86400
    
    Disable Rekey = unchecked
    Responder Only = unchecked
    NAT Traversal = Auto
    Dead Peer Detection = Enabled (10seconds/5retry)
    
    

    Phase 2:

    
    Mode = Tunnel IPv4
    Local Network = 10.153.192.0/24
    Remote Network = 10.64.155.0/24
    
    Protocol = ESP
    Encryption algorithms = AES 256bits
    Hash algorithms = SHA1
    PFS key group = 5
    Lifetime = 86400
    
    

    Log from ASA:

    %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
    %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
    %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
    %ASA-6-302015: Built outbound UDP connection 123931 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
    %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
    %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=185c8c2f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
    %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
    %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1da854ec)
    %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
    %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=d46d6a49) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
    %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
    %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970812)
    %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
    %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
    %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
    %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
    %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
    %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
    %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
    %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
    %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
    %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
    %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
    %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
    %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
    %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator…
    %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
    %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
    %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
    %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
    %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device    This  end  IS  behind a NAT device
    %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
    %ASA-6-302015: Built outbound UDP connection 123932 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
    %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
    %ASA-7-609001: Built local-host outside:10.153.192.5

    Log from pfSense (read bottom to top):

    May 12 10:25:22 charon: 13[CFG] ignoring acquire, connection attempt pending
    May 12 10:25:22 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:25:22 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:24:40 charon: 07[CFG] ignoring acquire, connection attempt pending
    May 12 10:24:40 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:24:40 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:24:17 charon: 11[CFG] ignoring acquire, connection attempt pending
    May 12 10:24:17 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:24:17 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:24:04 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:23:57 charon: 13[CFG] ignoring acquire, connection attempt pending
    May 12 10:23:57 charon: 11[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:23:57 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:23:53 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:23:53 charon: 11[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
    May 12 10:23:53 charon: 13[CFG] ignoring acquire, connection attempt pending
    May 12 10:23:53 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
    May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
    May 12 10:22:37 charon: 11[CFG] ignoring acquire, connection attempt pending
    May 12 10:22:37 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:22:37 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:21:55 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:21:55 charon: 07[CFG] ignoring acquire, connection attempt pending
    May 12 10:21:55 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:21:32 charon: 16[CFG] ignoring acquire, connection attempt pending
    May 12 10:21:32 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:21:32 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:21:19 charon: 07[CFG] ignoring acquire, connection attempt pending
    May 12 10:21:19 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:21:19 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:21:12 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:21:08 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:21:08 charon: 16[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
    May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
    May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
    May 12 10:21:08 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
    May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
    May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
    May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
    May 12 10:20:14 charon: 07[CFG] ignoring acquire, connection attempt pending
    May 12 10:20:14 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:19:52 charon: 16[CFG] ignoring acquire, connection attempt pending
    May 12 10:19:52 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:19:52 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
    May 12 10:19:10 charon: 08[CFG] ignoring acquire, connection attempt pending
    May 12 10:19:10 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:19:10 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
    May 12 10:18:47 charon: 07[CFG] ignoring acquire, connection attempt pending
    May 12 10:18:47 charon: 08[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:18:47 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
    May 12 10:18:34 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
    May 12 10:18:26 charon: 08[CFG] ignoring acquire, connection attempt pending
    May 12 10:18:26 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:18:26 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
    May 12 10:18:22 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 12 10:18:22 charon: 07[ENC] <con1000|1079>generating ID_PROT request 0 [ SA V V V V V V ]
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
    May 12 10:18:22 charon: 08[CFG] ignoring acquire, connection attempt pending
    May 12 10:18:22 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
    May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits

    Any ideas?

    greetings, r4

    EDIT1:

    I changed the pfSense Phase 1 setting from
    Peer identifier = Peer IP Identifier to
    Peer identifier = IP Identifier: 172.31.31.253 (outside interface of the ASA).

    Now a tunnel is established for about 30 seconds and then breaks down.
    I've also tried to build the tunnel with a KeyID but that didn't work for me.

    ASA log for that tunnel:

    
    Sending 5, 100-byte ICMP Echos to 10.153.192.254, timeout is 2 seconds:
    May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:10.153.192.254
    May 12 2015 13:50:37: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
    May 12 2015 13:50:37: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 1.
    May 12 2015 13:50:37: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    May 12 2015 13:50:37: %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx  local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0,  Crypto map (outside_map)
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
    May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
    May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
    May 12 2015 13:50:37: %ASA-6-302015: Built outbound UDP connection 125318 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
    May 12 2015 13:50:37: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
    May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
    May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
    May 12 2015 13:50:37: %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
    May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
    May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
    May 12 2015 13:50:37: %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
    May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
    May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
    May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
    May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
    May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
    May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
    May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
    May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
    May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
    May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
    May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
    May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
    May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator...
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
    May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
    May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    May 12 2015 13:50:38: %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
    May 12 2015 13:50:38: %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
    May 12 2015 13:50:38: %ASA-6-302015: Built outbound UDP connection 125319 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
    May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
    May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing ID payload
    May 12 2015 13:50:38: %ASA-7-714011: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, ID_IPV4_ADDR ID received
    217.xxx.201.xxx
    May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
    May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
    May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
    May 12 2015 13:50:38: %ASA-7-715059: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    May 12 2015 13:50:38: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_r4VDC) for user = 217.xxx.201.xxx
    May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Oakley begin quick mode
    May 12 2015 13:50:38: %ASA-7-714002: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator starting QM: msg id = 4e956de2
    May 12 2015 13:50:38: %ASA-5-713119: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, PHASE 1 COMPLETED
    May 12 2015 13:50:38: %ASA-7-713121: IP = 217.xxx.201.xxx, Keep-alive type for this connection: DPD
    May 12 2015 13:50:38: %ASA-7-715080: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Starting P1 rekey timer: 82080 seconds.
    May 12 2015 13:50:38: %ASA-7-715006: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE got SPI from key engine: SPI = 0xae561233
    May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, oakley constucting quick mode
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec SA payload
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec nonce payload
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing pfs ke payload
    May 12 2015 13:50:38: %ASA-7-715001: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing proxy ID
    May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Transmitting Proxy Id:
      Local subnet:  10.64.155.0  mask 255.255.255.0 Protocol 0  Port 0
      Remote subnet: 10.153.192.0  Mask 255.255.255.0 Protocol 0  Port 0
    May 12 2015 13:50:38: %ASA-7-714007: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending Initial Contact
    May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
    May 12 2015 13:50:38: %ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
    May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=4e956de2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
    May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
    May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=4710bb77) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
    May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
    May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
    May 12 2015 13:50:38: %ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
    May 12 2015 13:50:39: %ASA-7-609001: Built local-host outside:10.153.192.254
    May 12 2015 13:50:39: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
    May 12 2015 13:50:39: %ASA-7-752008: Duplicate entry already in Tunnel Manager
    May 12 2015 13:50:41: %ASA-7-609001: Built local-host outside:10.153.192.254
    May 12 2015 13:50:41: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
    May 12 2015 13:50:41: %ASA-7-752008: Duplicate entry already in Tunnel Manager
    May 12 2015 13:50:42: %ASA-6-302016: Teardown UDP connection 125308 for outside:148.251.6.51/123 to identity:172.31.31.253/65535 duration 0:02:01 bytes 96
    May 12 2015 13:50:42: %ASA-7-609002: Teardown local-host outside:148.251.6.51 duration 0:02:01
    May 12 2015 13:50:43: %ASA-7-609001: Built local-host outside:10.153.192.254
    May 12 2015 13:50:43: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
    May 12 2015 13:50:43: %ASA-7-752008: Duplicate entry already in Tunnel Manager
    May 12 2015 13:50:44: %ASA-7-715036: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x64970cf9)
    May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing blank hash payload
    May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing qm hash payload
    May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE SENDING Message (msgid=d77554c4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    May 12 2015 13:50:44: %ASA-7-715036: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0xe1e197b)
    May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing blank hash payload
    May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing qm hash payload
    May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE SENDING Message (msgid=a7a6c821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
    May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=273d5a7b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
    May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
    May 12 2015 13:50:44: %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970cf9)
    May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
    May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=f558fd73) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
    May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
    May 12 2015 13:50:44: %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xe1e197b)
    May 12 2015 13:50:45: %ASA-7-609001: Built local-host outside:10.153.192.254
    May 12 2015 13:50:45: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
    May 12 2015 13:50:45: %ASA-7-752008: Duplicate entry already in Tunnel Manager
    ?
    Success rate is 0 percent (0/5)
    May 12 2015 13:50:47: %ASA-5-111008: User 'enable_15' executed the 'ping inside 10.153.192.254' command.
    May 12 2015 13:50:47: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.64.155.230, executed 'ping inside 10.153.192.254'
    May 12 2015 13:50:48: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
    May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=833328cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
    May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
    May 12 2015 13:50:48: %ASA-7-715075: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received keep-alive of type DPD R-U-THERE (seq number 0x69bcc0c)
    May 12 2015 13:50:48: %ASA-7-715036: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x69bcc0c)
    May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
    May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
    May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=6c526b0b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    
    


  • I fixed it finally :)
    I will post the configuration of ASA & pfSense tomorrow



  • We are waiting.  :)



  • Here is the ASA.cfg:

    
    object network r4VDC
     subnet 10.153.192.0 255.255.255.0
     description r4VDC
    
    access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
    access-list outside_access_in extended permit ip object r4VDC 10.64.155.0 255.255.255.0
    access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
    
    nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
    
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    
    crypto map outside_map 1 match address outside_cryptomap_r4VDC
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 217.xxx.201.xxx
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 86400
    
    crypto ikev1 policy 160
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    
    group-policy GroupPolicy_r4VDC internal
    group-policy GroupPolicy_r4VDC attributes
     vpn-tunnel-protocol ikev1
    
    tunnel-group 217.xxx.201.xxx type ipsec-l2l
    tunnel-group 217.xxx.201.xxx general-attributes
     default-group-policy GroupPolicy_r4VDC
    tunnel-group 217.xxx.201.xxx ipsec-attributes
     ikev1 pre-shared-key test12345
    
    

    Here the pfSense config:

    Phase 1:

    
    Key Exchange version = V1
    Internet Protocol = IPv4
    Interface = WAN
    Remote gateway = r4xxxxx.com
    
    Authentication method = Mutual PSK
    Negotiation mode = Main
    My identifier = My IP address
    Peer identifier = IP address (outside IP of ASA = 172.31.31.254)
    Pre-Shared Key = test12345
    
    Encryption algorithm = AES 256bits
    Hash algorithm = SHA1
    DH key group = 2
    Lifetime = 86400
    
    Disable Rekey = unchecked
    Responder Only = unchecked
    NAT Traversal = Auto
    Dead Peer Detection = Enabled (10seconds/5retry)
    
    

    Phase 2:

    
    Mode = Tunnel IPv4
    Local Network = 10.153.192.0/24
    Remote Network = 10.64.155.0/24
    
    Protocol = ESP
    Encryption algorithms = AES 256bits
    Hash algorithms = SHA1
    PFS key group = 2
    Lifetime = 86400
    
    

    Two points are left:
    - The tunnel does not rekey after 24h
    - I can only establish the tunnel from the ASA side

    Any thoughts on this?

    regards r4
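The posted configs can be checked mechanically. The following is an added example, not code from the thread or from pfSense/Cisco: it parses the IKEv1 parameters out of the ASA crypto excerpt above (ikev1 policy, transform set, crypto map) and compares them with the pfSense Phase 1/Phase 2 values as listed in the post; `parse_asa()` and `check()` are hypothetical helper names. Run on the thread's own values it reports one finding: ikev1 policy 160 offers DH group 5 while the pfSense Phase 1 is set to DH group 2. An ASA can hold several ikev1 policies and only policy 160 is in the excerpt, so read that as "not matched by the policies shown". Note also that `set pfs` with no group named means group 2 on the ASA, which is why it matches the pfSense PFS key group 2.

```python
"""Added example, not code from the thread: parse the IKEv1 parameters out of
an ASA crypto configuration excerpt and check them against the pfSense
Phase 1 / Phase 2 settings, reporting every mismatch.  Inputs are transcribed
from the configs posted above; parse_asa() and check() are hypothetical helpers."""
import re

# Transcribed from the ASA config in the post (only the crypto lines matter here).
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_r4VDC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.xxx.201.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# pfSense settings as listed in the post (AES 256 / SHA1, DH group 2, PFS group 2).
PFSENSE = {
    "p1": {"encryption": "aes-256", "hash": "sha", "dh_group": 2},
    "p2": {"esp_encryption": "esp-aes-256", "esp_hash": "esp-sha-hmac", "pfs_group": 2},
}


def parse_asa(config):
    """Return (ikev1 policies by number, transform sets by name, crypto map entries).

    Only two-transform ESP transform sets are handled, which covers the post."""
    policies, transforms, maps = {}, {}, {}
    policy = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and policy is not None:   # indented policy attribute
            key, _, value = line.strip().partition(" ")
            policy[key] = value
            continue
        policy = None                                       # a top-level line ends the block
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            policy = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            transforms[m.group(1)] = {"esp_encryption": m.group(2), "esp_hash": m.group(3)}
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if m:
            entry = maps.setdefault((m.group(1), int(m.group(2))), {"pfs_group": None})
            words = m.group(3).split()
            if words[:2] == ["set", "pfs"]:
                # 'set pfs' with no group named means group 2 on the ASA; 'set pfs group5' names one
                entry["pfs_group"] = int(words[2][len("group"):]) if len(words) > 2 else 2
            elif words[:3] == ["set", "ikev1", "transform-set"]:
                entry["transform_sets"] = words[3:]
    return policies, transforms, maps


def check(asa_config, pfsense):
    """Return a list of mismatch descriptions; an empty list means the ASA excerpt
    offers every Phase 1 and Phase 2 parameter pfSense is configured with."""
    policies, transforms, maps = parse_asa(asa_config)
    findings = []
    p1 = pfsense["p1"]
    shown = {n: "%s/%s/DH %s" % (p.get("encryption"), p.get("hash"), p.get("group"))
             for n, p in policies.items()}
    if not any(p.get("encryption") == p1["encryption"] and p.get("hash") == p1["hash"]
               and p.get("group") == str(p1["dh_group"]) for p in policies.values()):
        findings.append("P1: no ikev1 policy in the excerpt offers %s/%s/DH %d (shown: %s)"
                        % (p1["encryption"], p1["hash"], p1["dh_group"], shown))
    p2 = pfsense["p2"]
    wanted = {"esp_encryption": p2["esp_encryption"], "esp_hash": p2["esp_hash"]}
    for (name, seq), entry in maps.items():
        offered = [transforms[t] for t in entry.get("transform_sets", []) if t in transforms]
        if wanted not in offered:
            findings.append("P2 %s %d: no transform set offers %s/%s"
                            % (name, seq, wanted["esp_encryption"], wanted["esp_hash"]))
        if entry["pfs_group"] != p2["pfs_group"]:
            findings.append("P2 %s %d: PFS group %s vs pfSense PFS group %s"
                            % (name, seq, entry["pfs_group"], p2["pfs_group"]))
    return findings


if __name__ == "__main__":
    for finding in check(ASA_CONFIG, PFSENSE) or ["no mismatch found"]:
        print(finding)
```

Lifetimes are deliberately left out of the comparison: in IKEv1 a shorter lifetime on one side is negotiated down rather than rejected, so a difference there does not stop a tunnel from coming up.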



  • Does anyone have any ideas?
    Here is the pfSense log when no tunnel is established:

    
    May 27 21:35:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
    May 27 21:35:17 	charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:35:17 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:35:17 	charon: 13[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:35:04 	charon: 13[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:35:04 	charon: 13[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:34:57 	charon: 13[CFG] ignoring acquire, connection attempt pending
    May 27 21:34:57 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:34:57 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:34:57 	charon: 06[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:34:53 	charon: 06[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:34:53 	charon: 06[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:34:53 	charon: 13[CFG] ignoring acquire, connection attempt pending
    May 27 21:34:53 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>peer not responding, trying again (3/3)
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
    May 27 21:34:53 	charon: 06[IKE] <con1000|87>giving up after 5 retransmits
    May 27 21:34:17 	charon: 06[CFG] ignoring acquire, connection attempt pending
    May 27 21:34:17 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:33:37 	charon: 10[CFG] ignoring acquire, connection attempt pending
    May 27 21:33:37 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:33:37 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:33:37 	charon: 12[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:32:55 	charon: 12[CFG] ignoring acquire, connection attempt pending
    May 27 21:32:55 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:32:55 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
    May 27 21:32:55 	charon: 10[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
    May 27 21:32:32 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:32:32 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:32:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
    May 27 21:32:30 	charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:32:19 	charon: 12[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:32:19 	charon: 12[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:32:12 	charon: 12[CFG] ignoring acquire, connection attempt pending
    May 27 21:32:12 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:32:12 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:32:12 	charon: 10[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:32:08 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:32:08 	charon: 10[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:32:08 	charon: 12[CFG] ignoring acquire, connection attempt pending
    May 27 21:32:08 	charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>peer not responding, trying again (2/3)
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
    May 27 21:32:08 	charon: 10[IKE] <con1000|87>giving up after 5 retransmits
    May 27 21:30:52 	charon: 15[CFG] ignoring acquire, connection attempt pending
    May 27 21:30:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:30:52 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:30:52 	charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:30:10 	charon: 10[CFG] ignoring acquire, connection attempt pending
    May 27 21:30:10 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:30:10 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
    May 27 21:30:10 	charon: 15[IKE] <con1000|87>sending retransmit 4 of request message ID 0, seq 1
    May 27 21:29:47 	charon: 15[CFG] ignoring acquire, connection attempt pending
    May 27 21:29:47 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:29:47 	charon: 10[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:29:47 	charon: 10[IKE] <con1000|87>sending retransmit 3 of request message ID 0, seq 1
    May 27 21:29:34 	charon: 10[CFG] ignoring acquire, connection attempt pending
    May 27 21:29:34 	charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:29:34 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:29:34 	charon: 15[IKE] <con1000|87>sending retransmit 2 of request message ID 0, seq 1
    May 27 21:29:27 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:29:27 	charon: 15[IKE] <con1000|87>sending retransmit 1 of request message ID 0, seq 1
    May 27 21:29:23 	charon: 15[NET] <con1000|87>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:29:23 	charon: 15[ENC] <con1000|87>generating ID_PROT request 0 [ SA V V V V V V ]
    May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:29:23 	charon: 15[IKE] <con1000|87>initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
    May 27 21:29:23 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
    May 27 21:29:23 	charon: 10[IKE] <con1000|86>establishing IKE_SA failed, peer not responding
    May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
    May 27 21:29:23 	charon: 10[IKE] <con1000|86>giving up after 5 retransmits
    May 27 21:28:07 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:28:07 	charon: 07[IKE] <con1000|86>sending retransmit 5 of request message ID 0, seq 1
    May 27 21:27:52 	charon: 07[CFG] ignoring acquire, connection attempt pending
    May 27 21:27:52 	charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:27:25 	charon: 10[CFG] ignoring acquire, connection attempt pending
    May 27 21:27:25 	charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
    May 27 21:27:25 	charon: 07[NET] <con1000|86>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
    May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1
    May 27 21:27:25 	charon: 07[IKE] <con1000|86>sending retransmit 4 of request message ID 0, seq 1
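The two logs in this thread fail at different points, and that difference is the most useful thing in them: the ASA log (posted earlier) shows the ASA getting as far as sending its first Quick Mode packet and then receiving "No proposal chosen (14)", which is a Phase 2 rejection, while the charon log above shows pfSense sending Main Mode message 1 on UDP/500 and getting no answer at all before "giving up after 5 retransmits". The following is an added example, not code from the thread or from pfSense/strongSwan/Cisco: it reads lines of both formats and says which negotiation message went unanswered or was rejected. The sample lines are constructed, shortened copies of the messages posted in this thread, with the thread's masked addresses; `triage_asa()` and `triage_charon()` are hypothetical helper names.

```python
"""Added example, not code from the thread: classify where an IKEv1
negotiation stalled from ASA syslog lines and strongSwan (charon) log lines of
the kind posted in this thread.  The sample lines are constructed, shortened
copies of the thread's own messages; triage_asa() and triage_charon() are
hypothetical helpers."""
import re

# Constructed from the ASA debug output posted earlier in the thread.
ASA_SAMPLE = """\
%ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
%ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
%ASA-7-715036: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0xe1e197b)
"""

# Constructed from the pfSense/charon log above.  charon prints a space after the
# <conn|sa> tag; the forum rendering lost it, so the parser accepts both forms.
CHARON_SAMPLE = """\
charon: 15[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
charon: 15[ENC] <con1000|87> generating ID_PROT request 0 [ SA V V V V V V ]
charon: 15[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
charon: 10[IKE] <con1000|87>sending retransmit 5 of request message ID 0, seq 1
charon: 10[IKE] <con1000|87> giving up after 5 retransmits
charon: 10[IKE] <con1000|87> establishing IKE_SA failed, peer not responding
"""

PHASE1_REJECTED = ("phase1", "peer rejected the Main Mode proposal: compare encryption, "
                   "hash, DH group and authentication method of the IKE policies")
PHASE2_REJECTED = ("phase2", "peer rejected the Quick Mode proposal: compare the ESP transform "
                   "(cipher/hash), the PFS group (ASA 'set pfs' without a group means group 2) "
                   "and the proxy IDs, i.e. the local/remote networks, on both sides")


def triage_asa(lines):
    """Map peer IP -> (stage, verdict) for peers whose proposal was rejected.

    The stage is the last negotiation step the ASA logged for that peer before
    the NO_PROPOSAL_CHOSEN notify arrived; with no Quick Mode activity logged
    the rejection is taken as a Phase 1 one."""
    stage, result = {}, {}
    for line in lines:
        m = re.search(r"IP = ([\w.]+), (.*)$", line)
        if not m:
            continue
        peer, msg = m.groups()
        if "QM pkt" in msg or "Proxy Id" in msg:
            stage[peer] = "phase2"
        if "No proposal chosen" in msg:
            result[peer] = PHASE2_REJECTED if stage.get(peer) == "phase2" else PHASE1_REJECTED
    return result


def _unanswered_verdict(exchange, payloads):
    """Which Main Mode message went unanswered, judged by the payloads charon generated last."""
    if exchange != "ID_PROT":
        return "unanswered %s request (payloads: %s)" % (exchange, " ".join(payloads))
    if "SA" in payloads:
        return ("MM1 unanswered: the peer never replied on UDP/500; a proposal, PSK or "
                "identifier mismatch would draw a reply, so check reachability, the port "
                "forward in front of the peer and that IKEv1 is enabled on its outside interface")
    if "KE" in payloads:
        return "MM3 unanswered: the proposal was accepted, the key exchange message got no reply"
    if "ID" in payloads:
        return ("MM5 unanswered: the encrypted identity message was not processed; a "
                "pre-shared key mismatch is the usual cause")
    return "Main Mode request unanswered (payloads: %s)" % " ".join(payloads)


def triage_charon(lines):
    """Map IKE_SA tag (e.g. 'con1000|87') -> verdict for every SA charon gave up on."""
    last_request, result = {}, {}
    for line in lines:
        m = re.search(r"<([^>]+)>\s*(.*)$", line)
        if not m:
            continue
        sa, msg = m.groups()
        g = re.match(r"generating (\w+) request \d+ \[ (.*?) \]", msg)
        if g:
            last_request[sa] = (g.group(1), g.group(2).split())
        if "giving up after" in msg:
            exchange, payloads = last_request.get(sa, ("?", []))
            result[sa] = _unanswered_verdict(exchange, payloads)
    return result


if __name__ == "__main__":
    for peer, (stage, verdict) in triage_asa(ASA_SAMPLE.splitlines()).items():
        print("ASA    %s (%s): %s" % (peer, stage, verdict))
    for sa, verdict in triage_charon(CHARON_SAMPLE.splitlines()).items():
        print("charon %s: %s" % (sa, verdict))
```

The useful distinction is silence versus rejection: a responder that dislikes the Main Mode proposal or the identity still answers (with a notify, or by dropping later messages), so a peer that never replies to MM1 is a reachability or forwarding problem on the path to UDP/500, not a parameter mismatch.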
    


  • Using the ASDM to create the tunnel on an ASA 5545x worked for me out of the box.  Just make sure all the parameters are the same on both sides.



  • @catdsnny:

    Just make sure all the parameters are the same on both sides.

    Really? Thank you Capt. Obvious, I didn't know :P
    Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.



  • @r4z13l:

    Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.

    You likely have a mismatched P1 identifier in that case since the ASA is behind NAT. You're specifying "My IP address" (or equivalent, don't recall the name of the Cisco option off the top of my head) on the ASA, which is its private IP. You're specifying same on the pfSense side, but it's using the ASA's public IP. Private IP != public IP, so your ASA's config doesn't match, so it only matches properly initiated in that direction. That's my first guess at least, the most likely cause in the described circumstance that we've run into with others here and support customers in the past.