IPSec VPN between pfSense 2.2.2 and Cisco ASA5505 9.2(3)3
Hello all,
I have some trouble setting up an IPsec VPN between a Cisco ASA and a pfSense.
The ASA is behind another NAT device. I have a port forwarding from that device to the ASA for ESP, UDP/500 and UDP/4500. Here is the ASA.cfg:
object network r4VDC
 subnet 10.153.192.0 255.255.255.0
 description r4VDC
access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_r4VDC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.xxx.201.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
group-policy GroupPolicy_r4VDC internal
group-policy GroupPolicy_r4VDC attributes
 vpn-tunnel-protocol ikev1
tunnel-group 217.xxx.201.xxx type ipsec-l2l
tunnel-group 217.xxx.201.xxx general-attributes
 default-group-policy GroupPolicy_r4VDC
tunnel-group 217.xxx.201.xxx ipsec-attributes
 ikev1 pre-shared-key test12345
Here is the pfSense config:
Phase 1:
Key Exchange version = V1
Internet Protocol = IPv4
Interface = WAN
Remote gateway = r4xxxxx.com
Authentication method = Mutual PSK
Negotiation mode = Main
My identifier = My IP address
Peer identifier = Peer IP address
Pre-Shared Key = test12345
Encryption algorithm = AES 256bits
Hash algorithm = SHA1
DH key group = 2
Lifetime = 86400
Disable Rekey = unchecked
Responder Only = unchecked
NAT Traversal = Auto
Dead Peer Detection = Enabled (10seconds/5retry)
Phase 2:
Mode = Tunnel IPv4
Local Network = 10.153.192.0/24
Remote Network = 10.64.155.0/24
Protocol = ESP
Encryption algorithms = AES 256bits
Hash algorithms = SHA1
PFS key group = 5
Lifetime = 86400
Log from ASA:
%ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0, Crypto map (outside_map)
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
%ASA-7-609001: Built local-host outside:217.xxx.201.xxx
%ASA-6-302015: Built outbound UDP connection 123931 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
%ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
%ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=185c8c2f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
%ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
%ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1da854ec)
%ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
%ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=d46d6a49) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
%ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
%ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970812)
%ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
%ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
%ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
%ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
%ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
%ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
%ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
%ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
%ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
%ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
%ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
%ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
%ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
%ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
%ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
%ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
%ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
%ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
%ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
%ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
%ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
%ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
%ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
%ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
%ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
%ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
%ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
%ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
%ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
%ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
%ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
%ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator…
%ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
%ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
%ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
%ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
%ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
%ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
%ASA-6-302015: Built outbound UDP connection 123932 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
%ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
%ASA-7-609001: Built local-host outside:10.153.192.5
Log from pfSense (read from bottom to top):
May 12 10:25:22 charon: 13[CFG] ignoring acquire, connection attempt pending
May 12 10:25:22 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:25:22 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
May 12 10:25:22 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
May 12 10:24:40 charon: 07[CFG] ignoring acquire, connection attempt pending
May 12 10:24:40 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:24:40 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
May 12 10:24:40 charon: 11[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
May 12 10:24:17 charon: 11[CFG] ignoring acquire, connection attempt pending
May 12 10:24:17 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:24:17 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
May 12 10:24:17 charon: 13[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
May 12 10:24:04 charon: 13[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
May 12 10:24:04 charon: 13[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
May 12 10:23:57 charon: 13[CFG] ignoring acquire, connection attempt pending
May 12 10:23:57 charon: 11[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:23:57 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
May 12 10:23:57 charon: 11[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
May 12 10:23:53 charon: 11[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:23:53 charon: 11[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
May 12 10:23:53 charon: 11[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
May 12 10:23:53 charon: 13[CFG] ignoring acquire, connection attempt pending
May 12 10:23:53 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
May 12 10:23:53 charon: 11[IKE] <con1000|1080>peer not responding, trying again (2/3)
May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
May 12 10:23:53 charon: 11[IKE] <con1000|1080>giving up after 5 retransmits
May 12 10:22:37 charon: 11[CFG] ignoring acquire, connection attempt pending
May 12 10:22:37 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:22:37 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
May 12 10:22:37 charon: 07[IKE] <con1000|1080>sending retransmit 5 of request message ID 0, seq 1
May 12 10:21:55 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
May 12 10:21:55 charon: 07[IKE] <con1000|1080>sending retransmit 4 of request message ID 0, seq 1
May 12 10:21:55 charon: 07[CFG] ignoring acquire, connection attempt pending
May 12 10:21:55 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:21:32 charon: 16[CFG] ignoring acquire, connection attempt pending
May 12 10:21:32 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:21:32 charon: 07[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
May 12 10:21:32 charon: 07[IKE] <con1000|1080>sending retransmit 3 of request message ID 0, seq 1
May 12 10:21:19 charon: 07[CFG] ignoring acquire, connection attempt pending
May 12 10:21:19 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:21:19 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
May 12 10:21:19 charon: 16[IKE] <con1000|1080>sending retransmit 2 of request message ID 0, seq 1
May 12 10:21:12 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
May 12 10:21:12 charon: 16[IKE] <con1000|1080>sending retransmit 1 of request message ID 0, seq 1
May 12 10:21:08 charon: 16[NET] <con1000|1080>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:21:08 charon: 16[ENC] <con1000|1080>generating ID_PROT request 0 [ SA V V V V V V ]
May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
May 12 10:21:08 charon: 16[IKE] <con1000|1080>initiating Main Mode IKE_SA con1000[1080] to 37.xxx.39.xxx
May 12 10:21:08 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
May 12 10:21:08 charon: 07[IKE] <con1000|1079>establishing IKE_SA failed, peer not responding
May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
May 12 10:21:08 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
May 12 10:20:14 charon: 07[CFG] ignoring acquire, connection attempt pending
May 12 10:20:14 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:19:52 charon: 16[CFG] ignoring acquire, connection attempt pending
May 12 10:19:52 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:19:52 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
May 12 10:19:52 charon: 07[IKE] <con1000|1079>sending retransmit 5 of request message ID 0, seq 1
May 12 10:19:10 charon: 08[CFG] ignoring acquire, connection attempt pending
May 12 10:19:10 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:19:10 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
May 12 10:19:10 charon: 07[IKE] <con1000|1079>sending retransmit 4 of request message ID 0, seq 1
May 12 10:18:47 charon: 07[CFG] ignoring acquire, connection attempt pending
May 12 10:18:47 charon: 08[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:18:47 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
May 12 10:18:47 charon: 08[IKE] <con1000|1079>sending retransmit 3 of request message ID 0, seq 1
May 12 10:18:34 charon: 08[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
May 12 10:18:34 charon: 08[IKE] <con1000|1079>sending retransmit 2 of request message ID 0, seq 1
May 12 10:18:26 charon: 08[CFG] ignoring acquire, connection attempt pending
May 12 10:18:26 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:18:26 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
May 12 10:18:26 charon: 07[IKE] <con1000|1079>sending retransmit 1 of request message ID 0, seq 1
May 12 10:18:22 charon: 07[NET] <con1000|1079>sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 12 10:18:22 charon: 07[ENC] <con1000|1079>generating ID_PROT request 0 [ SA V V V V V V ]
May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
May 12 10:18:22 charon: 07[IKE] <con1000|1079>initiating Main Mode IKE_SA con1000[1079] to 37.xxx.39.xxx
May 12 10:18:22 charon: 08[CFG] ignoring acquire, connection attempt pending
May 12 10:18:22 charon: 16[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {9}
May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
May 12 10:18:22 charon: 07[IKE] <con1000|1079>peer not responding, trying again (3/3)
May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
May 12 10:18:22 charon: 07[IKE] <con1000|1079>giving up after 5 retransmits
Any Ideas?
greetings, r4
EDIT1:
I changed the pfSense Phase 1 from
Peer identifier = Peer IP Identifier to
Peer identifier = IP Identifier: 172.31.31.253 (outside IF of the ASA). Now a tunnel is established for about 30 seconds and then breaks down.
I've also tried to build the tunnel with a KeyID, but that didn't work for me. ASA log for that tunnel:
Sending 5, 100-byte ICMP Echos to 10.153.192.254, timeout is 2 seconds:
May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:37: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:37: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 1.
May 12 2015 13:50:37: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
May 12 2015 13:50:37: %ASA-5-713041: IP = 217.xxx.201.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 217.xxx.201.xxx local Proxy Address 10.64.155.0, remote Proxy Address 10.153.192.0, Crypto map (outside_map)
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ISAKMP SA payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 02 payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver 03 payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Traversal VID ver RFC payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Fragmentation VID + extended capabilities payload
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
May 12 2015 13:50:37: %ASA-7-609001: Built local-host outside:217.xxx.201.xxx
May 12 2015 13:50:37: %ASA-6-302015: Built outbound UDP connection 125318 for outside:217.xxx.201.xxx/500 (217.xxx.201.xxx/500) to identity:172.31.31.253/500 (172.31.31.253/500)
May 12 2015 13:50:37: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing SA payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, Oakley proposal is acceptable
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received xauth V6 VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received DPD VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Cisco Unity client VID
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received Fragmentation VID
May 12 2015 13:50:37: %ASA-7-715064: IP = 217.xxx.201.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
May 12 2015 13:50:37: %ASA-7-715047: IP = 217.xxx.201.xxx, processing VID payload
May 12 2015 13:50:37: %ASA-7-715049: IP = 217.xxx.201.xxx, Received NAT-Traversal RFC VID
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing ke payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing nonce payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing Cisco Unity VID payload
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing xauth V6 VID payload
May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send IOS VID
May 12 2015 13:50:37: %ASA-7-715038: IP = 217.xxx.201.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing VID payload
May 12 2015 13:50:37: %ASA-7-715048: IP = 217.xxx.201.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:37: %ASA-7-715046: IP = 217.xxx.201.xxx, constructing NAT-Discovery payload
May 12 2015 13:50:37: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:37: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:500 from 217.xxx.201.xxx:500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ke payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing ISA_KE payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing nonce payload
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:38: %ASA-7-715047: IP = 217.xxx.201.xxx, processing NAT-Discovery payload
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, computing NAT Discovery hash
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Generating keys for Initiator...
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing ID payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing hash payload
May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing dpd vid payload
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
May 12 2015 13:50:38: %ASA-6-713172: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
May 12 2015 13:50:38: %ASA-6-713905: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Floating NAT-T to port 4500
May 12 2015 13:50:38: %ASA-6-302015: Built outbound UDP connection 125319 for outside:217.xxx.201.xxx/4500 (217.xxx.201.xxx/4500) to identity:172.31.31.253/4500 (172.31.31.253/4500)
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing ID payload
May 12 2015 13:50:38: %ASA-7-714011: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, ID_IPV4_ADDR ID received 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:38: %ASA-7-715076: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Computing hash for ISAKMP
May 12 2015 13:50:38: %ASA-7-713906: IP = 217.xxx.201.xxx, Connection landed on tunnel_group 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-715059: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Proposing only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
May 12 2015 13:50:38: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_r4VDC) for user = 217.xxx.201.xxx
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Oakley begin quick mode
May 12 2015 13:50:38: %ASA-7-714002: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator starting QM: msg id = 4e956de2
May 12 2015 13:50:38: %ASA-5-713119: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, PHASE 1 COMPLETED
May 12 2015 13:50:38: %ASA-7-713121: IP = 217.xxx.201.xxx, Keep-alive type for this connection: DPD
May 12 2015 13:50:38: %ASA-7-715080: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Starting P1 rekey timer: 82080 seconds.
May 12 2015 13:50:38: %ASA-7-715006: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE got SPI from key engine: SPI = 0xae561233
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, oakley constucting quick mode
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec SA payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing IPSec nonce payload
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing pfs ke payload
May 12 2015 13:50:38: %ASA-7-715001: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing proxy ID
May 12 2015 13:50:38: %ASA-7-713906: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Transmitting Proxy Id: Local subnet: 10.64.155.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 10.153.192.0 Mask 255.255.255.0 Protocol 0 Port 0
May 12 2015 13:50:38: %ASA-7-714007: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending Initial Contact
May 12 2015 13:50:38: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload
May 12 2015 13:50:38: %ASA-7-714004: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, IKE Initiator sending 1st QM pkt: msg id = 4e956de2
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=4e956de2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
May 12 2015 13:50:38: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:38: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=4710bb77) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:38: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
May 12 2015 13:50:38: %ASA-5-713068: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received non-routine Notify message: No proposal chosen (14)
May 12 2015 13:50:39: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:39: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:39: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:41: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:41: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:41: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:42: %ASA-6-302016: Teardown UDP connection 125308 for outside:148.251.6.51/123 to identity:172.31.31.253/65535 duration 0:02:01 bytes 96
May 12 2015 13:50:42: %ASA-7-609002: Teardown local-host outside:148.251.6.51 duration 0:02:01
May 12 2015 13:50:43: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:43: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:43: %ASA-7-752008: Duplicate entry already in Tunnel Manager
May 12 2015 13:50:44: %ASA-7-715036: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x64970cf9)
May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing blank hash payload
May 12 2015 13:50:44: %ASA-7-715046: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, constructing qm hash payload
May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE SENDING Message (msgid=d77554c4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715036: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0xe1e197b)
May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing blank hash payload
May 12 2015 13:50:44: %ASA-7-715046: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, constructing qm hash payload
May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE SENDING Message (msgid=a7a6c821) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.31.xxx:4500
May 12 2015 13:50:44: %ASA-7-713236: IP = 217.xxx.31.xxx, IKE_DECODE RECEIVED Message (msgid=273d5a7b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing hash payload
May 12 2015 13:50:44: %ASA-7-715047: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, processing notify payload
May 12 2015 13:50:44: %ASA-7-715075: Group = 217.xxx.31.xxx, IP = 217.xxx.31.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64970cf9)
May 12 2015 13:50:44: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 62.xxx.185.xxx:4500
May 12 2015 13:50:44: %ASA-7-713236: IP = 62.xxx.185.xxx, IKE_DECODE RECEIVED Message (msgid=f558fd73) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing hash payload
May 12 2015 13:50:44: %ASA-7-715047: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, processing notify payload
May 12 2015 13:50:44: %ASA-7-715075: Group = 62.xxx.185.xxx, IP = 62.xxx.185.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xe1e197b)
May 12 2015 13:50:45: %ASA-7-609001: Built local-host outside:10.153.192.254
May 12 2015 13:50:45: %ASA-7-609002: Teardown local-host outside:10.153.192.254 duration 0:00:00
May 12 2015 13:50:45: %ASA-7-752008: Duplicate entry already in Tunnel Manager
?
Success rate is 0 percent (0/5)
May 12 2015 13:50:47: %ASA-5-111008: User 'enable_15' executed the 'ping inside 10.153.192.254' command.
May 12 2015 13:50:47: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.64.155.230, executed 'ping inside 10.153.192.254'
May 12 2015 13:50:48: %ASA-7-713906: IKE Receiver: Packet received on 172.31.31.253:4500 from 217.xxx.201.xxx:4500
May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE RECEIVED Message (msgid=833328cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing hash payload
May 12 2015 13:50:48: %ASA-7-715047: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, processing notify payload
May 12 2015 13:50:48: %ASA-7-715075: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Received keep-alive of type DPD R-U-THERE (seq number 0x69bcc0c)
May 12 2015 13:50:48: %ASA-7-715036: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x69bcc0c)
May 12 2015 13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing blank hash payload
May 12 2015
13:50:48: %ASA-7-715046: Group = 217.xxx.201.xxx, IP = 217.xxx.201.xxx, constructing qm hash payload May 12 2015 13:50:48: %ASA-7-713236: IP = 217.xxx.201.xxx, IKE_DECODE SENDING Message (msgid=6c526b0b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84 n
-
I fixed it finally :)
I will post the configuration of ASA & pfSense tomorrow
-
We are waiting. :)
-
Here is the ASA.cfg:
object network r4VDC
 subnet 10.153.192.0 255.255.255.0
 description r4VDC
access-list inside_access_in extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
access-list outside_access_in extended permit ip object r4VDC 10.64.155.0 255.255.255.0
access-list outside_cryptomap_r4VDC extended permit ip 10.64.155.0 255.255.255.0 object r4VDC
nat (inside,outside) source static inside10.64.155.0 inside10.64.155.0 destination static r4VDC r4VDC
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_r4VDC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.xxx.201.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
group-policy GroupPolicy_r4VDC internal
group-policy GroupPolicy_r4VDC attributes
 vpn-tunnel-protocol ikev1
tunnel-group 217.xxx.201.xxx type ipsec-l2l
tunnel-group 217.xxx.201.xxx general-attributes
 default-group-policy GroupPolicy_r4VDC
tunnel-group 217.xxx.201.xxx ipsec-attributes
 ikev1 pre-shared-key test12345
Here the pfSense config:
Phase 1:
Key Exchange version = V1
Internet Protocol = IPv4
Interface = WAN
Remote gateway = r4xxxxx.com
Authentication method = Mutual PSK
Negotiation mode = Main
My identifier = My IP address
Peer identifier = IP address (outside IP of ASA = 172.31.31.254)
Pre-Shared Key = test12345
Encryption algorithm = AES 256bits
Hash algorithm = SHA1
DH key group = 2
Lifetime = 86400
Disable Rekey = unchecked
Responder Only = unchecked
NAT Traversal = Auto
Dead Peer Detection = Enabled (10seconds/5retry)
Phase 2:
Mode = Tunnel IPv4
Local Network = 10.153.192.0/24
Remote Network = 10.64.155.0/24
Protocol = ESP
Encryption algorithms = AES 256bits
Hash algorithms = SHA1
PFS key group = 2
Lifetime = 86400
Two points are left:
- The tunnel does not rekey after 24h
- I can only establish the tunnel from the ASA side
Any thoughts on this?
regards r4
-
Does anyone have any ideas?
Here is the pfSense log when no tunnel is established:
May 27 21:35:17 charon: 06[CFG] ignoring acquire, connection attempt pending
May 27 21:35:17 charon: 13[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:35:17 charon: 13[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:35:17 charon: 13[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:35:17 charon: 13[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:35:04 charon: 13[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:35:04 charon: 13[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:35:04 charon: 13[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:34:57 charon: 13[CFG] ignoring acquire, connection attempt pending
May 27 21:34:57 charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:34:57 charon: 06[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:34:57 charon: 06[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:34:57 charon: 06[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:34:53 charon: 06[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:34:53 charon: 06[ENC] <con1000|87> generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:34:53 charon: 06[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:34:53 charon: 06[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:34:53 charon: 13[CFG] ignoring acquire, connection attempt pending
May 27 21:34:53 charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:34:53 charon: 06[IKE] <con1000|87> peer not responding, trying again (3/3)
May 27 21:34:53 charon: 06[IKE] <con1000|87> peer not responding, trying again (3/3)
May 27 21:34:53 charon: 06[IKE] <con1000|87> giving up after 5 retransmits
May 27 21:34:53 charon: 06[IKE] <con1000|87> giving up after 5 retransmits
May 27 21:34:17 charon: 06[CFG] ignoring acquire, connection attempt pending
May 27 21:34:17 charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:33:37 charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:33:37 charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:33:37 charon: 12[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:33:37 charon: 12[IKE] <con1000|87> sending retransmit 5 of request message ID 0, seq 1
May 27 21:33:37 charon: 12[IKE] <con1000|87> sending retransmit 5 of request message ID 0, seq 1
May 27 21:32:55 charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:55 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:55 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:55 charon: 10[IKE] <con1000|87> sending retransmit 4 of request message ID 0, seq 1
May 27 21:32:55 charon: 10[IKE] <con1000|87> sending retransmit 4 of request message ID 0, seq 1
May 27 21:32:32 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:32 charon: 10[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:32:32 charon: 10[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:32:30 charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:32:30 charon: 12[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:19 charon: 12[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:19 charon: 12[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:32:19 charon: 12[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:32:12 charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:12 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:12 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:12 charon: 10[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:32:12 charon: 10[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:32:08 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:32:08 charon: 10[ENC] <con1000|87> generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:32:08 charon: 10[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:32:08 charon: 10[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:32:08 charon: 12[CFG] ignoring acquire, connection attempt pending
May 27 21:32:08 charon: 06[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:32:08 charon: 10[IKE] <con1000|87> peer not responding, trying again (2/3)
May 27 21:32:08 charon: 10[IKE] <con1000|87> peer not responding, trying again (2/3)
May 27 21:32:08 charon: 10[IKE] <con1000|87> giving up after 5 retransmits
May 27 21:32:08 charon: 10[IKE] <con1000|87> giving up after 5 retransmits
May 27 21:30:52 charon: 15[CFG] ignoring acquire, connection attempt pending
May 27 21:30:52 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:30:52 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:30:52 charon: 10[IKE] <con1000|87> sending retransmit 5 of request message ID 0, seq 1
May 27 21:30:52 charon: 10[IKE] <con1000|87> sending retransmit 5 of request message ID 0, seq 1
May 27 21:30:10 charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:30:10 charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:30:10 charon: 15[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:30:10 charon: 15[IKE] <con1000|87> sending retransmit 4 of request message ID 0, seq 1
May 27 21:30:10 charon: 15[IKE] <con1000|87> sending retransmit 4 of request message ID 0, seq 1
May 27 21:29:47 charon: 15[CFG] ignoring acquire, connection attempt pending
May 27 21:29:47 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:47 charon: 10[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:47 charon: 10[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:29:47 charon: 10[IKE] <con1000|87> sending retransmit 3 of request message ID 0, seq 1
May 27 21:29:34 charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:29:34 charon: 15[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:34 charon: 15[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:34 charon: 15[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:29:34 charon: 15[IKE] <con1000|87> sending retransmit 2 of request message ID 0, seq 1
May 27 21:29:27 charon: 15[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:27 charon: 15[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:29:27 charon: 15[IKE] <con1000|87> sending retransmit 1 of request message ID 0, seq 1
May 27 21:29:23 charon: 15[NET] <con1000|87> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:29:23 charon: 15[ENC] <con1000|87> generating ID_PROT request 0 [ SA V V V V V V ]
May 27 21:29:23 charon: 15[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:29:23 charon: 15[IKE] <con1000|87> initiating Main Mode IKE_SA con1000[87] to 37.xxx.39.xxx
May 27 21:29:23 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:29:23 charon: 10[IKE] <con1000|86> establishing IKE_SA failed, peer not responding
May 27 21:29:23 charon: 10[IKE] <con1000|86> establishing IKE_SA failed, peer not responding
May 27 21:29:23 charon: 10[IKE] <con1000|86> giving up after 5 retransmits
May 27 21:29:23 charon: 10[IKE] <con1000|86> giving up after 5 retransmits
May 27 21:28:07 charon: 07[NET] <con1000|86> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:28:07 charon: 07[IKE] <con1000|86> sending retransmit 5 of request message ID 0, seq 1
May 27 21:28:07 charon: 07[IKE] <con1000|86> sending retransmit 5 of request message ID 0, seq 1
May 27 21:27:52 charon: 07[CFG] ignoring acquire, connection attempt pending
May 27 21:27:52 charon: 10[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:27:25 charon: 10[CFG] ignoring acquire, connection attempt pending
May 27 21:27:25 charon: 07[KNL] creating acquire job for policy 217.xxx.201.xxx/32|/0 === 37.xxx.39.xxx/32|/0 with reqid {1}
May 27 21:27:25 charon: 07[NET] <con1000|86> sending packet: from 217.xxx.201.xxx[500] to 37.xxx.39.xxx[500] (204 bytes)
May 27 21:27:25 charon: 07[IKE] <con1000|86> sending retransmit 4 of request message ID 0, seq 1
May 27 21:27:25 charon: 07[IKE] <con1000|86> sending retransmit 4 of request message ID 0, seq 1
-
Using the ASDM to create the tunnel on an ASA 5545x worked for me out of the box. Just make sure all the parameters are the same on both sides.
-
Just make sure all the parameters are the same on both sides.
Really? Thank you, Capt. Obvious, I didn't know :P
Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.
-
Back to topic: the VPN can be established from the ASA side, not from the pfSense. The ASA is behind a NAT device. For further information please read the thread.
You likely have a mismatched P1 identifier in that case since the ASA is behind NAT. You're specifying "My IP address" (or equivalent, don't recall the name of the Cisco option off the top of my head) on the ASA, which is its private IP. You're specifying the same on the pfSense side, but it's using the ASA's public IP. Private IP != public IP, so your ASA's config doesn't match, so it only matches properly when initiated in that direction. That's my first guess at least, the most likely cause in the described circumstance that we've run into with others here and with support customers in the past.
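As an added example (not code from the thread, pfSense or Cisco), a small Python checker that parses the relevant lines of the ASA config posted earlier and compares them with the pfSense Phase 1/Phase 2 settings, including the peer-identifier rule from the reply above; the field names, the "bare `set pfs` means group2" default, and the `asa_behind_nat` flag are my assumptions, and since the posted ASA excerpt contains only policy 160 (group 5), the P1 finding it reports reflects that excerpt rather than the ASA's full policy list.

```python
import re
# Constructed excerpt of the ASA config posted in the thread (addresses masked as on the page).
ASA_CFG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

def parse_asa_ikev1(cfg):
    """Collect IKEv1 policies and the crypto-map phase-2 settings from an ASA config excerpt."""
    asa, policy = {"policies": {}, "transform_sets": {}, "transform_set": None, "pfs_group": None}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and policy is not None:  # sub-command of the current ikev1 policy
            key, _, val = line.partition(" ")
            policy[key] = val
            continue
        policy = None
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            policy = asa["policies"].setdefault(int(m.group(1)), {})
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", line):
            asa["transform_sets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map \S+ \d+ set ikev1 transform-set (\S+)", line):
            asa["transform_set"] = m.group(1)
        elif re.match(r"crypto map \S+ \d+ set pfs\b", line):
            m = re.search(r"group(\d+)", line)
            asa["pfs_group"] = int(m.group(1)) if m else 2  # assumption: bare 'set pfs' means group2
    return asa

def compare(asa, pf):
    out, want = [], {"encryption": pf["p1_encryption"], "hash": pf["p1_hash"],
                     "group": str(pf["p1_dh_group"]), "lifetime": str(pf["p1_lifetime"])}
    if not any(all(p.get(k) == v for k, v in want.items()) for p in asa["policies"].values()):
        out.append(f"P1: no ASA ikev1 policy matches the pfSense proposal {want}")
    # An ASA identifying by IP sends its own outside address; behind NAT that is the private one.
    if pf["asa_behind_nat"] and pf["peer_identifier"] != pf["asa_outside_ip"]:
        out.append(f"P1: peer identifier {pf['peer_identifier']} != ASA outside IP {pf['asa_outside_ip']}")
    if asa["transform_sets"].get(asa["transform_set"]) != (f"esp-{pf['p2_encryption']}", f"esp-{pf['p2_hash']}-hmac"):
        out.append("P2: ASA transform set does not match the pfSense ESP proposal")
    if asa["pfs_group"] != pf["p2_pfs_group"]:
        out.append(f"P2: ASA PFS group {asa['pfs_group']} != pfSense PFS group {pf['p2_pfs_group']}")
    return out

# pfSense settings from the working configuration posted in the thread.
PFSENSE_FIXED = {"p1_encryption": "aes-256", "p1_hash": "sha", "p1_dh_group": 2, "p1_lifetime": 86400,
                 "p2_encryption": "aes-256", "p2_hash": "sha", "p2_pfs_group": 2,
                 "asa_behind_nat": True, "asa_outside_ip": "172.31.31.254", "peer_identifier": "172.31.31.254"}
# The first attempt from the thread: PFS group 5 and the NAT device's public address as peer identifier.
PFSENSE_FIRST = dict(PFSENSE_FIXED, p2_pfs_group=5, peer_identifier="37.xxx.39.xxx")
```

Running `compare(parse_asa_ikev1(ASA_CFG), PFSENSE_FIRST)` reports the PFS group and peer identifier mismatches that the poster fixed, while the corrected settings leave only the P1 group difference between policy 160 and the pfSense DH group.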