IPSEC between pfSense and Cisco PIX 525 (pixos v8)



  • IPSEC gurus:

    I have been trying for a few hours to get this working properly. I believe my setup seems ok on the PIX and the pfSense box. On the PIX I have the following relevant config items:

    
    crypto ipsec transform-set coutts-transform-set esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    
    crypto map mymap 100 match address vpn
    crypto map mymap 100 set peer 72.38.121.34
    crypto map mymap 100 set transform-set coutts-transform-set
    crypto map mymap interface T3
    crypto isakmp identity address
    crypto isakmp enable T3
    crypto isakmp policy 11
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    
    tunnel-group 72.38.121.34 type ipsec-l2l
    tunnel-group 72.38.121.34 ipsec-attributes
     pre-shared-key *
    
    

    The configuration on the pfSense matches this but is set up for the opposite end. I don't know if I need an entry on the PSK tab, but I have put one there with the identifier as the IP of the Cisco, and the PSK in that box as well as in the IPsec properties. The phase 1 groups, lifetimes etc. are all correct, and it seems like racoon is trying to come up; however, I get the following errors when I try to get the tunnel to come online. I believe the bold lines are the relevant ones, but am having trouble tracking down any answers as to why they are happening.

    
    Apr 23 21:55:32 racoon: [USLV IPSEC]: INFO: ISAKMP-SA deleted 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 
    Apr 23 21:55:31 racoon: ERROR: phase2 negotiation failed due to phase1 expired. 19788241af5d2232:4219ee0ce8b1cb16:0000d114 
    Apr 23 21:55:21 racoon: [USLV IPSEC]: INFO: ISAKMP-SA expired 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 
    Apr 23 21:55:21 racoon: ERROR: Message: '^ hBl 2 4 ( P &C5LP F E I e z M T\ \p $Nh @ a H-8+ 2 !gi f) d% 4Pd <{ xn' l U = H w ,| h B f$ nkx f < '. 
    ***Apr 23 21:55:21 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. 
    Apr 23 21:55:21 racoon: [USLV IPSEC]: INFO: initiate new phase 2 negotiation: 72.38.121.34[500]<=>198.183.167.100[500] 
    Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: ISAKMP-SA established 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 
    Apr 23 21:55:20 racoon: INFO: received Vendor ID: DPD 
    Apr 23 21:55:20 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
    Apr 23 21:55:20 racoon: INFO: received Vendor ID: CISCO-UNITY 
    ***Apr 23 21:55:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 23 21:55:20 racoon: INFO: begin Identity Protection mode. 
    Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: initiate new phase 1 negotiation: 72.38.121.34[500]<=>198.183.167.100[500] 
    Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: IPsec-SA request for 198.183.167.100 queued due to no phase1 found. 
    
    

    Any help on this would be greatly appreciated. I need to get this configuration done by Friday or we may have to reinstall our crappy Cisco 2611 in place of this lovely pfSense box.





  • Thanks for the link, that is the doc I used as a guide to get troubleshooting underway. The configs at that link also differ as they are for pixos 6 and do not apply on 8. 8 will tell you that a command is deprecated and you have to do something a little differently.

    Is there anyone that can help with the racoon issues I am experiencing? Is there a way to turn off ISAKMP fragmentation on the Cisco? It would be great to know exactly what is going wrong since it seems to want to bring up both layers of the tunnel.



  • I have an update on this. It seems that my remote subnet entry was /16, while the actual remote subnet was /22…

    The debugging on the Cisco was way more helpful in determining the problem at the end of the day. For those in a similar situation you will need to run the following on a PIX/ASA to see what you need:
    debug crypto isakmp

    THEN I got a ping ready on pfSense, to ping the inside address of the remote endpoint (after creating firewall rules) and did the following:
    terminal monitor
    - execute ping on pfSense now.
    - after you see the Group = xxxx entry in the logs and think you have what you need:
    terminal no monitor

    This will keep it from scrolling off your buffer until you can figure out what is going on.

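As an added example (not from the thread, pfSense or Cisco), a small Python check for the mistake found in the last post: the PIX crypto ACL behind `match address vpn` and the pfSense phase 2 local/remote subnets must be exact mirrors, and the racoon pattern "ISAKMP-SA established" followed by "INVALID-ID-INFORMATION" is the symptom of a selector mismatch rather than a PSK or phase 1 problem. The ACL line format is the standard PIX/ASA extended ACL syntax; the subnets and the two racoon lines are constructed, since the thread never shows the ACL itself.

```python
import ipaddress
import re

# Constructed sample PIX crypto ACL (the "vpn" ACL named in the thread's crypto map);
# the thread never shows it, so these subnets are hypothetical.
# Scenario from the last post: the PIX inside network is really a /22.
PIX_ACL = [
    "access-list vpn extended permit ip 10.1.8.0 255.255.252.0 192.168.0.0 255.255.255.0",
]
# Constructed pfSense phase 2 entries as (local, remote) CIDR pairs.
P2_WRONG = [("192.168.0.0/24", "10.1.0.0/16")]    # remote typed as /16, as in the thread
P2_FIXED = [("192.168.0.0/24", "10.1.8.0/22")]    # exact mirror of the PIX ACL
# Constructed racoon lines reproducing the symptom from the first post.
RACOON_LOG = [
    "racoon: [USLV IPSEC]: INFO: ISAKMP-SA established 72.38.121.34[500]-198.183.167.100[500]",
    "racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.",
]

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_pix_acl(lines):
    """Return a set of (src_net, dst_net) from PIX/ASA extended ACL lines (mask notation)."""
    nets = set()
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            _, src, smask, dst, dmask = m.groups()
            nets.add((ipaddress.ip_network(f"{src}/{smask}"),
                      ipaddress.ip_network(f"{dst}/{dmask}")))
    return nets

def mismatched_selectors(pix_lines, pfsense_p2):
    """pfSense phase 2 entries with no exact mirror in the PIX crypto ACL.
    The PIX answers a quick-mode proposal whose proxy IDs do not match its
    crypto ACL with INVALID-ID-INFORMATION, so a /16 against a /22 fails."""
    pix = parse_pix_acl(pix_lines)
    return [(local, remote) for local, remote in pfsense_p2
            if (ipaddress.ip_network(remote), ipaddress.ip_network(local)) not in pix]

def phase2_id_failure(log_lines):
    """True when phase 1 came up but phase 2 was answered with
    INVALID-ID-INFORMATION: PSK and phase 1 settings are fine, check the subnets."""
    p1_up = any("ISAKMP-SA established" in line for line in log_lines)
    bad_id = any("INVALID-ID-INFORMATION" in line for line in log_lines)
    return p1_up and bad_id

if __name__ == "__main__":
    print("mismatched:", mismatched_selectors(PIX_ACL, P2_WRONG))
    print("fixed:", mismatched_selectors(PIX_ACL, P2_FIXED))
    print("selector problem indicated:", phase2_id_failure(RACOON_LOG))
```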
