IPSEC between pfSense and Cisco PIX 525 (pixos v8)
-
IPSEC gurus:
I have been trying for a few hours to get this working properly, i believe my setup seems ok on the pix and the pfsense box, on the pix i have the following relevant config items:
crypto ipsec transform-set coutts-transform-set esp-des esp-md5-hmac crypto ipsec security-association lifetime seconds 3600 crypto map mymap 100 match address vpn crypto map mymap 100 set peer 72.38.121.34 crypto map mymap 100 set transform-set coutts-transform-set crypto map mymap interface T3 crypto isakmp identity address crypto isakmp enable T3 crypto isakmp policy 11 authentication pre-share encryption des hash md5 group 2 lifetime 86400 no crypto isakmp nat-traversal tunnel-group 72.38.121.34 type ipsec-l2l tunnel-group 72.38.121.34 ipsec-attributes pre-shared-key *configuration on the pfsense matches this but is setup for the opposite end. I don't know if i need an entry on the psk tab, but i have put one there with the identifier as the IP of the cisco, and the psk in that box as well as in the ipsec properties. The phase1 groups, lifetimes etc. are all correct, and it seems like racoon is trying to come up, however, i get the following errors when i try to get the tunnel to come online. i believe the bold lines are the relevant ones, but am having trouble tracking down any answers as to why they are happening.
Apr 23 21:55:32 racoon: [USLV IPSEC]: INFO: ISAKMP-SA deleted 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 Apr 23 21:55:31 racoon: ERROR: phase2 negotiation failed due to phase1 expired. 19788241af5d2232:4219ee0ce8b1cb16:0000d114 Apr 23 21:55:21 racoon: [USLV IPSEC]: INFO: ISAKMP-SA expired 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 Apr 23 21:55:21 racoon: ERROR: Message: '^ hBl 2 4 ( P &C5LP F E I e z M T\ \p $Nh @ a H-8+ 2 !gi f) d% 4Pd <{ xn' l U = H w ,| h B f$ nkx f < '. ***Apr 23 21:55:21 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. Apr 23 21:55:21 racoon: [USLV IPSEC]: INFO: initiate new phase 2 negotiation: 72.38.121.34[500]<=>198.183.167.100[500] Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: ISAKMP-SA established 72.38.121.34[500]-198.183.167.100[500] spi:19788241af5d2232:4219ee0ce8b1cb16 Apr 23 21:55:20 racoon: INFO: received Vendor ID: DPD Apr 23 21:55:20 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Apr 23 21:55:20 racoon: INFO: received Vendor ID: CISCO-UNITY ***Apr 23 21:55:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Apr 23 21:55:20 racoon: INFO: begin Identity Protection mode. Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: initiate new phase 1 negotiation: 72.38.121.34[500]<=>198.183.167.100[500] Apr 23 21:55:20 racoon: [USLV IPSEC]: INFO: IPsec-SA request for 198.183.167.100 queued due to no phase1 found.Any help on this would be greatly appreciated, I need to get this configuration done by friday or we may have to reinstall our crappy cisco 2611 in place of this lovely pfsense box.
-
-
thanks for the link, that is the doc i used as a guide to get troubleshooting underway. the configs at that link also differ as they are for pixos6 and do not apply on 8. 8 will tell you that a command is deprected and you have to do something a little differently.
Is there anyone that can help with the racoon issues I am expeiencing? is there a way to turn off isakmp fragmentation on the cisco? It would be great to know exactly what is going wrong since it seems to want to bring up both layers of the tunnel.
-
I have an update on this. it seems that my remote subnet entry was /16, while the actual remote subnet was /22…
the debugging on the cisco was way more helpful in determining the problem at the end of the day. for those in a similar situation you will need to run the following on a PIX/ASA to see what you need.
debug crypto isakmpTHEN. i got a ping ready on pfsene, to ping the inside address of the remote endpoint (after creating firewall rules) and did the following
terminal monitor
-execute ping on pfsense now.
-after you see the Group = xxxx entry in the logs and think you have what you need
terminal no monitorthis will keep it from scrolling off your buffer until you can figure our what it going on.