    IPSEC Pfsense v2.0.3 Cisco ASA 9.x

thda:

      Hello,

We have successfully set up a lot of IPsec site-to-site VPNs up to now, but today I'm stuck on one case between pfSense v2.0.3 (my side) and Cisco ASA 9.x (remote side: I have no direct access to it).

The configuration is the following:
Phase 1 (IKE Setup)
Exchange mode: Main
Authentication method: Pre-Shared secret
Encryption Algorithm: 3DES
Hash Algorithm (data integrity): SHA1
Diffie-Hellman: Group 5
SA Lifetime: 86400
Phase 2 (IPsec Setup)
Security Protocol: ESP
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES
Hash Algorithm (data integrity): SHA1
PFS (Perfect Forward Secrecy): Key group 5
Lifetime: 3600

I found no information in the log concerning Phase 1.

      But I found the following :
      Aug 10 11:39:08 racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.128.0.0/9[0] 10.93.0.0/22[0] proto=any dir=out
      Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.1.0/24[0] 10.93.0.0/22[0] proto=any dir=out
      Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/10[0] 10.93.0.0/22[0] proto=any dir=out
      Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.94.0.0/15[0] 10.93.0.0/22[0] proto=any dir=out

I tried searching at the following link with no success:
http://forum.pfsense.org/index.php?action=search
keywords: "racoon: [Unknown Gateway/Dynamic]"

Normally, IP addresses are static on both sides.

Has someone already seen this kind of behaviour?

cmb:

        Those aren't actually errors. Newer racoon versions log those more correctly as informational.

        Dynamic gateway probably means you have a P1 mismatch, though you're on such an outdated version it's hard to say for sure there.

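A small triage script for the racoon lines quoted in the original post and for the two points in cmb's reply (the "such policy already exists" lines are harmless, and "[Unknown Gateway/Dynamic]" on a static-to-static tunnel points at a Phase 1 mismatch). This is an added example, not code from the thread, from pfSense or from racoon. The sample log lines are the five lines from the post; the local Phase 1 proposal is the one thda listed; the remote (ASA) proposal is a constructed assumption, since the poster has no access to that side, and exists only to show how a single differing parameter is reported.

```python
"""Triage of racoon log lines from pfSense 2.0.x IPsec (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Racoon line shape as seen in the post:
#   "<Mon DD HH:MM:SS> racoon: [<gateway tag>]: <LEVEL>: <message>"
# The "[<gateway tag>]: " part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: "
    r"(?:\[(?P<gw>[^\]]+)\]: )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Messages this racoon build logs at ERROR (or as a bare INFO) that are
# harmless; newer racoon versions log the SPD one as informational.
HARMLESS_PREFIXES = (
    "such policy already exists. anyway replace it",
    "unsupported PF_KEY message REGISTER",
)

# SPD selector as printed by racoon: "src/len[port] dst/len[port] proto=.. dir=.."
POLICY_RE = re.compile(
    r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] "
    r"proto=(?P<proto>\w+) dir=(?P<dir>\w+)"
)

Policy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]

# Copied from the post (constructed sample input for this script).
SAMPLE_LOG = """\
Aug 10 11:39:08 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.128.0.0/9[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.1.0/24[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/10[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.94.0.0/15[0] 10.93.0.0/22[0] proto=any dir=out
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Split one racoon line into fields; None if it is not racoon output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Downgrade the known-benign messages so genuine failures stand out.
    rec["effective_level"] = "INFO" if rec["msg"].startswith(HARMLESS_PREFIXES) else rec["level"]
    # racoon could not match the peer to a configured static remote gateway;
    # on a tunnel with static addresses on both ends that usually means the
    # Phase 1 proposal did not match and no ISAKMP SA was established.
    rec["unknown_gateway"] = rec["gw"] == "Unknown Gateway/Dynamic"
    pm = POLICY_RE.search(rec["msg"])
    rec["policy"] = (
        (ipaddress.ip_network(pm["src"]), ipaddress.ip_network(pm["dst"]), pm["dir"])
        if pm else None
    )
    return rec


def overlapping_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Pairs of same-direction SPD entries whose selectors overlap.

    Overlapping Phase 2 selectors are a common reason racoon installs a
    policy twice or picks the wrong SA for traffic."""
    found = []
    for i, (s1, d1, dir1) in enumerate(policies):
        for s2, d2, dir2 in policies[i + 1:]:
            if dir1 == dir2 and s1.overlaps(s2) and d1.overlaps(d2):
                found.append((str(s1), str(s2)))
    return found


def triage(lines: List[str]) -> dict:
    """Summarise a batch of racoon lines: real errors, benign noise, P2 selectors."""
    recs = [r for r in map(parse_line, lines) if r]
    policies = [r["policy"] for r in recs if r["policy"]]
    return {
        "real_errors": [r["msg"] for r in recs if r["effective_level"] == "ERROR"],
        "downgraded": sum(1 for r in recs if r["level"] != r["effective_level"]),
        "unknown_gateway_seen": any(r["unknown_gateway"] for r in recs),
        "phase2_selectors": [(str(s), str(d)) for s, d, _ in policies],
        "overlaps": overlapping_policies(policies),
    }


# Phase 1 proposal as listed in the post (pfSense side).
LOCAL_P1: Dict[str, object] = {
    "exchange_mode": "main", "auth": "psk", "encryption": "3des",
    "hash": "sha1", "dh_group": 5, "lifetime": 86400,
}
# ASSUMPTION: the ASA side is not visible in the thread; this constructed
# proposal differs only in the DH group to illustrate the mismatch report.
REMOTE_P1_ASSUMED: Dict[str, object] = {**LOCAL_P1, "dh_group": 2}


def p1_mismatches(local: Dict[str, object], remote: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Phase 1 parameters that differ between the two proposals.

    Any difference other than lifetime breaks Phase 1 outright; lifetime is
    often tolerated by IKEv1 peers, so treat that key as a warning."""
    return {k: (local[k], remote.get(k)) for k in local if local[k] != remote.get(k)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("p1 mismatches:", p1_mismatches(LOCAL_P1, REMOTE_P1_ASSUMED))
```

On the post's lines the script reports no real errors, four downgraded "policy already exists" messages, the four distinct Phase 2 selectors towards 10.93.0.0/22 with no overlap between them, and the "Unknown Gateway/Dynamic" flag set; the Phase 1 comparison is where the remaining work is, and it can only be finished once the ASA administrator shares their proposal.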