IPSEC Pfsense v2.0.3 Cisco ASA 9.x

thda

Hello,

We successfully mounted a lot of VPN IPSEC site to site up to now, but today I'm stucked on one case between Pfsense v2.0.3 (my side) and Cisco ASA 9.x (remote side : I have no direct access on it).

Configuration is the following :
Phase1 (IKE Setup)
Exchange mode : Main
Authentification method : Pre-Shared secret
Encryption Algorithm : 3DES
Hash Algrorithim (data integrity) : SHA1
Diffle-Hellman : Group 5
SA Lifetime : 86400
Phase 2 (Ipsec Setup)
Security Protocol : ESP
Encapsulation Mode : Tunnel
Encryption Algorithm : 3DES
Hash Algrorithim (data integrity) : SHA1
PFS (Perfect Forward Secrecy) : Key group 5
Lifetime : 3600

I found no information in the log concerning phase 1.

But I found the following :
Aug 10 11:39:08 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.128.0.0/9[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.1.0/24[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/10[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.94.0.0/15[0] 10.93.0.0/22[0] proto=any dir=out

I tried to search on the following link with no success :
http://forum.pfsense.org/index.php?action=search
keywords: "racoon: [Unknown Gateway/Dynamic]"

Normally, IP address are static on both side.

Is someone already had this kind of behaviour ?

cmb

Those aren't actually errors. Newer racoon versions log those more correctly as informational.

Dynamic gateway probably means you have a P1 mismatch, though you're on such an outdated version it's hard to say for sure there.