IPSEC Pfsense v2.0.3 Cisco ASA 9.x



  • Hello,

We have successfully set up many site-to-site IPsec VPNs so far, but today I'm stuck on one case between pfSense v2.0.3 (my side) and Cisco ASA 9.x (remote side: I have no direct access to it).

The configuration is the following:
    Phase 1 (IKE Setup)
    Exchange mode: Main
    Authentication method: Pre-Shared secret
    Encryption Algorithm: 3DES
    Hash Algorithm (data integrity): SHA1
    Diffie-Hellman: Group 5
    SA Lifetime: 86400
    Phase 2 (IPsec Setup)
    Security Protocol: ESP
    Encapsulation Mode: Tunnel
    Encryption Algorithm: 3DES
    Hash Algorithm (data integrity): SHA1
    PFS (Perfect Forward Secrecy): Key group 5
    Lifetime: 3600

    I found no information in the log concerning phase 1.

But I found the following:
    Aug 10 11:39:08 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.128.0.0/9[0] 10.93.0.0/22[0] proto=any dir=out
    Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.1.0/24[0] 10.93.0.0/22[0] proto=any dir=out
    Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/10[0] 10.93.0.0/22[0] proto=any dir=out
    Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.94.0.0/15[0] 10.93.0.0/22[0] proto=any dir=out

I tried to search on the following link with no success:
    http://forum.pfsense.org/index.php?action=search
    keywords: "racoon: [Unknown Gateway/Dynamic]"

Normally, IP addresses are static on both sides.

Has someone already had this kind of behaviour?



  • Those aren't actually errors. Newer racoon versions log those more correctly as informational.

    Dynamic gateway probably means you have a P1 mismatch, though you're on such an outdated version it's hard to say for sure there.
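To make the reply's point concrete for the log lines quoted in the question, here is an added triage script (not part of the thread or of pfSense/racoon) that parses racoon lines of that format, separates the "such policy already exists. anyway replace it" entries, which the reply says are informational despite the ERROR label, from any real errors, and lists which policies carry the "[Unknown Gateway/Dynamic]" tag. The sample log is constructed from the lines in the question; the regexes assume the syslog-style prefix shown there.

```python
import re

# Constructed sample: the racoon lines quoted in the question above.
SAMPLE_LOG = """\
Aug 10 11:39:08 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.128.0.0/9[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.1.0/24[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/10[0] 10.93.0.0/22[0] proto=any dir=out
Aug 10 11:39:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.94.0.0/15[0] 10.93.0.0/22[0] proto=any dir=out
"""

# "Mon DD HH:MM:SS racoon: [optional tag]: LEVEL: message" (assumed layout, as in the question)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)
# The SPD entry racoon prints when it re-installs a policy that is already present.
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>\S+)\[(?P<sport>\d+)\] (?P<dst>\S+)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)
# ERROR-labelled messages that are harmless (duplicate policy install on reload).
BENIGN_PREFIXES = ("such policy already exists.",)

def parse_line(line):
    """Return a dict for one racoon log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["benign"] = rec["level"] == "ERROR" and rec["msg"].startswith(BENIGN_PREFIXES)
    p = POLICY_RE.search(rec["msg"])
    rec["policy"] = p.groupdict() if p else None
    return rec

def triage(log_text):
    """Summarise a racoon log: real errors, benign 'errors', dynamic-gateway policies."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "real_errors": [r["msg"] for r in records if r["level"] == "ERROR" and not r["benign"]],
        "benign_errors": sum(r["benign"] for r in records),
        # Local networks whose policy racoon tied to an unresolved/dynamic peer (P1 mismatch hint).
        "dynamic_gateway": [r["policy"]["src"] for r in records
                            if r["tag"] == "Unknown Gateway/Dynamic" and r["policy"]],
        "remote_nets": sorted({r["policy"]["dst"] for r in records if r["policy"]}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `real_errors` list with several `dynamic_gateway` entries points at the phase 1 side (identifiers, proposal, pre-shared key), not at the SPD messages themselves.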