IPSec VPN between ASA 5505 and pfSense 2.2.4



  • Did anybody successfully create a tunnel between an ASA and the new 2.2.4 pfSense?

    On the ASA I have the following error:
    5 Aug 25 2015 01:17:57 713904 Group = xxx.xxx.xx.xx, IP = xxx.xxx.xx.xx, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
    4 Aug 25 2015 01:17:57 713903 Group = xxx.xxx.xx.xx, IP = xxx.xxx.xx.xx, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting

    And yes, I tried many times to put in different PSKs.

    This is probably the corresponding log from pfSense:

    Aug 25 16:00:38 charon: 11[CFG] <125> looking for an ike config forxxx.xxx.xx.xx…xxx.xxx.xx.xx
    Aug 25 16:00:38 charon: 11[CFG] <125> looking for an ike config for xxx.xxx.xx.xx…xxx.xxx.xx.xx
    Aug 25 16:00:38 charon: 11[CFG] <125> candidate: %any…%any, prio 24
    Aug 25 16:00:38 charon: 11[CFG] <125> candidate: %any…%any, prio 24
    Aug 25 16:00:38 charon: 11[CFG] <125> candidate: xxx.xxx.xx.xx…xxx.xxx.xx.xx, prio 3100
    Aug 25 16:00:38 charon: 11[CFG] <125> candidate: xxx.xxx.xx.xx…xxx.xxx.xx.xx, prio 3100
    Aug 25 16:00:38 charon: 11[CFG] <125> found matching ike config: xxx.xxx.xx.xx…xxx.xxx.xx.xx with prio 3100
    Aug 25 16:00:38 charon: 11[CFG] <125> found matching ike config: xxx.xxx.xx.xx…xxx.xxx.xx.xx with prio 3100
    Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received NAT-T (RFC 3947) vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received NAT-T (RFC 3947) vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received FRAGMENTATION vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received FRAGMENTATION vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> xxx.xxx.xx.xx is initiating a Main Mode IKE_SA
    Aug 25 16:00:38 charon: 11[IKE] <125> xxx.xxx.xx.xx is initiating a Main Mode IKE_SA
    Aug 25 16:00:38 charon: 11[CFG] <125> selecting proposal:
    Aug 25 16:00:38 charon: 11[CFG] <125> selecting proposal:
    Aug 25 16:00:38 charon: 11[CFG] <125> proposal matches
    Aug 25 16:00:38 charon: 11[CFG] <125> proposal matches
    Aug 25 16:00:38 charon: 11[CFG] <125> received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[CFG] <125> received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[CFG] <125> configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[CFG] <125> configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[CFG] <125> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[CFG] <125> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 25 16:00:38 charon: 11[IKE] <con6000|101>sending DPD request
    Aug 25 16:00:38 charon: 11[IKE] <con6000|101>sending DPD request
    Aug 25 16:00:38 charon: 11[IKE] <125> received Cisco Unity vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received Cisco Unity vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received XAuth vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> received XAuth vendor ID
    Aug 25 16:00:38 charon: 11[IKE] <125> remote host is behind NAT
    Aug 25 16:00:38 charon: 11[IKE] <125> remote host is behind NAT
    Aug 25 16:00:38 charon: 11[IKE] <125> message parsing failed
    Aug 25 16:00:38 charon: 11[IKE] <125> message parsing failed
    Aug 25 16:00:38 charon: 11[IKE] <125> ID_PROT request with message ID 0 processing failed
    Aug 25 16:00:38 charon: 11[IKE] <125> ID_PROT request with message ID 0 processing failed

    IT WAS WORKING WITH AN OLDER VERSION OF pfSense, unfortunately I do not know which one it was ;(



  • First thing I would do is strengthen your crypto; we're using IKEv2 with AES256-GCM 128 bits, SHA512, and DH group 21 for P1 and P2. Works great on ASA 9.1(6).

    Make sure that P1 matches the IKE policy, and P2 matches the IPsec proposal (including SA lifetimes for both). Post your ASA debug logs if you're still having problems.
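As an added example (not code from this thread or from pfSense), a small Python check that reads charon log lines like those in the first post, tells a Phase 1 proposal mismatch apart from the "proposal agreed, encrypted payload failed" pattern seen here (which on the ASA side shows up as the mismatched pre-shared key message), and flags the DES/MD5/MODP_1024 algorithms the reply above advises replacing. The sample log lines and the WEAK set are constructed for this example.

```python
import re

# Constructed sample modelled on the charon log in the first post
# (the real log showed every line twice; one copy is enough here).
SAMPLE_LOG = """\
Aug 25 16:00:38 charon: 11[CFG] <125> received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 25 16:00:38 charon: 11[CFG] <125> configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 25 16:00:38 charon: 11[CFG] <125> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 25 16:00:38 charon: 11[IKE] <125> remote host is behind NAT
Aug 25 16:00:38 charon: 11[IKE] <125> message parsing failed
Aug 25 16:00:38 charon: 11[IKE] <125> ID_PROT request with message ID 0 processing failed
"""

# Algorithm names (strongSwan spelling) that should not be used for a new tunnel; constructed list.
WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "HMAC_SHA1_96", "MODP_768", "MODP_1024"}

PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: (.+)$")

def parse_proposals(log):
    """Collect the received/configured/selected IKE proposals from charon log text."""
    found = {"received": [], "configured": [], "selected": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            # several proposals are logged comma-separated on one line
            found[m.group(1)].extend(p.strip() for p in m.group(2).split(","))
    return found

def algorithms(proposal):
    # "IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024" -> {"DES_CBC", "HMAC_MD5_96", ...}
    return set(proposal.split(":", 1)[1].split("/"))

def diagnose(log):
    """Return a list of findings explaining why the IKE_SA failed and what to fix first."""
    props = parse_proposals(log)
    findings = []
    if props["received"] and not set(props["received"]) & set(props["configured"]):
        findings.append("proposal mismatch: P1 policy differs between peers")
    elif "message parsing failed" in log and props["selected"]:
        # A proposal was agreed, yet the encrypted Main Mode payload could not be parsed:
        # the algorithms are fine, so look at the PSK and the peer identifiers instead.
        findings.append("proposal agreed but encrypted payload failed: check PSK and peer identifiers")
    weak = set()
    for p in props["selected"] or props["configured"]:
        weak |= algorithms(p) & WEAK
    if weak:
        findings.append("weak algorithms in use: " + ", ".join(sorted(weak)))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```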



  • It is working using IKEv2.

    Thanks.

