    Netgate Discussion Forum
    IPSec VPN between ASA 5505 and pfSense 2.2.4

    IPsec
    konrad:

      Did anybody successfully create a tunnel between an ASA and the new 2.2.4 pfSense?

      On the ASA I have the following error:
      5 Aug 25 2015 01:17:57 713904 Group = xxx.xxx.xx.xx, IP = xxx.xxx.xx.xx, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
      4 Aug 25 2015 01:17:57 713903 Group = xxx.xxx.xx.xx, IP = xxx.xxx.xx.xx, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting

      And yes, I tried many times putting in different PSKs.

      This is probably the corresponding log from pfSense:

      Aug 25 16:00:38 charon: 11[CFG] <125> looking for an ike config for xxx.xxx.xx.xx…xxx.xxx.xx.xx
      Aug 25 16:00:38 charon: 11[CFG] <125> candidate: %any…%any, prio 24
      Aug 25 16:00:38 charon: 11[CFG] <125> candidate: xxx.xxx.xx.xx…xxx.xxx.xx.xx, prio 3100
      Aug 25 16:00:38 charon: 11[CFG] <125> found matching ike config: xxx.xxx.xx.xx…xxx.xxx.xx.xx with prio 3100
      Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> received NAT-T (RFC 3947) vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> received FRAGMENTATION vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> xxx.xxx.xx.xx is initiating a Main Mode IKE_SA
      Aug 25 16:00:38 charon: 11[CFG] <125> selecting proposal:
      Aug 25 16:00:38 charon: 11[CFG] <125> proposal matches
      Aug 25 16:00:38 charon: 11[CFG] <125> received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Aug 25 16:00:38 charon: 11[CFG] <125> configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Aug 25 16:00:38 charon: 11[CFG] <125> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Aug 25 16:00:38 charon: 11[IKE] <con6000|101> sending DPD request
      Aug 25 16:00:38 charon: 11[IKE] <125> received Cisco Unity vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> received XAuth vendor ID
      Aug 25 16:00:38 charon: 11[IKE] <125> remote host is behind NAT
      Aug 25 16:00:38 charon: 11[IKE] <125> message parsing failed
      Aug 25 16:00:38 charon: 11[IKE] <125> ID_PROT request with message ID 0 processing failed

      IT WAS WORKING WITH AN OLDER VERSION OF pfSense; unfortunately I do not know which one it was ;(

      miken32:

        First thing I would do is strengthen your crypto; we're using IKEv2 with AES256-GCM 128 bits, SHA512, and DH group 21 for P1 and P2. Works great on ASA 9.1(6).

        Make sure that P1 matches the IKE policy, and P2 matches the IPsec proposal (including SA lifetimes for both). Post your ASA debug logs if you're still having problems.

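Two things a practitioner would want to check on the logs in the first post and the advice in the reply above: whether the selected IKE proposal is weak (charon shows DES/MD5/MODP_1024 being accepted on both sides), whether the "message parsing failed" / "ID_PROT ... processing failed" pair that matches the ASA's 713903 "mismatched pre-shared key" message is present, and whether the two peers' phase 1 and phase 2 parameters (including lifetimes) actually agree. The script below is an added example and is not code from the original posts, from pfSense or from strongSwan. `SAMPLE_CHARON` is constructed from the charon lines quoted in the first post; the `P1_*`/`P2_*` tables are assumptions modelled on the parameters named in the reply (IKEv2, AES256-GCM 128, SHA512, DH group 21), with the P2 lifetimes deliberately set to differing assumed defaults so the check has something to report.

```python
"""Triage helpers for the IKE failure discussed in this thread.

Added example, not code from the original posts, pfSense or strongSwan.
SAMPLE_CHARON is constructed from the charon lines quoted in the first
post; the phase-1/phase-2 parameter tables are assumptions modelled on the
settings named in the reply (IKEv2, AES256-GCM, SHA512, DH group 21) with
deliberately mismatched P2 lifetimes.
"""
import re

# Algorithms that should not appear in a modern IKE proposal, keyed by the
# spelling charon uses in its log lines.
WEAK_ALGS = {
    "DES_CBC": "single DES (56-bit key)",
    "3DES_CBC": "triple DES (64-bit block)",
    "HMAC_MD5_96": "MD5 integrity",
    "PRF_HMAC_MD5": "MD5 PRF",
    "HMAC_SHA1_96": "SHA-1 integrity",
    "PRF_HMAC_SHA1": "SHA-1 PRF",
    "MODP_768": "768-bit DH",
    "MODP_1024": "1024-bit DH (group 2)",
}

PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: IKE:(\S+)")

# These two charon lines together mean the encrypted Main Mode messages
# (5 and 6) could not be processed; with PSK authentication that is usually
# a pre-shared key mismatch (the ASA logs 713903 for the same event).
PSK_MISMATCH_MARKERS = (
    "message parsing failed",
    "ID_PROT request with message ID 0 processing failed",
)


def parse_charon(lines):
    """Extract proposals, flag weak algorithms and the PSK-mismatch signature."""
    proposals = {}
    seen = set()
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            proposals[m.group(1)] = m.group(2).split("/")
        for marker in PSK_MISMATCH_MARKERS:
            if marker in line:
                seen.add(marker)
    weak = [(alg, WEAK_ALGS[alg]) for alg in proposals.get("selected", []) if alg in WEAK_ALGS]
    return {
        "proposals": proposals,
        "weak": weak,
        "psk_mismatch": all(mk in seen for mk in PSK_MISMATCH_MARKERS),
    }


# Parameters that must agree on both peers for a phase to come up.  Keys are
# generic; map the pfSense GUI fields and ASA CLI keywords onto them yourself.
PHASE_KEYS = ("version", "encryption", "integrity", "prf", "dh_group", "lifetime")


def phase_mismatches(pfsense, asa, keys=PHASE_KEYS):
    """Return [(key, pfsense_value, asa_value)] for every key that differs."""
    return [(k, pfsense.get(k), asa.get(k)) for k in keys if pfsense.get(k) != asa.get(k)]


# Constructed sample: the relevant lines from the first post, deduplicated.
SAMPLE_CHARON = [
    "Aug 25 16:00:38 charon: 11[IKE] <125> xxx.xxx.xx.xx is initiating a Main Mode IKE_SA",
    "Aug 25 16:00:38 charon: 11[CFG] <125> received proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "Aug 25 16:00:38 charon: 11[CFG] <125> configured proposals: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "Aug 25 16:00:38 charon: 11[CFG] <125> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "Aug 25 16:00:38 charon: 11[IKE] <125> remote host is behind NAT",
    "Aug 25 16:00:38 charon: 11[IKE] <125> message parsing failed",
    "Aug 25 16:00:38 charon: 11[IKE] <125> ID_PROT request with message ID 0 processing failed",
]

# Assumed phase tables following the reply's parameters.  AES-GCM is an AEAD
# cipher, so a separate integrity algorithm is "none" on both ends.  The P2
# lifetimes are assumed values chosen to differ, to show a mismatch report.
P1_PFSENSE = {"version": "ikev2", "encryption": "aes256gcm128", "integrity": "none", "prf": "sha512", "dh_group": 21, "lifetime": 28800}
P1_ASA = dict(P1_PFSENSE)
P2_PFSENSE = {"version": "ikev2", "encryption": "aes256gcm128", "integrity": "none", "prf": None, "dh_group": 21, "lifetime": 3600}
P2_ASA = dict(P2_PFSENSE, lifetime=28800)


def triage():
    """Run both checks and return the findings as a dict."""
    return {
        "log": parse_charon(SAMPLE_CHARON),
        "p1_mismatches": phase_mismatches(P1_PFSENSE, P1_ASA),
        "p2_mismatches": phase_mismatches(P2_PFSENSE, P2_ASA),
    }


if __name__ == "__main__":
    result = triage()
    print("selected proposal:", "/".join(result["log"]["proposals"]["selected"]))
    for alg, why in result["log"]["weak"]:
        print(f"  weak: {alg} ({why})")
    print("PSK mismatch signature present:", result["log"]["psk_mismatch"])
    print("P1 mismatches:", result["p1_mismatches"])
    print("P2 mismatches:", result["p2_mismatches"])
```

Run it as-is to see the thread's log flagged on all four selected algorithms plus the PSK-mismatch signature, and the constructed P2 lifetime difference reported; to reuse it on your own tunnel, feed `parse_charon` the lines from Status > System Logs > IPsec and fill the phase tables from the pfSense P1/P2 pages and the ASA `crypto ikev2 policy` / `crypto ipsec ikev2 ipsec-proposal` output.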
        konrad:

          It is working using IKEv2.

          Thanks.
