Just putting in place my first 2.2 deploy, looking to tunnel to our Cisco ASA. The tunnel appears to drop partly at times – I'm not well versed in these things by any means, so forgive me for not understanding the terminology.
Under Status/IPsec, if the tunnel is running, there is an option to "Show child SA entries." When I come in in the mornings, that option isn't there and I can't reach anything on the other side of the tunnel, although it shows as being up. Disconnecting and reconnecting manually brings everything back up.
P1: IKEv2, mutual PSK, AES 256, SHA512, DH 14
P2: tunnel, ESP, AES 256, SHA512, PFS group 14
No logs yet, as the IPsec logging seems very verbose. Will get logging sent to a remote syslog server if it'll help…
This is what the log file looks like when the tunnel times out and attempts to restart automatically:
Dec 8 03:17:21 charon: 03[KNL] creating acquire job for policy 1.2.3.4/320 === 9.8/0 with reqid
Dec 8 03:17:21 charon: 05[IKE] establishing CHILD_SA con1
Dec 8 03:17:21 charon: 05[ENC] generating CREATE_CHILD_SA request 482 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Dec 8 03:17:21 charon: 05[NET] sending packet: from 1.2.3.4 to 9.8.7.6 (240 bytes)
Dec 8 03:17:21 charon: 05[NET] received packet: from 9.8.7.6 to 1.2.3.4 (80 bytes)
Dec 8 03:17:21 charon: 05[ENC] parsed CREATE_CHILD_SA response 482 [ N(NO_PROP) ]
Dec 8 03:17:21 charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
And for a manual start of the tunnel:
Dec 8 09:14:49 charon: 16[CFG] received stroke: initiate 'con1'
Dec 8 09:14:49 charon: 10[IKE] initiating IKE_SA con1 to 9.8.7.6
Dec 8 09:14:49 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 8 09:14:49 charon: 10[NET] sending packet: from 1.2.3.4 to 9.8.7.6 (376 bytes)
Dec 8 09:14:49 charon: 10[NET] received packet: from 9.8.7.6 to 1.2.3.4 (521 bytes)
Dec 8 09:14:49 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
Dec 8 09:14:49 charon: 10[IKE] received Cisco Copyright 2009 vendor ID
Dec 8 09:14:49 charon: 10[ENC] received unknown vendor ID: 43:49:53:43:4f:2d:47:52:45:2d:4d:4f:44:45:02
Dec 8 09:14:49 charon: 10[IKE] received FRAGMENTATION vendor ID
Dec 8 09:14:49 charon: 10[IKE] authentication of '1.2.3.4' (myself) with pre-shared key
Dec 8 09:14:49 charon: 10[IKE] authentication of '9.8.7.6' with pre-shared key successful
Dec 8 09:14:49 charon: 10[IKE] IKE_SA con1 established between 1.2.3.4[1.2.3.4]...9.8.7.6[9.8.7.6]
Dec 8 09:14:49 charon: 10[IKE] scheduling reauthentication in 27966s
Dec 8 09:14:49 charon: 10[IKE] maximum IKE_SA lifetime 28506s
Dec 8 09:14:49 charon: 10[IKE] CHILD_SA con1 established with SPIs cbbb4fef_i 2dec761d_o and TS 192.168.244.0/24 === 192.168.242.0/24
[…] would be more telling, it is sending back a "no proposal chosen" which means it's claiming the proposal doesn't match anything it has configured, the question is why. ASAs are easy to configure in such a manner that they will use different settings as initiator than as responder, that is usually what causes issues along these lines.
Syslog would only say this:
Dec 8 16:19:01 192.168.242.1 %ASA-3-751022: Local:9.8.7.6:4500 Remote:1.2.3.4:4500 Username:1.2.3.4 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.244.0/192.168.244.255/0/65535/0 local traffic selector 192.168.242.0/192.168.242.255/0/65535/0!
Dec 8 16:19:01 192.168.242.1 %ASA-4-750003: Local:9.8.7.6:4500 Remote:1.2.3.4:4500 Username:1.2.3.4 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
But debug from the console says:
IKEv2-PROTO-1: (48): Failed to find a matching policy
IKEv2-PROTO-1: (48): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA512 DH_GROUP_2048_MODP/Group 14 Don't use ESN
ESP: Proposal 2: AES-GCM-256 DH_GROUP_2048_MODP/Group 14 Don't use ESN
IKEv2-PROTO-1: (48): Failed to find a matching policy
IKEv2-PROTO-1: (48): Expected Policies:
IKEv2-PROTO-1: (48): Failed to find a matching policy
IKEv2-PROTO-1: (48):
IKEv2-PROTO-1: (48): Create child exchange failed
IKEv2-PROTO-1: (48):
I guess the lack of anything listed after "Expected Policies" suggests it must be a configuration problem on my Cisco, and not a pfSense problem. No idea what it could be though.
ASAs are easy to configure in such a manner that they will use different settings as initiator than as responder
I'd be curious to have you expand on that. BTW debug from the Cisco is here: http://pastebin.com/egAZmYFu
Cisco config looks like this:
You need to show the logs from the pfSense side.
I did that on the second post. @cmb told me to post logs from the Cisco side 🙂
FWIW, here's what the ipsec.conf looks like at the moment:
The source of the problem is clearly the "Crypto Map Policy not found for remote traffic selector" log from the ASA. As to why, probably a better question for a Cisco forum. Your crypto map looks like it matches what the ASA claims doesn't match.
Ok, thanks for checking it out. Will report back if it does turn out to be something with pfSense. Using IKEv1 in the meantime…
I think this is an issue with the pfSense…
Here's a partial debug trace of the pfSense trying to initiate a connection. The tunnel is down, and I attempt to ping a host in the remote subnet. This brings up phase 1 of the tunnel but not phase 2 (or whatever the IKEv2 terms are.)
Note the public IP addresses are included in the 'TS_IPV4_ADDR_RANGE' section. The resulting failure looks like this:
Here is what happens, moments later, when I manually start the tunnel from the IPsec status page:
No public IP addresses included, and this connection succeeds. Thoughts?
EDIT: Here are pfSense logs for these connection attempts. Aside from the different size of the packets sent, note the line 'setting up CHILD_SA con1' in the failed attempts, versus 'establishing CHILD_SA con1' in the successful attempt. Does this indicate anything useful?
The source of the problem is clearly the "Crypto Map Policy not found for remote traffic selector" log from the ASA. As to why, probably a better question for a Cisco forum. Your crypto map looks like it matches what the ASA claims doesn't match.
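An added checker, not part of this thread or of pfSense/strongSwan, that normalises the two selector formats quoted in the thread (charon's "TS a === b" and the ASA's start/end/port/port/proto ranges in %ASA-3-751022) into CIDR networks and tests whether what pfSense sent is the exact pair the ASA's crypto map rejected. The sample lines are constructed from the thread's addresses, and the 1.2.3.4/32 === 9.8.7.6/32 pair is a hypothetical stand-in for the acquire-triggered attempt that carried the public IPs in its TS_IPV4_ADDR_RANGE.

```python
import ipaddress
import re

# Constructed sample lines modelled on the thread (pfSense 1.2.3.4, ASA 9.8.7.6).
SS_MANUAL = ("Dec 8 09:14:49 charon: 10[IKE] CHILD_SA con1 established with SPIs "
             "cbbb4fef_i 2dec761d_o and TS 192.168.244.0/24 === 192.168.242.0/24")
# Hypothetical narrowed selector pair, as an acquire for the public endpoints would produce.
SS_ACQUIRE = "TS 1.2.3.4/32 === 9.8.7.6/32"
ASA_REJECT = ("Dec 8 16:19:01 192.168.242.1 %ASA-3-751022: Local:9.8.7.6:4500 Remote:1.2.3.4:4500 "
              "Username:1.2.3.4 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic "
              "selector 192.168.244.0/192.168.244.255/0/65535/0 local traffic selector "
              "192.168.242.0/192.168.242.255/0/65535/0!")


def asa_selector_to_network(sel):
    """ASA prints a selector as start/end/port-lo/port-hi/proto; collapse the range to one CIDR."""
    start, end = sel.split("/")[:2]
    nets = list(ipaddress.summarize_address_range(ipaddress.IPv4Address(start),
                                                   ipaddress.IPv4Address(end)))
    if len(nets) != 1:
        raise ValueError(f"selector {sel} does not collapse to a single CIDR block")
    return nets[0]


def parse_asa_751022(line):
    """Return (asa_local, asa_remote) networks from a %ASA-3-751022 rejection line."""
    m = re.search(r"remote traffic selector ([\d./]+) local traffic selector ([\d./]+)", line)
    if not m:
        raise ValueError("not a 751022 crypto-map rejection line")
    return asa_selector_to_network(m.group(2)), asa_selector_to_network(m.group(1))


def parse_strongswan_ts(line):
    """Return (local, remote) networks from a charon 'TS a === b' fragment (pfSense's view)."""
    m = re.search(r"TS ([\d./]+) === ([\d./]+)", line)
    if not m:
        raise ValueError("no traffic selector pair in line")
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def selectors_match(strongswan_line, asa_line):
    """Crypto-map ACL lookup is modelled as an exact match: pfSense local must equal the ASA's
    remote selector and vice versa, so a narrowed or widened TS from charon fails the lookup."""
    ss_local, ss_remote = parse_strongswan_ts(strongswan_line)
    asa_local, asa_remote = parse_asa_751022(asa_line)
    return ss_local == asa_remote and ss_remote == asa_local
```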
Any input on this? It looks like the traffic selector being sent by strongSwan is different based on how the tunnel is initiated, which looks like a bug. I'd open a bug but am not sure I could describe it in enough detail to ensure a resolution, as I've no experience with strongSwan.
edit: no, misread that.
That's this. https://redmine.pfsense.org/issues/4129
I only have the single phase 2 entry; does it still apply to me? Thanks.
No it doesn't in that case, I misread your last post. I'm doing some IPsec testing with an ASA right now, will see if that's replicable.
Any luck with this? Anything more I can do to help narrow it down?
Did you test new snapshots? There were fixes put in place for numerous issues, particularly on IPsec.
No improvements with this morning's build. Tunnels must be manually started or the wrong traffic selector is sent.
What's wrong about it? It looks like it's sending what you've got configured and the ASA is rejecting it. The only issue with interoperability with Cisco IPsec that I'm aware of is this. https://redmine.pfsense.org/issues/4178 Which only applies to IKEv1 and isn't what you're seeing here.
What's wrong about it? It looks like it's sending what you've got configured and the ASA is rejecting it.
Please reread my earlier post at https://forum.pfsense.org/index.php?topic=84934.msg469407#msg469407. When pfSense tries to bring up the tunnel automatically, it sends a different traffic selector than when the tunnel is manually started from the status page.
The newest strongswan release (5.2.1->5.2.2) went into current snapshots, please retry after upgrading to something from the 7th or newer and report back.
Just updated. Tunnel still doesn't come up on boot, but a subsequent ping test from the pfSense did eventually bring up P1 and P2 successfully. Will do further testing and report tomorrow, but looks like it's usable now. Thanks a lot!
Glad to hear. Tunnels never come up unless there's traffic triggering them, or you have the "Automatically ping host" set in the P2, so sounds like that's the expected result.