Site-to-Site IPSEC VPN Between Pfsense and ASA (ASA is behind NAT)

kaushal22
Level 1

Hello,

Private --PFSENSE (Public IP ) <------------Internet -----------> Bell Modem (Public IP)-----NAT-----Outside-ASA-Inside

I have configured a site-to-site VPN between pfSense and an ASA 5505, and the ASA is behind NAT with a private IP on the outside interface.

The Bell Hub 1000 is the main modem with the public IP, and it is forwarding everything to the ASA outside interface.

And for some reason the ASA can get public IP, so I have to use the Bell modem and NAT it to the ASA.

I have configured IKEv1 with a pre-shared key, and NAT-T is also enabled. But it is not able to establish the tunnel for Phase 1.

It fails the IKEv1 information exchange.

So, what do I need to change to make it work?


JP Miranda Z
Cisco Employee

Hi kaushal22,

Please share a sanitized config so we can help you identify the issue.

Hope this info helps!!

Rate if helps you!! 

-JP- 

Hello JP,

I have attached a sanitized ASA config.

Thank you.

You need to share the debugs on the ASA:

debug cry ikev1 128

Ensure NAT traversal is enabled on both the ASA and the pfSense, since the ASA is behind a device that is doing NAT.

Finally, those packet captures will show exactly what is happening:

capture capout interface outside match udp any host <remote-peer-public-address>

Then copy the content of the captures:

copy /pcap capture:capout tftp://

or via a browser:

https://asa-address/capture/capout/pcap

Ensure UDP 4500 is allowed in the path.

Moh.

Hello Mohammad,

I have attached the debug logs.

Thank you,

Hi, 

You see in the debugs that we fail the negotiation with the peer from this error:

NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Aug 15 09:30:17 [IKEv1]IKE Receiver: Packet received on 192.168.10.2:500 from 1.1.1.1:500
Aug 15 09:30:17 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=810688ff) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Aug 15 09:30:17 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=810688ff) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Aug 15 09:30:17 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_KEY_INFO notify message, dropping
Aug 15 09:30:17 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed

What is the peer? Is it a Cisco ASA? If yes, do they have a valid tunnel group configured for the ASA?

Cheers.

Hi,

The remote peer is a pfSense, not an ASA.

And all the configs are correct on that side.

Hi,

The ASA is clearly sending MM4 and getting a termination from the other side. This is from the RFC:

https://tools.ietf.org/id/draft-ietf-ipsec-notifymsg-00.txt

2.17 INVALID-KEY-INFORMATION

   The INVALID-KEY-INFORMATION error message may be used to communicate
   that the key exchange type specified by the key exchange payload is
   not supported.

   Phase:            1 or 2
   Differentiator:   Cookies, message ID,  KE payload

   When present, the Notification Payload MUST have the following
   format:

     o  Payload Length - set to length of payload + size of data (var)
     o  DOI - set to DOI of received packet
     o  Protocol ID - set to selected Protocol ID from chosen SA
     o  SPI Size - set to either zero (0) or four (4)(one IPSEC SPI)
     o  Notify Message Type - set to INVALID-KEY-INFORMATION
     o  SPI - set to empty or to the sender's inbound IPSEC SPI
     o  Notification Data - contains the subject key exchange payload

Please share debugs from the pfSense.

You also have some policies that use CRACK authentication, which is not used nowadays. Please clean those up. To see what is being negotiated:

debug cry isa 255

Moh
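
An added example, not written by any poster in this thread: a small Python decoder for the 56-byte un-encrypted "HDR + NOTIFY (11)" Informational message seen in the ASA debug, using the ISAKMP header and Notification payload layouts from RFC 2408. The sample packet is constructed (the cookies are made up; only the message ID 810688ff comes from the log), and the function names are hypothetical.

```python
import struct

# Error notify types from RFC 2408 section 3.14.1 (subset).
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
                23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}
PAYLOAD_NOTIFY = 11        # shown as "NOTIFY (11)" in the ASA debug
EXCH_INFORMATIONAL = 5
FLAG_ENCRYPTED = 0x01

def parse_isakmp_notify(pkt: bytes) -> dict:
    """Decode an IKEv1 Informational message whose first payload is a Notify."""
    if len(pkt) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_pl, _ver, exch, flags, msgid, total = struct.unpack(
        "!8s8sBBBBII", pkt[:28])
    if total != len(pkt):
        raise ValueError(f"header says {total} bytes, datagram has {len(pkt)}")
    if exch != EXCH_INFORMATIONAL or next_pl != PAYLOAD_NOTIFY:
        raise ValueError("not an Informational exchange starting with a Notify")
    out = {"msgid": f"{msgid:08x}", "total_length": total,
           "encrypted": bool(flags & FLAG_ENCRYPTED), "notify_name": None}
    if out["encrypted"]:
        return out             # body needs the Phase 1 keys; header only
    if len(pkt) < 40:
        raise ValueError("truncated Notify payload")
    _nxt, _rsvd, pl_len, doi, proto, spi_size, ntype = struct.unpack(
        "!BBHIBBH", pkt[28:40])
    if pl_len < 12 + spi_size or 28 + pl_len > len(pkt):
        raise ValueError("Notify length inconsistent with SPI size")
    out.update(doi=doi, protocol_id=proto, notify_type=ntype,
               notify_name=NOTIFY_TYPES.get(ntype, "UNKNOWN"),
               spi=pkt[40:40 + spi_size].hex(),
               data=pkt[40 + spi_size:28 + pl_len].hex())
    return out

def build_sample() -> bytes:
    """Constructed 56-byte packet: made-up cookies, message ID from the debug."""
    icookie, rcookie = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
    # DOI 1 (IPsec), protocol 1 (ISAKMP), SPI = both cookies, no notification data
    notify = struct.pack("!BBHIBBH", 0, 0, 28, 1, 1, 16, 17) + icookie + rcookie
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, PAYLOAD_NOTIFY, 0x10,
                      EXCH_INFORMATIONAL, 0, 0x810688FF, 28 + len(notify))
    return hdr + notify

if __name__ == "__main__":
    print(parse_isakmp_notify(build_sample()))
```

To use it on real traffic, feed it the UDP payload of the Informational packet exported from the ASA capture; a packet taken from UDP 4500 carries a 4-byte non-ESP marker in front of the ISAKMP header that must be stripped first.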

Hi,

As per the debug, the issue seems to be on the remote peer.

Can you check if you have used a correct IP on the remote peer?

Regards,

Aditya

Please rate helpful and mark correct answers

Aditya Ganjoo
Cisco Employee

Hi,

Can you share the outputs of the following debugs from the ASA:

debug cry ikev1 200

debug cry ipsec 200

Regards,

Aditya

Please rate helpful and mark correct answers