cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10006
Views
0
Helpful
9
Replies

Site-to-Site IPSEC VPN Between Pfsense and ASA (ASA is behind NAT)

kaushal22
Level 1
Level 1

Hello,

Private --PFSENSE (Public IP ) <------------Internet -----------> Bell Modem (Public IP)-----NAT-----Outside-ASA-Inside

I have configured a Site-to-Site VPN between Pfsens and ASA 5505. And ASA is behind NAT With Private ip on the Outside interface.

Bell hub 1000 is the main modem with public ip and it is forwarding everything to ASA outside interface.

And for some reason ASA can get public ip so i have to use Bell modem and NAT it to ASA.

I have configured IKEv1 with pre-shared key and NAT-T is also enabled. But it is not able to establish the tunnel for Phase1.

It fails the IKEv1 information exchange.

So, what do i need to change to make it working ?

9 Replies 9

JP Miranda Z
Cisco Employee
Cisco Employee

Hi kaushal22,

Please share a sanitized config so we can help you identifying the issue.

Hope this info helps!!

Rate if helps you!! 

-JP- 

Hello JP,

I have attached a ASA Sanitize Config.

Thank you.

You need to share the debugs on the ASA:

debug cry ikev1 128

Ensure NAT traversal is enabled on both the ASA and the PFSense. Since that the ASA is behind a device that is doing NAT.

Finally, those packet captures will show exactly what is happening:

capture isakmp interface outside match udp any host <remote-peer-public-address>

Then copy the content of the captures:

copy /pcap capture:capout tftp://

or via a browser:

https://asa-address/capture/capout/pcap

Ensure udp 4500 is allowed in the path.

Moh.

Hello Mohammad,

I have attached a debug logs.

Thank you,

Hi, 

you see in the debugs that we fail the negotiation with the peer from this error:

NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Aug 15 09:30:17 [IKEv1]IKE Receiver: Packet received on 192.168.10.2:500 from 1.1.1.1:500
Aug 15 09:30:17 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=810688ff) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Aug 15 09:30:17 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=810688ff) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Aug 15 09:30:17 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_KEY_INFO notify message, dropping
Aug 15 09:30:17 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed

What is the peer ? is it a cisco ASA ? if yes do they have a valid tunnel group configured for the ASA?

Cheers.

Hi,

Remote Peer is a Pfsense not ASA.

And all the configs are correct on that side.

Hi,

ASA is clearly sending MM4 and getting a termination from the other side. this is from the rfc:

https://tools.ietf.org/id/draft-ietf-ipsec-notifymsg-00.txt

2.17 INVALID-KEY-INFORMATION

   The INVALID-KEY-INFORMATION error message may be used to communicate
   that the key exchange type specified by the key exchange payload is
   not supported.

   Phase:            1 or 2
   Differentiator:   Cookies, message ID,  KE payload

   When present, the Notification Payload MUST have the following
   format:

     o  Payload Length - set to length of payload + size of data (var)
     o  DOI - set to DOI of received packet
     o  Protocol ID - set to selected Protocol ID from chosen SA
     o  SPI Size - set to either zero (0) or four (4)(one IPSEC SPI)
     o  Notify Message Type - set to INVALID-KEY-INFORMATION
     o  SPI - set to empty or to the sender's inbound IPSEC SPI
     o  Notification Data - contains the subject key exchange payload

please share debugs from the pfsense.

You also have some policies that uses crack authentication which is not used nowadays. Please clean those. to see what is being negotiated:

debug cry isa 255

Moh

Hi,

As per the debug, the issue seems to be on the remote peer.

Can you check if you have used a correct IP on the remote peer?

Regards,

Aditya

Please rate helpful and mark correct answers

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi,

Can you share the outputs of following debugs from the ASA:

debug cry ikev1 200

debug cry ipsec 200

Regards,

Aditya

Please rate helpful and mark correct answers