----- Original Message -----
> On Fri, May 3, 2013 at 4:04 PM, Mark Street <[email protected]> wrote:
> > Hi,
> >
> > I am creating a tunnel with another party that is using a Cisco ASA5520.
> > Phase 1 is negotiating just fine.
> >
> > Phase 2 will not come up. I am using my LAN subnet on my side and made sure
> > they have the same settings. They are using a public routable IP on their
> > side for the remote network. ex. Their VPN endpoint of the ASA is
> > 111.222.333.25 and they are using 111.222.333.140/32 for the remote network.
> > I have that remote network set on my side in Phase 2 - 111.222.333.140/32
> >
> > When I go to pfSense Status and click on the little start icon next to the
> > phase 2 entry it is yellow with an x, once pushed the tunnel does not come
> > up green, but stays yellow with an x. Am I setting the remote network
> > properly on my side of phase 2?
> >
>
> There can be a difference between an address and a /32 network in phase 2,
> might want to try the opposite of what you're using now.
Funny, I configured my pfSense Phase 2 with both an address and a /32 network. In DEBUG mode pfSense shows the same IPv4_address for the remote side for both. I configured the remote side as a /31 and it does show as an IPv4_subnet. So... I should probably work with the remote side admin to configure as an address instead of a /32 network.... As Chris says, there is a difference, but it appears as if pfSense does not negotiate phase 2 as if they are different.

Configured as Address

May 6 09:02:40 racoon: DEBUG: use remote ID type IPv4_address
May 6 09:02:40 racoon: DEBUG: use local ID type IPv4_subnet

Configured as /32 Network

May 6 09:05:54 racoon: DEBUG: use remote ID type IPv4_address
May 6 09:05:54 racoon: DEBUG: use local ID type IPv4_subnet

> >
> > I have seen some cryptic error messages in the log viewer in pfSense. Is
> > there a key to decode these message codes?
> >
>
> That's generally what gets spewed when you have a P2 mismatch with a Cisco,
> it in and of itself isn't helpful. Enabling "Start racoon in debug mode"
> under System>Advanced, Misc may give you more useful logs.
> Though maybe not since you're the initiator, in many cases of mismatch as
> the initiator you won't get very telling logs on your end for why the
> remote end is refusing to accept, if it's just timing out.
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>

-- 
Mark Street, D.C., RHCE
Chief Technology Officer
Alliance Medical Center
(707) 433-5494
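The "address versus /32 network" distinction Chris mentions is visible on the wire in the IKEv1 Phase 2 Identification payload: a host is sent as ID type 1 (ID_IPV4_ADDR, 4 bytes of data) and a network as ID type 4 (ID_IPV4_ADDR_SUBNET, address plus mask, 8 bytes), per RFC 2407 section 4.6.2.1. A peer that compares proxy IDs strictly can treat 192.0.2.140 and 192.0.2.140/32 as different selectors even though they cover the same host. The following is an added example, not code from the thread or from pfSense/racoon: it encodes both forms so the byte-level difference can be seen, decodes them back into racoon's IPv4_address/IPv4_subnet naming, and parses the "use local/remote ID type" debug lines shown above. It deliberately does not collapse /32 to a host address (the thread observes that pfSense's racoon configuration logged both as IPv4_address; this code illustrates the wire difference, not pfSense's generator). The 192.0.2.0/24 addresses (RFC 5737 documentation range), the sample log text and the function names are assumptions of the example.

```python
import ipaddress
import re
import struct

# IKEv1 / IPsec DOI Identification payload ID types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1          # a single host: 4 bytes of ID data
ID_IPV4_ADDR_SUBNET = 4   # a network: 4-byte address followed by 4-byte mask

# What racoon prints for each ID type in its "use local/remote ID type ..." debug lines.
RACOON_ID_NAMES = {ID_IPV4_ADDR: "IPv4_address", ID_IPV4_ADDR_SUBNET: "IPv4_subnet"}


def build_id_payload(spec, next_payload=0, proto=0, port=0):
    """Encode a Phase 2 Identification payload for a host ("A.B.C.D") or a network ("A.B.C.D/N").

    A /32 network is deliberately NOT collapsed to a host address: the two forms
    produce different ID types on the wire, which is the difference a peer may
    reject as a proxy ID mismatch. (Hypothetical helper for this example.)
    """
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=True)
        id_type = ID_IPV4_ADDR_SUBNET
        data = net.network_address.packed + net.netmask.packed
    else:
        id_type = ID_IPV4_ADDR
        data = ipaddress.IPv4Address(spec).packed
    length = 8 + len(data)
    # Generic payload header (next payload, reserved, length), then ID type, protocol ID, port.
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, proto, port) + data


def describe_id_payload(payload):
    """Decode a payload from build_id_payload back into racoon's naming plus the selector."""
    _next, _reserved, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("payload length field does not match payload size")
    data = payload[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return "%s %s" % (RACOON_ID_NAMES[id_type], ipaddress.IPv4Address(data))
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        return "%s %s/%s" % (RACOON_ID_NAMES[id_type], addr, mask)
    raise ValueError("unsupported or malformed ID type %d" % id_type)


# Constructed sample of racoon debug output, in the shape of the lines quoted in the thread.
SAMPLE_RACOON_LOG = """\
May  6 09:02:40 racoon: DEBUG: use remote ID type IPv4_address
May  6 09:02:40 racoon: DEBUG: use local ID type IPv4_subnet
"""

RACOON_ID_RE = re.compile(r"racoon: DEBUG: use (?P<side>local|remote) ID type (?P<name>\S+)")


def parse_racoon_id_types(log_text):
    """Return {'local': ..., 'remote': ...} from racoon's Phase 2 ID type debug lines."""
    found = {}
    for line in log_text.splitlines():
        m = RACOON_ID_RE.search(line)
        if m:
            found[m.group("side")] = m.group("name")
    return found


def phase2_ids_agree(initiator_remote_spec, responder_local_spec):
    """True only if both sides would encode the same selector with the same ID type.

    The initiator's "remote network" must be byte-for-byte what the responder
    uses as its "local network"; 192.0.2.140 and 192.0.2.140/32 do not agree.
    """
    return build_id_payload(initiator_remote_spec) == build_id_payload(responder_local_spec)


if __name__ == "__main__":
    for spec in ("192.0.2.140", "192.0.2.140/32", "192.0.2.140/31"):
        payload = build_id_payload(spec)
        print("%-16s -> %-40s %s" % (spec, describe_id_payload(payload), payload.hex()))
    print(parse_racoon_id_types(SAMPLE_RACOON_LOG))
    print("address vs /32 agree:", phase2_ids_agree("192.0.2.140", "192.0.2.140/32"))
```

When comparing your own debug output with the far side's, the useful check is whether the ID type names match for the mirrored selectors (your remote against their local, and vice versa), not just whether the addresses look the same; the payload hex shows that a /32 carries an extra four-byte mask that a host ID does not.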
