Please also provide the logs from the Cisco ASA. NO_PROPOSAL_CHOSEN usually means that the cipher specs do not match on both sides. Could you provide a screenshot of the cipher settings?
-- 
Eero

2016-07-15 22:08 GMT+03:00 Marc R. Meshurle Jr. <[email protected]>:
> x.x.x.x is the PFSense and y.y.y.y is the Cisco
>
> Jul 16 00:05:54 charon: 11[IKE] <con2000|673> deleting IKE_SA con2000[673] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:54 charon: 11[IKE] <con2000|673> received DELETE for IKE_SA con2000[673]
> Jul 16 00:05:54 charon: 11[ENC] <con2000|673> parsed INFORMATIONAL_V1 request 3030444427 [ HASH D ]
> Jul 16 00:05:54 charon: 11[NET] <con2000|673> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received NO_PROPOSAL_CHOSEN error notify
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> parsed INFORMATIONAL_V1 request 1608868438 [ HASH N(NO_PROP) ]
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> sending packet: from x.x.x.x[500] to y.y.y.y[500] (396 bytes)
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> generating QUICK_MODE request 4135665263 [ HASH SA No KE ID ID ]
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> maximum IKE_SA lifetime 86369s
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> scheduling reauthentication in 85829s
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> IKE_SA con2000[673] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received DPD vendor ID
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> parsed ID_PROT response 0 [ ID HASH V ]
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> sending packet: from x.x.x.x[500] to y.y.y.y[500] (100 bytes)
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> received unknown vendor ID: 11:84:28:cb:63:c1:36:01:1c:b0:82:fb:98:db:9d:aa
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received XAuth vendor ID
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received Cisco Unity vendor ID
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> received packet: from y.y.y.y[500] to x.x.x.x[500] (304 bytes)
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> sending packet: from x.x.x.x[500] to y.y.y.y[500] (244 bytes)
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received FRAGMENTATION vendor ID
> Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received NAT-T (RFC 3947) vendor ID
> Jul 16 00:05:54 charon: 05[ENC] <con2000|673> parsed ID_PROT response 0 [ SA V V ]
> Jul 16 00:05:54 charon: 05[NET] <con2000|673> received packet: from y.y.y.y[500] to x.x.x.x[500] (128 bytes)
> Jul 16 00:05:54 charon: 11[NET] <con2000|673> sending packet: from x.x.x.x[500] to y.y.y.y[500] (200 bytes)
> Jul 16 00:05:54 charon: 11[ENC] <con2000|673> generating ID_PROT request 0 [ SA V V V V V V ]
> Jul 16 00:05:54 charon: 11[IKE] <con2000|673> initiating Main Mode IKE_SA con2000[673] to y.y.y.y
> Jul 16 00:05:54 charon: 09[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {20}
> Jul 16 00:05:53 charon: 11[IKE] <con2000|672> deleting IKE_SA con2000[672] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:53 charon: 11[IKE] <con2000|672> received DELETE for IKE_SA con2000[672]
> Jul 16 00:05:53 charon: 11[ENC] <con2000|672> parsed INFORMATIONAL_V1 request 3572694564 [ HASH D ]
> Jul 16 00:05:53 charon: 11[NET] <con2000|672> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received NO_PROPOSAL_CHOSEN error notify
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> parsed INFORMATIONAL_V1 request 4230419079 [ HASH N(NO_PROP) ]
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> sending packet: from x.x.x.x[500] to y.y.y.y[500] (396 bytes)
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> generating QUICK_MODE request 1039796497 [ HASH SA No KE ID ID ]
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> maximum IKE_SA lifetime 85885s
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> scheduling reauthentication in 85345s
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> IKE_SA con2000[672] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received DPD vendor ID
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> parsed ID_PROT response 0 [ ID HASH V ]
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> sending packet: from x.x.x.x[500] to y.y.y.y[500] (100 bytes)
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> received unknown vendor ID: 6c:3e:73:55:de:28:43:20:be:13:23:da:35:92:c6:5a
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received XAuth vendor ID
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received Cisco Unity vendor ID
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> received packet: from y.y.y.y[500] to x.x.x.x[500] (304 bytes)
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> sending packet: from x.x.x.x[500] to y.y.y.y[500] (244 bytes)
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received FRAGMENTATION vendor ID
> Jul 16 00:05:53 charon: 09[IKE] <con2000|672> received NAT-T (RFC 3947) vendor ID
> Jul 16 00:05:53 charon: 09[ENC] <con2000|672> parsed ID_PROT response 0 [ SA V V ]
> Jul 16 00:05:53 charon: 09[NET] <con2000|672> received packet: from y.y.y.y[500] to x.x.x.x[500] (128 bytes)
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (200 bytes)
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> generating ID_PROT request 0 [ SA V V V V V V ]
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> initiating Main Mode IKE_SA con2000[672] to y.y.y.y
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> deleting IKE_SA con2000[671] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> received DELETE for IKE_SA con2000[671]
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> parsed INFORMATIONAL_V1 request 877344761 [ HASH D ]
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (396 bytes)
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> generating QUICK_MODE request 3061253677 [ HASH SA No KE ID ID ]
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> received NO_PROPOSAL_CHOSEN error notify
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> parsed INFORMATIONAL_V1 request 1071528904 [ HASH N(NO_PROP) ]
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (396 bytes)
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> generating QUICK_MODE request 4166058011 [ HASH SA No KE ID ID ]
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> maximum IKE_SA lifetime 86387s
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> scheduling reauthentication in 85847s
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> IKE_SA con2000[671] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> received DPD vendor ID
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> parsed ID_PROT response 0 [ ID HASH V ]
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (100 bytes)
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> received unknown vendor ID: d7:fa:f0:cf:5c:f4:7a:12:81:d0:bb:1a:be:48:22:00
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> received XAuth vendor ID
> Jul 16 00:05:53 charon: 08[IKE] <con2000|671> received Cisco Unity vendor ID
> Jul 16 00:05:53 charon: 08[ENC] <con2000|671> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> Jul 16 00:05:53 charon: 08[NET] <con2000|671> received packet: from y.y.y.y[500] to x.x.x.x[500] (304 bytes)
> Jul 16 00:05:53 charon: 10[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (244 bytes)
> Jul 16 00:05:53 charon: 10[ENC] <con2000|671> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Jul 16 00:05:53 charon: 10[IKE] <con2000|671> received FRAGMENTATION vendor ID
> Jul 16 00:05:53 charon: 10[IKE] <con2000|671> received NAT-T (RFC 3947) vendor ID
> Jul 16 00:05:53 charon: 10[ENC] <con2000|671> parsed ID_PROT response 0 [ SA V V ]
> Jul 16 00:05:53 charon: 10[NET] <con2000|671> received packet: from y.y.y.y[500] to x.x.x.x[500] (128 bytes)
> Jul 16 00:05:53 charon: 15[CFG] received stroke: initiate 'con2000'
> Jul 16 00:05:53 charon: 10[CFG] no IKE_SA named 'con2001' found
> Jul 16 00:05:53 charon: 10[CFG] received stroke: terminate 'con2001'
> Jul 16 00:05:53 charon: 15[NET] <con2000|671> sending packet: from x.x.x.x[500] to y.y.y.y[500] (200 bytes)
> Jul 16 00:05:53 charon: 15[ENC] <con2000|671> generating ID_PROT request 0 [ SA V V V V V V ]
> Jul 16 00:05:53 charon: 15[IKE] <con2000|671> initiating Main Mode IKE_SA con2000[671] to y.y.y.y
> Jul 16 00:05:53 charon: 11[CFG] received stroke: initiate 'con2001'
> Jul 16 00:05:53 charon: 15[CFG] no IKE_SA named 'con2000' found
> Jul 16 00:05:53 charon: 15[CFG] received stroke: terminate 'con2000'
>
> Marc R. Meshurle, Jr.
> Sr. Engineer
> KatoTech
> (Division of Bullets & Bytes, Inc.)
> Exton, PA. 19341
> 610-280-3566
>
> ________________________________________
> From: List <[email protected]> on behalf of Chris Buechler <[email protected]>
> Sent: Friday, July 15, 2016 14:29
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] PFS 2.3.1-RELEASE-p5 and Cisco 5520 IPSEC
>
> On Fri, Jul 15, 2016 at 11:32 AM, Marc R. Meshurle Jr. <[email protected]> wrote:
> > I'm having an issue connecting to a Cisco ASA5520 with IPSEC. The vendor with the Cisco states that Phase 1 is good, but dropping out on Phase 2. We've matched the Phase 2 proposals up and it still fails on the Phase 2 side. I've tried every combination of SA protocols and none stay connected.
> >
> > Any thoughts?
> >
>
> What do your IPsec logs show?
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
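The pattern in the quoted log (Main Mode completes, a Quick Mode request goes out, NO_PROPOSAL_CHOSEN comes back, the peer deletes the IKE_SA, and pfSense immediately re-initiates) is the thing to pin down before asking the ASA side for its transform set. The script below is an added example for this thread and is not code from pfSense, strongSwan or any of the posters. It groups charon IKEv1 log lines by IKE_SA instance (the `<con2000|673>` tag) and decides whether NO_PROPOSAL_CHOSEN hit Phase 1 or Phase 2 without relying on line order, because pfSense's log view prints newest first and most of these events share the same second. The sample lines are constructed from the quoted log; the `con2000[660]` instance is invented to exercise the Phase 1 branch, and the verdict strings are this example's own naming.

```python
"""Classify strongSwan (charon) IKEv1 log lines per IKE_SA instance.

Added example for the pfSense/ASA thread; not pfSense or strongSwan code.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the quoted charon log. con2000[673] completes
# Main Mode, sends Quick Mode with a KE payload (PFS) and is answered with
# NO_PROPOSAL_CHOSEN; con2000[660] is an invented instance that is refused
# during Main Mode, so the same notify means a Phase 1 mismatch there.
SAMPLE_LOG = """\
Jul 16 00:05:54 charon: 11[IKE] <con2000|673> deleting IKE_SA con2000[673] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
Jul 16 00:05:54 charon: 11[IKE] <con2000|673> received DELETE for IKE_SA con2000[673]
Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received NO_PROPOSAL_CHOSEN error notify
Jul 16 00:05:54 charon: 05[ENC] <con2000|673> parsed INFORMATIONAL_V1 request 1608868438 [ HASH N(NO_PROP) ]
Jul 16 00:05:54 charon: 05[ENC] <con2000|673> generating QUICK_MODE request 4135665263 [ HASH SA No KE ID ID ]
Jul 16 00:05:54 charon: 05[IKE] <con2000|673> IKE_SA con2000[673] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
Jul 16 00:05:54 charon: 05[IKE] <con2000|673> received Cisco Unity vendor ID
Jul 16 00:05:54 charon: 11[IKE] <con2000|673> initiating Main Mode IKE_SA con2000[673] to y.y.y.y
Jul 16 00:05:54 charon: 09[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {20}
Jul 16 00:05:40 charon: 07[IKE] <con2000|660> received NO_PROPOSAL_CHOSEN error notify
Jul 16 00:05:40 charon: 07[ENC] <con2000|660> parsed INFORMATIONAL_V1 request 12345 [ N(NO_PROP) ]
Jul 16 00:05:40 charon: 07[IKE] <con2000|660> initiating Main Mode IKE_SA con2000[660] to y.y.y.y
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)
PAYLOADS_RE = re.compile(r"\[ (?P<payloads>[^\]]*) \]")


def parse_line(line):
    """Split one charon line into its fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_by_sa(text):
    """Collect messages per (connection name, IKE_SA instance number).

    Untagged lines ([CFG] stroke, [KNL] acquire jobs) land under (None, None).
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["conn"], rec["sa"])].append(rec["msg"])
    return groups


def diagnose(messages):
    """Classify one IKE_SA instance from its messages, independent of order.

    A NO_PROPOSAL_CHOSEN on an instance that also logged "IKE_SA ... established"
    can only have answered the Quick Mode (Phase 2) exchange; one without an
    established IKE_SA was refused during Main Mode (Phase 1).
    """
    established = any(m.startswith("IKE_SA") and " established between " in m
                      for m in messages)
    child_up = any(m.startswith("CHILD_SA") and "established" in m
                   for m in messages)
    no_prop = any("received NO_PROPOSAL_CHOSEN" in m for m in messages)
    peer_deleted = any("received DELETE for IKE_SA" in m for m in messages)
    quick_mode = [m for m in messages if "generating QUICK_MODE request" in m]
    # A KE payload in the Quick Mode request means PFS was proposed; if the
    # responder is configured without PFS that is one candidate for the mismatch.
    pfs = any("KE" in pm.group("payloads").split()
              for pm in map(PAYLOADS_RE.search, quick_mode) if pm)

    if child_up:
        verdict = "ok"
    elif no_prop and established:
        verdict = "phase2_mismatch"
    elif no_prop:
        verdict = "phase1_mismatch"
    elif established:
        verdict = "phase2_pending"
    else:
        verdict = "incomplete"
    return {
        "verdict": verdict,
        "ike_sa_established": established,
        "quick_mode_attempts": len(quick_mode),
        "pfs_proposed": pfs,
        "peer_deleted_sa": peer_deleted,
    }


def analyze(text):
    """Diagnose every tagged IKE_SA instance in a charon log excerpt."""
    return {key: diagnose(msgs) for key, msgs in group_by_sa(text).items()
            if key[0] is not None}


if __name__ == "__main__":
    for (conn, sa), d in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{conn}[{sa}]: {d['verdict']} "
              f"(QM attempts={d['quick_mode_attempts']}, PFS={d['pfs_proposed']})")
```

For the quoted log every instance (671, 672, 673) comes out as `phase2_mismatch` with PFS proposed, which agrees with the vendor's "Phase 1 is good". The items to compare against the ASA's transform set for this peer are therefore the Phase 2 ones: ESP encryption and hash algorithm, the PFS group (or PFS being enabled at all), and the SA lifetime type, rather than anything in the Phase 1 proposal.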
