IPSEC from FreeBSD (racoon) to Cisco ASA

be_root
FreeBSD 8.1-RELEASE-p1
Cisco ASA Cisco Adaptive Security Appliance Software Version 8.3(1)
ipsec-tools-0.7.3

Hello dear experts. Please help me with this question. In my branch office the 5505 ASA went down, and I replaced it with a FreeBSD PC. But I can't understand why my head-office ASA is receiving traffic from FreeBSD that is not decrypted. I only need to ping it from my main office, and then traffic starts running inside the tunnel.
On FreeBSD I get the following message:

ipsec_common_input: no key association found for SA Branch_ip/0552a69a/50

The config is correct on both sides. Is it a problem with ipsec-tools?
Author

Commented:
The tunnel is up:
20  IKE Peer: ¿¿¿¿¿¿
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 2871
But it works only after generating traffic from my side.

Author

Commented:
ASDM logging:
4   Oct 19 2010   09:16:39   402116  
BranchIP -My IP      IPSEC: Received an ESP packet (SPI= 0x6925EDD3, sequence number= 0x6) from BranchIP (user= BranchIP) to My IP.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 192.168.240.1, its source as 192.168.232.1, and its protocol as 1.  The SA specifies its local proxy as 192.168.2.0/255.255.255.0/0/0 and its remote_proxy as 192.168.232.0/255.255.255.224/0/0.

Commented:
There is a FreeBSD-based router for PCs called pfSense.

www.pfsens.org

It's free.

Here is a guide on how to connect it to a Cisco device (the example is for a router, but if you keep the IPsec algorithms the same on both sides of the tunnel it should work).

http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

HTH

Chris

Author

Commented:
piwowarc: Thank you for the advice, I'll check it in the future, but now I need to try to fix the FreeBSD with racoon connection. Now I'm using ping from a cron script )))

Commented:
This is verbatim from your description:

The packet specifies its destination as 192.168.240.1, its source as 192.168.232.1, and its protocol as 1.  The SA specifies its local proxy as 192.168.2.0/255.255.255.0/0/0 and its remote_proxy as 192.168.232.0/255.255.255.224/0/0.

It's a mismatch in the policies, meaning you receive a packet that should not have been encrypted.
Packet DST=192.168.240.1  SRC=192.168.232.1
Policy local 192.168.2.0/24  remote 192.168.232.0/27

The packet source is covered by the policy, but the destination 192.168.240.1 does not fall in the 192.168.2.0/24 range.

Author

Commented:
Well, let me show you my config (with ASA to ASA it works perfectly).
From FreeBSD:
ipsec.conf
spdadd 192.168.232.0/27 192.168.2.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.2.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 192.168.3.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.3.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 192.168.64.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.64.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP2/require;

spdadd 192.168.232.0/27 192.168.240.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.240.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 192.168.245.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.245.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 10.200.200.0/21 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 10.200.200.0/21 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 172.16.0.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 172.16.0.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

spdadd 192.168.232.0/27 10.100.100.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 10.100.100.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;

and the Branch racoon.conf (it's really the same for all subnets)
remote HQ_IP[500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
lifetime time 86400 sec;
initial_contact on;
support_mip6 on;
proposal_check obey;
    proposal{
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

        sainfo address 192.168.232.0/27 any address 192.168.240.0/24 any
        {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        }

From the ASA side I'm using the following ACL

access-list RGN-VPN-*** extended permit ip object-group REGION-ACCESS 192.168.232.32 255.255.255.248

object-group network REGION-ACCESS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.64.0 255.255.255.0
 network-object 192.168.240.0 255.255.255.0
 network-object 192.168.245.0 255.255.255.0
 network-object 10.200.200.0 255.255.248.0
 network-object 172.16.0.0 255.255.255.0
 network-object 10.100.100.0 255.255.255.

and my crypto map

crypto map outside_10mb 35 match address RGN-VPN-****
crypto map outside_10mb 35 set pfs
crypto map outside_10mb 35 set peer Branch_IP
crypto map outside_10mb 35 set transform-set 3DES-SHA-HMAC
crypto map outside_10mb 35 set security-association lifetime seconds 3600

All works perfectly with Cisco routers and ASA. Please, can anyone help with FreeBSD? (

Author

Commented:
Sorry, my mistake, I posted an error.
spdadd 192.168.232.0/27 10.100.100.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 10.100.100.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/HQ_IP-Branch_IP/require;

Author

Commented:
The most interesting thing: for example, when I restart racoon, only one subnet is included in the IPsec SA
sh ipsec sa | grep 192.168.232.0
      access-list RGN-VPN-*** extended permit ip 10.100.100.0 255.255.255.0 192.168.232.0 255.255.255.224
      remote ident (addr/mask/prot/port): (192.168.232.0/255.255.255.224/0/0)

Author

Commented:
But setkey -D -P shows all subnets
192.168.232.0/27[any] 192.168.2.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=49 seq=7 pid=26326
        refcnt=1
192.168.232.0/27[any] 192.168.3.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=51 seq=6 pid=26326
        refcnt=1
192.168.232.0/27[any] 192.168.64.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=53 seq=5 pid=26326
        refcnt=1
192.168.232.0/27[any] 192.168.240.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=55 seq=4 pid=26326
        refcnt=1
192.168.232.0/27[any] 192.168.245.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=57 seq=3 pid=26326
        refcnt=1
192.168.232.0/27[any] 10.200.200.0/21[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=59 seq=2 pid=26326
        refcnt=1
192.168.232.0/27[any] 172.16.0.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=61 seq=1 pid=26326
        refcnt=1
192.168.232.0/27[any] 10.100.100.0/24[any] any
        out ipsec
        esp/tunnel/Branch_IP-HQ_IP//require
        spid=63 seq=0 pid=26326
        refcnt=1

Commented:
Is there a typo in the config you posted?

On the ASA you have
access-list RGN-VPN-*** extended permit ip object-group REGION-ACCESS 192.168.232.32 255.255.255.248

192.168.232.32/29 - host range is 192.168.232.33 - 192.168.232.38

on the other side (FreeBSD)
192.168.232.0/27 - host range is 192.168.232.1 - 192.168.232.30
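As an added example (not code from this thread or from ipsec-tools), here is a small Python check of the kind DanJ's two comments call for: it parses the outbound spdadd selectors and the ASA object-group plus crypto ACL, reports selector pairs that have no exact mirror on the other side (the 192.168.232.32/29 vs /27 typo), and tests whether a given inner packet is covered by a negotiated selector (the ASA's "doesn't match the negotiated policy" log). The sample inputs are constructed from the configs posted above; the ACL name RGN-VPN is a placeholder.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the configs posted in this thread: spdadd lines
# from the branch ipsec.conf and the ASA object-group plus crypto ACL (with the /29 typo).
SPD_TEXT = """\
spdadd 192.168.232.0/27 192.168.2.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.2.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.232.0/27 192.168.240.0/24 any -P out ipsec esp/tunnel/Branch_IP-HQ_IP/require;
spdadd 192.168.240.0/24 192.168.232.0/27 any -P in ipsec esp/tunnel/Branch_IP-HQ_IP/require;
"""
ASA_TEXT = """\
object-group network REGION-ACCESS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.240.0 255.255.255.0
access-list RGN-VPN extended permit ip object-group REGION-ACCESS 192.168.232.32 255.255.255.248
"""

def parse_spd(text):
    """Outbound SPD selectors as (branch_src, hq_dst) network pairs."""
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d in re.findall(r"^spdadd (\S+) (\S+) \S+ -P out", text, re.M)}

def parse_asa(text):
    """Crypto-ACL selectors as (hq_src, branch_dst) pairs, with object-groups expanded."""
    groups, current, pairs = {}, None, set()
    for line in text.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list \S+ extended permit ip object-group (\S+) (\S+) (\S+)", line):
            branch = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            pairs |= {(hq, branch) for hq in groups[m.group(1)]}
    return pairs

def proxy_mismatches(spd_pairs, asa_pairs):
    """Selector pairs present on one side with no exact mirror on the other. IKEv1 quick
    mode needs identical (mirrored) proxy IDs, so a /29 on the ASA never matches a /27 SPD."""
    mirrored = {(branch, hq) for hq, branch in asa_pairs}  # ASA view -> branch view
    return sorted(spd_pairs ^ mirrored, key=str)

def policy_covers(spd_pairs, src, dst):
    """The selector pair covering an inner packet, or None: the ASA's 'decapsulated inner
    packet doesn't match the negotiated policy in the SA' case."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next(((s, d) for s, d in spd_pairs if src in s and dst in d), None)
```

With the sample inputs every pair is reported as unmirrored; correcting the ACL to 192.168.232.0 255.255.255.224 makes the report empty.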

Author

Commented:
To DanJ: yes ((( sorry, a posting mistake. There are 2 branches in this city and 2 subnets.
The right ACL is

access-list RGN-VPN-1OFFICE extended permit ip object-group REGION-ACCESS 192.168.232.32 255.255.255.248

access-list RGN-VPN-2OFFICE extended permit ip object-group REGION-ACCESS 192.168.232.0 255.255.255.224
Commented:
OK, the BSD is not initiating the IPsec exchange, it only accepts the connection from the ASA. What I suggest is that you need to add the following entries to your config

my_identifier   address YOR_IP_IN_HERE;
peers_identifier address HQ_IP;


remote HQ_IP[500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier   address YOR_IP_IN_HERE;
peers_identifier address HQ_IP;
nonce_size 16;
lifetime time 86400 sec;
initial_contact on;
support_mip6 on;
proposal_check obey;
    proposal{
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

Author

Commented:
Thank you DanJ for your answer. I did everything exactly as you said. But no result. The most interesting thing: when I restart racoon, on the ASA I can see the following output:

sh ipsec sa | grep 192.168.232.0 (it's clear)

But when I try to ping:

ping -S 192.168.232.1 192.168.245.1
PING 192.168.245.1 (192.168.245.1) from 192.168.232.1: 56 data bytes
64 bytes from 192.168.245.1: icmp_seq=2 ttl=63 time=47.986 ms
64 bytes from 192.168.245.1: icmp_seq=3 ttl=63 time=47.863 ms
64 bytes from 192.168.245.1: icmp_seq=4 ttl=63 time=49.560 ms
64 bytes from 192.168.245.1: icmp_seq=5 ttl=63 time=48.570 ms
64 bytes from 192.168.245.1: icmp_seq=6 ttl=63 time=52.979 ms
64 bytes from 192.168.245.1: icmp_seq=7 ttl=63 time=48.341 ms
64 bytes from 192.168.245.1: icmp_seq=8 ttl=63 time=50.071 ms

int shows
remote ident (addr/mask/prot/port): (192.168.232.0/255.255.255.224/0/0)
      access-list RGN-VPN-2OFFICE extended permit ip 192.168.245.0 255.255.255.0 192.168.232.0 255.255.255.224
      remote ident (addr/mask/prot/port): (192.168.232.0/255.255.255.224/0/0)

but the other subnets are now reachable.

Commented:
can you post the routing tables on both ends?

Author

Commented:
To DanJ: it's working perfectly with the ASA 5505. Today I received new equipment for SOHO offices, and soon I can change it back. Thank you for the help.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
