OPNsense Forum

English Forums => General Discussion => Topic started by: Lorenzo on September 08, 2016, 09:33:46 am

Title: VPN between OPNsense and Cisco Router cannot be established
Post by: Lorenzo on September 08, 2016, 09:33:46 am
I'm trying to establish a site-to-site VPN between OPNsense and a Cisco Router, taking as a reference the documentation at:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

Versions:
OPNsense 16.7.3-amd64
Cisco 887VA-SEC-K9 (C880DATA-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)


On OPNsense
Set Phase1 with
   Key Exchange Version V1
   Authentication Method: Mutual PSK
   Negotiation Mode: Main
   Preshared key: xxxx
   Encryption: AES256
   HASH: SHA512 (DH Group14) Lifetime 28800
Set Phase2 with
   Protocol ESP
   Encryption Algorithms: AES-256
   Hash Algorithms: SHA512
   PFS KeyGroup: 14


On Cisco

crypto isakmp key xxxx address xxx.xxx.xxx.xxx no-xauth
crypto ipsec security-association lifetime seconds 28800
crypto isakmp policy 5
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
 lifetime 28800

crypto ipsec transform-set VPN-OPNSENSE esp-aes esp-sha512-hmac
 mode tunnel

crypto map sfarm 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN-OPNSENSE
 set pfs group14
 match address 160

access-list 160 permit ip yyy.yyy.yyy.yyy 0.0.255.255 yyy.zzz.0.0 0.0.255.255


There is something wrong with
190287: Sep  8 09:11:58.982 CET: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
190288: Sep  8 09:11:58.982 CET: ISAKMP:(0):Lifetime duration offered does not match policy!
(The complete log in attachment)

It seems that even if the specified Lifetime is 28800, it is like the policy contains 86400...

Thanks for any help and suggestions.
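The four bytes IOS prints after "life duration (VPI) of" are the raw ISAKMP lifetime attribute, big-endian, so they can be decoded to see what the peer actually proposed. The following is an added example (not from the original post or the OPNsense project) that decodes those bytes from a constructed copy of the quoted debug lines and compares them with the configured policy lifetime:

```python
import re

# Constructed copy of the two ISAKMP debug lines quoted in the post.
SAMPLE_LOG = """\
190287: Sep  8 09:11:58.982 CET: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
190288: Sep  8 09:11:58.982 CET: ISAKMP:(0):Lifetime duration offered does not match policy!
"""

# One 0x.. token per byte, separated by spaces, up to the end of the line.
LIFE_RE = re.compile(r"life duration \(VPI\) of[ \t]+((?:0x[0-9a-fA-F]{1,2}[ \t]*)+)")


def decode_life_duration(hex_tokens: str) -> int:
    """Decode the variable-length big-endian byte string IOS prints for the
    ISAKMP 'life duration' attribute into seconds (IKEv1 uses seconds for
    phase 1 lifetimes when the life type is 'seconds')."""
    value = 0
    for tok in hex_tokens.split():
        byte = int(tok, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"not a byte: {tok}")
        value = (value << 8) | byte
    return value


def offered_lifetimes(log_text: str) -> list[int]:
    """Return every lifetime (in seconds) the peer offered, as found in the log."""
    return [decode_life_duration(m.group(1)) for m in LIFE_RE.finditer(log_text)]


def check_against_policy(log_text: str, policy_lifetime: int) -> list[tuple[int, bool]]:
    """Pair each offered lifetime with whether it equals the local isakmp policy.
    A False entry explains a 'Lifetime duration offered does not match policy' line."""
    return [(offered, offered == policy_lifetime) for offered in offered_lifetimes(log_text)]


if __name__ == "__main__":
    # 0x0 0x1 0x51 0x80 -> 0x00015180 -> 86400 seconds, not the 28800 in the policy.
    for offered, ok in check_against_policy(SAMPLE_LOG, 28800):
        print(f"peer offered {offered} s, policy 28800 s: {'match' if ok else 'MISMATCH'}")
```

Decoding the bytes confirms the suspicion in the post: the proposal carries 86400 seconds (the strongSwan default) rather than the 28800 configured, which is why the Cisco side rejects it.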
Title: Re: VPN between OPNsense and Cisco Router cannot be established
Post by: franco on September 19, 2016, 12:12:54 am
Hi Lorenzo,

strongSwan IKEv1 has several issues that I found during testing against a Fortigate IPsec. One of them manifests in ignoring the user-defined algorithms and lifetimes, in which case IKEv1 on the other side rejects the proposals naturally.

Try IKEv1 and debug what strongSwan is actually proposing to the other side and put that in the Cisco device. Open a bug report with strongSwan, wait for a while for these things to trickle back into a release...

Or try IKEv2, it's a lot less prone to such glitches.


Cheers,
Franco