Show Posts
1
General Discussion / VPN between OPNsense and Cisco Router cannot be estabilished
« on: September 08, 2016, 09:33:46 am »
I'm trying to estabilish a site-to-site VPN between OPNsense and Cisco Router, taking as a reference the documentation at:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
Versions:
OPNsense 16.7.3-amd64
Cisco 887VA-SEC-K9 (C880DATA-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
on OPNSense
Set Phase1 with
Key Exchange Version V1
Authentication Method: Mutual PSK
Negotiation Mode: Main
Preshared key: xxxx
Encryption: AES256
HASH: SHA512 (DH Group14) Lifetime 28800
Set Phase2 with
Protocol ESP
Encryption Algorithms: AES-256
Hash Alghoritms: SHA512
PFS KeyGroup: 14
On Cisco
crypto isakmp key xxxx address xxx.xxx.xxx.xxx no-xauth
crypto ipsec security-association lifetime seconds 28800
crypto isakmp policy 5
encr aes 256
hash sha512
authentication pre-share
group 14
lifetime 28800
crypto ipsec transform-set VPN-OPNSENSE esp-aes esp-sha512-hmac
mode tunnel
crypto map sfarm 2 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set VPN-OPNSENSE
set pfs group14
match address 160
access-list 160 permit ip yyy.yyy.yyy.yyy 0.0.255.255 yyy.zzz.0.0 0.0.255.255
There is something wrong with
190287: Sep 8 09:11:58.982 CET: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
190288: Sep 8 09:11:58.982 CET: ISAKMP:(0):Lifetime duration offered does not match [/color]policy!
(The complete log in attachment)
It seems that even if the specified Lifetime is 28800, it is like the policy contains 86400...
Thank for any help and suggestion.
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
Versions:
OPNsense 16.7.3-amd64
Cisco 887VA-SEC-K9 (C880DATA-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
on OPNSense
Set Phase1 with
Key Exchange Version V1
Authentication Method: Mutual PSK
Negotiation Mode: Main
Preshared key: xxxx
Encryption: AES256
HASH: SHA512 (DH Group14) Lifetime 28800
Set Phase2 with
Protocol ESP
Encryption Algorithms: AES-256
Hash Alghoritms: SHA512
PFS KeyGroup: 14
On Cisco
crypto isakmp key xxxx address xxx.xxx.xxx.xxx no-xauth
crypto ipsec security-association lifetime seconds 28800
crypto isakmp policy 5
encr aes 256
hash sha512
authentication pre-share
group 14
lifetime 28800
crypto ipsec transform-set VPN-OPNSENSE esp-aes esp-sha512-hmac
mode tunnel
crypto map sfarm 2 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set VPN-OPNSENSE
set pfs group14
match address 160
access-list 160 permit ip yyy.yyy.yyy.yyy 0.0.255.255 yyy.zzz.0.0 0.0.255.255
There is something wrong with
190287: Sep 8 09:11:58.982 CET: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
190288: Sep 8 09:11:58.982 CET: ISAKMP:(0):Lifetime duration offered does not match [/color]policy!
(The complete log in attachment)
It seems that even if the specified Lifetime is 28800, it is like the policy contains 86400...
Thank for any help and suggestion.