Bug #4719: IKEv2 to Cisco ASA results in TS mismatch when initiation triggered by traffic - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #4719

closed

IKEv2 to Cisco ASA results in TS mismatch when initiation triggered by traffic

Added by Chris Buechler almost 9 years ago. Updated about 8 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Chris Buechler

Category:

IPsec

Target version:

2.3

Start date:

05/20/2015

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.2.x

Affected Architecture:

Description

IKEv2 to Cisco ASA won't come up when initiation is triggered by traffic matching the P2. It results in the following on the ASA.

Local:172.27.44.49:500 Remote:172.27.44.26:500 Username:172.27.44.26 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.152.0/192.168.152.255/0/65535/0 local traffic selector 192.168.25.0/192.168.25.255/0/65535/0!

But if you run 'ipsec up con1', it comes up and works fine. It also rekeys fine on its own.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Chris Buechler almost 9 years ago

Assignee set to Chris Buechler
Target version changed from 2.2.3 to 2.3

this is still replicable as described, but only with ASAs, and only as initiator when triggered by traffic. Manually connecting it is fine, it's fine if it's responder, it rekeys no problem indefinitely. Google GCE cloud VPNs, various strongswan versions on Linux all fine. openiked doesn't work with PSK apparently so not an exactly comparable test with certs, but it works too. Will revisit.

Actions

Copy link