On Fri, May 3, 2013 at 4:04 PM, Mark Street <mstr...@alliancemed.org> wrote:
> Hi,
>
> I am creating a tunnel with another party that is using a Cisco ASA5520.
> Phase 1 is negotiating just fine.
>
> Phase 2 will not come up.  I am using my LAN Subnet on my side and made sure
> they have the same settings.  They are using a public routable IP on their
> side for the remote network.  ex.  Their VPN endpoint of the ASA is
> 111.222.333.25 and they are using 111.222.333.140/32 for the remote network.
> I have that remote network set on my side in Phase 2 - 111.222.333.140/32
>
> When I go to pfSense Status and click on the little start icon next to the
> phase 2 entry, it is yellow with an x; once pushed, the tunnel does not come
> up green but stays yellow with an x.  Am I setting the remote network
> properly on my side of phase 2?
>

There can be a difference between an address and a /32 network in
phase 2; you might want to try the opposite of what you're using now.


> I have seen some cryptic error messages in the log viewer in pfSense.  Is
> there a key to decode these message codes?
>

That's generally what gets spewed when you have a P2 mismatch with a
Cisco; it in and of itself isn't helpful. Enabling "Start racoon in
debug mode" under System>Advanced, Misc may give you more useful logs.
Though maybe not, since you're the initiator: in many cases of a mismatch,
as the initiator you won't get very telling logs on your end for why
the remote end is refusing to accept if it's just timing out.
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

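To make the "address vs. /32 network" point above concrete, here is an added example (mine, not code from the list post, pfSense or racoon). It encodes the Phase 2 Identification payload the two configurations put on the wire, following the IPsec DOI ID types from RFC 2407 (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4) and the ISAKMP Identification payload layout from RFC 2408, then compares them two ways: byte-for-byte as a strict responder would, and by the address range they cover. The host address is constructed from RFC 5737 documentation space; the mapping "bare host = ID_IPV4_ADDR, anything with a prefix length = ID_IPV4_ADDR_SUBNET" is my model of the two pfSense choices, not a quote of its source.

```python
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1          # a single IPv4 address: 4 bytes of ID data
ID_IPV4_ADDR_SUBNET = 4   # IPv4 address followed by a netmask: 8 bytes of ID data

# ISAKMP Identification payload header (RFC 2408, section 3.8):
# next payload, reserved, payload length, ID type, protocol ID, port.
HEADER = struct.Struct("!BBHBBH")


def encode_selector(spec: str) -> bytes:
    """Build the Phase 2 ID payload for one side of the tunnel.

    Assumed mapping (not pfSense's own code): a bare host such as
    '192.0.2.140' is sent as ID_IPV4_ADDR, while anything written with a
    prefix length, including '192.0.2.140/32', is sent as ID_IPV4_ADDR_SUBNET
    with an explicit mask.  Protocol and port are 0 (any), as for a plain
    net-to-net tunnel.
    """
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        data = net.network_address.packed + net.netmask.packed
        id_type = ID_IPV4_ADDR_SUBNET
    else:
        data = ipaddress.IPv4Address(spec).packed
        id_type = ID_IPV4_ADDR
    return HEADER.pack(0, 0, HEADER.size + len(data), id_type, 0, 0) + data


def decode_selector(raw: bytes):
    """Parse an ID payload back into (id_type, IPv4Network)."""
    _next, _res, length, id_type, _proto, _port = HEADER.unpack_from(raw)
    data = raw[HEADER.size:length]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network((data, 32))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        mask = str(ipaddress.IPv4Address(data[4:]))
        net = ipaddress.IPv4Network((data[:4], mask), strict=False)
    else:
        raise ValueError(f"unsupported or malformed ID payload (type {id_type})")
    return id_type, net


def strict_match(local: bytes, remote: bytes) -> bool:
    """Model of a picky responder: ID type and covered range must both agree."""
    return decode_selector(local) == decode_selector(remote)


def semantic_match(local: bytes, remote: bytes) -> bool:
    """Match on the covered address range only, ignoring how it was encoded."""
    return decode_selector(local)[1] == decode_selector(remote)[1]


def compare(local_spec: str, remote_spec: str):
    """Return (strict, semantic) for a local selector versus the peer's config.

    Both sides describe the same host, but one is sent as an address and the
    other as a /32 subnet; a strict peer rejects the pair even though they
    select exactly the same traffic.
    """
    local = encode_selector(local_spec)
    remote = encode_selector(remote_spec)
    return strict_match(local, remote), semantic_match(local, remote)


if __name__ == "__main__":
    # Constructed example: the peer configured a host address, we configured /32.
    print(encode_selector("192.0.2.140").hex())     # 12-byte ID_IPV4_ADDR payload
    print(encode_selector("192.0.2.140/32").hex())  # 16-byte ID_IPV4_ADDR_SUBNET payload
    print(compare("192.0.2.140/32", "192.0.2.140"))
    print(compare("192.0.2.140", "192.0.2.140"))
```

Run it and the two hex dumps show the difference the reply is talking about: same host, but a different ID type and four extra mask bytes. That is the kind of thing a peer's crypto map lookup can refuse without telling the initiator why, which is also why flipping the pfSense setting to the other form is worth trying before digging through debug logs.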