Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12760
Views
0
Helpful
25
Replies

VPN IPSec site-to-site tunnel between pfSense and Cisco RV042G is not working

nasolsi1
Level 1
Level 1

‎10-27-2017 02:52 AM - edited ‎03-12-2019 04:40 AM

Hello Support,

 

Could you please help me to fix VPN IPSec issue.
I've recently configured pfSense v.2.4.1-RELEASE (amd64) for VPN IPSec site-to-site tunnel to Cisco RV042G in mode Gateway but unfortunately it didn't work out as expected, and I'm not sure if the VPN issue is caused by either pfSense or Cisco side.
I can ping from pfSense's LAN subnet/WAN IP to Cisco's WAN IP and Gateway but cannot ping from Cisco's LAN subnet and WAN IP to pfSense WAN IP (note: both pfsense and cisco's WAN IPs and Gateway are in same subnet /29 provided by ISP). Cisco router has currently got other VPN IPSec tunnel connections established to our branch offices.
Firewall rules to allow vpn ipsec and ports have been configured on both sides.

Thank you in advance.

Labels:
0 Helpful
25 Replies 25

Francesco Molino
VIP Alumni
VIP Alumni

‎10-27-2017 05:38 AM

Hi

If I understand correctly you can ping Cisco WAN IP from Pfsense but not the other way around, is that correct?
If that's your issue, you need to concentrate on Pfsense side. Have you enabled icmp to your WAN interface on pfsense? Can you check on your system firewall logs if you see the incoming traffic and which rule denies it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-27-2017 05:59 AM

H Francesco,

 

Thank you for your quick response.

I've just enabled ICMP on pfSense's WAN port and successfully managed to ping pfSense's WAN IP from Cisco's LAN/WAN but still unable to establish vpn ip sec tunnel.

Checked pfSense's logs and no any firewall, ipsec and vpn logs came up.

Checked also Cisco's vpn logs and got that message: 

VPN Log packet from 78.130.146....:500: ignoring informational payload, type AUTHENTICATION_FAILED

 

I'm sure that vpn ipsec phase1 and 2 settings on pfSense completely match to these on Cisco ones.

 

Please have a look at attached files with pfSense and Cisco vpn ipsec configuration.

 

Any help will be really appreciated. 

Preview file
70 KB
Preview file
22 KB
Preview file
70 KB
Preview file
68 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to nasolsi1

‎10-27-2017 06:09 AM

On Cisco I guess by default it's IKEv1 (sorry I don't know too much RV042 devices) and on Pfsense you selected IKEv2.

Can you change it to IKEv1 and test it again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-27-2017 06:30 AM

Hi Francesco,

I did change IKE from v2 to v1 on pfSense and managed to established vpn connection to Cisco but unfortunately no any packets are going through the tunnel. 

Tried vpn connection from cisco to pfsense but didn't work.

I couldn't ping pfSense's LAN subnet from Cisco's LAN.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to nasolsi1

‎10-27-2017 06:32 AM

When the tunnel is up, can you take a look on sh crypto ipsec to see if you see encaps / decaps packets to determine if the issue is on Cisco or Pfsense side,

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-27-2017 06:43 AM

I don't think the tunnel will be up any time soon as I said before vpn ipsec connection was established only from pfsense to cisco but not the other way around.

I don;t understand how the vpn was established from pfsense to cisco and not the other way around either.

the same vpn log appeared on cisco.

I'm a bit stuck where else to look at.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to nasolsi1

‎10-27-2017 07:01 AM

Ok I got it wrong I understood the tunnel was up but no packets passing through that tunnel.

Can you run debug cry isakmp and debug cry ipsec on cisco to see what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-27-2017 07:11 AM

Hi Francesco,

 

you made my day:).

 

The vpn ip sec tunnel just came up and I don't know why it took too long from cisco to pfsense to get established.

Now I can get ping response and establish rdp from pfSense's LAN to Cisco's LAN but not the other way around.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to nasolsi1

‎10-27-2017 07:14 AM

Oh just talking it came up, I'll need to play the lottery :-)
Ok then share some logs from Cisco and Pfsense please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-30-2017 05:46 AM

Hi Francesco,

I got problem again.

VPN IPSec tunnel have been up for the last two days and it has gone down an hour ago. I did try to reconnect it from pfsense but didn't work out.

What really interesting for me is that VPN status appears connected on Cisco router (note: I did try to disconnect it on Cisco router a few times either but to no avail as it just stays as connected) and disconnected on pfSense, and still no any system, firewall or ipsec logs appear on pfSense.

I've also tried restarting ipsec service on pfsense and then reconnecting it but it didn't make any difference. 

Now vpn appears connected on Cisco and disconnected on pfSense.

Attached some of the vpn logs taken from Cisco router.

 

 

Preview file
89 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to nasolsi1

‎10-30-2017 03:32 PM

Hi

Can you activate debugs on Cisco and do a clear crypto ipsec and clear crypto isakmp to force there tunnel to come back up?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

nasolsi1
Level 1
Level 1
In response to Francesco Molino

‎10-30-2017 11:42 PM

Hi Francesco,

 

I couldn't find on how to enable debug for IPSec and ISAKMP on Cisco RV042G.

 

Could you please send me an instructions on this.

 

Thanks a lot for your help. 

0 Helpful

nasolsi1
Level 1
Level 1
In response to nasolsi1

‎10-31-2017 12:23 AM

Hi Francesco,

 

I did try disabling VPN IPSec on pfSense for 10-15 mins but didn't work out  I've also tried to disconnect vpn ipsec from Cisco since I did disable vpn ipsec on pfsesne but to no avail as vpn status kept coming up as connected on cisco firewall. 

I've also checked the vpn logs on Cisco and as result the same logs came up:
Oct 30 10:27:08 2017 VPN Log (g2gips3) #12076: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: responding to Quick Mode
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1
Oct 30 10:26:56 2017 VPN Log packet from 78.130.146....:500: ignoring informational payload, type AUTHENTICATION_FAILED

 

As you can see there was no any vpn logs from today 31/10/17 on Cisco.

And again no any system, firewall,ipsec and vpn logs found on pfsense.

 

I don't know where else to look at.

 

Any further help will be really appreciated.

0 Helpful

nasolsi1
Level 1
Level 1
In response to nasolsi1

‎10-31-2017 04:10 AM

Hi Support,

I've deleted the whole vpn ipsec configurations on both pfsense and cisco, and re-created it again but it didn't work.
When I first got it configured I managed to get vpn ipsec tunnel up and running for 2 days but now I can see no way of that to happens.

Please advise me on that.

Thank you in advance.

0 Helpful
Customers Also Viewed These Support Documents