Netgate Discussion Forum
    Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA

      mcentirefj

      We've got a site-to-site VPN set up between a branch office and our HQ.

      The VPN establishes and everything works fine if we're initiating from the branch office with the pfsense firewall.

      The VPN fails to initiate from the HQ, going from the Cisco ASA to the pfsense.

      I see these logs saying there is no matching child SA:

      Dec 6 23:39:46 	charon: 11[CFG] <con1000|113> looking for a child config for 10.247.0.0/16|/0 === 10.241.0.0/16|/0
      Dec 6 23:39:46 	charon: 11[CFG] <con1000|113> looking for a child config for 10.247.0.0/16|/0 === 10.241.0.0/16|/0
      Dec 6 23:39:46 	charon: 11[IKE] <con1000|113> no matching CHILD_SA config found
      Dec 6 23:39:46 	charon: 11[IKE] <con1000|113> no matching CHILD_SA config found
      

      But the matching configurations exist in the GUI:

      PFSense version is currently 2.2.4.

      I'm not sure where to go from here. It's telling me there's no match when I can see the match in the config. Any ideas?

        mcentirefj

        Further info:

        I've added ping hosts to all the child SAs for now as a workaround. I don't like that my pfsense box can't respond to VPNs. Anyone have any suggestions?

          tengtengvn

          I have many S2S between pfSense & ASA.

          Posting your configuration for both will help.

          To get the ipsec configuration from pfsense run:
          cat /var/etc/ipsec/ipsec.conf

          In the ASA, look for it in your running config.
