PfSense -> Cisco WRVS4400N
-
Having trouble setting up IPsec VPN between a pfSense box, and a Cisco WRVS4400N wireless router. I've searched through the forums and online and haven't been able to find much.
Can I set up a normal tunnel, as I would when setting IPsec up between 2 pfSense boxes? Or do I have to use the mobile client sections? I've only been able to get a tunnel established by setting it up through mobile clients. Even with the tunnel established I was never able to get any traffic through.
-
Regarding the traffic not passing through, do you by any chance see 'ERROR: failed to begin ipsec sa negotication.' in your logs? If so check these two bug reports:
http://redmine.pfsense.org/issues/1351
http://redmine.pfsense.org/issues/1970
There seems to be a bug in racoon that prevents traffic from being routed properly. I encountered this issue in one of my setups. VPN traffic was entering pfSense, but no traffic was being sent back to the client.
-
I do get that error. I've run racoon in diagnostic mode, and here is what it shows -
I've changed the local site public IP to 1.1.1.1 and the remote site to 2.2.2.2.
Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: no remote configuration found.
Mar 13 10:55:41 racoon: DEBUG: in post_acquire
Mar 13 10:55:41 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
Mar 13 10:55:41 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
Mar 13 10:55:41 racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
Mar 13 10:55:41 racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Mar 13 10:55:41 racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.3.0/24', peer='ANY', id=3
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.2.0/24', peer='ANY', id=2
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.109.0/24', peer='ANY', id=1
Mar 13 10:55:41 racoon: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.30.0/24' peer='NULL' client='NULL' id=5
Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: configuration "anonymous" selected.
Mar 13 10:55:41 racoon: DEBUG: new acquire 192.168.1.0/24[0] 192.168.30.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: suitable inbound SP found: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
Mar 13 10:55:41 racoon: DEBUG: db :0x28549408: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28549048: 192.168.1.0/24[0] 192.168.3.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548dc8: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548b48: 192.168.1.0/24[0] 192.168.109.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548a08: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548788: 192.168.3.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548508: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548288: 192.168.109.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: db :0x28548148: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Mar 13 10:55:41 racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.30.0/24[0] proto=any dir=out.
I copied the few lines that stood out to me below.
Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: no remote configuration found.
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
Mar 13 10:55:41 racoon: DEBUG: db :0x28548a08: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
Mar 13 10:55:41 racoon: DEBUG: db :0x28548148: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
When I tell the client to connect, everything looks fine. As soon as I try to ping a device in the remote site, the entries listed above show up in the log files.
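Added example, not part of this thread and not pfSense or racoon code: a small Python script that reads racoon debug output of the shape quoted above and reports why no specific sainfo (Phase 2 policy) was selected. In the log above, the "getsainfo params" line asks for 192.168.1.0/24 <-> 192.168.30.0/24, but the only specific sainfo entries racoon evaluates are for 192.168.3.0/24, 192.168.2.0/24 and 192.168.109.0/24, so it falls through to the "anonymous" (mobile client) configuration and then cannot find a remote configuration for the peer. The SAMPLE_LOG is a constructed excerpt with the same line formats; the regexes are assumptions about racoon's debug wording based only on the lines shown here.

```python
"""Diagnose a racoon 'failed to begin ipsec sa negotiation' trace.

Added example: parses the 'evaluating sainfo' / 'getsainfo params' /
'no configuration found' lines and explains which Phase 2 selector was
requested and whether any configured entry matched it.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt shaped like the racoon debug output quoted in the thread.
SAMPLE_LOG = """\
Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: no remote configuration found.
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.3.0/24', peer='ANY', id=3
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.2.0/24', peer='ANY', id=2
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.109.0/24', peer='ANY', id=1
Mar 13 10:55:41 racoon: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.30.0/24' peer='NULL' client='NULL' id=5
Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: configuration "anonymous" selected.
"""

# Patterns are assumptions derived from the quoted lines, not from racoon's source.
SAINFO_RE = re.compile(
    r"evaluating sainfo: loc='([^']+)', rmt='([^']+)', peer='([^']+)', id=(\d+)")
REQUEST_RE = re.compile(
    r"getsainfo params: loc='([^']+)' rmt='([^']+)' .*?\bid=(\d+)")
NOCONF_RE = re.compile(r"no configuration found for (\d+\.\d+\.\d+\.\d+)")
ANON_RE = re.compile(r'configuration "anonymous" selected')
FAIL_RE = re.compile(r"failed to begin ipsec sa negot")  # tolerates racoon's typo


@dataclass
class Sainfo:
    loc: str
    rmt: str
    peer: str
    id: int


@dataclass
class Diagnosis:
    negotiation_failed: bool = False
    missing_peer: Optional[str] = None
    request: Optional[Tuple[str, str, int]] = None   # (loc, rmt, id) racoon asked for
    candidates: List[Sainfo] = field(default_factory=list)
    exact_match: Optional[Sainfo] = None
    fell_back_to_anonymous: bool = False


def _same_selector(candidate: str, requested: str) -> bool:
    """True when a sainfo selector is the same network as the requested one.
    ANONYMOUS is the catch-all and never counts as a specific match."""
    if candidate.upper() == "ANONYMOUS":
        return False
    try:
        return (ipaddress.ip_network(candidate, strict=False)
                == ipaddress.ip_network(requested, strict=False))
    except ValueError:
        return False


def diagnose(log_text: str) -> Diagnosis:
    """Walk the log once, collect the evaluated sainfos and the requested selector."""
    d = Diagnosis()
    for line in log_text.splitlines():
        if FAIL_RE.search(line):
            d.negotiation_failed = True
        m = NOCONF_RE.search(line)
        if m:
            d.missing_peer = m.group(1)
        m = SAINFO_RE.search(line)
        if m:
            d.candidates.append(Sainfo(m.group(1), m.group(2), m.group(3), int(m.group(4))))
        m = REQUEST_RE.search(line)
        if m:
            d.request = (m.group(1), m.group(2), int(m.group(3)))
        if ANON_RE.search(line):
            d.fell_back_to_anonymous = True
    if d.request:
        loc, rmt, _ = d.request
        for c in d.candidates:
            if _same_selector(c.loc, loc) and _same_selector(c.rmt, rmt):
                d.exact_match = c
                break
    return d


def explain(d: Diagnosis) -> List[str]:
    """Turn the parsed facts into plain-language findings; empty list means nothing wrong."""
    findings = []
    if d.negotiation_failed:
        findings.append("racoon could not start a Phase 2 (IPsec SA) negotiation")
    if d.missing_peer:
        findings.append(f"no remote (Phase 1) configuration matched peer {d.missing_peer}")
    if d.request and not d.exact_match:
        loc, rmt, _ = d.request
        specific = [f"{c.loc}<->{c.rmt} (id={c.id})"
                    for c in d.candidates if c.loc.upper() != "ANONYMOUS"]
        findings.append(f"no Phase 2 entry for {loc}<->{rmt}; configured: {', '.join(specific)}")
    if d.fell_back_to_anonymous:
        findings.append("racoon fell back to the anonymous (mobile client) configuration")
    return findings


if __name__ == "__main__":
    for finding in explain(diagnose(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the output of racoon's debug mode (or the pfSense IPsec log) and it tells you which local/remote network pair racoon was trying to protect and which Phase 2 entries it actually had to choose from; when the requested pair is not in that list, the fix is on the Phase 2 side of the tunnel definition rather than in the mobile client settings.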
-
I've checked out the bug reports and haven't found any information that helped. I've also been through the recommendations listed on http://forum.pfsense.org/index.php?topic=46917.0. Still haven't found anything that works. While digging around and trying out different settings I have noticed a couple of other things though.
When I tell the Cisco wireless router to connect it shows a status of up. I can see the connection initialized in the IPsec logs on my pfSense box. But if I look in my state table I don't see the client listed as I do with my other VPN tunnels that are working. Also, when looking under the system logs I see the following error: "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Mobile Client Access'".