    Pfsense 2.2.2 -> cisco rv042

8 Posts 3 Posters 4.5k Views
thepluralevan:

      Hey guys, looking to get some help setting up an IPSEC tunnel from a pfSense firewall to a Cisco RV042 Small Business Router. I was able to find a very old thread (2008) but the imageshack images the responder had posted of his configuration had expired, so maybe you guys can help!

      Here are the relevant configurations from our pfSense box:
      Phase 1:

      Phase 2 :

      And from the Cisco box:

      And the logs from the IPSEC service on pfSense:
```
May 18 18:37:08 charon: 09[ENC] <con1000|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
May 18 18:37:08 charon: 09[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:12 charon: 09[IKE] <con1000|4> sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:12 charon: 09[IKE] <con1000|4> sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:12 charon: 09[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:20 charon: 11[IKE] <con1000|4> sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[IKE] <con1000|4> sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:26 charon: 11[KNL] creating acquire job for policy {{LOCAL IP}}/32|/0 === {{CISCO IP}}/32|/0 with reqid {2}
May 18 18:37:26 charon: 06[CFG] ignoring acquire, connection attempt pending
May 18 18:37:33 charon: 06[IKE] <con1000|4> sending retransmit 3 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[IKE] <con1000|4> sending retransmit 3 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
```

Please note: I changed the IP addresses to {{LOCAL IP}} and {{CISCO IP}} for obvious reasons.

      1 Reply Last reply Reply Quote 0
cmb:

        What do the logs show on the Cisco side? That log snippet just shows it isn't replying, with no means of telling why.

        1 Reply Last reply Reply Quote 0
thepluralevan:

You are correct. The Cisco side was behaving very strangely (thought it was online but it didn't respond to pings etc.); rebooting it seemed to fix everything and the tunnel came right up. Feel free to use this config if anyone needs it. I'm going to monitor it today and see if it rekeys and all that, but it looks stable for now.

          Thanks guys!

          1 Reply Last reply Reply Quote 0
thepluralevan:

            Spoke too soon! Looks like I can get from the pfsense side to the cisco side just fine, but coming back the other way does not work. Below are the logs from both devices, you guys got any ideas?

This is what I'm looking at; some of the SAD entries are not found, apparently:

```
May 19 14:07:30 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
```

pfSense:

```
May 19 14:05:38 charon: 09[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (76 bytes)
May 19 14:05:38 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:38 charon: 15[ENC] <con1000|127> parsed QUICK_MODE request 2617592248 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 15[ENC] <con1000|127> generating QUICK_MODE response 2617592248 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 15[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (188 bytes)
May 19 14:05:38 charon: 15[KNL] creating acquire job for policy {{PFSENSE IP}}/32|/0 === {{CISCO IP}}/32|/0 with reqid {1}
May 19 14:05:38 charon: 09[ENC] <con1000|127> generating QUICK_MODE request 2499144683 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 09[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (188 bytes)
May 19 14:05:39 charon: 09[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (60 bytes)
May 19 14:05:39 charon: 09[ENC] <con1000|127> parsed QUICK_MODE request 2617592248 [ HASH ]
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:39 charon: 15[ENC] <con1000|127> parsed QUICK_MODE response 2499144683 [ HASH SA No ID ID ]
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[ENC] <con1000|127> generating QUICK_MODE request 2499144683 [ HASH ]
May 19 14:05:39 charon: 15[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (60 bytes)
May 19 14:07:30 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
May 19 14:10:24 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
May 19 14:16:27 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
```
            1 Reply Last reply Reply Quote 0
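As an added illustration (not code from this thread, from pfSense or from strongSwan), here is a small Python triage of charon log lines that picks out the two patterns the poster hit: Phase 1 requests retransmitted with nothing ever received (the first post), and a SAD query failing for an SPI that belonged to one of two CHILD_SAs established in the same second (this post). The sample lines are constructed from the quoted logs and keep the poster's IP placeholders.

```python
import re
from collections import defaultdict
# Constructed sample lines modelled on the charon output quoted in this thread; not a live capture.
SAMPLE = """\
May 18 18:37:08 charon: 09[ENC] <con1000|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
May 18 18:37:08 charon: 09[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:12 charon: 09[IKE] <con1000|4> sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[IKE] <con1000|4> sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[IKE] <con1000|4> sending retransmit 3 of request message ID 0, seq 1
May 19 14:05:38 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:07:30 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
"""

IKE_SA = re.compile(r"<(?P<sa>[^|>]+\|\d+)>")              # the <conn|ike-sa-id> tag
RETRANSMIT = re.compile(r"sending retransmit (\d+) of request")
RECEIVED = re.compile(r"received packet:")
CHILD_SA = re.compile(r"CHILD_SA (?P<child>\S+\{\d+\}) established with SPIs "
                      r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
SAD_ERROR = re.compile(r"unable to query SAD entry with SPI ([0-9a-f]+)")

def triage(log_text):
    """Group charon lines per IKE_SA and flag the two failure patterns seen in the thread."""
    sas = defaultdict(lambda: {"retransmits": 0, "received": 0, "child_sas": [],
                               "sad_errors": [], "findings": []})
    for line in log_text.splitlines():
        tag = IKE_SA.search(line)
        if not tag:
            continue                      # e.g. KNL acquire jobs carry no <conn|id> tag
        rec = sas[tag["sa"]]
        if (m := RETRANSMIT.search(line)):
            rec["retransmits"] = max(rec["retransmits"], int(m.group(1)))
        elif RECEIVED.search(line):
            rec["received"] += 1
        elif (m := CHILD_SA.search(line)):
            rec["child_sas"].append((m["child"], m["spi_in"], m["spi_out"]))
        elif (m := SAD_ERROR.search(line)):
            rec["sad_errors"].append(m.group(1))
    for sa, rec in sas.items():
        # Pattern 1: the initiator keeps retransmitting and nothing ever comes back.
        if rec["retransmits"] and not rec["received"]:
            rec["findings"].append(
                f"{sa}: {rec['retransmits']} IKE retransmits with no packet received; the peer "
                "is not answering on UDP/500, so check reachability and the peer's own logs")
        # Pattern 2: a SAD query fails for an SPI that belonged to an established CHILD_SA.
        owner = {spi: child for child, spi_in, spi_out in rec["child_sas"]
                 for spi in (spi_in, spi_out)}
        for spi in sorted(set(rec["sad_errors"])):
            rec["findings"].append(
                f"{sa}: SPI {spi} ({owner.get(spi, 'unknown CHILD_SA')}) is gone from the kernel SAD; "
                f"{len(rec['child_sas'])} CHILD_SAs were established on this IKE_SA, so a replaced "
                "duplicate child SA is the usual cause; one-way traffic still points at firewall rules or routing")
    return dict(sas)
```

Feed it the output of the pfSense IPsec log page to get one record per IKE_SA with the findings listed under `findings`.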
thepluralevan:

              Cisco:

```
Jan 1 00:00:12 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jan 1 00:00:12 2010  VPN Log  (g2gips0) #1: ignoring Vendor ID payload [XAUTH]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: ignoring Vendor ID payload [XAUTH]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: received Vendor ID payload [Dead Peer Detection]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: received Vendor ID payload [Dead Peer Detection]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: ignoring Vendor ID payload [Cisco-Unity]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: ignoring Vendor ID payload [Cisco-Unity]
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: Peer ID is ID_IPV4_ADDR: '{{PFSENSE IP}}'
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: ISAKMP SA established
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#1}
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Inbound SPI value = 8647058e
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Inbound SPI value = 8647058e
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Outbound SPI value = c7bc44b7
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Outbound SPI value = c7bc44b7
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: up-client output: iptables: No chain/target/match by that name
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: up-client output: iptables: No chain/target/match by that name
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #2: sent QI2, IPsec SA established {ESP=>0xc7bc44b7 <0x8647058e
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: responding to Quick Mode
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Inbound SPI value = 6e2a6744
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Inbound SPI value = 6e2a6744
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Outbound SPI value = cd66e8c3
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Outbound SPI value = cd66e8c3
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 1 00:00:14 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 1 00:00:15 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 1 00:00:15 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 1 00:00:15 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:15 2010  VPN Log  (g2gips0) #3: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:15 2010  VPN Log  (g2gips0) #3: IPsec SA established {ESP=>0xcd66e8c3 <0x6e2a6744
```
              1 Reply Last reply Reply Quote 0
thepluralevan:

                Here are trace routes from each side; just in case:
                Cisco to Pfsense:

```
Tracing route to 192.168.0.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.10.1
  2    <1 ms    <1 ms    <1 ms  192.168.10.3
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *
```

pfSense to Cisco:

```
Tracing route to 192.168.10.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.0.1
  2    <1 ms    <1 ms    <1 ms  192.168.0.3
  3    57 ms    49 ms    49 ms  192.168.10.1

Trace complete.
```
                

I'll be tinkering with it today; let me know if you guys have any ideas. Here is my current list of possible problems:
1. ACLs on the Cisco side, maybe?
2. The SAD entry not found error
3. The time not being set on the Cisco side (don't know if this matters, but I feel like it should, as it usually does with encryption/authentication)

Thanks again!

                1 Reply Last reply Reply Quote 0
thepluralevan:

                  Update:

                  Got everything working by adding Pass rules to the LAN table on pfSense. Previously, we had 2 pfSense boxes doing this tunnel and we had our ACLs for the vpn exclusively in the IPSEC tab of the firewall rules, moving these rules to the LAN tab seemed to fix the issue.

As it stands I have these rules:

```
LAN - VPN_Addresses -> * PASS
      * -> VPN_Addresses PASS
```

Same on the IPSEC tab.

                  No changes were made to the Cisco side. The configuration above is the one that works.

                  1 Reply Last reply Reply Quote 0
Harry569:

                    Hi,

Can you please help me to configure IPSec between pfSense 2.2.2 and a Cisco RV042?

I have been breaking my head over this for one week trying to figure it out, but no luck :'(.
pfSense is on a Xen VM in a data center. The WAN network is a VLAN (73.241.202.232/29) and the LAN is also a VLAN (172.51.130.160/27).

WAN IP : 73.241.202.238
Gateway (default) : 73.241.202.233
LAN IP : 172.51.130.190 (LAN only)
LANGW : 172.51.130.190 (I made it; I don't know whether it is the correct way or not.) I am using the same LANGW for all LAN.

CISCO RV042

WAN : 35.31.39.153/29
GW : 35.31.39.158
LAN : 192.168.10.0/27
GW : 192.168.10.1

I enabled and created IPSec in pfSense with the settings as you mentioned in your picture, except Negotiation Mode "MAIN". The connection is established but no traffic is going through. From pfSense I am able to ping only the RV042 (no computers). From the Cisco: Destination host not reachable.

I thought it might be an issue with the gateways or firewall rules, but I am not getting anywhere; or is it because of the two different VLANs? Can you please help me to fix this. Thanking you in advance.

                    Thank You,
                    Harry.

                    1 Reply Last reply Reply Quote 0
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.