Netgate Discussion Forum

    VPN IPsec tunnel between pfSense and Cisco RV042G keeps disconnecting

    IPsec
    19 Posts 3 Posters 3.5k Views
      nasolsi

      Hi Support,

      I need your help.

      I've recently configured pfSense v2.4.1-RELEASE (amd64) for a VPN IPsec site-to-site tunnel to a Cisco RV042G in Gateway mode, but unfortunately it didn't work out as expected, and I was not sure whether the VPN issue was caused by the pfSense or the Cisco side. Finally I successfully managed to establish a VPN connection from pfSense to Cisco by changing IKE from v2 to v1 on pfSense, as Cisco appeared to use IKEv1 by default.
      The VPN IPsec tunnel had been up for the last two days and it went down an hour ago. I did try to reconnect it from pfSense but it didn't work out.
      What is really interesting to me is that the VPN status appears connected on the Cisco router (note: I did try to disconnect it on the Cisco router a few times but to no avail, as it keeps coming up as connected) and disconnected on pfSense, and still no system, firewall or IPsec logs came up on pfSense.
      I've also tried restarting the IPsec service on pfSense and then reconnecting it again, but it didn't make any difference.
      Now the VPN appears connected on Cisco and disconnected on pfSense.
      Attached are some of the VPN logs taken from the Cisco router.

      Any help will be really appreciated.
      ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)

        gajimenez

        I had the same problem with pfSense, and I had to disable the VPN for 10 or 15 minutes in the IPsec section, check in the Status > IPsec page that it no longer shows, and then enable the VPN again.

          nasolsi

          Hi gajimenez,

          Thank you for your quick response.

          Unfortunately disabling VPN IPsec on pfSense for 10-15 mins didn't work out for me. I've also tried to disconnect VPN IPsec from Cisco after I disabled VPN IPsec on pfSense, but to no avail, as the VPN status kept coming up as connected on the Cisco firewall.
          I've also checked the VPN logs on Cisco and the same logs came up again:
          Oct 30 10:27:08 2017 VPN Log (g2gips3) #12076: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: responding to Quick Mode 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2. 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2. 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1 
          Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1 
          Oct 30 10:26:56 2017 VPN Log packet from 78.130.146….:500: ignoring informational payload, type AUTHENTICATION_FAILED

          And again no system, firewall, IPsec or VPN logs were found on pfSense.

          I don't know where else to look.

          Any further help will be really appreciated.

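Added example, not code from the thread, Netgate or Cisco: a small parser for the RV042G "VPN Log" lines quoted above that flags which IKEv1 phase stalled and decodes the negotiated ESP transforms. The sample log is reconstructed from the post with a placeholder peer address (203.0.113.10, TEST-NET-3), and the esp_* decode assumes the IANA ISAKMP IPsec-DOI transform identifiers.

```python
import re

# Constructed sample modelled on the RV042G "VPN Log" lines quoted in the post;
# the peer address is a documentation-range placeholder, not the poster's WAN IP.
SAMPLE_LOG = """\
Oct 30 10:27:08 2017 VPN Log (g2gips3) #12076: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1
Oct 30 10:26:56 2017 VPN Log packet from 203.0.113.10:500: ignoring informational payload, type AUTHENTICATION_FAILED
"""

# One line = timestamp, optional "(connection) #SA-number:" prefix, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) VPN Log "
                     r"(?:\((?P<conn>[^)]+)\) #(?P<sa>\d+): )?(?P<msg>.*)$")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-f]+)")
ESP_RE = re.compile(r"esp_ealg_id=(\d+)-\d+,\s*esp_ealg_keylen=\d+,\s*key_len=(\d+),\s*esp_aalg_id=(\d+)")
# IANA ISAKMP IPsec-DOI identifiers carried in the esp_* fields (ESP transform / auth algorithm).
ESP_ENC = {2: "DES", 3: "3DES", 12: "AES-CBC"}
ESP_AUTH = {1: "HMAC-MD5", 2: "HMAC-SHA1"}


def parse_log(text):
    """Split raw RV042G VPN log text into one dict per recognised line."""
    return [m.groupdict() for m in (LINE_RE.match(ln.strip()) for ln in text.splitlines()) if m]


def diagnose(records):
    """Pull out the facts that matter when an IKEv1 tunnel will not come up."""
    out = {"phase1_auth_failure": False, "phase2_timeout": False, "spi": {}, "esp_proposal": None}
    for r in records:
        msg = r["msg"]
        # Main Mode stalled at I3 or the peer sent AUTHENTICATION_FAILED: the usual
        # symptom of a PSK, peer-identifier or main/aggressive mode mismatch in Phase 1.
        if "STATE_MAIN_I3" in msg or "AUTHENTICATION_FAILED" in msg:
            out["phase1_auth_failure"] = True
        # Responder kept retransmitting Quick Mode packet 2 with no answer: Phase 2 never
        # completed, so compare ESP proposal, PFS setting and the local/remote subnets.
        if "STATE_QUICK_R1" in msg and "retransmissions" in msg:
            out["phase2_timeout"] = True
        spi = SPI_RE.search(msg)
        if spi:
            out["spi"][spi.group(1).lower()] = spi.group(2)
        alg = ESP_RE.search(msg)
        if alg:
            enc, klen, auth = (int(g) for g in alg.groups())
            out["esp_proposal"] = (ESP_ENC.get(enc, f"id {enc}"), klen, ESP_AUTH.get(auth, f"id {auth}"))
    return out


def hints(findings):
    """Checks a defender would make on both peers, derived from the findings."""
    h = []
    if findings["phase1_auth_failure"]:
        h.append("Phase 1: compare pre-shared key, identifiers and main/aggressive mode on both ends.")
    if findings["phase2_timeout"]:
        h.append("Phase 2: compare ESP proposal, PFS setting and local/remote subnets.")
    return h
```

Running `hints(diagnose(parse_log(SAMPLE_LOG)))` on the reconstructed lines reports both phases, which matches the later finding in the thread that the two peers disagreed on main versus aggressive mode and on PFS.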
            nasolsi

            As you can see there were no VPN logs from today, 31/10/17, on Cisco.

              nasolsi

              Hi Support,

              I've deleted the whole VPN IPsec configuration on both pfSense and Cisco and re-created it again, but it didn't work.
              When I first got it configured I managed to get the VPN IPsec tunnel up and running for 2 days, but now I can see no way of making that happen.

              Please advise me on that.

              Thank you in advance.

                nasolsi

                Hi Support,

                Is there anyone else from the pfSense support community who can help us with that issue?

                As I said before, when I first got VPN IPsec configured I managed to get the VPN IPsec tunnel up and running for 2 days, and then on 30/10/17 it went down and has never come back up since.
                There haven't been any firewall, IPsec or VPN logs on pfSense despite multiple attempts at a VPN connection, deleting and recreating the whole VPN IPsec config, and creating firewall rules.
                There haven't been any new VPN logs on Cisco for the last two days (the latest VPN logs are from 30/10/17, when the VPN IPsec tunnel went down and never came back up). The VPN status on the Cisco RV042G is still coming up as connected, but unfortunately no VPN connection is established from pfSense to Cisco (see attached screenshot).

                Attached are files with the VPN IPsec config on pfSense and Cisco and the latest Cisco VPN logs.

                Any further help will be really appreciated.

                Thank you in advance.

                ![Cisco RV042G 1.PNG](/public/imported_attachments/1/Cisco RV042G 1.PNG)
                ![Cisco RV042G 2.PNG](/public/imported_attachments/1/Cisco RV042G 2.PNG)
                ![Cisco-pfSense VPN.PNG](/public/imported_attachments/1/Cisco-pfSense VPN.PNG)
                ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)
                ![pfSense phase1.PNG](/public/imported_attachments/1/pfSense phase1.PNG)
                ![pfSense phase2.PNG](/public/imported_attachments/1/pfSense phase2.PNG)

                  Derelict LAYER 8 Netgate

                  What is Status > System Logs, IPsec showing. Anything interesting?

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    nasolsi

                    Hi Derelict,

                    Thank you for your quick response.

                    As I mentioned before, there have never been any IPsec, firewall or VPN logs on pfSense since it was installed and configured, or when the VPN connection between pfSense and Cisco was established, despite the checkbox to log packets being ticked for these firewall and IPsec rules.

                      Derelict LAYER 8 Netgate

                      Not sure where you expect us to go from there. Have you asked Cisco?

                      Logging packets has absolutely nothing to do with Status > System Logs, IPsec.

                        nasolsi

                        Yes, I did log a call with Cisco and I'm still waiting for their reply.

                        What's really interesting to me is how the VPN status still appears as ''connected'' on the Cisco side when no VPN connection is established from pfSense to Cisco.
                        I've been struggling to figure out where the problem lies: on the Cisco or the pfSense side.

                        ![Cisco-pfSense VPN.PNG](/public/imported_attachments/1/Cisco-pfSense VPN.PNG)

                          nasolsi

                          Hi again,

                          Just to let you know that I received a reply from Cisco support saying that, based on the provided screenshot, they can see on Cisco that I set up aggressive mode while pfSense is in main mode. On Cisco, PFS isn't activated, while on pfSense it seems to be. All the rest seems to be OK.

                          I did set aggressive mode on both pfSense and Cisco and gave it a test, and as a result it didn't work out. Then I set main mode on both and tested it again, and it didn't work either.

                          I don't know what else to try.

                          I've run out of ideas.

                          Thank you for your help.

                            nasolsi

                            Hi Support,

                            Let me give you a brief update on what happened on Friday 3/11/17. I first rebooted the Cisco RV042G firewall/VPN and tried the VPN connection from pfSense, and as a result the VPN connection between pfSense and Cisco got established, but unfortunately it didn't last long and got dropped again.
                            Attached are the latest Cisco VPN logs taken after the VPN connection got dropped.
                            Hope these logs will help you a bit to figure it out.

                            Thank you in advance.

                            ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)

                              Derelict LAYER 8 Netgate

                              You keep posting Cisco logs to a pfSense forum. Where are the pfSense logs?

                                nasolsi

                                Hi Derelict,

                                That's why I keep asking myself where the pfSense logs are.

                                As said before, there haven't been any pfSense firewall/IPsec/VPN logs in Status > System Logs since I got it configured, or when the VPN connection was temporarily established. System logs are also turned on.

                                Could you please let me know where else to look so I can provide you with the pfSense logs.

                                Thank you in advance.

                                  Derelict LAYER 8 Netgate

                                  By default they are there. Hard to say if someone changed the defaults.

                                  Someone could have disabled the logs in Status > System Logs, Settings. There is a checkbox there to disable local logging. That page will also tell you if the logs are being sent to an external syslog server.

                                    nasolsi

                                    Attached are the current pfSense logging settings.

                                    Just to let you know that I've successfully configured OpenVPN on pfSense and managed to establish an OpenVPN connection to pfSense from my Win 10 machine. I checked the OpenVPN status and as a result my client connection came up, but no OpenVPN logs were displayed (see screenshot).

                                    ![pfSense logging 1.PNG](/public/imported_attachments/1/pfSense logging 1.PNG)
                                    ![pfSense logging 2.PNG](/public/imported_attachments/1/pfSense logging 2.PNG)
                                    ![pfSense logging 3.PNG](/public/imported_attachments/1/pfSense logging 3.PNG)

                                      Derelict LAYER 8 Netgate

                                      That is strange. I would try resetting log files. If you are on pfSense 2.4.0 I would upgrade to 2.4.1 and reset log files.

                                        nasolsi

                                        Hi Derelict,

                                        Sorry for my delay.

                                        Let me give you an update on this.

                                        My pfSense was already upgraded to the 2.4.1-RELEASE (amd64) version.

                                        Finally I've managed to establish the VPN IPsec tunnel by changing the negotiation mode from main to aggressive on pfSense, as Cisco's negotiation mode was also set to aggressive, and after restarting both devices. I've tried that before and it didn't work, but it suddenly started working now; I'm not sure how long the VPN is going to stay up and running (note: the VPN connection has so far been up and running for more than 2 hours).
                                        Another problem has followed since the VPN IPsec tunnel was established: there is no ping or any packets going through the tunnel. I cannot ping or RDP to the remote LAN, or the other way back.
                                        Here are the ping results:
                                        pfSense side:
                                        pfSense WAN - Cisco WAN - ping test successful, 0% packets lost
                                        pfSense LAN - Cisco WAN IP - ping test successful, 0% packets lost
                                        pfSense LAN - Cisco LAN IP - variable - ping test either failed with 100% packets lost or successful with 0% packets lost

                                        Cisco side:
                                        Cisco WAN - pfSense WAN IP - ping test successful, 0% packets lost
                                        Cisco LAN - pfSense LAN IP - variable - ping test either failed with 100% packets lost or successful with 0% packets lost, or partial 25%/75% packets lost

                                        Am I missing any firewall rules?
                                        What should I do next?

                                          Derelict LAYER 8 Netgate

                                          If it works unreliably it is not firewall rules.

                                          Hard to say here what needs to be done on the Cisco side to allow pings to its LAN address.

                                          If your pfSense firewall rules on LAN allow traffic to the remote network and the IPsec tunnel is up, that is all that needs to be done.

                                          Rules allowing connections from the remote network go on the IPsec tab.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.