IPsec VPN doesn't work with Cisco router



  • Hi everybody,

    I have a problem connecting a VPN between my pfSense and a Cisco router that I don't control (just email with the partner).

    We agreed on the configuration of our equipment but the VPN doesn't come up.
    When I initiate the connection I have this log on my pfSense:
    Oct 9 19:09:07 charon 13[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:09:03 charon 03[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:09:03 charon 03[IKE] <con1|8044>initiating IKE_SA con1[8044] to 193.252.25.228
    Oct 9 19:07:47 charon 03[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:07:05 charon 09[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:06:42 charon 14[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:06:29 charon 11[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:06:22 charon 15[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:06:18 charon 15[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:06:18 charon 15[IKE] <con1|8044>initiating IKE_SA con1[8044] to 193.252.25.228
    Oct 9 19:06:09 charon 14[CFG] loaded IKE secret for %any 193.252.25.228
    Oct 9 19:06:04 charon 06[CFG] loaded IKE secret for %any 193.252.25.228
    Oct 9 19:05:55 charon 06[CFG] loaded IKE secret for %any 193.252.25.228
    Oct 9 19:05:23 charon 10[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:04:41 charon 13[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:04:17 charon 13[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:04:04 charon 13[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:03:57 charon 13[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:03:53 charon 09[NET] <con1|8041>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
    Oct 9 19:03:53 charon 09[IKE] <con1|8041>initiating IKE_SA con1[8041] to 193.252.25.228

    I think the remote Cisco router doesn't reply to my request, but I'm not certain (and the partner doesn't send me their logs).

    The VPN connection is configured with:
    Phase 1

    • IKEv2
    • Mutual PSK
    • Same algorithms on each router

    Phase 2

    • Mode : Tunnel IPv4
    • ESP
    • Same SA/Key Exchange on each router

    My pfSense is on version 2.3.4-RELEASE-p1

    For you, community, what are the elements to verify in order to troubleshoot my VPN?

    Thank you,
    Regards
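    The log above shows the pattern worth recognising in charon output: an IKE_SA that only ever logs "sending packet" and never "received packet" is retransmitting IKE_SA_INIT into silence. The script below is an added example (not from this thread or from pfSense) that groups charon lines per IKE_SA and flags the ones with no reply; the sample log reuses lines quoted above for SA con1|8044 and adds a constructed healthy SA (con1|9000, peer 198.51.100.7) for contrast.

```python
import re

# Added example: charon lines quoted from the thread above (SA con1|8044, which never
# gets a reply) plus a constructed healthy SA (con1|9000, peer 198.51.100.7) for contrast.
SAMPLE_LOG = """\
Oct 9 19:06:09 charon 14[CFG] loaded IKE secret for %any 193.252.25.228
Oct 9 19:06:18 charon 15[IKE] <con1|8044>initiating IKE_SA con1[8044] to 193.252.25.228
Oct 9 19:06:18 charon 15[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
Oct 9 19:06:22 charon 15[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
Oct 9 19:06:29 charon 11[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
Oct 9 19:06:42 charon 14[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500] (584 bytes)
Oct 9 19:10:00 charon 07[IKE] <con1|9000>initiating IKE_SA con1[9000] to 198.51.100.7
Oct 9 19:10:00 charon 07[NET] <con1|9000>sending packet: from 192.168.250.17[500] to 198.51.100.7[500] (584 bytes)
Oct 9 19:10:00 charon 07[NET] <con1|9000>received packet: from 198.51.100.7[500] to 192.168.250.17[500] (472 bytes)
"""

# A charon line carrying an IKE_SA prefix <conn|id>; CFG lines without one are skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[\w+\] "
                     r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)$")
PEER_RE = re.compile(r" to (\d+(?:\.\d+){3})\[\d+\]")


def analyse(log_text):
    """Per IKE_SA (keyed by (conn, id)): packets sent, packets received, peer address."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats.setdefault((m["conn"], int(m["sa"])), {"sent": 0, "received": 0, "peer": None})
        if m["msg"].startswith("sending packet"):
            s["sent"] += 1
            peer = PEER_RE.search(m["msg"])
            s["peer"] = peer.group(1) if peer else s["peer"]
        elif m["msg"].startswith("received packet"):
            s["received"] += 1
    return stats


def silent_peers(stats, min_sends=3):
    """SAs that (re)sent IKE_SA_INIT at least min_sends times and never heard back:
    the peer, or the NAT device in front of it, is not answering UDP/500."""
    return sorted(k for k, s in stats.items() if s["received"] == 0 and s["sent"] >= min_sends)

if __name__ == "__main__":
    st = analyse(SAMPLE_LOG)
    for conn, sa in silent_peers(st):
        s = st[(conn, sa)]
        print(f"{conn}[{sa}] -> {s['peer']}: {s['sent']} sent, 0 received; "
              "verify the peer sees your public IP and that UDP/500 (and 4500) pass the NAT")
```

    On a pfSense box the same logic can be pointed at the IPsec log instead of SAMPLE_LOG; an SA listed by silent_peers() means the problem is on the path or at the peer, not in your phase 1 proposal, since a mismatched proposal would still produce a received NO_PROPOSAL_CHOSEN reply.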



  • @Mordi33:

    Oct 9 19:07:47 charon 03[NET] <con1|8044>sending packet: from 192.168.250.17[500] to 193.252.25.228[500]

    The fact that you are sending from a private address space probably isn't helping.



  • That's right!
    In my configuration I have a second router between my pfSense and the Internet. (This router will be removed in the 1st quarter of 2018.) So I have a private network to connect them.

    I have another VPN which connects to another ZyXEL router (which I control) and that VPN works correctly.

    Is it a problem to use a private address to initiate a VPN connection while my second router changes this private IP to a public IP (known by the remote router)?



  • Trying to run an IPsec tunnel through a NATted private address makes things more difficult. Make sure the identifiers reference the public IP, and hope the router in front is passing all traffic. Beyond that, I can't help much. I try to avoid double-NAT situations.



  • I have good news: the VPN connection is now up.
    For feedback, my problem was that my peer's router is in the same situation as mine (another router is in front of the Internet and the VPN router is behind it).
    So, when I configured my VPN I had entered the public IP to identify the remote router, but with the private IP the VPN works correctly. [The remote router doesn't modify its identity IP.]

    Thanks for your help.