VPN IPsec tunnel between pfSense and Cisco RV042G keeps disconnecting



  • Hi Support,

    I need your help.

    I've recently configured pfSense v2.4.1-RELEASE (amd64) for a VPN IPsec site-to-site tunnel to a Cisco RV042G in Gateway mode, but unfortunately it didn't work as expected, and I was not sure whether the VPN issue was caused by the pfSense or the Cisco side. Finally I managed to establish the VPN connection from pfSense to Cisco by changing IKE from v2 to v1 on pfSense, as the Cisco appeared to use IKEv1 by default.
    The VPN IPsec tunnel had been up for the last two days and it went down an hour ago. I tried to reconnect it from pfSense but it didn't work.
    What is really interesting to me is that the VPN status appears connected on the Cisco router (note: I tried to disconnect it on the Cisco router a few times but to no avail, as it keeps coming up as connected) and disconnected on pfSense, and still no system, firewall or IPsec logs came up on pfSense.
    I've also tried restarting the IPsec service on pfSense and then reconnecting it again, but it didn't make any difference.
    Now the VPN appears connected on Cisco and disconnected on pfSense.
    Attached are some of the VPN logs taken from the Cisco router.

    Any help will be really appreciated.
    ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)



  • I had the same problem with pfSense, and I had to disable the VPN for 10 or 15 minutes in the IPsec section, check on the Status > IPsec page that it no longer shows, and then enable the VPN again.



  • Hi gajimenez,

    Thank you for your quick response.

    Unfortunately disabling VPN IPsec on pfSense for 10-15 mins didn't work for me. I've also tried to disconnect the VPN IPsec from the Cisco while VPN IPsec was disabled on pfSense, but to no avail, as the VPN status kept coming up as connected on the Cisco firewall.
    I've also checked the VPN logs on the Cisco and the same logs came up:
    Oct 30 10:27:08 2017 VPN Log (g2gips3) #12076: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Outbound SPI value = 34591ed1 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] Inbound SPI value = 56dd62df 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: responding to Quick Mode 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2. 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2. 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1 
    Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1 
    Oct 30 10:26:56 2017 VPN Log packet from 78.130.146….:500: ignoring informational payload, type AUTHENTICATION_FAILED

    And again, no system, firewall, IPsec or VPN logs were found on pfSense.

    I don't know where else to look.

    Any further help will be really appreciated.

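The Cisco lines above are in the format of pluto, the IKEv1 daemon the RV042G derives from, and they say more than "disconnected": a retransmit limit at STATE_MAIN_I3 means the initiator's first encrypted main-mode packet (ID + HASH) was never answered, a limit at STATE_QUICK_R1 means the responder sent the second quick-mode packet and never got the third, and the esp_* line is the ESP proposal actually agreed. The script below, added here as an example and not code from the thread or from pfSense/Cisco, parses a subset of those lines (embedded as constructed input, with the peer address elided as in the post), collapses the duplicated lines the router prints, decodes the IANA transform IDs, and reports which phase stalled and what to compare first. The interpretations of the state names are general IKEv1 knowledge, not something the thread states.

```python
"""Triage of pluto-style IKEv1 log lines such as the RV042G prints.

Added example, not code from the thread. The sample below is a subset of
the Cisco lines quoted above, embedded as constructed input so the script
runs offline; the peer address is elided exactly as it is in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Oct 30 10:27:08 2017 VPN Log (g2gips3) #12076: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted
Oct 30 10:27:01 2017 VPN Log (g2gips3) #10601: Informational Exchange message must be encrypted
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12081: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=2-2.
Oct 30 10:27:01 2017 VPN Log (g2gips3) #12075: max number of retransmissions (2) reached STATE_QUICK_R1
Oct 30 10:26:56 2017 VPN Log packet from 78.130.146….:500: ignoring informational payload, type AUTHENTICATION_FAILED
"""

# "<timestamp> VPN Log [(conn)] [#sa:] message"; the last sample line has neither conn nor SA number.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) VPN Log "
    r"(?:\((?P<conn>[^)]+)\) )?(?:#(?P<sa>\d+): )?(?P<msg>.*?)\s*$"
)
ESP_RE = re.compile(
    r"esp_ealg_id=(\d+)-\d+,esp_ealg_keylen=(\d+), key_len=(\d+),esp_aalg_id=(\d+)-\d+"
)
# IANA IPsec DOI (RFC 2407) transform identifiers used in the esp_* line.
ESP_ENCR = {2: "DES", 3: "3DES", 11: "NULL", 12: "AES-CBC"}
ESP_AUTH = {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256", 7: "HMAC-SHA2-512"}

Event = Dict[str, Optional[str]]
Finding = Tuple[str, Optional[str], str]   # (category, SA number, explanation)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_events(text: str) -> List[Event]:
    """Parse every line and collapse consecutive verbatim repeats (the router logs most lines twice)."""
    events: List[Event] = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if events and events[-1]["sa"] == ev["sa"] and events[-1]["msg"] == ev["msg"]:
            continue
        events.append(ev)
    return events


def triage(text: str) -> List[Finding]:
    """Map the interesting pluto messages to which IKEv1 phase failed and what to check."""
    findings: List[Finding] = []
    for ev in parse_events(text):
        sa, msg = ev["sa"], ev["msg"] or ""
        stalled = re.search(r"max number of retransmissions.*reached (STATE_\w+)", msg)
        if stalled:
            state = stalled.group(1)
            if state == "STATE_MAIN_I3":
                # MM5, the first encrypted packet (ID + HASH), went unanswered: wrong PSK,
                # wrong identifier, or the peer is not in main mode at all.
                findings.append(("phase1", sa, f"initiator gave up at {state}: peer never answered our ID/HASH; check PSK, identifiers and exchange mode"))
            elif state.startswith("STATE_MAIN_I") or state.startswith("STATE_AGGR_I"):
                findings.append(("phase1", sa, f"initiator gave up at {state}: no reply to a phase 1 packet; check UDP/500 reachability and proposals"))
            elif state.startswith("STATE_QUICK_R"):
                # Responder sent QM2 and never saw QM3: initiator rejected the phase 2 proposal or the packet was lost.
                findings.append(("phase2", sa, f"responder gave up at {state}: initiator never completed quick mode; compare ESP proposals, PFS and traffic selectors"))
            else:
                findings.append(("stalled", sa, f"retransmit limit reached at {state}"))
        elif "AUTHENTICATION_FAILED" in msg:
            findings.append(("auth_failed", sa, "peer sent an AUTHENTICATION_FAILED notify: it rejected our phase 1 authentication"))
        elif "Informational Exchange message must be encrypted" in msg:
            findings.append(("unencrypted_notify", sa, "an informational message (notify/delete) arrived in the clear and was dropped; the peer most likely has no ISAKMP SA matching ours"))
        else:
            esp = ESP_RE.search(msg)
            if esp:
                enc_id, _, key_len, auth_id = (int(x) for x in esp.groups())
                enc = ESP_ENCR.get(enc_id, f"encr#{enc_id}")
                auth = ESP_AUTH.get(auth_id, f"auth#{auth_id}")
                findings.append(("proposal", sa, f"phase 2 proposal in use: ESP {enc} (key_len={key_len}) with {auth}"))
    return findings


if __name__ == "__main__":
    for category, sa, why in triage(SAMPLE_LOG):
        print(f"{category:18s} SA#{sa or '-':6s} {why}")
```

Run on the sample it reports phase 1 stalled on SA #12076, an unencrypted notify dropped, the agreed proposal as ESP 3DES (key_len=192) with HMAC-SHA1, phase 2 stalled on SA #12075, and the AUTHENTICATION_FAILED notify from the peer. Note the log is newest-first, so read the findings bottom-up: the peer rejected authentication, then a quick mode died, then a fresh phase 1 died at MM5, which is the pattern of two sides that no longer agree on phase 1 parameters.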


  • As you can see there were no VPN logs from today, 31/10/17, on the Cisco.



  • Hi Support,

    I've deleted the whole VPN IPsec configuration on both pfSense and Cisco and re-created it, but it didn't work.
    When I first configured it I managed to get the VPN IPsec tunnel up and running for 2 days, but now I can see no way of that happening.

    Please advise me on that.

    Thank you in advance.



  • Hi Support,

    Is there anyone else from the pfSense support community who can help us with this issue?

    As I said before, when I first configured VPN IPsec I managed to get the tunnel up and running for 2 days, and then on 30/10/17 it went down and has never come back up since.
    There haven't been any firewall, IPsec or VPN logs on pfSense despite multiple attempts at VPN connection, deleting and recreating the whole VPN IPsec config, and creating firewall rules.
    There haven't been any new VPN logs on the Cisco for the last two days (the latest VPN logs are from 30/10/17, when the VPN IPsec tunnel went down and never came back up). The VPN status on the Cisco RV042G still comes up as connected, but unfortunately no VPN connection is established from pfSense to Cisco (see attached screenshot).

    Attached are files with the VPN IPsec config on pfSense and Cisco and the latest Cisco VPN logs.

    Any further help will be really appreciated.

    Thank you in advance.

    ![Cisco RV042G 1.PNG](/public/imported_attachments/1/Cisco RV042G 1.PNG)
    ![Cisco RV042G 2.PNG](/public/imported_attachments/1/Cisco RV042G 2.PNG)
    ![Cisco-pfSense VPN.PNG](/public/imported_attachments/1/Cisco-pfSense VPN.PNG)
    ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)
    ![pfSense phase1.PNG](/public/imported_attachments/1/pfSense phase1.PNG)
    ![pfSense phase2.PNG](/public/imported_attachments/1/pfSense phase2.PNG)


  • LAYER 8 Netgate

    What is Status > System Logs, IPsec showing. Anything interesting?



  • Hi Derelict,

    Thank you for your quick response.

    As I mentioned before, there have never been any IPsec, firewall or VPN logs on pfSense since it was installed and configured, or when the VPN connection between pfSense and Cisco was established, despite the checkbox to log packets being ticked for these firewall and IPsec rules.


  • LAYER 8 Netgate

    Not sure where you expect us to go from there. Have you asked Cisco?

    Logging packets has absolutely nothing to do with Status > System Logs, IPsec.



  • Yes, I did log a call with Cisco and am still waiting for their reply.

    What's really interesting to me is how the VPN status still appears as ''connected'' on the Cisco side when no VPN connection is established from pfSense to Cisco.
    I've been struggling to figure out where the problem lies: on the Cisco or the pfSense side.

    ![Cisco-pfSense VPN.PNG](/public/imported_attachments/1/Cisco-pfSense VPN.PNG)



  • Hi again,

    Just to let you know that I received a reply from Cisco support saying that, based on the provided screenshot, they can see that on the Cisco I set up aggressive mode while pfSense is in main mode. On the Cisco, PFS isn't activated, while on pfSense it seems to be. All the rest seems to be OK.

    I set aggressive mode on both pfSense and Cisco and tested it, and it didn't work. Then I set main mode on both and tested it again, and it didn't work either.

    I don't know what else to try.

    I've run out of ideas.

    Thank you for your help.

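The two differences Cisco support spotted by eye, exchange mode and PFS, are exactly the kind of phase 1 / phase 2 parameter mismatch that makes IKEv1 fail silently on one side and look "connected" on the other. The script below, added as an example and not code from the thread, pfSense or Cisco, puts both peers' settings side by side and lists every reason they cannot reliably negotiate: IKE version, exchange mode, authentication method and PSK, identifiers (each side's local ID must be what the other expects), at least one common phase 1 and phase 2 proposal, matching PFS, and mirrored traffic selectors. The two Peer values are hypothetical (the real settings exist only in the screenshots, which are not on the page), using RFC 5737 documentation addresses and a placeholder PSK.

```python
"""Compatibility check of two IKEv1 site-to-site peers' phase 1/2 settings.

Added example, not code from the thread. The two Peer values are hypothetical
(the real settings are only in the screenshots, which are not on the page);
the check automates what Cisco support compared by eye: exchange mode and PFS.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

P1Proposal = Tuple[str, str, int]   # (encryption, hash, DH group)
P2Proposal = Tuple[str, str]        # (ESP encryption, ESP authentication)


@dataclass(frozen=True)
class Peer:
    name: str
    ike_version: int
    mode: str            # "main" or "aggressive"
    auth: str            # "psk" or "cert"
    psk: str
    local_id: str        # identifier this peer sends
    remote_id: str       # identifier it expects from the other side
    p1: Set[P1Proposal]
    p2: Set[P2Proposal]
    pfs_group: int       # 0 = PFS off
    local_net: str
    remote_net: str


def _is_ip(s: str) -> bool:
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return every reason these two configurations cannot (reliably) build a tunnel."""
    problems: List[str] = []
    if a.ike_version != b.ike_version:
        problems.append(f"IKE version mismatch: {a.name} v{a.ike_version}, {b.name} v{b.ike_version}")
    if a.mode != b.mode:
        problems.append(f"phase 1 exchange mode mismatch: {a.name} {a.mode}, {b.name} {b.mode}")
    if a.auth != b.auth:
        problems.append(f"authentication method mismatch: {a.name} {a.auth}, {b.name} {b.auth}")
    elif a.auth == "psk":
        if a.psk != b.psk:
            problems.append("pre-shared keys differ")
        # RFC 2409: with PSK in main mode the responder has to select the key by the
        # peer's IP address, because the ID payload only arrives encrypted (MM5/MM6).
        if a.mode == b.mode == "main" and not (_is_ip(a.local_id) and _is_ip(b.local_id)):
            problems.append("main mode with PSK needs IP-address identifiers on both peers "
                            "(aggressive mode would negotiate, but exposes the PSK hash to offline guessing)")
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        problems.append(f"identifiers do not cross-match: {a.name} sends {a.local_id!r}, {b.name} expects {b.remote_id!r}; "
                        f"{b.name} sends {b.local_id!r}, {a.name} expects {a.remote_id!r}")
    if not (a.p1 & b.p1):
        problems.append("no common phase 1 proposal (encryption, hash, DH group)")
    if not (a.p2 & b.p2):
        problems.append("no common phase 2 ESP proposal")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name} group {a.pfs_group or 'off'}, {b.name} group {b.pfs_group or 'off'}")
    if ip_network(a.local_net) != ip_network(b.remote_net) or ip_network(a.remote_net) != ip_network(b.local_net):
        problems.append("phase 2 traffic selectors are not mirror images of each other")
    return problems


# Hypothetical settings: RFC 5737 documentation addresses and a placeholder PSK, not the poster's values.
PFSENSE = Peer(
    name="pfSense", ike_version=1, mode="main", auth="psk", psk="example-psk-not-real",
    local_id="203.0.113.10", remote_id="198.51.100.20",
    p1={("aes256", "sha1", 5)}, p2={("aes256", "sha1")}, pfs_group=5,
    local_net="10.10.0.0/24", remote_net="10.20.0.0/24",
)
RV042G = Peer(
    name="RV042G", ike_version=1, mode="aggressive", auth="psk", psk="example-psk-not-real",
    local_id="198.51.100.20", remote_id="203.0.113.10",
    p1={("aes256", "sha1", 5), ("3des", "sha1", 2)}, p2={("aes256", "sha1"), ("3des", "sha1")}, pfs_group=0,
    local_net="10.20.0.0/24", remote_net="10.10.0.0/24",
)


def aligned_rv042g() -> Peer:
    """The same RV042G settings with the two differences Cisco support pointed at resolved."""
    return replace(RV042G, mode="main", pfs_group=5)


if __name__ == "__main__":
    print("before:", check_pair(PFSENSE, RV042G) or "OK")
    print("after: ", check_pair(PFSENSE, aligned_rv042g()) or "OK")
```

The first call reports the mode mismatch and the PFS mismatch; after aligning the RV042G side it reports nothing. Two caveats a practitioner would add: some responders accept whatever PFS the initiator proposes, so a PFS mismatch may only bite depending on which side initiates, which is one way a tunnel ends up "sometimes up"; and with a pre-shared key, main mode is preferable to aggressive mode, because aggressive mode transmits the PSK-derived hash in the clear and anyone who captures the exchange can attack the key offline.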


  • Hi Support,

    Let me give you a brief update on what happened on Friday 3/11/17. I first rebooted the Cisco RV042G firewall/VPN and tried the VPN connection from pfSense, and the VPN connection between pfSense and Cisco got established, but unfortunately it didn't last long and got dropped again.
    Attached are the latest Cisco VPN logs taken after the VPN connection got dropped.
    I hope these logs will help you figure it out.

    Thank you in advance.

    ![Cisco VPN logs.PNG](/public/imported_attachments/1/Cisco VPN logs.PNG)


  • LAYER 8 Netgate

    You keep posting Cisco logs to a pfSense forum. Where are the pfSense logs?



  • Hi Derelict,

    That's why I keep asking myself where the pfSense logs are.

    As said before, there haven't been any pfSense firewall/IPsec/VPN logs in Status > System Logs since I configured it, or when the VPN connection was temporarily established. System logs are also turned on.

    Could you please let me know where else to look so I can provide you with pfSense logs.

    Thank you in advance.


  • LAYER 8 Netgate

    By default they are there. Hard to say if someone changed the defaults.

    Someone could have disabled the logs in Status > System Logs, Settings. There is a checkbox there to disable local logging. That page will also tell you if the logs are being sent to an external syslog server.



  • Attached are the current pfSense logging settings.

    Just to let you know that I've successfully configured OpenVPN on pfSense and managed to establish an OpenVPN connection to pfSense from my Win 10 machine. I checked the OpenVPN status and my client connection came up, but no OpenVPN logs were displayed (see screenshot).

    ![pfSense logging 1.PNG](/public/imported_attachments/1/pfSense logging 1.PNG)
    ![pfSense logging 2.PNG](/public/imported_attachments/1/pfSense logging 2.PNG)
    ![pfSense logging 3.PNG](/public/imported_attachments/1/pfSense logging 3.PNG)


  • LAYER 8 Netgate

    That is strange. I would try resetting log files. If you are on pfSense 2.4.0 I would upgrade to 2.4.1 and reset log files.



  • Hi Derelict,

    Sorry for my delay.

    Let me give you an update on this.

    My pfSense was already upgraded to version 2.4.1-RELEASE (amd64).

    Finally I've managed to establish the VPN IPsec tunnel by changing the negotiation mode from main to aggressive on pfSense, as the Cisco's negotiation mode was also set to aggressive, and after restarting both devices. I had tried that before and it didn't work, but it suddenly started working now. I'm not sure how long the VPN is going to stay up and running (note: the VPN connection has so far been up and running for more than 2 hours).
    Another problem followed once the VPN IPsec tunnel was established: there is no ping or any packets going through the tunnel. I cannot ping or RDP to the remote LAN, or the other way back.
    Here are the ping results:
    pfSense side:
    pfSense WAN to Cisco WAN IP: ping test successful, 0% packets lost
    pfSense LAN to Cisco WAN IP: ping test successful, 0% packets lost
    pfSense LAN to Cisco LAN IP: variable; ping test either failed with 100% packets lost or succeeded with 0% packets lost

    Cisco side:
    Cisco WAN to pfSense WAN IP: ping test successful, 0% packets lost
    Cisco LAN to pfSense LAN IP: variable; ping test either failed with 100% packets lost, succeeded with 0% packets lost, or was partial with 25%/75% packets lost

    Am I missing any firewall rules?
    What should I do next?


  • LAYER 8 Netgate

    If it works unreliably it is not firewall rules.

    Hard to say here what needs to be done on the Cisco side to allow pings to its LAN address.

    If your pfSense firewall rules on LAN allow traffic to the remote network and the IPsec tunnel is up, that is all that needs to be done.

    Rules allowing connections from the remote network go on the IPsec tab.

