IPSec VPN from pfSense to Cisco 1941 dropping connection (redacted)



  • Hello, everyone. I recently installed a Netgate SG-3100 device, running pfSense 2.4.4_p2. This box replaced a Cisco 881 ISR that was having issues.
    The Cisco maintained a site-to-site connection to a branch office, and I was able to connect to the remote router, and reconfigure the VPN for our new IPsec VPN connection. After twenty minutes of messing around in Putty, the remote Cisco1941 was configured how I wanted it, I added the pfSense P1 and P2 configurations, and tada! Connection established! ... for 30 seconds. The connection will re-establish itself, but for a maximum of 30 seconds before dropping out and re-establishing again.

    Here is my setup:

    MainOffice(192.168.3.0) --- pfSense(50.196.x.x) ------------ Cisco1941(173.220.x.x ) --- BranchOffice(192.168.16.0)

    Here's the P1/P2 settings on my pfSense:
    0_1547222689854_dc278813-7080-4a2b-9724-b6829f61b037-image.png

    Below is the settings on the Cisco router.

    ```Crypto Map IPv4 "pfsense" 15 ipsec-isakmp
            Peer = 50.196.x.x
            Peer = 96.65.x.x
            Extended IP access list 150
                access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.16.0 0.0.0.255
                access-list 150 permit ip 192.168.16.0 0.0.0.255 192.168.3.0 0.0.0.255
            Current peer: 96.65.x.x
            Security association lifetime: 4608000 kilobytes/28800 seconds
            Responder-Only (Y/N): N
            PFS (Y/N): Y
            DH group:  group2
            Mixed-mode : Disabled
            Transform sets={
                    NEW256:  { esp-256-aes esp-sha-hmac  } ,
            }
            Interfaces using crypto map pfsense:
                    GigabitEthernet0/1
    

    ===

    As you can see above, there are two peers listed. The second peer is an unrelated office of another client, but they also have the same Netgate SG-3100. Mirroring the settings from the first for P1 and P2, however, this unrelated Netgate is able to maintain connection. The only difference I can find between the two boxes is that the one having issues is running pfSense 2.4.4_p2, where as the unrelated-but-working Netgate is running pfSense 2.4.4_p1. I have added the IPSec logs from my non-working device as an attachment, but my questions are this: Does the newest pfSense have an issue with IPSec tunnels, or is there anything in my logs/configs that anyone can find that can tell me what I have misconfigured or need to change in order to get this working? Please let me know if I need to provide more information.

    Thank you,
    Josh

    0_1547225748823_IPSec logs Redacted.txt



  • @thewhitewing01

    Hello again.
    I'll try again to clarify
    Pfsense is also Ikev1 main mode ?
    Cisco Ikev1 quick (aggresive ) mode ?



  • @konstanti Yes to both.



  • @thewhitewing01
    I beg your pardon
    Friday afternoon
    Do not look back
    phase 1 is fine.
    For some reason , problems with the phase 2



  • @thewhitewing01
    Phase2
    if you change the hash algorithm to sha256 on both sides
    will anything change ?



  • @konstanti I will try right now.



  • @konstanti Negative. No change in status. I am confused as to why the second pfSense is able to maintain connection with zero issues while this one cannot, despite using the same settings.



  • @thewhitewing01
    can you send me a picture like this when the connection is established ?
    Ideally, you need pictures from two pfssense

    0_1547233639076_58657f38-1433-465d-9c5f-fcc5aef758a3-image.png



  • @thewhitewing01
    See more here
    I wonder what information is provided by cisco

    https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
    On one of forums I read that the problem can be in mismatch of param
    eters of lifetime pf / Cisco or dpddelay, dpdtimeout pfsense (keepalive Cisco)
    You can try to enable/disable DPD on the cisco side
    For example ,
    crypto isakmp keepalive 10 5 (enable )
    or
    no crypto isakmp keepalive



  • @thewhitewing01
    Even as an option - you're blocking all incoming packets on the ipsec interface or WAN interface (500,4500 udp or ESP) of pfsense is also and cisco believes that PF is not available, and breaks the connection
    What are the rules on IPSEC interface and WAN interface?


  • LAYER 8 Netgate

    Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (380 bytes)
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed QUICK_MODE request 3356035729 [ HASH SA No KE ID ID ]
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> received HASH payload does not match
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> integrity check failed
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> generating INFORMATIONAL_V1 request 3233859265 [ HASH N(INVAL_HASH) ]
    Jan 11 10:21:26 charon 05[NET] <con1000|17> sending packet: from 50.196.x.x[500] to 173.220.x.x[500] (76 bytes)
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> QUICK_MODE request with message ID 3356035729 processing failed
    Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (92 bytes)
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed INFORMATIONAL_V1 request 2703109558 [ HASH D ]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> received DELETE for IKE_SA con1000[17]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> deleting IKE_SA con1000[17] between 50.196.x.x[50.196.x.x]...173.220.x.x[173.220.x.x]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: ESTABLISHED => DELETING
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DELETING
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DESTROYING

    Your side does not like the traffic selector in the P2 being sent by the other side.

    Please send the output from each of these on each node - the one that's working and the one that isn't:

    swanctl --list-conns

    swanctl --list-sas

    cat /var/etc/ipsec/ipsec.conf

    Send them in chat or I can send you a nextcloud upload link.