ipsec site to site vpn



  • I have issues with connecting to RV042G Gigabit Dual WAN VPN Router

    The tunnel is established from pfSense, but I cannot initiate the tunnel from the remote site to the local pfSense site.

    Any ideas? Same config on both sides.


  • LAYER 8 Netgate

    Based on the information given the only idea anyone can have is, "I guess it doesn't work."

    Look at Status > System Logs, IPsec for the times when the remote tries to initiate the connection. Anything interesting there?



  • Hello,

    We are trying to set up a site-to-site IPsec VPN from pfSense to a Cisco RV042G Gigabit Dual WAN VPN Router. We have set it up on both sides. On Status > IPsec it says established, but it never seems to stay established for more than 5 minutes.

    As I was searching through the log, this is what I keep seeing a lot:

    Feb 6 10:05:32	charon		15[CFG] vici client 121 disconnected
    Feb 6 10:05:32	charon		10[CFG] vici client 121 requests: list-sas
    Feb 6 10:05:32	charon		15[CFG] vici client 121 registered for: list-sa
    Feb 6 10:05:32	charon		10[CFG] vici client 121 connected
    Feb 6 10:05:27	charon		13[CFG] vici client 120 disconnected
    Feb 6 10:05:27	charon		10[CFG] vici client 120 requests: list-sas
    Feb 6 10:05:27	charon		13[CFG] vici client 120 registered for: list-sa
    Feb 6 10:05:27	charon		10[CFG] vici client 120 connected
    

    Also, the error we are getting on the Cisco side is that it says "Waiting for Connection".



  • @acp

    This log shows that you went through the web GUI to the Status > IPsec page. Perhaps there is still data with the cause of the connection failure.



  • @acp This is the part of the log that keeps repeating itself:

    Feb 6 10:51:48	charon		09[CFG] vici client 238 disconnected
    Feb 6 10:51:48	charon		09[CFG] vici client 238 requests: list-sas
    Feb 6 10:51:48	charon		07[CFG] vici client 238 registered for: list-sa
    Feb 6 10:51:48	charon		16[CFG] vici client 238 connected
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> nothing to initiate
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		16[NET] <con1000|765> sending packet: from ##.##.###.###[500] to ###.###.###.###[500] (76 bytes)
    Feb 6 10:51:43	charon		16[ENC] <con1000|765> generating INFORMATIONAL_V1 request 3399274438 [ HASH N(NO_PROP) ]
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating INFORMATIONAL task
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> queueing INFORMATIONAL task
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> received 86400s lifetime, configured 0s
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> received proposals:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> selecting traffic selectors for us:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> selecting traffic selectors for other:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> found matching child config "con1000" with prio 10
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> candidate "con1000" with prio 5+5
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> proposing traffic selectors for other:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> proposing traffic selectors for us:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> looking for a child config for ##.#.##.#/24|/0 === ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[ENC] <con1000|765> parsed QUICK_MODE request 3078259857 [ HASH SA No ID ID ]
    Feb 6 10:51:43	charon		16[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> nothing to initiate
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		16[NET] <con1000|765> sending packet: from ##.##.###.###[500] to ###.###.###.###[500] (76 bytes)
    Feb 6 10:51:43	charon		16[ENC] <con1000|765> generating INFORMATIONAL_V1 request 3424543902 [ HASH N(NO_PROP) ]
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating INFORMATIONAL task
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> queueing INFORMATIONAL task
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    Feb 6 10:51:43	charon		16[IKE] <con1000|765> received 86400s lifetime, configured 0s
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> received proposals:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> selecting traffic selectors for us:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> selecting traffic selectors for other:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> found matching child config "con1000" with prio 10
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> candidate "con1000" with prio 5+5
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> proposing traffic selectors for other:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> proposing traffic selectors for us:
    Feb 6 10:51:43	charon		16[CFG] <con1000|765> looking for a child config for ##.#.##.#/24|/0 === ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		16[ENC] <con1000|765> parsed QUICK_MODE request 1894048691 [ HASH SA No ID ID ]
    Feb 6 10:51:43	charon		16[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> nothing to initiate
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		01[NET] <con1000|765> sending packet: from ##.##.###.###[500] to ###.###.###.###[500] (76 bytes)
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> generating INFORMATIONAL_V1 request 660758989 [ HASH N(NO_PROP) ]
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating INFORMATIONAL task
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> queueing INFORMATIONAL task
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> received 86400s lifetime, configured 0s
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> received proposals:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> selecting traffic selectors for us:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> selecting traffic selectors for other:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> found matching child config "con1000" with prio 10
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> candidate "con1000" with prio 5+5
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> proposing traffic selectors for other:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> proposing traffic selectors for us:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> looking for a child config for ##.#.##.#/24|/0 === ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> parsed QUICK_MODE request 3142705628 [ HASH SA No ID ID ]
    Feb 6 10:51:43	charon		01[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> nothing to initiate
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		01[NET] <con1000|765> sending packet: from ##.##.###.###[500] to ###.###.###.###[500] (76 bytes)
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> generating INFORMATIONAL_V1 request 3725265604 [ HASH N(NO_PROP) ]
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating INFORMATIONAL task
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> queueing INFORMATIONAL task
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> received 86400s lifetime, configured 0s
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> received proposals:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> selecting traffic selectors for us:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> selecting traffic selectors for other:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> found matching child config "con1000" with prio 10
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> candidate "con1000" with prio 5+5
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> proposing traffic selectors for other:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> proposing traffic selectors for us:
    Feb 6 10:51:43	charon		01[CFG] <con1000|765> looking for a child config for ##.#.##.#/24|/0 === ##.#.##.#/24|/0
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> parsed QUICK_MODE request 2151465811 [ HASH SA No ID ID ]
    Feb 6 10:51:43	charon		01[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> QUICK_MODE request with message ID 2308406374 processing failed
    Feb 6 10:51:43	charon		01[NET] <con1000|765> sending packet: from ##.##.###.###[500] to ###.###.###.###[500] (76 bytes)
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> generating INFORMATIONAL_V1 request 3082009329 [ HASH N(INVAL_HASH) ]
    Feb 6 10:51:43	charon		01[IKE] <con1000|765> integrity check failed
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> received HASH payload does not match
    Feb 6 10:51:43	charon		01[ENC] <con1000|765> parsed QUICK_MODE request 2308406374 [ HASH SA No ID ID ]
    Feb 6 10:51:43	charon		01[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:34	charon		01[IKE] <con1000|765> nothing to initiate
    Feb 6 10:51:34	charon		01[IKE] <con1000|765> activating new tasks
    Feb 6 10:51:34	charon		01[ENC] <con1000|765> parsed INFORMATIONAL_V1 request 997694365 [ HASH N(DPD_ACK) ]
    Feb 6 10:51:34	charon		01[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (92 bytes)
    
    


  • @acp
    Do I understand correctly that the connection is established and the traffic goes through the tunnel? And after 5 minutes the connection drops?
    Can I see the Cisco log?
    And can I see the connection establishment log and the moment of the tunnel drop?


  • LAYER 8 Netgate

    @acp said in ipsec site to site vpn:

    Feb 6 10:51:43 charon 16[NET] <con1000|765> received packet: from ###.###.###.###[500] to ##.##.###.###[500] (204 bytes)
    Feb 6 10:51:43 charon 16[ENC] <con1000|765> parsed QUICK_MODE request 3078259857 [ HASH SA No ID ID ]
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> looking for a child config for ##.#.##.#/24|/0 === ##.#.##.#/24|/0
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> proposing traffic selectors for us:
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> proposing traffic selectors for other:
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> ##.#.##.#/24|/0
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> candidate "con1000" with prio 5+5
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> found matching child config "con1000" with prio 10
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> selecting traffic selectors for other:
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> selecting traffic selectors for us:
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> config: ##.#.##.#/24|/0, received: ##.#.##.#/24|/0 => match: ##.#.##.#/24|/0
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> received proposals:
    Feb 6 10:51:43 charon 16[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
    Feb 6 10:51:43 charon 16[IKE] <con1000|765> received 86400s lifetime, configured 0s
    Feb 6 10:51:43 charon 16[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    

    The other side is trying to bring up a "Phase 2".

    They are sending no encryption/hashing proposal (which is strange; I don't recall ever seeing that before).

    Your side is set for AES-128-CBC, MD5, PFS Group 1.

    There is no match and your side rejects the attempt.
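    As an added example (not code from this thread, nor from pfSense or strongSwan), the following Python script reads charon log lines like the ones quoted above and pulls out exactly what the reply points at for each IKE SA: what the local side has configured for phase 2, what the peer actually proposed (here: nothing), the lifetime the peer asked for, and whether NO_PROPOSAL_CHOSEN was returned. It also counts the "received HASH payload does not match" events that appear in the same log. The sample lines are constructed from the thread's redacted output, with RFC 5737 documentation addresses in place of the masked ones; the second SA (con2000) and its matching proposal are assumptions added for contrast. The script groups lines by SA and does not depend on order, because the pfSense GUI shows the log newest-first.

```python
"""Triage strongSwan (charon) IKEv1 Quick Mode failures from pfSense IPsec log lines.

Added example for this thread; not pfSense or strongSwan code. It recognises
only the message texts that appear in the thread's log excerpt.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, newest-first like the pfSense GUI; addresses are
# documentation ranges standing in for the redacted ones, con2000 is assumed.
SAMPLE_LOG = """\
Feb 6 10:51:43\tcharon\t\t16[ENC] <con1000|765> generating INFORMATIONAL_V1 request 3399274438 [ HASH N(NO_PROP) ]
Feb 6 10:51:43\tcharon\t\t16[IKE] <con1000|765> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 6 10:51:43\tcharon\t\t16[IKE] <con1000|765> received 86400s lifetime, configured 0s
Feb 6 10:51:43\tcharon\t\t16[CFG] <con1000|765> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
Feb 6 10:51:43\tcharon\t\t16[CFG] <con1000|765> received proposals:
Feb 6 10:51:43\tcharon\t\t16[CFG] <con1000|765> found matching child config "con1000" with prio 10
Feb 6 10:51:43\tcharon\t\t16[ENC] <con1000|765> parsed QUICK_MODE request 3078259857 [ HASH SA No ID ID ]
Feb 6 10:51:43\tcharon\t\t16[NET] <con1000|765> received packet: from 203.0.113.10[500] to 198.51.100.20[500] (204 bytes)
Feb 6 10:51:43\tcharon\t\t01[IKE] <con1000|765> integrity check failed
Feb 6 10:51:43\tcharon\t\t01[ENC] <con1000|765> received HASH payload does not match
Feb 6 10:51:43\tcharon\t\t01[ENC] <con1000|765> parsed QUICK_MODE request 2308406374 [ HASH SA No ID ID ]
Feb 6 10:51:42\tcharon\t\t05[CFG] <con2000|12> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 6 10:51:42\tcharon\t\t05[CFG] <con2000|12> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 6 10:51:42\tcharon\t\t05[ENC] <con2000|12> parsed QUICK_MODE request 1122334455 [ HASH SA No ID ID ]
Feb 6 10:51:42\tcharon\t\t05[NET] <con2000|12> received packet: from 203.0.113.77[500] to 198.51.100.20[500] (204 bytes)
"""

# "<timestamp> charon <thread>[<group>] <conn|sa-id> <message>"; the SA tag is
# absent on vici (GUI) chatter, which we skip.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+)?(?P<msg>.*)$"
)
LIFETIME_RE = re.compile(r"received (\d+)s lifetime, configured (\d+)s")


@dataclass
class SaFindings:
    """What the log says about one IKE SA (keyed as "conn|id")."""
    conn: str
    sa_id: str
    peer: Optional[str] = None
    quick_mode_requests: int = 0
    configured: List[str] = field(default_factory=list)  # local ESP proposals
    received: List[str] = field(default_factory=list)    # peer's ESP proposals
    lifetimes: Optional[Tuple[int, int]] = None          # (peer-proposed, local) seconds
    no_proposal_chosen: int = 0
    hash_mismatch: int = 0


def _split_proposals(text: str) -> List[str]:
    return [p.strip() for p in text.split(",") if p.strip()]


def triage(log_text: str) -> Dict[str, SaFindings]:
    """Group recognised charon messages by IKE SA, independent of line order."""
    findings: Dict[str, SaFindings] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("conn"):
            continue
        key = f'{m.group("conn")}|{m.group("sa")}'
        f = findings.setdefault(key, SaFindings(m.group("conn"), m.group("sa")))
        msg = m.group("msg")
        if msg.startswith("received packet: from "):
            f.peer = msg.split()[3].split("[")[0]          # "addr[port]" -> addr
        elif msg.startswith("parsed QUICK_MODE request"):
            f.quick_mode_requests += 1
        elif msg.startswith("configured proposals:"):
            f.configured = _split_proposals(msg[len("configured proposals:"):])
        elif msg.startswith("received proposals:"):
            f.received = _split_proposals(msg[len("received proposals:"):])  # may be empty
        elif (lm := LIFETIME_RE.match(msg)):
            f.lifetimes = (int(lm.group(1)), int(lm.group(2)))
        elif "sending NO_PROPOSAL_CHOSEN" in msg:
            f.no_proposal_chosen += 1
        elif msg == "received HASH payload does not match":
            f.hash_mismatch += 1
    return findings


def verdict(f: SaFindings) -> str:
    """One-line reading of the findings for an SA."""
    issues = []
    if f.no_proposal_chosen:
        if not f.received:
            issues.append(f"phase 2 rejected: peer {f.peer} sent {f.quick_mode_requests} "
                          f"Quick Mode request(s) with no ESP proposal; local side offers "
                          f"{', '.join(f.configured)}")
        else:
            issues.append(f"phase 2 rejected: peer offered {', '.join(f.received)} but "
                          f"local side only accepts {', '.join(f.configured)}")
    if f.hash_mismatch:
        issues.append(f"{f.hash_mismatch} Quick Mode request(s) dropped: HASH payload did not verify")
    if not issues:
        return "no phase 2 failure logged" if f.quick_mode_requests else "no Quick Mode activity"
    return "; ".join(issues)


if __name__ == "__main__":
    for key, sa in triage(SAMPLE_LOG).items():
        print(f"{key} (peer {sa.peer}): {verdict(sa)}")
```

    Run against a real export, paste the Status > System Logs > IPsec text into SAMPLE_LOG or read it from a file; an SA whose verdict names an empty peer proposal is the case described in this thread, while a non-empty "peer offered ... but local side only accepts ..." verdict points at the phase 2 settings (encryption, hash, PFS group) that need to be matched on the two devices.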



  • OK, matched the encryption algorithm, hash algorithm and PFS key group again on both pfSense and Cisco, and added the LAN IP of the Cisco to the advanced config on pfSense to ping.

    It all now works: can ping from the firewall on both sides to the local internal PCs.

    But now I need to figure out routing from the local subnet of site A to the local subnet of site B and vice versa.