<![CDATA[Site-2-Site with Cisco RV120W Wireless-N VPN Firewall]]>Hi guys,

Please help me to solve the following issue. I have a KVM based pfSense cluster on one side and Cisco RV120W on the other one. Last SOHO from Cisco I've touched was 800 Series and it was quite good, CLI, IOS, show, debug... you know. The las one (RV1200W) doesn't provide an interface except some weird GUI and very basic IPSec configuration. Three times I made symmetric IPSec configuration with different crypto/digest parameters obtaining the same result: IPSec phase 1 comes up but no traffic going in/from the tunnel. Here is a relevant part of /var/etc/ipsec/ipsec.conf file

conn con2000
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = no
        mobike = no
        
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = <WAN_CARP VIP>
        right = <Cisco RV120 IP>
        leftid = <WAN_CARP VIP>
        ikelifetime = 28800s
        lifetime = 3600s
        ike = aes128-sha256-modp1024!
        esp = aes128-sha256-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = <Cisco RV120 IP>
        aggressive = no
        rightsubnet = 192.168.1.0/24
        leftsubnet = 10.0.0.0/14

On the Cisco RV120 I have:
1.png 2.png 3.png

]]>https://forum.netgate.com/topic/144379/site-2-site-with-cisco-rv120w-wireless-n-vpn-firewallRSS for NodeThu, 11 Jun 2026 15:59:05 GMTSun, 23 Jun 2019 16:47:50 GMT60<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Tue, 25 Jun 2019 13:35:18 GMT]]>Hi guys,

Any ideas why it doesn't work? What's the reason of appearing such logs in pfSense:

Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate

Why there are no outgoing ESP packets from pfSense and why IPSec SA counters doesn't increased?

]]>https://forum.netgate.com/post/850188https://forum.netgate.com/post/850188Tue, 25 Jun 2019 13:35:18 GMT<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Mon, 24 Jun 2019 08:58:43 GMT]]>@Konstanti said in Site-2-Site with Cisco RV120W Wireless-N VPN Firewall:

tcpdump -netti enc0

While I'm pinging the destination behind the other site of the tunnel, I run tcpdump on enc0 and it doesn't show any relevant information, just traffic from the other IPSec VPNs.

]]>https://forum.netgate.com/post/849907https://forum.netgate.com/post/849907Mon, 24 Jun 2019 08:58:43 GMT<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Mon, 24 Jun 2019 08:16:03 GMT]]>@shshs
try to start tcpdump on the enc0 interface
for example
tcpdump -netti enc0
what it shows ?

cc3952e7-389f-4cf8-8349-9b6caa714437-image.png

]]>https://forum.netgate.com/post/849903https://forum.netgate.com/post/849903Mon, 24 Jun 2019 08:16:03 GMT<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Mon, 24 Jun 2019 07:19:27 GMT]]>@Konstanti
I have such rule, it's not the cause of the problem.

]]>https://forum.netgate.com/post/849901https://forum.netgate.com/post/849901Mon, 24 Jun 2019 07:19:27 GMT<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Mon, 24 Jun 2019 06:20:47 GMT]]>@shshs

Hey
Check the firewall rules on the IPSEC interface (PFSense side)

6019db6e-d842-4d2e-98d8-7c791a873a95-image.png

For example

de72e5d0-fa81-4234-892c-202cca27d511-image.png

]]>https://forum.netgate.com/post/849895https://forum.netgate.com/post/849895Mon, 24 Jun 2019 06:20:47 GMT<![CDATA[Reply to Site-2-Site with Cisco RV120W Wireless-N VPN Firewall on Sun, 23 Jun 2019 17:16:16 GMT]]>When I try to ping the destination behind the Cisco router I don't see child SA counters increase, sometimes there are 2 IPSec SA created at a time:
Screen Shot 2019-06-23 at 8.12.27 PM.png

In IPSec logs on pfSense I get:

Jun 23 12:49:01	charon		11[IKE] <con2000|28> nothing to initiate
Jun 23 12:49:02	charon		15[CFG] vici client 2141 connected
Jun 23 12:49:02	charon		11[CFG] vici client 2141 registered for: list-sa
Jun 23 12:49:02	charon		11[CFG] vici client 2141 requests: list-sas
Jun 23 12:49:02	charon		11[CFG] vici client 2141 disconnected
Jun 23 12:49:03	charon		15[NET] <con1000|26> received packet: from 38.142.65.154[500] to 154.61.34.210[500] (76 bytes)
Jun 23 12:49:03	charon		15[ENC] <con1000|26> parsed INFORMATIONAL request 4746 [ ]
Jun 23 12:49:03	charon		15[ENC] <con1000|26> generating INFORMATIONAL response 4746 [ ]
Jun 23 12:49:03	charon		15[NET] <con1000|26> sending packet: from 154.61.34.210[500] to 38.142.65.154[500] (76 bytes)
Jun 23 12:49:06	charon		15[NET] <con2000|28> received packet: from 195.177.74.126[500] to 154.61.34.210[500] (108 bytes)
Jun 23 12:49:06	charon		15[ENC] <con2000|28> parsed INFORMATIONAL_V1 request 3823163103 [ HASH N(DPD) ]
Jun 23 12:49:06	charon		15[IKE] <con2000|28> queueing ISAKMP_DPD task
Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating ISAKMP_DPD task
Jun 23 12:49:06	charon		15[ENC] <con2000|28> generating INFORMATIONAL_V1 request 2486254723 [ HASH N(DPD_ACK) ]
Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate

On Cisco's side I see the tunnel up and running, and when try to initiate ESP traffic from that side I see increasing Tx counters on Cisco's IPSec status.
Shh.png

On pfSense tcpdump I receive incoming ESP from Cisco, but I don't see any outgoing ESP packets toward Cisco.

Here is ipsec statusall output from the pfSense:

[$]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.1, FreeBSD 11.2-RELEASE-p10, amd64):
  uptime: 46 hours, since Jun 21 14:43:34 2019
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey ...
Listening IP addresses:
....
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
     con2000:  <WAN-CARP VIP>...<Cisco IP>  IKEv1, dpddelay=10s
     con2000:   local:  [<WAN-CARP VIP>] uses pre-shared key authentication
     con2000:   remote: [<Cisco IP>] uses pre-shared key authentication
     con2000:   child:  10.0.0.0/14|/0 === 192.168.1.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
Routed Connections:
     con2000{64}:  ROUTED, TUNNEL, reqid 4
     con2000{64}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
Security Associations (2 up, 0 connecting):
     con2000[28]: ESTABLISHED 38 minutes ago, <WAN-CARP VIP>[<WAN-CARP VIP>]...<Cisco IP>[<Cisco IP>]
     con2000[28]: IKEv1 SPIs: 2316dd2784d9bdac_i* 261b4138e97f82d0_r, pre-shared key reauthentication in 7 hours
     con2000[28]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
     con2000{62}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0a9a6e0_i 0675a2f5_o
     con2000{62}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i (0 pkts, 2336s ago), 0 bytes_o, rekeying in 4 minutes
     con2000{62}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
[$]/root:

What could it be, what do you suggest to test in addition?

]]>https://forum.netgate.com/post/849839https://forum.netgate.com/post/849839Sun, 23 Jun 2019 17:16:16 GMT