Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site-2-Site with Cisco RV120W Wireless-N VPN Firewall

    Scheduled Pinned Locked Moved IPsec
    8 Posts 2 Posters 768 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      shshs
      last edited by shshs

      Hi guys,

      Please help me to solve the following issue. I have a KVM based pfSense cluster on one side and Cisco RV120W on the other one. Last SOHO from Cisco I've touched was 800 Series and it was quite good, CLI, IOS, show, debug... you know. The las one (RV1200W) doesn't provide an interface except some weird GUI and very basic IPSec configuration. Three times I made symmetric IPSec configuration with different crypto/digest parameters obtaining the same result: IPSec phase 1 comes up but no traffic going in/from the tunnel. Here is a relevant part of /var/etc/ipsec/ipsec.conf file

      conn con2000
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = <WAN_CARP VIP>
              right = <Cisco RV120 IP>
              leftid = <WAN_CARP VIP>
              ikelifetime = 28800s
              lifetime = 3600s
              ike = aes128-sha256-modp1024!
              esp = aes128-sha256-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = <Cisco RV120 IP>
              aggressive = no
              rightsubnet = 192.168.1.0/24
              leftsubnet = 10.0.0.0/14
      

      On the Cisco RV120 I have:
      1.png 2.png 3.png

      1 Reply Last reply Reply Quote 0
      • S
        shshs
        last edited by shshs

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • S
          shshs
          last edited by shshs

          When I try to ping the destination behind the Cisco router I don't see child SA counters increase, sometimes there are 2 IPSec SA created at a time:
          Screen Shot 2019-06-23 at 8.12.27 PM.png

          In IPSec logs on pfSense I get:

          Jun 23 12:49:01	charon		11[IKE] <con2000|28> nothing to initiate
          Jun 23 12:49:02	charon		15[CFG] vici client 2141 connected
          Jun 23 12:49:02	charon		11[CFG] vici client 2141 registered for: list-sa
          Jun 23 12:49:02	charon		11[CFG] vici client 2141 requests: list-sas
          Jun 23 12:49:02	charon		11[CFG] vici client 2141 disconnected
          Jun 23 12:49:03	charon		15[NET] <con1000|26> received packet: from 38.142.65.154[500] to 154.61.34.210[500] (76 bytes)
          Jun 23 12:49:03	charon		15[ENC] <con1000|26> parsed INFORMATIONAL request 4746 [ ]
          Jun 23 12:49:03	charon		15[ENC] <con1000|26> generating INFORMATIONAL response 4746 [ ]
          Jun 23 12:49:03	charon		15[NET] <con1000|26> sending packet: from 154.61.34.210[500] to 38.142.65.154[500] (76 bytes)
          Jun 23 12:49:06	charon		15[NET] <con2000|28> received packet: from 195.177.74.126[500] to 154.61.34.210[500] (108 bytes)
          Jun 23 12:49:06	charon		15[ENC] <con2000|28> parsed INFORMATIONAL_V1 request 3823163103 [ HASH N(DPD) ]
          Jun 23 12:49:06	charon		15[IKE] <con2000|28> queueing ISAKMP_DPD task
          Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
          Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating ISAKMP_DPD task
          Jun 23 12:49:06	charon		15[ENC] <con2000|28> generating INFORMATIONAL_V1 request 2486254723 [ HASH N(DPD_ACK) ]
          Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
          Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
          Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate
          

          On Cisco's side I see the tunnel up and running, and when try to initiate ESP traffic from that side I see increasing Tx counters on Cisco's IPSec status.
          Shh.png

          On pfSense tcpdump I receive incoming ESP from Cisco, but I don't see any outgoing ESP packets toward Cisco.

          Here is ipsec statusall output from the pfSense:

          [$]/root: ipsec statusall
          Status of IKE charon daemon (strongSwan 5.7.1, FreeBSD 11.2-RELEASE-p10, amd64):
            uptime: 46 hours, since Jun 21 14:43:34 2019
            worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
            loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey ...
          Listening IP addresses:
          ....
          Connections:
             bypasslan:  %any...%any  IKEv1/2
             bypasslan:   local:  uses public key authentication
             bypasslan:   remote: uses public key authentication
             bypasslan:   child:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
               con2000:  <WAN-CARP VIP>...<Cisco IP>  IKEv1, dpddelay=10s
               con2000:   local:  [<WAN-CARP VIP>] uses pre-shared key authentication
               con2000:   remote: [<Cisco IP>] uses pre-shared key authentication
               con2000:   child:  10.0.0.0/14|/0 === 192.168.1.0/24|/0 TUNNEL, dpdaction=restart
          Shunted Connections:
             bypasslan:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
          Routed Connections:
               con2000{64}:  ROUTED, TUNNEL, reqid 4
               con2000{64}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
          Security Associations (2 up, 0 connecting):
               con2000[28]: ESTABLISHED 38 minutes ago, <WAN-CARP VIP>[<WAN-CARP VIP>]...<Cisco IP>[<Cisco IP>]
               con2000[28]: IKEv1 SPIs: 2316dd2784d9bdac_i* 261b4138e97f82d0_r, pre-shared key reauthentication in 7 hours
               con2000[28]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
               con2000{62}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0a9a6e0_i 0675a2f5_o
               con2000{62}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i (0 pkts, 2336s ago), 0 bytes_o, rekeying in 4 minutes
               con2000{62}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
          [$]/root: 
          

          What could it be, what do you suggest to test in addition?

          K 1 Reply Last reply Reply Quote 0
          • K
            Konstanti @shshs
            last edited by Konstanti

            @shshs

            Hey
            Check the firewall rules on the IPSEC interface (PFSense side)

            6019db6e-d842-4d2e-98d8-7c791a873a95-image.png

            For example

            de72e5d0-fa81-4234-892c-202cca27d511-image.png

            1 Reply Last reply Reply Quote 0
            • S
              shshs
              last edited by

              @Konstanti
              I have such rule, it's not the cause of the problem.

              K 1 Reply Last reply Reply Quote 0
              • K
                Konstanti @shshs
                last edited by Konstanti

                @shshs
                try to start tcpdump on the enc0 interface
                for example
                tcpdump -netti enc0
                what it shows ?

                cc3952e7-389f-4cf8-8349-9b6caa714437-image.png

                1 Reply Last reply Reply Quote 0
                • S
                  shshs
                  last edited by

                  @Konstanti said in Site-2-Site with Cisco RV120W Wireless-N VPN Firewall:

                  tcpdump -netti enc0

                  While I'm pinging the destination behind the other site of the tunnel, I run tcpdump on enc0 and it doesn't show any relevant information, just traffic from the other IPSec VPNs.

                  1 Reply Last reply Reply Quote 0
                  • S
                    shshs
                    last edited by shshs

                    Hi guys,

                    Any ideas why it doesn't work? What's the reason of appearing such logs in pfSense:

                    Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
                    Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
                    Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate
                    

                    Why there are no outgoing ESP packets from pfSense and why IPSec SA counters doesn't increased?

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.