Site-2-Site with Cisco RV120W Wireless-N VPN Firewall



  • Hi guys,

    Please help me to solve the following issue. I have a KVM based pfSense cluster on one side and Cisco RV120W on the other one. Last SOHO from Cisco I've touched was 800 Series and it was quite good, CLI, IOS, show, debug... you know. The las one (RV1200W) doesn't provide an interface except some weird GUI and very basic IPSec configuration. Three times I made symmetric IPSec configuration with different crypto/digest parameters obtaining the same result: IPSec phase 1 comes up but no traffic going in/from the tunnel. Here is a relevant part of /var/etc/ipsec/ipsec.conf file

    conn con2000
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = <WAN_CARP VIP>
            right = <Cisco RV120 IP>
            leftid = <WAN_CARP VIP>
            ikelifetime = 28800s
            lifetime = 3600s
            ike = aes128-sha256-modp1024!
            esp = aes128-sha256-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = <Cisco RV120 IP>
            aggressive = no
            rightsubnet = 192.168.1.0/24
            leftsubnet = 10.0.0.0/14
    

    On the Cisco RV120 I have:
    1.png 2.png 3.png



  • This post is deleted!


  • When I try to ping the destination behind the Cisco router I don't see child SA counters increase, sometimes there are 2 IPSec SA created at a time:
    Screen Shot 2019-06-23 at 8.12.27 PM.png

    In IPSec logs on pfSense I get:

    Jun 23 12:49:01	charon		11[IKE] <con2000|28> nothing to initiate
    Jun 23 12:49:02	charon		15[CFG] vici client 2141 connected
    Jun 23 12:49:02	charon		11[CFG] vici client 2141 registered for: list-sa
    Jun 23 12:49:02	charon		11[CFG] vici client 2141 requests: list-sas
    Jun 23 12:49:02	charon		11[CFG] vici client 2141 disconnected
    Jun 23 12:49:03	charon		15[NET] <con1000|26> received packet: from 38.142.65.154[500] to 154.61.34.210[500] (76 bytes)
    Jun 23 12:49:03	charon		15[ENC] <con1000|26> parsed INFORMATIONAL request 4746 [ ]
    Jun 23 12:49:03	charon		15[ENC] <con1000|26> generating INFORMATIONAL response 4746 [ ]
    Jun 23 12:49:03	charon		15[NET] <con1000|26> sending packet: from 154.61.34.210[500] to 38.142.65.154[500] (76 bytes)
    Jun 23 12:49:06	charon		15[NET] <con2000|28> received packet: from 195.177.74.126[500] to 154.61.34.210[500] (108 bytes)
    Jun 23 12:49:06	charon		15[ENC] <con2000|28> parsed INFORMATIONAL_V1 request 3823163103 [ HASH N(DPD) ]
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> queueing ISAKMP_DPD task
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating ISAKMP_DPD task
    Jun 23 12:49:06	charon		15[ENC] <con2000|28> generating INFORMATIONAL_V1 request 2486254723 [ HASH N(DPD_ACK) ]
    Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate
    

    On Cisco's side I see the tunnel up and running, and when try to initiate ESP traffic from that side I see increasing Tx counters on Cisco's IPSec status.
    Shh.png

    On pfSense tcpdump I receive incoming ESP from Cisco, but I don't see any outgoing ESP packets toward Cisco.

    Here is ipsec statusall output from the pfSense:

    [$]/root: ipsec statusall
    Status of IKE charon daemon (strongSwan 5.7.1, FreeBSD 11.2-RELEASE-p10, amd64):
      uptime: 46 hours, since Jun 21 14:43:34 2019
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
      loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey ...
    Listening IP addresses:
    ....
    Connections:
       bypasslan:  %any...%any  IKEv1/2
       bypasslan:   local:  uses public key authentication
       bypasslan:   remote: uses public key authentication
       bypasslan:   child:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
         con2000:  <WAN-CARP VIP>...<Cisco IP>  IKEv1, dpddelay=10s
         con2000:   local:  [<WAN-CARP VIP>] uses pre-shared key authentication
         con2000:   remote: [<Cisco IP>] uses pre-shared key authentication
         con2000:   child:  10.0.0.0/14|/0 === 192.168.1.0/24|/0 TUNNEL, dpdaction=restart
    Shunted Connections:
       bypasslan:  10.0.11.0/24|/0 === 10.0.11.0/24|/0 PASS
    Routed Connections:
         con2000{64}:  ROUTED, TUNNEL, reqid 4
         con2000{64}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
    Security Associations (2 up, 0 connecting):
         con2000[28]: ESTABLISHED 38 minutes ago, <WAN-CARP VIP>[<WAN-CARP VIP>]...<Cisco IP>[<Cisco IP>]
         con2000[28]: IKEv1 SPIs: 2316dd2784d9bdac_i* 261b4138e97f82d0_r, pre-shared key reauthentication in 7 hours
         con2000[28]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
         con2000{62}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0a9a6e0_i 0675a2f5_o
         con2000{62}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_1024, 0 bytes_i (0 pkts, 2336s ago), 0 bytes_o, rekeying in 4 minutes
         con2000{62}:   10.0.0.0/14|/0 === 192.168.1.0/24|/0
    [$]/root: 
    

    What could it be, what do you suggest to test in addition?



  • @shshs

    Hey
    Check the firewall rules on the IPSEC interface (PFSense side)

    6019db6e-d842-4d2e-98d8-7c791a873a95-image.png

    For example

    de72e5d0-fa81-4234-892c-202cca27d511-image.png



  • @Konstanti
    I have such rule, it's not the cause of the problem.



  • @shshs
    try to start tcpdump on the enc0 interface
    for example
    tcpdump -netti enc0
    what it shows ?

    cc3952e7-389f-4cf8-8349-9b6caa714437-image.png



  • @Konstanti said in Site-2-Site with Cisco RV120W Wireless-N VPN Firewall:

    tcpdump -netti enc0

    While I'm pinging the destination behind the other site of the tunnel, I run tcpdump on enc0 and it doesn't show any relevant information, just traffic from the other IPSec VPNs.



  • Hi guys,

    Any ideas why it doesn't work? What's the reason of appearing such logs in pfSense:

    Jun 23 12:49:06	charon		15[NET] <con2000|28> sending packet: from 154.61.34.210[500] to 195.177.74.126[500] (108 bytes)
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> activating new tasks
    Jun 23 12:49:06	charon		15[IKE] <con2000|28> nothing to initiate
    

    Why there are no outgoing ESP packets from pfSense and why IPSec SA counters doesn't increased?


Log in to reply