PfSense -> Cisco WRVS4400N



  • Having trouble setting up IPsec VPN between a pfSense box, and a Cisco WRVS4400N wireless router.  I've searched through the forums and online and haven't been able to find much.

    Can I set up a normal tunnel, as I would when setting IPsec up between 2 pfSense boxes?  Or do I have to use the mobile client sections?  I've only been able to get a tunnel established by setting it up through mobile clients.  Even with tunnel established I never was able to get any traffic through.



  • Regarding the traffic not passing through, do you by any chance see 'ERROR: failed to begin ipsec sa negotication.' in your logs? If so check these two bug reports:

    http://redmine.pfsense.org/issues/1351
    http://redmine.pfsense.org/issues/1970

    there seems to be a bug in racoon that prevents traffic from being routed properly. I encountered this issue in one of my setups. VPN traffic was entering pfSense, but no traffic was being sent back to the client.



  • I do get that error.  I've run racoon in diagnostic mode, and here is what it shows -

    I've changed the local site public IP to 1.1.1.1 and the remote site to 2.2.2.2.

    Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
    Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
    Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: no remote configuration found.
    Mar 13 10:55:41 racoon: DEBUG: in post_acquire
    Mar 13 10:55:41 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
    Mar 13 10:55:41 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
    Mar 13 10:55:41 racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
    Mar 13 10:55:41 racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    Mar 13 10:55:41 racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
    Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.3.0/24', peer='ANY', id=3
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
    Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.2.0/24', peer='ANY', id=2
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
    Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.109.0/24', peer='ANY', id=1
    Mar 13 10:55:41 racoon: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.30.0/24' peer='NULL' client='NULL' id=5
    Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: configuration "anonymous" selected.
    Mar 13 10:55:41 racoon: DEBUG: new acquire 192.168.1.0/24[0] 192.168.30.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: suitable inbound SP found: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
    Mar 13 10:55:41 racoon: DEBUG: db :0x28549408: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28549048: 192.168.1.0/24[0] 192.168.3.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548dc8: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548b48: 192.168.1.0/24[0] 192.168.109.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548a08: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548788: 192.168.3.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548508: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548288: 192.168.109.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548148: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: sub:0xbfbfe5d8: 192.168.30.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 13 10:55:41 racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.30.0/24[0] proto=any dir=out.

    I copied the few lines that stood out to me below.

    Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
    Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
    Mar 13 10:55:41 racoon: [RemoteSite]: [2.2.2.2] DEBUG: no remote configuration found.
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
    Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548a08: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
    Mar 13 10:55:41 racoon: DEBUG: db :0x28548148: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in

    When I tell the client to connect, everything looks fine.  As soon as I try to ping a device in the remote site, the entries listed above show up in the log files.
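    The racoon debug output quoted above is displayed newest-first, which makes the sainfo (phase 2) lookup hard to follow. The following Python script is an added example, not code from this thread or from pfSense: it parses a constructed subset of the lines quoted above (same anonymised peer 2.2.2.2) in any line order and reports which sainfo entries were rejected for the requested selector and whether a phase 1 remote section matched the peer.

```python
import re
# Constructed sample: a subset of the racoon lines quoted above, newest-first as pfSense shows them.
SAMPLE_LOG = """\
Mar 13 10:55:41 racoon: ERROR: failed to begin ipsec sa negotication.
Mar 13 10:55:41 racoon: ERROR: no configuration found for 2.2.2.2.
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=5
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 3 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.3.0/24', peer='ANY', id=3
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 2 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.2.0/24', peer='ANY', id=2
Mar 13 10:55:41 racoon: DEBUG: remoteid mismatch: 1 != 5
Mar 13 10:55:41 racoon: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='192.168.109.0/24', peer='ANY', id=1
Mar 13 10:55:41 racoon: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.30.0/24' peer='NULL' client='NULL' id=5
"""
SAINFO = re.compile(r"evaluating sainfo: loc='([^']*)', rmt='([^']*)', peer='([^']*)', id=(\d+)")
PARAMS = re.compile(r"getsainfo params: loc='([^']*)' rmt='([^']*)'.*\bid=(\d+)")
MISMATCH = re.compile(r"remoteid mismatch: (\d+) != (\d+)")
NOCONF = re.compile(r"no configuration found for (\S+?)\.?$")

def triage_racoon(log_text):
    """Extract the phase-2 (sainfo) lookup from racoon debug output; order-independent."""
    r = {"requested": None, "candidates": {}, "rejected_ids": set(),
         "peers_without_config": [], "sa_negotiation_failed": False}
    for line in log_text.splitlines():
        if m := SAINFO.search(line):
            loc, rmt, peer, sid = m.groups()
            r["candidates"][int(sid)] = (loc, rmt, peer)      # configured sainfo entries by id
        elif m := PARAMS.search(line):
            loc, rmt, sid = m.groups()
            r["requested"] = (loc, rmt, int(sid))             # selector the kernel acquire asked for
        elif m := MISMATCH.search(line):
            r["rejected_ids"].add(int(m.group(1)))            # configured id that did not match
        elif m := NOCONF.search(line):
            r["peers_without_config"].append(m.group(1))      # phase-1 'remote' section missing
        elif "failed to begin ipsec sa" in line:              # prefix also matches racoon's misspelling
            r["sa_negotiation_failed"] = True
    return r

def explain(r):
    """One actionable finding per line, derived only from the parsed report."""
    out = []
    if r["sa_negotiation_failed"]:
        out.append("phase-2 negotiation never started")
    for peer in r["peers_without_config"]:
        out.append(f"no phase-1 remote section matched peer {peer}")
    if r["requested"]:
        loc, rmt, sid = r["requested"]
        if not any((l, rr) == (loc, rmt) for l, rr, _ in r["candidates"].values()):
            fallback = r["candidates"].get(sid, ("?",))[0]
            out.append(f"no sainfo for {loc} <-> {rmt}: ids {sorted(r['rejected_ids'])} "
                       f"rejected, fell through to id {sid} ({fallback})")
    return out
```

    Run against the sample it reports that the 192.168.1.0/24 to 192.168.30.0/24 selector matched none of the subnet-specific sainfo entries and fell through to the ANONYMOUS one, and that no remote section matched 2.2.2.2.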



  • I've checked out the bug reports and haven't found any information that helped.  I've also been through the recommendations listed on http://forum.pfsense.org/index.php?topic=46917.0.  Still haven't found anything that works.  While digging around and trying out different settings I have noticed a couple of other things though.

    When I tell the Cisco wireless router to connect it shows a status of up. I can see the connection initialized in the IPsec logs on my pfSense box. But if I look in my state table I don't see the client listed as I do with my other VPN tunnels that are working. Also when looking under the system logs I see the following error "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Mobile Client Access'".

