Pfsense 2.2.2 -> cisco rv042
-
Hey guys, looking to get some help setting up an IPSEC tunnel from a pfSense firewall to a Cisco RV042 Small Business Router. I was able to find a very old thread (2008) but the imageshack images the responder had posted of his configuration had expired, so maybe you guys can help!
Here are the relevant configurations from our pfSense box:
Phase 1:
Phase 2:
And from the Cisco box:
And the logs from the IPSEC service on pfSense:
May 18 18:37:08 charon: 09[ENC] <con1000|4>generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
May 18 18:37:08 charon: 09[NET] <con1000|4>sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:12 charon: 09[IKE] <con1000|4>sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:12 charon: 09[IKE] <con1000|4>sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:12 charon: 09[NET] <con1000|4>sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:20 charon: 11[IKE] <con1000|4>sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[IKE] <con1000|4>sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[NET] <con1000|4>sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:26 charon: 11[KNL] creating acquire job for policy {{LOCAL IP}}/32|/0 === {{CISCO IP}}/32|/0 with reqid {2}
May 18 18:37:26 charon: 06[CFG] ignoring acquire, connection attempt pending
May 18 18:37:33 charon: 06[IKE] <con1000|4>sending retransmit 3 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[IKE] <con1000|4>sending retransmit 3 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[NET] <con1000|4>sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
Please note: I changed the IP addresses to {{LOCAL IP}} and {{CISCO IP}} for obvious reasons.
-
What do the logs show on the Cisco side? That log snippet just shows it isn't replying, with no means of telling why.
-
You are correct. The Cisco side was behaving very strangely (it thought it was online but didn't respond to pings, etc.); rebooting it seemed to fix everything and the tunnel came right up. Feel free to use this config if anyone needs it. I'm going to monitor it today and see if it rekeys and all that, but it looks stable for now.
Thanks guys!
-
Spoke too soon! Looks like I can get from the pfSense side to the Cisco side just fine, but coming back the other way does not work. Below are the logs from both devices; you guys got any ideas?
This is what I'm looking at; some of the SAD entries are apparently not found:
May 19 14:07:30 charon: 16[KNL] <con1000|127>unable to query SAD entry with SPI 8647058e: No such file or directory (2)
pfSense:
May 19 14:05:38 charon: 09[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (76 bytes)
May 19 14:05:38 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:38 charon: 15[ENC] <con1000|127> parsed QUICK_MODE request 2617592248 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 15[ENC] <con1000|127> generating QUICK_MODE response 2617592248 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 15[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (188 bytes)
May 19 14:05:38 charon: 15[KNL] creating acquire job for policy {{PFSENSE IP}}/32|/0 === {{CISCO IP}}/32|/0 with reqid {1}
May 19 14:05:38 charon: 09[ENC] <con1000|127> generating QUICK_MODE request 2499144683 [ HASH SA No ID ID ]
May 19 14:05:38 charon: 09[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (188 bytes)
May 19 14:05:39 charon: 09[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (60 bytes)
May 19 14:05:39 charon: 09[ENC] <con1000|127> parsed QUICK_MODE request 2617592248 [ HASH ]
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:39 charon: 15[ENC] <con1000|127> parsed QUICK_MODE response 2499144683 [ HASH SA No ID ID ]
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[ENC] <con1000|127> generating QUICK_MODE request 2499144683 [ HASH ]
May 19 14:05:39 charon: 15[NET] <con1000|127> sending packet: from {{PFSENSE IP}}[500] to {{CISCO IP}}[500] (60 bytes)
May 19 14:07:30 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
May 19 14:10:24 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
May 19 14:16:27 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
-
Cisco:
Jan 1 00:00:12 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jan 1 00:00:12 2010 VPN Log (g2gips0) #1: ignoring Vendor ID payload [XAUTH]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: ignoring Vendor ID payload [XAUTH]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: received Vendor ID payload [Dead Peer Detection]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: received Vendor ID payload [Dead Peer Detection]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: ignoring Vendor ID payload [Cisco-Unity]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: ignoring Vendor ID payload [Cisco-Unity]
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: Peer ID is ID_IPV4_ADDR: '{{PFSENSE IP}}'
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: ISAKMP SA established
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#1}
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Inbound SPI value = 8647058e
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Inbound SPI value = 8647058e
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Outbound SPI value = c7bc44b7
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Outbound SPI value = c7bc44b7
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: up-client output: iptables: No chain/target/match by that name
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: up-client output: iptables: No chain/target/match by that name
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:14 2010 VPN Log (g2gips0) #2: sent QI2, IPsec SA established {ESP=>0xc7bc44b7 <0x8647058e
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: esp_ealg_id=12-12,esp_ealg_keylen=256, key_len=256,esp_aalg_id=2-2.
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: responding to Quick Mode
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Inbound SPI value = 6e2a6744
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Inbound SPI value = 6e2a6744
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Outbound SPI value = cd66e8c3
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Outbound SPI value = cd66e8c3
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 1 00:00:14 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
Jan 1 00:00:15 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 1 00:00:15 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
Jan 1 00:00:15 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:15 2010 VPN Log (g2gips0) #3: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 00:00:15 2010 VPN Log (g2gips0) #3: IPsec SA established {ESP=>0xcd66e8c3 <0x6e2a6744
-
Here are trace routes from each side; just in case:
Cisco to pfSense:
Tracing route to 192.168.0.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.10.1
  2    <1 ms    <1 ms    <1 ms  192.168.10.3
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *
pfSense to Cisco:
Tracing route to 192.168.10.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.0.1
  2    <1 ms    <1 ms    <1 ms  192.168.0.3
  3    57 ms    49 ms    49 ms  192.168.10.1
Trace complete.
I'll be tinkering with it today; let me know if you guys have any ideas. Here is my current list of possible problems:
1. ACLs on the Cisco side, maybe?
2. The SAD entry not found error
3. The time not being set on the Cisco side (don't know if this matters, but I feel like it should, as it usually does with encryption/authentication)
Thanks again!
-
Update:
Got everything working by adding Pass rules to the LAN table on pfSense. Previously, we had 2 pfSense boxes doing this tunnel and we had our ACLs for the vpn exclusively in the IPSEC tab of the firewall rules, moving these rules to the LAN tab seemed to fix the issue.
As it stands I have these rules:
LAN - VPN_Addresses -> * PASS
* -> VPN_Addresses PASS
Same on IPSEC tab.
No changes were made to the Cisco side. The configuration above is the one that works.
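The three charon log patterns this thread works through (retransmits that never get a reply in the first post, two CHILD_SAs negotiated for one selector pair, and the later "unable to query SAD entry" errors) can be pulled out of a pfSense IPsec log mechanically. This is an added example, not code from the thread, pfSense or strongSwan; it assumes only the pfSense 2.2.x charon line format shown above, and its sample lines are constructed from the posted logs with the {{...}} placeholders kept.

```python
import re
from collections import defaultdict
# Constructed sample in the charon log format pfSense 2.2.x writes; SPIs and
# traffic selectors are taken from the thread, {{...}} placeholders kept as posted.
SAMPLE_LOG = """\
May 18 18:37:08 charon: 09[NET] <con1000|4> sending packet: from {{LOCAL IP}}[500] to {{CISCO IP}}[500] (380 bytes)
May 18 18:37:12 charon: 09[IKE] <con1000|4> sending retransmit 1 of request message ID 0, seq 1
May 18 18:37:20 charon: 11[IKE] <con1000|4> sending retransmit 2 of request message ID 0, seq 1
May 18 18:37:33 charon: 06[IKE] <con1000|4> sending retransmit 3 of request message ID 0, seq 1
May 19 14:05:38 charon: 15[NET] <con1000|127> received packet: from {{CISCO IP}}[500] to {{PFSENSE IP}}[500] (156 bytes)
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 09[IKE] <con1000|127> CHILD_SA con1000{2} established with SPIs c7bc44b7_i 8647058e_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:05:39 charon: 15[IKE] <con1000|127> CHILD_SA con1000{3} established with SPIs cd66e8c3_i 6e2a6744_o and TS 192.168.0.0/24|/0 === 192.168.10.0/24|/0
May 19 14:07:30 charon: 16[KNL] <con1000|127> unable to query SAD entry with SPI 8647058e: No such file or directory (2)
"""

SA_TAG = r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> ?"          # "<con1000|4>" = connection|IKE_SA id
RETRANSMIT = re.compile(SA_TAG + r"sending retransmit (?P<n>\d+)")
RECEIVED = re.compile(SA_TAG + r"received packet")
CHILD_SA = re.compile(r"CHILD_SA (?P<name>\S+) established with SPIs "
                      r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
SAD_MISSING = re.compile(r"unable to query SAD entry with SPI (?P<spi>[0-9a-f]+)")


def analyse(log_text):
    """Reduce an IKEv1 charon log to the three symptoms the thread shows."""
    retransmits = defaultdict(int)   # (conn, IKE_SA id) -> highest retransmit number seen
    replied = set()                  # (conn, IKE_SA id) that received any packet at all
    child_sas = defaultdict(dict)    # traffic selectors -> {CHILD_SA name: (spi_in, spi_out)}
    sad_missing = set()              # SPIs the kernel could no longer find
    for line in log_text.splitlines():
        if m := RETRANSMIT.search(line):
            key = (m["conn"], m["ike"])
            retransmits[key] = max(retransmits[key], int(m["n"]))
        elif m := RECEIVED.search(line):
            replied.add((m["conn"], m["ike"]))
        elif m := CHILD_SA.search(line):
            # the log prints each line twice; keying on the name collapses that duplicate
            child_sas[m["ts"]][m["name"]] = (m["spi_in"], m["spi_out"])
        elif m := SAD_MISSING.search(line):
            sad_missing.add(m["spi"])
    negotiated = {spi for sas in child_sas.values() for pair in sas.values() for spi in pair}
    return {
        # reached retransmit 3 and never got a single packet back: peer is down or unreachable
        "unresponsive": sorted(k for k, n in retransmits.items() if n >= 3 and k not in replied),
        # two CHILD_SAs for one selector pair: both ends ran Quick Mode at the same time
        "parallel_child_sas": {ts: sorted(sas) for ts, sas in child_sas.items() if len(sas) > 1},
        # an SPI that was negotiated but later vanished from the SAD: that SA is gone or replaced
        "stale_spis": sorted(sad_missing & negotiated),
    }
```

Feed it the raw Status > System Logs > IPsec text; a non-empty "unresponsive" entry is the first post's symptom, and a "stale_spis" hit paired with "parallel_child_sas" is the second post's.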
-
Hi,
Can you please help me to configure IPSec between pfSense 2.2.2 and a Cisco RV042?
I have been breaking my head over it for a week trying to figure it out, but no luck :'(.
pfSense is on a Xen VM in a data center. The WAN network is a VLAN (73.241.202.232/29) and the LAN is also a VLAN (172.51.130.160/27).
WAN IP : 73.241.202.238
Gateway(default) : 73.241.202.233
LAN IP : 172.51.130.190 (LAN only)
LANGW : 172.51.130.190 (I made it up; I don't know whether this is the correct way or not.) I am using the same LANGW for all LAN.
CISCO RV042
WAN : 35.31.39.153/29
GW : 35.31.39.158
LAN : 192.168.10.0/27
GW : 192.168.10.1
I enabled and created IPSec in pfSense with the settings as you mentioned in your picture, except Negotiation Mode "MAIN". The connection is established but no traffic is going. From pfSense I am able to ping only the RV042 (no computers). From the Cisco side: Destination host not reachable.
I thought it might be an issue with gateways or firewall rules, but I am not getting anything; or is it because of the two different VLANs? Can you please help me to fix this? Thanking you in advance.
Thank You,
Harry.