
Author Topic: Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA  (Read 82 times)


Offline mcentirefj
We've got a Site to Site VPN setup between a branch office and our HQ.

VPN establishes and everything works fine if we're initiating from the branch office with the pfSense firewall.

VPN fails to initiate from the HQ going from the Cisco ASA to the pfSense.

I see these logs saying there is no matching child SA:
Code:
Dec 6 23:39:46 charon: 11[CFG] <con1000|113> looking for a child config for 10.247.0.0/16|/0 === 10.241.0.0/16|/0
Dec 6 23:39:46 charon: 11[CFG] <con1000|113> looking for a child config for 10.247.0.0/16|/0 === 10.241.0.0/16|/0
Dec 6 23:39:46 charon: 11[IKE] <con1000|113> no matching CHILD_SA config found
Dec 6 23:39:46 charon: 11[IKE] <con1000|113> no matching CHILD_SA config found

But the matching configurations exist in the GUI:

pfSense version is currently 2.2.4.

I'm not sure where to go from here. It's telling me there's no match when I can see the match in the config. Any ideas?

Offline mcentirefj
Re: Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA
« Reply #1 on: December 07, 2017, 12:10:44 pm »
Further info:

I've added ping hosts to all the child SAs for now as a workaround. I don't like that my pfSense box can't respond to VPNs. Anyone have any suggestions?

Offline tengtengvn
Re: Can't initiate VPN to pfsense, but pfsense can initiate VPN to our ASA
« Reply #2 on: December 07, 2017, 05:44:51 pm »
I have many S2S between pfSense & ASA.

Posting your configuration for both will help.

To get the IPsec configuration from pfSense, run:
cat /var/etc/ipsec/ipsec.conf

In the ASA, look for it in your running config.
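A small diagnostic, added here as an example and not taken from any post in this thread or from pfSense itself: it pulls the traffic-selector pair out of the charon "looking for a child config" line and checks it against the leftsubnet/rightsubnet of each conn in an ipsec.conf excerpt, reporting which side fails to cover the peer's proposal. It assumes charon prints the pair as local === remote (so the left side corresponds to leftsubnet) and that pfSense writes conn blocks in the key = value form shown; the conn names and subnets in the sample are constructed, not the poster's.

```python
import ipaddress
import re

# Constructed sample input (not the poster's config): the charon lines quoted above, plus an
# ipsec.conf excerpt in the key = value form pfSense 2.2.x writes to /var/etc/ipsec/ipsec.conf.
CHARON_LOG = """\
Dec 6 23:39:46 charon: 11[CFG] <con1000|113> looking for a child config for 10.247.0.0/16|/0 === 10.241.0.0/16|/0
Dec 6 23:39:46 charon: 11[IKE] <con1000|113> no matching CHILD_SA config found
"""
IPSEC_CONF = """\
conn con1000
        leftsubnet = 10.247.0.0/16
        rightsubnet = 10.241.0.0/24
conn con2000
        leftsubnet = 10.247.10.0/24
        rightsubnet = 10.241.0.0/16,10.242.0.0/16
"""
# Assumption: charon prints the pair as local-TS === remote-TS; '|proto/port' suffixes are ignored.
TS_RE = re.compile(r"looking for a child config for (\S+)\|\S* === (\S+)\|\S*")

def proposed_selectors(log_text):
    """(local, remote) network pairs the peer proposed, one per 'looking for' line."""
    return [(ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            for m in TS_RE.finditer(log_text)]

def parse_conns(conf_text):
    """conn name -> {'leftsubnet': [networks], 'rightsubnet': [networks]} from ipsec.conf."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            current = conns.setdefault(head.group(1), {"leftsubnet": [], "rightsubnet": []})
            continue
        kv = re.match(r"^\s*(leftsubnet|rightsubnet)\s*=\s*(.+)$", line)
        if kv and current is not None:  # strongSwan allows comma-separated subnet lists
            current[kv.group(1)] = [ipaddress.ip_network(v.strip()) for v in kv.group(2).split(",")]
    return conns

def explain(local, remote, conns):
    """Per conn: (leftsubnet covers the proposed local TS?, rightsubnet covers the remote TS?)."""
    return {name: (any(local.subnet_of(n) for n in c["leftsubnet"]),
                   any(remote.subnet_of(n) for n in c["rightsubnet"]))
            for name, c in conns.items()}

def diagnose(log_text, conf_text):
    """For each proposed pair, the conns covering both sides; [] is charon's 'no matching CHILD_SA'."""
    conns = parse_conns(conf_text)
    return [(str(l), str(r), [n for n, ok in explain(l, r, conns).items() if all(ok)])
            for l, r in proposed_selectors(log_text)]
```

On the constructed sample, explain() shows con1000 failing on the right side (a /24 in the config cannot cover the peer's /16) and con2000 failing on the left, which is the kind of mask-level difference a GUI summary can hide.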