Hi probie,

Can you post the specific modifications you made to Phase 2?  My boss wants to do something similar and haven't worked much with IPSec VPNs (although my OpenVPN mesh is working quite well).

Thanks,
JoelC

What do you have in mind?

Jul 8 14:02:22 racoon: [14.99.207.196] ERROR: exchange Identity Protection not allowed in any applicable rmconf. Jul 8 14:02:25 racoon: [Unknown Gateway/Dynamic]: ERROR: Invalid exchange type 243 from 14.99.207.196[500]. Jul 11 21:04:21 racoon: [189.231.225.24] ERROR: unknown Informational exchange received.

Those kinds of errors are generally indicative of a mismatch in phase 1 settings, especially Main Mode/Aggressive Mode.

It could be someone probing for any IPsec systems out there, or just port scanning, or who knows. As long as you have lengthy PSKs (or certificates) and other such protections on IPsec, you should be fine.

How?

Thanks for the quick reply.

The users we are authenticating with are all in group "admins." Doesn't that provide blanket permissions? We added the specific "VPN IPSec XAuth" permission (seems like a good idea); but we still have a bad auth failure.

On a "why not?" whim we changed the client ID string used in Phase 1 to match the username provided for Xauth. That didn't help either. Still failing with bad auth.

Hello guys,
please a really need a help, even a RTFM (telling which manual) would be much appreciated.
Thanks for your time

Alberto

Same thing happened to me.  I originally set up IPSec via static IPs for Peer and Identifier.  Now I've been messing around with Dynamic DNS service and nothing has been changed in Phase One settings which worked fine before so I am wondering is IPSec not passing the Dynamic IP correctly to the remote site for authentication?

For now I revert back to static IPs until I figure this out.

Just for reference:

My Firewall:

2.0-RC3 (i386)
built on Fri Jul 15 19:39:23 EDT 2011

Remote Site:

WatchGuard XTM510 running 11.4.1 firmware.

Transport is the preferred method and it saves you 20 bytes but since the recommended MTU size is 1400 on both GRE + IPsec (Transport mode) = 1440 and GRE + IPsec (Tunnel mode) = 1420 there is no bigger difference between them.

Just don't forget to set MTU on GRE interface or you will lose data

// rancor

I have noticed that there are some big gaps in the documentation for the Road Warrior IPSec for v 1.2.3 when using it with v 2.0. Obviously I'm aware that this documentation was done specifically for 1.2 but does anyone have any notes on what you need to do different for version 2.0 to get this to work?

It would be a close call on a WRAP. At the very least you need the same tweak to get around the WRAP's ancient BIOS that was required for 1.2.3:

http://doc.pfsense.org/index.php/NanoBSD_on_WRAP