Connecting WinXP Cisco VPN client to PFSense IPSEC
-
Can anyone confirm whether what I am trying to accomplish is possible / not possible / not supported?
I am trying to connect to PFSense IPSEC VPN (directly on the internet) from Windows XP (behind a NAT router) with Cisco VPN client. I'm using Preshared Key.
It fails to connect, giving these logs.
At the Cisco client:
--------------------------------------------------------------------------------
Cisco Systems VPN Client Version 4.6.02.0011
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
304 CM/0x63100002 Begin connection process
305 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully
306 CM/0x63100004 Establish secure connection using Ethernet
307 CM/0x63100024 Attempt connection with server "ss.ss.ss.ss"
308 IKE/0x6300003B Attempting to establish a connection with ss.ss.ss.ss.
309 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to ss.ss.ss.ss
310 IPSEC/0x63700008 IPSec driver successfully started
311 IPSEC/0x63700014 Deleted all keys
312 IKE/0x6300002F Received ISAKMP packet: peer = ss.ss.ss.ss
313 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
314 IKE/0x63000001 Peer supports DPD
315 IKE/0x63000001 IOS Vendor ID Contruction successful
316 IKE/0x63000013 SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to ss.ss.ss.ss
317 IKE/0x63000083 IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
318 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
320 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ss.ss.ss.ss
321 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
322 CM/0x63100014 Unable to establish Phase 1 SA with server "ss.ss.ss.ss" because of "DEL_REASON_NON_UNITY_PEER"
323 CM/0x63100025 Initializing CVPNDrv
324 IKE/0x63000001 IKE received signal to terminate VPN connection
325 IKE/0x63000086 Microsoft IPSec Policy Agent service started successfully
326 IPSEC/0x63700014 Deleted all keys
327 IPSEC/0x63700014 Deleted all keys
328 IPSEC/0x63700014 Deleted all keys
329 IPSEC/0x6370000A IPSec driver successfully stopped
and at the IPSEC log in PFSense:
racoon: INFO: respond new phase 1 negotiation: ss.ss.ss.ss[500]<=>cc.cc.cc.cc[56512]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
racoon: ERROR: delete payload with invalid doi:0.
--------------------------------------------------------------------------------
Again, can anyone help me by telling whether what I'm trying to do is possible or not?
Thanks.
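An added example, not part of the original post: a small Python script that correlates the two logs quoted above. It checks that the Cisco client's I_Cookie/R_Cookie pair is the same ISAKMP SA that racoon reports as established, and confirms from the vendor-ID exchange that the Phase 1 SA was torn down by the client (DEL_REASON_NON_UNITY_PEER) rather than rejected by pfSense. The log excerpts are constructed from the lines in the post; everything else is assumed helper code.

```python
import re

# Constructed excerpts of the two logs quoted above (Cisco client side, then racoon side).
CLIENT_LOG = """\
313 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
318 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
"""
RACOON_LOG = """\
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
racoon: ERROR: delete payload with invalid doi:0.
"""

RECV_AG_RE = re.compile(r"RECEIVING <<< ISAKMP OAK AG \((.*?)\) from")
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})\) reason = (\w+)")
SPI_RE = re.compile(r"ISAKMP-SA established \S+ spi:([0-9a-f]{16}):([0-9a-f]{16})")
VID_RE = re.compile(r"received Vendor ID: (\S+)")
ERR_RE = re.compile(r"racoon: ERROR: (.*)")


def parse_client(log):
    """What the Cisco client saw: the responder's vendor IDs, the SA cookies and the teardown reason."""
    info = {"peer_vids": [], "cookies": None, "reason": None}
    for line in log.splitlines():
        m = RECV_AG_RE.search(line)
        if m:  # vendor IDs inside the responder's aggressive-mode reply, e.g. VID(dpd)
            info["peer_vids"] += re.findall(r"VID\(([^)]*)\)", m.group(1))
        m = COOKIE_RE.search(line)
        if m:  # cookies are upper-case hex on the client; normalise to match racoon's spi field
            info["cookies"] = (m.group(1).lower(), m.group(2).lower())
            info["reason"] = m.group(3)
    return info


def parse_racoon(log):
    """What racoon saw: the client's vendor IDs, the established SA's SPI pair and any errors."""
    info = {"client_vids": [], "spi": None, "errors": []}
    for line in log.splitlines():
        m = VID_RE.search(line)
        if m:
            info["client_vids"].append(m.group(1))
        m = SPI_RE.search(line)
        if m:
            info["spi"] = (m.group(1), m.group(2))
        m = ERR_RE.search(line)
        if m:
            info["errors"].append(m.group(1))
    return info


def diagnose(client_log, racoon_log):
    c, r = parse_client(client_log), parse_racoon(racoon_log)
    same_sa = c["cookies"] is not None and c["cookies"] == r["spi"]
    # Client offered CISCO-UNITY, responder answered without a Unity VID, client then deleted
    # the Phase 1 SA itself: the failure is a client-side policy decision, not a key/proposal mismatch.
    torn_down_by_client = ("CISCO-UNITY" in r["client_vids"] and "Unity" not in c["peer_vids"]
                           and c["reason"] == "DEL_REASON_NON_UNITY_PEER")
    return {"same_sa": same_sa, "torn_down_by_client": torn_down_by_client, "racoon_errors": r["errors"]}
```

The racoon ERROR about the delete payload is the server-side echo of the client's own DEL message, which is why both sides log a successful Phase 1 followed immediately by a teardown.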
-
Has someone got any experience trying to hook up Cisco VPN client to PFSense?
Just asking again, since I'm kinda stuck on the issue :)
I did see lots of entries about site-to-site VPN with Cisco devices, but couldn't find info regarding the Cisco VPN client for making VPN connections for individual machines.
-
I'm also very interested in this. Wondering if there would be enough interest to post a bounty?
-
Cisco supports IPSEC, but I believe it uses some proprietary techniques such as "Group authentication" which may not be compatible. It also needs a user authentication mechanism. I've never been successful (or wanted to) in getting the Cisco VPN client to connect to anything other than a Cisco device. That would be an IOS router, 3000 concentrator, PIX or ASA.
Robert
-
Thanks for your thoughts on this, valnar.
Would you recommend the OpenVPN client, then? Perhaps I need to try it out again…
-
Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516
For OpenVPN have a look at these GUI clients:
http://openvpn.se/
http://openvpn.net/gui.html