Netgate Discussion Forum

Shrew 2.15 ipsec client can connect to m0n0 but can't connect to pf20b

2.0-RC Snapshot Feedback and Problems - RETIRED
10 Posts 3 Posters 4.5k Views
    horsedragon, Mar 3, 2010, 8:43 AM (last edited 8:45 AM)

    Dear all,
    I want to use the Shrew 2.15 IPsec client to connect to pf20b. Before trying it, I connected to m0n0 1.3 and everything was OK: my notebook uses ADSL to access the internet and gets a dynamic IP, m0n0's LAN IP is 192.168.1.1, and when I connect to m0n0 I can ping 192.168.1.1 successfully. After this I connected to pf20b (LAN IP 192.168.10.1); in the system log I see the tunnel is connected, but I can't ping 192.168.10.1. What is happening? Please help!

    pfSense 2.0 log:
    Mar 3 07:52:43 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=96746669(0x5c43cad)
    Mar 3 07:52:43 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=3525136403(0xd21d5013)
    Mar 3 07:53:05 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:05 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=128595496(0x7aa3628)
    Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=3703800258(0xdcc381c2)
    Mar 3 07:53:27 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:27 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=147725165(0x8ce1b6d)
    Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=2496948049(0x94d46751)
    Mar 3 07:53:49 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:49 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=41093443(0x2730943)
    Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=1386134623(0x529ebc5f)
    Mar 3 07:54:11 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:11 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:11 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=211311642(0xc985c1a)
    Mar 3 07:54:11 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=2021122505(0x7877e1c9)
    Mar 3 07:54:33 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:33 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:33 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=33021763(0x1f7df43)
    Mar 3 07:54:33 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=546278378(0x208f8bea)
    Mar 3 07:54:55 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:55 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:55 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=118623832(0x7120e58)

    m0n0 log:
    Mar 3 16:07:39 racoon: INFO: respond new phase 2 negotiation: 222.128.75.7[0]<=>123.114.38.157[0]
    Mar 3 16:07:39 racoon: INFO: no policy found, try to generate the policy : 123.114.38.157/32[0] 0.0.0.0/0[0] proto=any dir=in
    Mar 3 16:07:39 /kernel: arp: 192.168.3.221 is on fxp2 but got reply from 00:1d:92:d4:8c:0d on fxp0
    Mar 3 16:07:39 racoon: INFO: IPsec-SA established: ESP/Tunnel 123.114.38.157[0]->222.128.75.7[0] spi=13164556(0xc8e00c)
    Mar 3 16:07:39 racoon: INFO: IPsec-SA established: ESP/Tunnel 222.128.75.7[0]->123.114.38.157[0] spi=997443460(0x3b73c784)
    Mar 3 16:07:39 racoon: ERROR: such policy does not already exist: "123.114.38.157/32[0] 0.0.0.0/0[0] proto=any dir=in"
    Mar 3 16:07:39 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 123.114.38.157/32[0] proto=any dir=out"

    pfSense 2.0 config screenshots (attachments): pf20-firewall-ipsec.png, pf20-firewall-lan.png, pf20-firewall-wan.png, pf20-vpn-mobile-ph1.png, pf20-vpn-ipsec.png

      horsedragon, Mar 4, 2010, 8:55 AM

      Has nobody else had this question?

        jimp (Netgate developer), Mar 4, 2010, 8:49 PM

        There are tickets open already to work on IPsec mobile clients on 2.0.

        2.0 is still in early Beta, and this is one of the areas that needs a lot of work. Be patient, watch the commit logs, and keep trying.

          horsedragon, Mar 5, 2010, 3:24 AM

          @jimp:

          There are tickets open already to work on IPsec mobile clients on 2.0.

          2.0 is still in early Beta, and this is one of the areas that needs a lot of work. Be patient, watch the commit logs, and keep trying.

          Thank you very much!
          I tried this mode with my dynamic VPN gateway (which works OK with 1.2.3) and found the same problem. Can I modify something manually to make it work normally? Is it a routing error or something else? On my gateway it reports that everything is OK; the following is the log:

          2010/03/05 11:04:32 Info. ike Phase2 Initiator(Quick) : established
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:32 Info. ike Phase2 Initiator(Quick) : 1st
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:32 Info. ike Start phase2 negotiation
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:31 Info. ike ISAKMP SA established
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:31 Info. ike Phase1 Initiator(Aggressive) : 2nd
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:30 Info. ike Phase1 Initiator(Aggressive) : 1st
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:30 Info. ike Start with Aggressive mode
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
          2010/03/05 11:04:30 Info. ike Start phase1 negotiation
          [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]

          pfSense 2.0's log:

          Last 50 IPsec log entries
          Mar 5 11:04:27 racoon: [shrewclient]: INFO: ISAKMP-SA expired 123.112.85.205[500]-123.114.40.81[500] spi:8838c62299a1952a:7fbcadc3e61e2691
          Mar 5 11:04:28 racoon: [shrewclient]: INFO: ISAKMP-SA deleted 123.112.85.205[500]-123.114.40.81[500] spi:8838c62299a1952a:7fbcadc3e61e2691
          Mar 5 11:04:32 racoon:  INFO: respond new phase 1 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
          Mar 5 11:04:32 racoon:  INFO: begin Aggressive mode.
          Mar 5 11:04:32 racoon:  INFO: ISAKMP-SA established 123.112.85.205[500]-123.114.40.81[500] spi:4862a7f3a5e4b870:541f1ef027e4d866
          Mar 5 11:04:33 racoon:  INFO: respond new phase 2 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
          Mar 5 11:04:33 racoon:  INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in
          Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2330989(0x23916d)
          Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2069988256(0x7b6183a0)
          Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in"
          Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.10.0/24[0] 192.168.1.0/24[0] proto=any dir=out"

          I hope this log is helpful to you and your team!
          Thank you again.

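The two racoon excerpts in this thread (the pfSense 2.0 log in the first post and the one in this post) show the same pattern: IPsec-SAs are established, and then racoon either renegotiates phase 2 every 22 seconds with an "attribute has been modified" warning, or reports "such policy does not already exist" for the policy it generated. The following Python script is an added example, not code from the thread or from pfSense: it parses lines in the format the pfSense GUI prints them (with or without the "[tag]:" after "racoon:") and reports those conditions. The sample input is copied from the two logs above; the 60-second churn threshold and the wording of the findings are assumptions.

```python
"""Added example (not from the thread or pfSense): summarise racoon IPsec log lines.

Input is the log as the pfSense GUI prints it, with or without the "[tag]:" after
"racoon:".  The summary counts phase 2 negotiations and the gaps between them,
"attribute has been modified" warnings, IPsec-SA establishments and the
"such policy does not already exist" errors, and turns them into findings.
"""
import re
from datetime import datetime

# "Mar 3 07:53:05 racoon: [vpn200]: INFO: ..."   or   "Mar 5 11:04:33 racoon:  ERROR: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+racoon:\s+"
    r"(?:\[(?P<tag>[^\]]*)\]:\s+)?(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
POLICY_RE = re.compile(r'such policy does not already exist: "(?P<policy>[^"]+)"')


def parse_racoon_log(text):
    """One dict per racoon line (ts, tag, level, msg); kernel and other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # syslog timestamps carry no year; only the gaps between lines are used
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "tag": m["tag"], "level": m["level"], "msg": m["msg"]})
    return events


def summarize(text):
    """Counts of the events worth looking at in a racoon log excerpt."""
    events = parse_racoon_log(text)
    phase2 = [e["ts"] for e in events if "new phase 2 negotiation" in e["msg"]]
    gaps = [int((b - a).total_seconds()) for a, b in zip(phase2, phase2[1:])]
    return {
        "phase1_aggressive": any("Aggressive mode" in e["msg"] for e in events),
        "phase2_count": len(phase2),
        "phase2_intervals_s": gaps,
        "attribute_modified": sum("attribute has been modified" in e["msg"] for e in events),
        "ipsec_sa_established": sum(e["msg"].startswith("IPsec-SA established") for e in events),
        "missing_policies": [m["policy"] for m in (POLICY_RE.search(e["msg"]) for e in events) if m],
    }


def findings(text, churn_threshold_s=60):
    """Short, checkable findings; the 60 s churn threshold is an assumption."""
    s = summarize(text)
    out = []
    if s["missing_policies"]:
        out.append("IPsec-SAs were installed but racoon found no SPD entry for: "
                   + "; ".join(s["missing_policies"]) + " (compare with `setkey -DP`)")
    if s["phase2_intervals_s"] and max(s["phase2_intervals_s"]) < churn_threshold_s:
        out.append("phase 2 renegotiated every %d s (%d 'attribute has been modified' warnings): "
                   "the SAs come up but are replaced almost immediately"
                   % (max(s["phase2_intervals_s"]), s["attribute_modified"]))
    if s["phase1_aggressive"]:
        out.append("phase 1 used Aggressive mode: with a pre-shared key the identity and the "
                   "PSK-derived hash travel unencrypted and can be brute-forced offline")
    return out


# Sample input: lines copied from the two pfSense 2.0 logs quoted in this thread.
PF20_LOG = """\
Mar 3 07:53:05 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
Mar 3 07:53:05 racoon: [vpn200]: WARNING: attribute has been modified.
Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=128595496(0x7aa3628)
Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=3703800258(0xdcc381c2)
Mar 3 07:53:27 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
Mar 3 07:53:27 racoon: [vpn200]: WARNING: attribute has been modified.
Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=147725165(0x8ce1b6d)
Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=2496948049(0x94d46751)
Mar 3 07:53:49 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
Mar 3 07:53:49 racoon: [vpn200]: WARNING: attribute has been modified.
Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=41093443(0x2730943)
Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=1386134623(0x529ebc5f)
"""
GATEWAY_LOG = """\
Mar 5 11:04:32 racoon:  INFO: respond new phase 1 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
Mar 5 11:04:32 racoon:  INFO: begin Aggressive mode.
Mar 5 11:04:32 racoon:  INFO: ISAKMP-SA established 123.112.85.205[500]-123.114.40.81[500] spi:4862a7f3a5e4b870:541f1ef027e4d866
Mar 5 11:04:33 racoon:  INFO: respond new phase 2 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
Mar 5 11:04:33 racoon:  INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in
Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2330989(0x23916d)
Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2069988256(0x7b6183a0)
Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in"
Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.10.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
"""

if __name__ == "__main__":
    for name, log in (("first post", PF20_LOG), ("gateway post", GATEWAY_LOG)):
        print(name, summarize(log))
        for f in findings(log):
            print("  -", f)
```

Paste the content of the IPsec log page into it. The "no SPD entry" finding is what racoon means by "such policy does not already exist": the kernel SA was installed, but the security policy that would steer packets into it is not in the SPD, and `setkey -DP` on the firewall shows which policies are actually loaded. The Aggressive mode finding is a security note rather than a connectivity one, but it is worth knowing when a mobile PSK setup is being debugged.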
            horsedragon, Mar 10, 2010, 4:00 AM

            It seems I must go back to 1.2.3 or m0n0. :'(

              Guest, Mar 10, 2010, 5:26 AM

              There's a reason it's still beta software.

                horsedragon, Mar 11, 2010, 6:15 AM

                Dear all,
                I compared the file "filter.inc" between 2.0 and 1.2.3, and I find that in 2.0 the VPN rules are:

                pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - outbound isakmp"
                pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - inbound isakmp"
                pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - outbound esp proto"
                pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - inbound esp proto"

                In 1.2.3 they are:

                pass in quick on ${$iface} proto udp from any to any port = 500 keep state label "IPSEC: Mobile - inbound isakmp"
                pass in quick on ${$iface} proto esp from any to any keep state label "IPSEC: Mobile - inbound esp proto"
                pass in quick on ${$iface} proto ah from any to any keep state label "IPSEC: Mobile - inbound ah proto"

                In 1.2.3 there is the keyword "quick" and no "route-to" or "reply-to".
                Could this lead to this problem?

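To make the comparison horsedragon drew from filter.inc mechanical on a live firewall, the following Python script is an added example, not code from the thread or from pfSense: it parses pf rules in the form `pfctl -sr` prints them (one rule per line), picks out the IPsec control and data-plane rules (UDP 500/4500, ESP, AH), and reports for each whether it is `quick` and whether it carries `route-to` or `reply-to`. The sample rule sets are the ones quoted in this post; the UDP 4500 (NAT-T) port is an addition to the ones the quoted rules cover. Whether these options cause the problem in this thread is not settled here; the script only makes the difference visible.

```python
"""Added example (not from the thread or pfSense): audit pf rules for IPsec traffic.

Feed it the output of `pfctl -sr` (one rule per line) and it returns, for each rule
that passes IKE (udp/500, udp/4500) or ESP/AH, whether the rule is `quick` and
whether it uses `route-to` / `reply-to`.
"""
import re

IPSEC_PROTOS = {"esp", "ah"}
IKE_PORTS = {"500", "4500"}  # 4500 (NAT-T) is an addition; the quoted rules only cover 500

# "pass in quick on em0 ..." / "pass out on $WAN route-to ( pppoe0 1.2.3.4 ) ..."
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?P<rest>.*)$"
)


def parse_rule(line):
    """Parse one pf rule line into a dict, or return None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    proto = re.search(r"\bproto\s+(\w+)", rest)
    port = re.search(r"\bport\s*=\s*(\d+)", rest)
    label = re.search(r'\blabel\s+"([^"]*)"', rest)
    return {
        "action": m["action"],
        "dir": m["dir"],
        "quick": m["quick"] is not None,
        "iface": m["iface"],
        "proto": proto.group(1) if proto else None,
        "port": port.group(1) if port else None,
        "route_to": re.search(r"\broute-to\b", rest) is not None,
        "reply_to": re.search(r"\breply-to\b", rest) is not None,
        "label": label.group(1) if label else "",
    }


def is_ipsec_rule(rule):
    """IKE on udp/500 (udp/4500 for NAT-T) and the ESP/AH data plane."""
    return rule["proto"] in IPSEC_PROTOS or (
        rule["proto"] == "udp" and rule["port"] in IKE_PORTS)


def audit(ruleset_text):
    """Return the parsed IPsec-related rules, in ruleset order."""
    rules = (parse_rule(line) for line in ruleset_text.splitlines())
    return [r for r in rules if r and is_ipsec_rule(r)]


def policy_routed(ruleset_text):
    """Labels of IPsec rules bound to a gateway with route-to or reply-to."""
    return [r["label"] for r in audit(ruleset_text) if r["route_to"] or r["reply_to"]]


def not_quick(ruleset_text):
    """Labels of IPsec pass rules without `quick`: in pf the last matching rule wins,
    so a later rule can still override these."""
    return [r["label"] for r in audit(ruleset_text)
            if r["action"] == "pass" and not r["quick"]]


# Sample input: the rule sets quoted in this post, rejoined to one rule per line.
PF20_RULES = """\
pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - outbound isakmp"
pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - inbound isakmp"
pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - outbound esp proto"
pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - inbound esp proto"
"""
PF123_RULES = """\
pass in quick on ${$iface} proto udp from any to any port = 500 keep state label "IPSEC: Mobile - inbound isakmp"
pass in quick on ${$iface} proto esp from any to any keep state label "IPSEC: Mobile - inbound esp proto"
pass in quick on ${$iface} proto ah from any to any keep state label "IPSEC: Mobile - inbound ah proto"
"""

if __name__ == "__main__":
    for name, text in (("2.0", PF20_RULES), ("1.2.3", PF123_RULES)):
        for r in audit(text):
            print(name, r["dir"], r["proto"], r["port"] or "-",
                  "quick" if r["quick"] else "-",
                  "route-to" if r["route_to"] else "-",
                  "reply-to" if r["reply_to"] else "-", r["label"])
```

Run it against `pfctl -sr` output on the firewall rather than against filter.inc, since that shows the rules pf actually loaded. In pf, a `pass` rule without `quick` is only a candidate: evaluation continues and the last matching rule wins, whereas `quick` stops evaluation at that rule. `route-to` and `reply-to` bind the matched traffic's outbound path, or the return path of its state, to the listed gateway.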
                  horsedragon, Mar 23, 2010, 7:47 AM

                  Does everything work fine for everyone?

                    horsedragon, Apr 15, 2010, 4:47 AM

                    Has the IPsec-tools 0.8 bug been solved?

                      jimp (Netgate developer), Apr 15, 2010, 4:51 AM

                      I don't think we have gotten a code update from them in a few months, so the situation is unlikely to have changed.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.