Racoon IPSEC Roadwarrior with shrewsoft and cisco VPN Client problems
-
Hi jimp,
i tested with 2.0-BETA4 (i386) built on Thu Oct 14 01:16:12 EDT 2010 FreeBSD 8.1-RELEASE-p1 (You are on the latest version.)
There is no newer snapshot available.
cya
-
There is a snapshot building now that will have the fixes, it isn't ready yet.
-
HI jimp,
updated to 2.0-BETA4 (i386) built on Mon Oct 18 15:51:06 EDT 2010 FreeBSD 8.1-RELEASE-p1
But problem isn't solved. Phase 2 still not working.
cya
-
Can't believe I overlooked this before, but did you actually set that up directly on the Tunnel tab, or the Mobile tab?
To connect in with the Shrew Soft client you should be configuring things from the Mobile tab, which will make a special mobile client phase 1 entry.
-
Hi jimp,
i configured on tunnel and mobile tab as u can see in screenshots on earlier posts. I'm sure this setup was working with Shrewsoft one month before.
My racoon config seems normal. I try with shrewsoft auto settings and with explicit p1 and p2 settings but nothing works.
Do u need more screenshots?
Cya
-
Ah, yeah I see it now, the Xauth part had me mixed up, since the PSK shows up on the phase 1 config then.
-
I hope this means u found the issue. :)
Little question btw ;D
1. Is it possible to use radius for Xauth? Radius auth test on Diagnostics -> Authentication works fine. I changed primary auth to radius on Users tab but it doesn't work for mobile ipsec.
Is there a workaround?
2. Status of mobile ipsec connections is always down even when mobile clients are connected. Is that a bug of the gui?
Cya
-
No, still haven't found the issue, I just thought I was reading something wrong in what you had there.
Radius for IPsec should have worked, though at one time the ipsec port was missing the radius bits. I haven't checked lately.
-
Hi jimp,
-> http://forum.pfsense.org/index.php/topic,30188.msg156312.html#msg156312
Shrewsoft Client: Policy Generation Level -> unique solves connection problems.
But Cisco VPN Client work only with vpn.inc modification.
racoon.conf for cisco vpn client (windows clients): change: sainfo subnet <lansubnet>/24 any anonymous to sainfo anonymous
Cya
-
We do print just "sainfo anonymous" in some cases, like pure-psk remote tunnels.
If it turns out that is really needed for xauth tunnels as well, I can amend the code to take that into account.
-
I just committed a change that should print just "sainfo anonymous" also for xauth-psk setups.
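As an added illustration of the change discussed in the last three posts (the manual vpn.inc edit and the "sainfo anonymous" output jimp now generates for xauth-psk), this is what the two phase 2 stanzas look like side by side in a racoon.conf. It is not config from the thread or from pfSense; the 192.168.1.0/24 LAN and the proposal parameters are assumed values.

```conf
# Phase 1 for roadwarriors: any peer, PSK + Xauth (assumed values)
remote anonymous {
        exchange_mode aggressive;
        my_identifier address;
        proposal_check obey;
        nat_traversal on;
        generate_policy on;
        mode_cfg on;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
}

# Phase 2 as written before the fix. The peer's phase 2 IDs must be
# "192.168.1.0/24 <-> any"; a client that proposes a different ID pair
# (as the Cisco client does) finds no matching sainfo and phase 2 fails.
#sainfo subnet 192.168.1.0/24 any anonymous {
#        pfs_group 2;
#        encryption_algorithm aes 256;
#        authentication_algorithm hmac_sha1;
#        compression_algorithm deflate;
#}

# Phase 2 after the change: racoon skips the identifier match and uses
# this block for whatever phase 2 IDs the authenticated peer proposes.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Only the phase 2 identifier comparison is relaxed by "sainfo anonymous"; the peer still has to pass the PSK and Xauth checks of the "remote anonymous" block before any phase 2 is negotiated.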