IPsec connection with Shrew 2.1.7 - found and fixed config issue
I just upgraded my ShrewSoft IPsec VPN client to 2.1.7, and also upgraded to the latest current pfSense 2 beta snapshot. At that time my IPsec VPN would connect but failed to pass any traffic; it was working before (Mutual PSK + Xauth, Mobile Clients option). Using the Trace utility in Shrew I was able to see that Phase 2 would retry 3 times then fail, then try again, etc., but never fully establish. Some Googling led me to http://blog.gmane.org/gmane.network.vpn.shrew.user and specifically I noticed http://permalink.gmane.org/gmane.network.vpn.shrew.user/1370 which says, "Try changing the policy generation level to unique instead of auto." It's an option in the Policy tab of the Shrew client, called Policy Generation Level, and when it's set to default, I had the issue I described, but when I changed it manually to "unique" it connects and passes traffic again!
On Auto, the logging I get in the IKE log in the Shrew Trace client with logging level set to Debug includes these lines, variously picked because they appear relevant and may help someone find this post if they have the same problem:
10/11/18 01:46:21 DB : phase2 resend event scheduled ( ref count = 2 )
10/11/18 01:46:25 ii : resend limit exceeded for phase2 exchange
10/11/18 01:46:25 ii : phase2 removal before expire time
10/11/18 01:46:25 DB : phase2 deleted ( obj count = 1 )
10/11/18 01:46:26 -> : resend 1 phase2 packet(s) 10.177.4.4:500 -> 30.67.32.11:500
Also:
0/11/18 01:45:49 DB : phase2 resend event scheduled ( ref count = 2 )
10/11/18 01:45:49 ii : resend limit exceeded for phase2 exchange
10/11/18 01:45:49 ii : phase2 removal before expire time
10/11/18 01:45:49 DB : phase2 deleted ( obj count = 2 )
10/11/18 01:45:52 ii : resend limit exceeded for phase2 exchange
10/11/18 01:45:52 ii : phase2 removal before expire time
10/11/18 01:45:52 DB : phase2 deleted ( obj count = 1 )
Additionally, the pfSense IPsec logs were looping these messages over and over:
Nov 18 01:46:00 racoon: [Mobile IPsec]: INFO: respond new phase 2 negotiation: 30.67.32.11[500]<=>44.57.58.23[500]
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to pre-process packet.
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to get sainfo.
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to get sainfo.
I'm obtaining the topology automatically, getting an IP via DHCP, using split DNS, etc. among other settings, though I don't think most of them are relevant to this issue. Additionally, it cost me at least an hour of sleep, probably closer to two. You're welcome :-) Hope it helps someone else get some additional sleep…
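As an added example (not part of the original post, and not code from ShrewSoft or pfSense), the following Python script parses the two log excerpts quoted above, the Shrew IKE trace and the pfSense racoon log, and turns the repeating pattern into a pair of findings plus the check the post describes. The log lines embedded in the script are copied from the post; the regular expressions, the threshold and the function names are assumptions made for this example rather than anything the tools themselves define.

```python
import re

# Sample lines copied from the post above: the Shrew IKE trace (Debug level)
# and the pfSense racoon log. They are the post's own output, not newly generated.
SHREW_TRACE = """\
10/11/18 01:46:21 DB : phase2 resend event scheduled ( ref count = 2 )
10/11/18 01:46:25 ii : resend limit exceeded for phase2 exchange
10/11/18 01:46:25 ii : phase2 removal before expire time
10/11/18 01:46:25 DB : phase2 deleted ( obj count = 1 )
10/11/18 01:46:26 -> : resend 1 phase2 packet(s) 10.177.4.4:500 -> 30.67.32.11:500
10/11/18 01:45:49 ii : resend limit exceeded for phase2 exchange
10/11/18 01:45:52 ii : resend limit exceeded for phase2 exchange
"""

RACOON_LOG = """\
Nov 18 01:46:00 racoon: [Mobile IPsec]: INFO: respond new phase 2 negotiation: 30.67.32.11[500]<=>44.57.58.23[500]
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to pre-process packet.
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to get sainfo.
Nov 18 01:45:55 racoon: [Mobile IPsec]: ERROR: failed to get sainfo.
"""

# Shrew trace line: "<date> <time> <tag> : <message>" (pattern assumed from the excerpt)
SHREW_LINE = re.compile(r"^(\S+ \S+) (\S+) : (.*)$")
# "resend 1 phase2 packet(s) 10.177.4.4:500 -> 30.67.32.11:500"
SHREW_RESEND = re.compile(r"resend \d+ phase2 packet\(s\) (\S+?):\d+ -> (\S+?):\d+")
# racoon syslog line: "<Mon DD HH:MM:SS> racoon: [<tunnel>]: <LEVEL>: <message>"
RACOON_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: \[(.*?)\]: (\w+): (.*)$")
RACOON_NEGOTIATION = re.compile(r"respond new phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")


def parse_shrew(text):
    """Count client-side phase 2 give-ups and record which peers were involved."""
    summary = {"resend_limit_exceeded": 0, "phase2_deleted": 0, "peers": set()}
    for line in text.splitlines():
        m = SHREW_LINE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("resend limit exceeded for phase2 exchange"):
            summary["resend_limit_exceeded"] += 1
        elif msg.startswith("phase2 deleted"):
            summary["phase2_deleted"] += 1
        r = SHREW_RESEND.search(msg)
        if r:
            summary["peers"].add((r.group(1), r.group(2)))
    return summary


def parse_racoon(text):
    """Count responder-side phase 2 attempts and sainfo lookup failures."""
    summary = {"negotiations": 0, "sainfo_failures": 0, "preprocess_failures": 0, "peers": set()}
    for line in text.splitlines():
        m = RACOON_LINE.match(line)
        if not m:
            continue
        level, msg = m.group(3), m.group(4)
        n = RACOON_NEGOTIATION.search(msg)
        if n:
            summary["negotiations"] += 1
            summary["peers"].add((n.group(1), n.group(2)))
        elif level == "ERROR" and msg.startswith("failed to get sainfo"):
            summary["sainfo_failures"] += 1
        elif level == "ERROR" and msg.startswith("failed to pre-process packet"):
            summary["preprocess_failures"] += 1
    return summary


def diagnose(shrew, racoon, threshold=2):
    """Turn both summaries into findings; the suggested check is the workaround from the post."""
    findings = []
    if shrew["resend_limit_exceeded"] >= threshold:
        findings.append(
            "client: phase 2 hit the resend limit %d times; phase 1 is up but no IPsec SA is being built"
            % shrew["resend_limit_exceeded"])
    if racoon["sainfo_failures"]:
        findings.append(
            "server: racoon reported 'failed to get sainfo' %d times, i.e. no sainfo entry matched the "
            "phase 2 selectors the client proposed" % racoon["sainfo_failures"])
    if findings:
        findings.append(
            "check: Shrew client Policy tab, Policy Generation Level; the post reports that switching "
            "it from auto to unique made phase 2 complete")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_shrew(SHREW_TRACE), parse_racoon(RACOON_LOG)):
        print(finding)
```

The two parsers are kept separate because the client and server logs carry complementary evidence: the Shrew trace shows the initiator giving up on phase 2 after its resend limit, while the racoon side shows why the responder never answers (no matching sainfo for the proposed selectors). Seeing both at once is what points at the phase 2 policy selectors, and therefore at the Policy Generation Level setting, rather than at authentication or phase 1.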