IPsec mobile clients in 2.0 not working?
-
Try changing the proposal checking to "obey"
Are the clients other routers, or software clients?
2.0 Mobile IPsec works for me, but I've only been using it with Android and iOS clients lately.
-
try - not working
other clients - routers
-
Probably you're hitting this then:
http://redmine.pfsense.org/issues/1351
You can convert your "mobile" clients to real tunnels using dyndns hostnames as their peer addresses, rather than relying on mobile tunnels.
It works fine that way.
-
clients do not have real IPs… and I have more than 400 clients
-
Not sure what to tell you then - that isn't a standard type of deployment, and anyone else hitting it moved on to real tunnels or OpenVPN. It's on the list to be fixed, but as far as I'm aware there aren't any real leads on a fix yet.
-
No ideas at all?
My configuration is working with 1.2.3 and the client
-
client: D-Link 804
-
We have an idea - it's a known issue - but no leads on a fix.
We have all the info we need already from others, but the info we really need (if you want to provide more) is the contents of:
/var/etc/racoon.conf
/var/etc/spd.conf
And the output of:
setkey -D
setkey -DP
And the IPs involved in the connection at the time, plus the IPsec log details (it's probably just saying it can't locate an SA, even though it looks like one exists)
-
from 1.2.3 or 2.0 ?
-
2.0
-
in files:
ipsec log in debug mode & /var/etc/racoon.conf & /var/etc/spd.conf & setkey -D & setkey -DP
files: 1.2.3 - worked
pfsense - only updated
pfsense updated + disable nat-t in all variants - client settings not changed
[1.2.3 -worked.txt](/public/imported_attachments/1/1.2.3 -worked.txt)
[pfsense - updated.txt](/public/imported_attachments/1/pfsense - updated.txt)
[disable nat-t on pfsense.txt](/public/imported_attachments/1/disable nat-t on pfsense.txt)
-
jimp, I can send you the username \ password in PM for the client and pfsense
-
up
-
It's already a known issue and the solution will not be fast. Just keep an eye on the ticket for any updates.
-
Tell me where to watch for updates? Or will they be seen in pfSense?
-
On the ticket. If any progress is made, someone will update that ticket.
-
jimp, can you clarify whether this is likely to be the same issue as this:
http://forum.pfsense.org/index.php/topic,41631.0.html
and if so, would the same information you asked for here be relevant? I would really like to help however possible to see this resolved.
Thanks.
-
in 2.0.1 not working & nat-t not working…
-
i was having problems with 2.0 and 2.1 for shrew ipsec clients where the initial connection would work fine, later subsequent connections would seem to connect but would fail to pass data
i tried disabling NAT-T and DPD as suggested elsewhere in this forum, but the ultimate fix was to set up the pfsense and shrew client per typical "road warrior" configs
e.g. http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
with the EXCEPTION of setting the P1 Proposal Generation to "Unique" instead of "Default"
[that setting change is noted in the redmine link mentioned in this thread, but it's in a slightly different context of multiple clients coming from the same nat network]
anyway, since making that change, i haven't seen the problem where later reconnects fail, and no need to disable NAT-T and DPD
maybe that setting will work for you