Netgate Discussion Forum

    PfSense 2.0-RC1: Road warrior with shrew client failing in phase 2

    IPsec
    15 Posts 10 Posters 22.2k Views
    • chroot

      I have the same issue. Did you guys solve the problem?

      • jimp (Rebel Alliance Developer, Netgate)

        If you're on a current snapshot, try setting the Policy Generation to Unique, and Proposal Checking to Obey in the mobile phase 1 settings.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • covex

          Hi there!
          I upgraded from pfSense 1.2.3 to RC3 and now the mobile client config that used to work doesn't work anymore.
          This is what I get in the log:

          Jun 28 14:29:12 	racoon: INFO: unsupported PF_KEY message REGISTER
          Jun 28 14:29:14 	racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
          Jun 28 14:29:14 	racoon: INFO: begin Aggressive mode.
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: RFC 3947
          Jun 28 14:29:14 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: DPD
          Jun 28 14:29:14 	racoon: INFO: received Vendor ID: CISCO-UNITY
          Jun 28 14:29:14 	racoon: [shrew ip here] INFO: Selected NAT-T version: RFC 3947
          Jun 28 14:29:14 	racoon: INFO: Adding remote and local NAT-D payloads.
          Jun 28 14:29:14 	racoon: [shrew ip here] INFO: Hashing [shrew ip here][500] with algo #2
          Jun 28 14:29:14 	racoon: [Self]: [pfsense ip here] INFO: Hashing [pfsense ip here][500] with algo #2
          Jun 28 14:29:15 	racoon: [Self]: [pfsense ip here] INFO: Hashing [pfsense ip here][500] with algo #2
          Jun 28 14:29:15 	racoon: INFO: NAT-D payload #0 verified
          Jun 28 14:29:15 	racoon: [shrew ip here] INFO: Hashing [shrew ip here][500] with algo #2
          Jun 28 14:29:15 	racoon: INFO: NAT-D payload #1 verified
          Jun 28 14:29:15 	racoon: INFO: NAT not detected
          Jun 28 14:29:15 	racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:483385b9e67cf8d8:525a565c46b563db
          Jun 28 14:29:15 	racoon: [shrew ip here] INFO: received INITIAL-CONTACT
          Jun 28 14:29:15 	racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
          Jun 28 14:29:15 	racoon: INFO: no policy found, try to generate the policy : 192.168.16.1/32[0] 0.0.0.0/0[0] proto=any dir=in
          Jun 28 14:29:15 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=136095396(0x81ca6a4)
          Jun 28 14:29:15 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1619584014(0x6088e40e)
          Jun 28 14:29:19 	racoon: ERROR: no configuration found for [shrew ip here].
          Jun 28 14:29:19 	racoon: ERROR: failed to begin ipsec sa negotication.
          

          I'm not sure why at the end of the log it says "no configuration found for…" and shows Shrew's IP, even though it is set everywhere to identify remote clients by key identifier.
          Shrew says "tunnel enabled" but nothing goes through.

          • jimp

            See my previous reply, right above yours.

            • covex

              It didn't help; I tried that before posting.

              • jimp

                Keep an eye on http://redmine.pfsense.org/issues/1351 then.

                • eri--

                  Can you try with policy Unique and proposal checking Strict?
                  I was getting the same errors as you and that worked for me.

                  Also set NAT-T to force

                  • covex

                    Still no luck. Shrew says "tunnel enabled". This is what I get on the pfSense side now:

                    Jun 30 15:07:41 	racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
                    Jun 30 15:07:41 	racoon: INFO: begin Aggressive mode.
                    Jun 30 15:07:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
                    Jun 30 15:07:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
                    Jun 30 15:07:41 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                    Jun 30 15:07:41 	racoon: INFO: received Vendor ID: DPD
                    Jun 30 15:07:41 	racoon: INFO: received Vendor ID: CISCO-UNITY
                    Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
                    Jun 30 15:07:41 	racoon: INFO: Adding remote and local NAT-D payloads.
                    Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: Hashing [shrew ip here][500] with algo #2 (NAT-T forced)
                    Jun 30 15:07:41 	racoon: [Self]: [[pfsense ip here]] INFO: Hashing [pfsense ip here][500] with algo #2 (NAT-T forced)
                    Jun 30 15:07:41 	racoon: INFO: NAT-D payload #0 doesn't match
                    Jun 30 15:07:41 	racoon: INFO: NAT-D payload #1 doesn't match
                    Jun 30 15:07:41 	racoon: INFO: NAT detected: ME PEER
                    Jun 30 15:07:41 	racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
                    Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: received INITIAL-CONTACT
                    Jun 30 15:07:42 	racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
                    Jun 30 15:07:42 	racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
                    Jun 30 15:07:42 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                    Jun 30 15:07:42 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                    Jun 30 15:07:43 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=203160921(0xc1bfd59)
                    Jun 30 15:07:43 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1243535497(0x4a1ed889)
                    

                    OK, got it working! On the Shrew side NAT-T should be set to "force-rfc"; "force-draft" doesn't work.

                    • horsedragon

                      Yes, the same error. I use a gateway that has a dynamic IP on the other side. On the gateway, the log shows the tunnel established, and in pfSense 2.0 RC the IPsec log shows the tunnel established too, but when I ping from pfSense or from the dynamic-IP gateway, pfSense gives me the following log:

                      Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
                      Jul 1 14:18:50 racoon: ERROR: no configuration found for 125.34.55.47.
                      Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=95581441(0x5b27501)
                      Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=222874605(0xd48cbed)
                      Jul 1 14:18:32 racoon: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.18.0/24[0] proto=any dir=in
                      Jul 1 14:18:32 racoon: [Self]: INFO: respond new phase 2 negotiation: 125.34.55.201[500]<=>125.34.55.47[500]
                      Jul 1 14:18:27 racoon: INFO: unsupported PF_KEY message REGISTER

                      and no traffic between the gateway and pfSense!
                      I tried policy "unique" with proposal "obey", and policy "unique" with proposal "strict"; the error is the same.

                      • dwood

                        We've been good with mobile access (on one WAN only, though) using Shrew and Windows Vista/7 64-bit. I posted the links/tweaks here: http://forums.smallnetbuilder.com/showpost.php?p=34663&postcount=7

                        I had the racoon configuration errors too, but changing policy generation to "unique" fixed the error. I followed the guide posted pretty much to the letter otherwise.

                        By the way, Shrew may show the tunnel established, but if you see no security associations established (Network tab in the VPN Connect window) when you attempt to access a VPN IP, then you're going nowhere.
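The three racoon logs posted above (covex's failing and later attempts, and horsedragon's, whose syslog view printed the newest line first) carry the same decisive facts in different places: which IKE mode and NAT-T version were negotiated, whether NAT was detected, whether the ISAKMP and ESP SAs came up, and whether racoon then logged "no configuration found for <peer>" followed by "failed to begin ipsec sa negotication". That error pair is logged on racoon's initiator side: the kernel asked it, via a PF_KEY ACQUIRE, to set up an SA for outbound traffic toward that address and it found no usable `remote` configuration for it. That is why the message names the peer's IP even though the responder exchange identified the client by key ID, and why both ESP SAs can be established and the client can still show "tunnel enabled" while nothing passes. The script below is an added example (not code from the thread, from pfSense or from ipsec-tools) that parses such an excerpt, restores chronological order if the view was reversed, and reduces it to a verdict; it also flags aggressive mode, which all three logs show, since with a pre-shared key that mode exposes a hash derived from the secret to offline cracking. The sample logs inside it are constructed to mirror the three posted above, with RFC 5737 documentation addresses (203.0.113.1 for pfSense, 198.51.100.7 for the peer) standing in for the real or redacted IPs.

```python
"""Summarize a racoon (ipsec-tools) IKE log excerpt for one peer. Added example,
not code from the thread, pfSense or ipsec-tools; samples are constructed."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                     r"(?P<time>\d\d:\d\d:\d\d)\s+racoon:\s*(?P<msg>.*)$")
PEER_RE = re.compile(r"<=>(\S+?)\[\d+\]")
NATT_RE = re.compile(r"Selected NAT-T version: (.+)$")
POLICY_RE = re.compile(r"try to generate the policy : (.+)$")
SPI_RE = re.compile(r"IPsec-SA established: .*\bspi=(\d+)\(")
NOCONF_RE = re.compile(r"no configuration found for (\S+?)\.?$")

# Constructed after the first log above: both SAs come up, then the ACQUIRE error.
FAILING_LOG = """\
Jun 28 14:29:14 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
Jun 28 14:29:14 racoon: INFO: begin Aggressive mode.
Jun 28 14:29:14 racoon: 198.51.100.7 INFO: Selected NAT-T version: RFC 3947
Jun 28 14:29:15 racoon: INFO: NAT not detected
Jun 28 14:29:15 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:483385b9e67cf8d8:525a565c46b563db
Jun 28 14:29:15 racoon: INFO: no policy found, try to generate the policy : 192.168.16.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jun 28 14:29:15 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=136095396(0x81ca6a4)
Jun 28 14:29:15 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=1619584014(0x6088e40e)
Jun 28 14:29:19 racoon: ERROR: no configuration found for 198.51.100.7.
Jun 28 14:29:19 racoon: ERROR: failed to begin ipsec sa negotication.
"""
# Constructed after the second log above (NAT-T forced): SAs up, no error logged.
CLEAN_LOG = """\
Jun 30 15:07:41 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
Jun 30 15:07:41 racoon: INFO: begin Aggressive mode.
Jun 30 15:07:41 racoon: [198.51.100.7] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 racoon: INFO: NAT detected: ME PEER
Jun 30 15:07:41 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
Jun 30 15:07:42 racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=203160921(0xc1bfd59)
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=1243535497(0x4a1ed889)
"""
# Constructed after the site-to-site log above: newest line first, phase 1 not shown.
REVERSED_LOG = """\
Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 1 14:18:50 racoon: ERROR: no configuration found for 198.51.100.7.
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=95581441(0x5b27501)
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=222874605(0xd48cbed)
Jul 1 14:18:32 racoon: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.18.0/24[0] proto=any dir=in
Jul 1 14:18:32 racoon: [Self]: INFO: respond new phase 2 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
Jul 1 14:18:27 racoon: INFO: unsupported PF_KEY message REGISTER
"""

def parse(text):
    """(timestamp, message) pairs in chronological order. If the first stamp is
    later than the last (a newest-first syslog view, as in one post above),
    reverse before the stable sort so same-second lines keep their order."""
    entries = []
    for raw in text.splitlines():
        if m := LINE_RE.match(raw.strip()):  # syslog has no year; 1900 is fine
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}",
                                   "%b %d %H:%M:%S")
            entries.append((ts, m["msg"]))
    if len(entries) > 1 and entries[0][0] > entries[-1][0]:
        entries.reverse()
    entries.sort(key=lambda e: e[0])
    return entries

def grab(rx, msg):
    m = rx.search(msg)
    return m.group(1) if m else None

def summarize(text):
    """Collect the facts that decide whether the tunnel can carry traffic."""
    s = {"peer": None, "mode": None, "nat_t": None, "nat_detected": None,
         "isakmp_sa": False, "generated_policy": None, "esp_spis": [],
         "no_config_for": None, "errors": [], "warnings": []}
    for _, msg in parse(text):
        s["peer"] = s["peer"] or grab(PEER_RE, msg)
        if "begin Aggressive mode" in msg:  # PSK-derived hash is sent unencrypted
            s["mode"] = "aggressive"
            s["warnings"].append("aggressive mode with PSK: offline PSK cracking")
        elif "begin Identity Protection mode" in msg:
            s["mode"] = "main"
        s["nat_t"] = grab(NATT_RE, msg) or s["nat_t"]
        if "NAT not detected" in msg:
            s["nat_detected"] = False
        elif "NAT detected:" in msg:
            s["nat_detected"] = True
        s["isakmp_sa"] |= "ISAKMP-SA established" in msg
        s["generated_policy"] = grab(POLICY_RE, msg) or s["generated_policy"]
        if spi := grab(SPI_RE, msg):
            s["esp_spis"].append(int(spi))
        if "ERROR:" in msg:  # racoon's initiator (ACQUIRE) path logs both errors
            s["errors"].append(msg.split("ERROR:", 1)[1].strip())
            s["no_config_for"] = grab(NOCONF_RE, msg) or s["no_config_for"]
    s["verdict"] = verdict(s)
    return s

def verdict(s):
    """Map the summary onto the outcomes seen in this thread."""
    if s["esp_spis"]:  # ESP SAs up, yet racoon could not initiate to the peer:
        # the "tunnel enabled, nothing goes through" symptom
        return "sa-up-no-config" if s["no_config_for"] else "sas-up-no-error"
    return "phase2-failed" if s["isakmp_sa"] else "phase1-incomplete"

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("clean", CLEAN_LOG), ("reversed", REVERSED_LOG)):
        print(name, summarize(log)["verdict"])
```

Run it as is to see the three verdicts, or paste a real excerpt into `summarize()`. A "sas-up-no-error" result is necessary but not sufficient: it only says racoon logged no initiator failure, so, as dwood notes further down, still confirm on the client that security associations actually exist before trusting the "tunnel enabled" indicator.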

                        • Vorkbaard

                          I had this same problem. Here's how I solved it: https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

                          Sorry for posting the link twice.

                          • samoied

                            This site is down. Can you please post your solution here?

                            I'm having the same problem, using iOS devices to connect to pfSense.

                            • Vorkbaard

                              That tutorial is now here: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.