Netgate Discussion Forum

Invalid Exchange type?

  • ?
    Guest
    last edited by Feb 2, 2007, 12:50 AM

    I am working on trying to get mobile clients to work with my IPsec VPN so I can get access to some network resources.  Here's what I'm getting:

    racoon: ERROR: Invalid exchange type 6 from (my IP)[500]. 
    INFO: ISAKMP-SA established (pfsense IP - external)[500]-(my IP)[500] spi:(long key) 
    INFO: received Vendor ID: RFC 3947 
    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
    INFO: received Vendor ID: CISCO-UNITY 
    INFO: begin Aggressive mode. 
    INFO: respond new phase 1 negotiation: (pfsense IP - external)[500]<=>(my IP)[500] 
    
    

    Anyone have any suggestions as to what I can do to get the correct exchange type?  I am using Shrew Soft VPN on Windows XP SP2 (behind a NAT) and connecting to an IPsec VPN on a 1.0.1 pfsense box.

    • R
      razor2000
      last edited by Feb 18, 2007, 6:59 PM

      I just installed the Shrew Soft VPN client and get the same error as you when trying to connect to a pfsense IPSEC endpoint.  I did some searching and saw this posted on the Shrew.net lists:

      _Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It
      appears that pfsense either doesn't have an interface for isakmp modecfg
      setup or the version you are using has it disabled. Modecfg is what
      allows for all the dynamic configuration of the client. Support for this
      feature can be enabled by compiling ipsec-tools with the hybrid option.

      But please note, not all versions of ipsec-tools support all the
      options that the client does. The ipsec-tools project is about to branch
      0.7 which will support all the features the client does in a stable
      release branch ( see the notes in the client documentation features list ).

      You should still be able to use the client with pfsense but you will
      need to make sure that …

      1. the pfsense ipsec-tools version supports the generate policy option
      2. you disable all the dynamic client configuration feature
      3. it uses the hook scripts to punch holes in pf for vpn client traffic

      Hope this helps,

      -Matthew_

      This was posted on 9-26-2006 at: http://lists.shrew.net/pipermail/vpn-help/2006-September/000568.html

      This VPN client does look neat though…

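The exchange type racoon complains about is a single byte at offset 18 of the ISAKMP header, so a capture of the rejected packet shows directly whether the client sent a mode-config (type 6) exchange as the quoted explanation says. The following is an added example, not code from this thread, Shrew Soft or pfsense; the function names and the sample packets are constructed for illustration, and the exchange-type names follow RFC 2408, RFC 2409 and the mode-config draft.

```python
import struct

# Exchange types from RFC 2408 section 3.1, the IKEv1 values from RFC 2409,
# and Transaction (6) as used by the ISAKMP mode-config draft.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (mode-config)", 32: "Quick mode", 33: "New Group mode",
}
HEADER = struct.Struct("!8s8sBBBBII")   # fixed 28-byte ISAKMP header
NON_ESP_MARKER = b"\x00" * 4            # precedes IKE on UDP 4500 (RFC 3948)


def parse_isakmp_header(payload: bytes, udp_port: int = 500) -> dict:
    """Decode the fixed ISAKMP header from one UDP payload."""
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            raise ValueError("not an IKE packet (ESP or NAT keepalive)")
        payload = payload[4:]
    if len(payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, _next_payload, version,
     xchg, flags, msg_id, length) = HEADER.unpack_from(payload)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unassigned/private"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "length_ok": length == len(payload),
    }


def constructed_packet(xchg: int, msg_id: int, flags: int = 0x01) -> bytes:
    """Build a sample packet (constructed test data, not a real capture)."""
    body = b"\x00" * 12  # placeholder standing in for the encrypted payloads
    return HEADER.pack(bytes(range(1, 9)), bytes(range(9, 17)), 8, 0x10,
                       xchg, flags, msg_id, HEADER.size + len(body)) + body


if __name__ == "__main__":
    pkt = constructed_packet(6, 0x1A2B3C4D)
    for port, data in ((500, pkt), (4500, NON_ESP_MARKER + pkt)):
        h = parse_isakmp_header(data, port)
        print(f"udp/{port}: exchange type {h['exchange_type']} = "
              f"{h['exchange_name']}, message id {h['message_id']:#x}")
```
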
      • ?
        Guest
        last edited by Feb 19, 2007, 11:28 PM

        Thank you!

        Wonder if there is an option for the generate policy deep inside pfsense =0
