PfSense 2.0-RC1: Road warrior with shrew client failing in phase 2

jimp

See my previous reply, right above yours.

covex

it didn't help, i've tried that before posting

jimp

Keep an eye on http://redmine.pfsense.org/issues/1351 then

eri--

Can you try with policy unique and proposal checking strict.
I was getting the same errors as you and that worked for me.

Also set NAT-T to force

covex

still no luck. shrew says "tunnel enabled". this is what i get on pfsense side now

Jun 30 15:07:41 	racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:41 	racoon: INFO: begin Aggressive mode.
Jun 30 15:07:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Jun 30 15:07:41 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 30 15:07:41 	racoon: INFO: received Vendor ID: DPD
Jun 30 15:07:41 	racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 	racoon: INFO: Adding remote and local NAT-D payloads.
Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: Hashing [shrew ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 	racoon: [Self]: [[pfsense ip here]] INFO: Hashing [pfsense ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 	racoon: INFO: NAT-D payload #0 doesn't match
Jun 30 15:07:41 	racoon: INFO: NAT-D payload #1 doesn't match
Jun 30 15:07:41 	racoon: INFO: NAT detected: ME PEER
Jun 30 15:07:41 	racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
Jun 30 15:07:41 	racoon: [[shrew ip here]] INFO: received INITIAL-CONTACT
Jun 30 15:07:42 	racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:42 	racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
Jun 30 15:07:42 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 30 15:07:42 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 30 15:07:43 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=203160921(0xc1bfd59)
Jun 30 15:07:43 	racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1243535497(0x4a1ed889)

ok, got it working! on the shrew side nat-t should be set to "force-rfc", "force-draft" doesn't work.

horsedragon

yes, the same error, I use a gateway who use dynamic IP in the another side, in gateway, the log show tunnel established, in pfsense rc2.0 the ipsec log show tunnel established too, but when I ping from pfsense or dynamic ip gateway, pfsense give me the log following:

Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 1 14:18:50 racoon: ERROR: no configuration found for 125.34.55.47.
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=95581441(0x5b27501)
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=222874605(0xd48cbed)
Jul 1 14:18:32 racoon: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.18.0/24[0] proto=any dir=in
Jul 1 14:18:32 racoon: [Self]: INFO: respond new phase 2 negotiation: 125.34.55.201[500]<=>125.34.55.47[500]
Jul 1 14:18:27 racoon: INFO: unsupported PF_KEY message REGISTER

and no traffic between gateway and pfsense!
I try policy "unique" proposal "obey", and policy "unique" and proposal "strict",  error is the same

dwood

We've been good with mobile access (on one WAN only though) using SHREW and windows vista/7 64 bit.  I posted the links/tweaks here: http://forums.smallnetbuilder.com/showpost.php?p=34663&postcount=7

I had the racoon configuration errors too, but changing policy gen to "unique" fixed the error.  I followed the guide posted pretty much to the letter otherwise.

Btw, SHREW may show tunnel established but if you see no security associations established (Network Tab in VPN Connect Window) when you attempt to access a VPN IP..then you're going nowhere.

Vorkbaard

I had this same problem. Here's how I solved it: https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

Sorry for posting the link twice.

samoied

This site is down. Can you please post you solution here?

I'm havin teh same problem, using iOS devices to connect to pfSense.

Vorkbaard

That tutorial is now here: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth