PfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
-
See my previous reply, right above yours.
-
It didn't help, I've tried that before posting.
-
Keep an eye on http://redmine.pfsense.org/issues/1351 then
-
Can you try with policy unique and proposal checking strict?
I was getting the same errors as you and that worked for me. Also set NAT-T to force.
-
Still no luck. Shrew says "tunnel enabled". This is what I get on the pfSense side now:
Jun 30 15:07:41 racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:41 racoon: INFO: begin Aggressive mode.
Jun 30 15:07:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Jun 30 15:07:41 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 30 15:07:41 racoon: INFO: received Vendor ID: DPD
Jun 30 15:07:41 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: Hashing [shrew ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 racoon: [Self]: [[pfsense ip here]] INFO: Hashing [pfsense ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 racoon: INFO: NAT-D payload #0 doesn't match
Jun 30 15:07:41 racoon: INFO: NAT-D payload #1 doesn't match
Jun 30 15:07:41 racoon: INFO: NAT detected: ME PEER
Jun 30 15:07:41 racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: received INITIAL-CONTACT
Jun 30 15:07:42 racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:42 racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
Jun 30 15:07:42 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 30 15:07:42 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=203160921(0xc1bfd59)
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1243535497(0x4a1ed889)
OK, got it working! On the Shrew side NAT-T should be set to "force-rfc"; "force-draft" doesn't work.
-
Yes, the same error. I use a gateway which uses a dynamic IP on the other side. In the gateway, the log shows tunnel established; in pfSense rc2.0 the IPsec log shows tunnel established too, but when I ping from pfSense or the dynamic IP gateway, pfSense gives me the following log:
Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 1 14:18:50 racoon: ERROR: no configuration found for 125.34.55.47.
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=95581441(0x5b27501)
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=222874605(0xd48cbed)
Jul 1 14:18:32 racoon: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.18.0/24[0] proto=any dir=in
Jul 1 14:18:32 racoon: [Self]: INFO: respond new phase 2 negotiation: 125.34.55.201[500]<=>125.34.55.47[500]
Jul 1 14:18:27 racoon: INFO: unsupported PF_KEY message REGISTER
And no traffic between the gateway and pfSense!
I tried policy "unique" and proposal "obey", and policy "unique" and proposal "strict"; the error is the same.
-
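The two racoon logs quoted above (Shrew road warrior and the dynamic-IP gateway) can be triaged the same way: group events by peer address and check phase 1, NAT detection, phase 2 policy generation, ESP SAs and "no configuration found" errors. The following is an added example, not code from this thread or from pfSense; the sample log is constructed from the lines quoted here with placeholder addresses, and the regexes assume racoon's log wording as shown in the thread.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the racoon lines quoted in this thread; addresses are placeholders
SAMPLE_LOG = """\
Jun 30 15:07:41 racoon: [Self]: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.7[500]
Jun 30 15:07:41 racoon: INFO: NAT detected: ME PEER
Jun 30 15:07:41 racoon: [Self]: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.7[500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
Jun 30 15:07:42 racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=203160921(0xc1bfd59)
Jul 1 14:18:50 racoon: ERROR: no configuration found for 203.0.113.9.
Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
"""
# One regex per racoon event of interest; events without an address are tied to the peer last seen negotiating
NEGOTIATE = re.compile(r"respond new phase \d negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]")
PHASE1 = re.compile(r"ISAKMP-SA established \S+\[\d+\]-(\S+)\[\d+\]")
NAT = re.compile(r"NAT detected: (.+)$")
POLICY = re.compile(r"no policy found, try to generate the policy : (\S+) (\S+)")
ESP = re.compile(r"IPsec-SA established: ESP \S+\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
NOCONF = re.compile(r"no configuration found for (\S+)\.$")

def summarize(log_text):
    peers = defaultdict(lambda: {"phase1": False, "nat": None, "policies": [], "esp_spis": [], "errors": []})
    current = None
    for line in log_text.splitlines():
        if m := NEGOTIATE.search(line):
            current = m.group(1)
        elif m := PHASE1.search(line):
            current = m.group(1)
            peers[current]["phase1"] = True
        elif (m := NAT.search(line)) and current:
            peers[current]["nat"] = m.group(1).strip()
        elif (m := POLICY.search(line)) and current:
            peers[current]["policies"].append((m.group(1), m.group(2)))  # local and remote selectors
        elif m := ESP.search(line):
            peers[m.group(1)]["esp_spis"].append(int(m.group(2)))
        elif m := NOCONF.search(line):
            peers[m.group(1)]["errors"].append("no configuration found")
    return dict(peers)

def diagnose(peers):
    # Map each peer's state to the checks this thread walks through: phase 1, NAT-T, phase 2 policy, ESP SAs
    findings = []
    for peer, s in sorted(peers.items()):
        if "no configuration found" in s["errors"]:
            findings.append(f"{peer}: racoon has no remote configuration for this address and cannot initiate to it")
        elif s["phase1"] and not s["esp_spis"]:
            findings.append(f"{peer}: phase 1 up but no ESP SA; check phase 2 policy/proposal and the NAT-T setting")
        elif s["phase1"]:
            findings.append(f"{peer}: phase 1 up, {len(s['esp_spis'])} ESP SA(s), NAT={s['nat']}, {len(s['policies'])} generated policy")
    return findings
```

Feed it the IPsec log exported from the pfSense status page (or `/var/log/ipsec.log`) instead of SAMPLE_LOG to get one line per peer.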
We've been good with mobile access (on one WAN only though) using SHREW and Windows Vista/7 64-bit. I posted the links/tweaks here: http://forums.smallnetbuilder.com/showpost.php?p=34663&postcount=7
I had the racoon configuration errors too, but changing policy gen to "unique" fixed the error. I followed the guide posted pretty much to the letter otherwise.
Btw, SHREW may show tunnel established, but if you see no security associations established (Network tab in the VPN Connect window) when you attempt to access a VPN IP... then you're going nowhere.
-
I had this same problem. Here's how I solved it: https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
Sorry for posting the link twice.
-
This site is down. Can you please post your solution here?
I'm having the same problem, using iOS devices to connect to pfSense.
-
That tutorial is now here: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth