Netgate Discussion Forum

    Different 3G APN: one works, other doesn't

    bruno wrote:

      Hello,

      I'm having issues with an IPsec VPN over 3G with the TIM Italy mobile carrier.

      Log when using the working APN wap.tim.it:

      
      Oct 5 17:22:43 	racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>217.200.185.88[500]
      Oct 5 17:22:43 	racoon: INFO: begin Aggressive mode.
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: RFC 3947
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 5 17:22:43 	racoon: INFO: received Vendor ID: DPD
      Oct 5 17:22:43 	racoon: [217.200.185.88] INFO: Selected NAT-T version: RFC 3947
      Oct 5 17:22:43 	racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 5 17:22:43 	racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[500] with algo #2
      Oct 5 17:22:43 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
      Oct 5 17:22:43 	racoon: INFO: Adding xauth VID payload.
      Oct 5 17:22:44 	racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
      Oct 5 17:22:44 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[4500] with algo #2
      Oct 5 17:22:44 	racoon: INFO: NAT-D payload #0 verified
      Oct 5 17:22:44 	racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[4500] with algo #2
      Oct 5 17:22:44 	racoon: INFO: NAT-D payload #1 doesn't match
      Oct 5 17:22:44 	racoon: [217.200.185.88] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Oct 5 17:22:44 	racoon: INFO: NAT detected: PEER
      Oct 5 17:22:44 	racoon: INFO: Sending Xauth request
      Oct 5 17:22:44 	racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
      Oct 5 17:22:44 	racoon: INFO: Using port 0
      Oct 5 17:22:44 	racoon: INFO: login succeeded for user "bruno"
      Oct 5 17:22:45 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Oct 5 17:22:45 	racoon: ERROR: Cannot open "/etc/motd"
      Oct 5 17:22:45 	racoon: WARNING: Ignored attribute 28683
      Oct 5 17:22:45 	racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[4500]<=>217.200.185.88[4500]
      Oct 5 17:22:45 	racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      Oct 5 17:22:45 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Oct 5 17:22:45 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Oct 5 17:22:46 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
      Oct 5 17:22:46 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=40106304(0x263f940)
      
      

      Log when using the non-working APN ibox.tim.it:

      
      Oct 5 17:26:18 	racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
      Oct 5 17:26:18 	racoon: INFO: begin Aggressive mode.
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: RFC 3947
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 5 17:26:18 	racoon: INFO: received Vendor ID: DPD
      Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Selected NAT-T version: RFC 3947
      Oct 5 17:26:18 	racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
      Oct 5 17:26:18 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
      Oct 5 17:26:18 	racoon: INFO: Adding xauth VID payload.
      Oct 5 17:26:18 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
      Oct 5 17:26:18 	racoon: INFO: NAT-D payload #0 verified
      Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
      Oct 5 17:26:18 	racoon: INFO: NAT-D payload #1 verified
      Oct 5 17:26:18 	racoon: [2.193.139.251] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Oct 5 17:26:18 	racoon: INFO: NAT not detected
      Oct 5 17:26:18 	racoon: INFO: Sending Xauth request
      Oct 5 17:26:18 	racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
      Oct 5 17:26:18 	racoon: INFO: Using port 0
      Oct 5 17:26:18 	racoon: INFO: login succeeded for user "bruno"
      Oct 5 17:26:18 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Oct 5 17:26:18 	racoon: ERROR: Cannot open "/etc/motd"
      Oct 5 17:26:18 	racoon: WARNING: Ignored attribute 28683
      Oct 5 17:26:18 	racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
      Oct 5 17:26:18 	racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      Oct 5 17:26:19 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
      Oct 5 17:26:19 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=21759015(0x14c0427)
      Oct 5 17:26:19 	racoon: ERROR: no configuration found for 2.193.139.251.
      Oct 5 17:26:19 	racoon: ERROR: failed to begin ipsec sa negotication.
      Oct 5 17:26:27 	racoon: ERROR: no configuration found for 2.193.139.251.
      Oct 5 17:26:27 	racoon: ERROR: failed to begin ipsec sa negotication.
      Oct 5 17:26:39 	racoon: ERROR: no configuration found for 2.193.139.251.
      Oct 5 17:26:39 	racoon: ERROR: failed to begin ipsec sa negotication.
      Oct 5 17:26:40 	racoon: ERROR: no configuration found for 2.193.139.251.
      Oct 5 17:26:40 	racoon: ERROR: failed to begin ipsec sa negotication.
      
      

      The only difference I notice is about NAT: "Oct 5 17:22:44 racoon: INFO: NAT detected: PEER" vs "Oct 5 17:26:18 racoon: INFO: NAT not detected", and the IP ranges being completely different.

      Could it be something wrong on the pfSense box? I can't find anything on Google related to the carrier and IPsec limitations on that APN. All devices tested were Apple, BTW (iPad 3 iOS 6, iPhone 4S iOS 5.1.1).

      Thanks
      B

      bruno wrote:

        Setting NAT Traversal to Force in Phase 1 seems to have fixed the issue for now.

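As an added example (not code from the post or from pfSense), here is a small Python script that pulls the NAT-T outcome out of two racoon logs like the ones above and diffs them, so the "NAT detected" vs "NAT not detected" divergence and the port 500 vs 4500 ISAKMP-SA show up side by side; the sample lines are trimmed copies of the two excerpts in the post, and the `udp_encap` field is inferred from the negotiated port, not something racoon logs itself.

```python
import re
from collections import Counter
# Constructed samples: trimmed copies of the two racoon excerpts in the post.
WORKING = """\
Oct 5 17:22:44 racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
Oct 5 17:22:44 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:22:44 racoon: INFO: NAT-D payload #1 doesn't match
Oct 5 17:22:44 racoon: INFO: NAT detected: PEER
Oct 5 17:22:44 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
Oct 5 17:22:46 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
"""
BROKEN = """\
Oct 5 17:26:18 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:26:18 racoon: INFO: NAT-D payload #1 verified
Oct 5 17:26:18 racoon: INFO: NAT not detected
Oct 5 17:26:18 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
Oct 5 17:26:19 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
Oct 5 17:26:19 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:19 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 5 17:26:27 racoon: ERROR: no configuration found for 2.193.139.251.
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established \S+?\[(\d+)\]-(\S+?)\[(\d+)\]")

def analyze(text):
    """Summarise how NAT-T went in one racoon phase 1/2 exchange."""
    s = {"nat_detected": None, "natd_mismatch": 0, "isakmp_port": None,
         "peer": None, "ipsec_sas": 0, "errors": Counter()}
    for line in text.splitlines():
        if "NAT detected:" in line:
            s["nat_detected"] = True
        elif "NAT not detected" in line:
            s["nat_detected"] = False
        elif "NAT-D payload" in line and "doesn't match" in line:
            s["natd_mismatch"] += 1
        elif m := ISAKMP_RE.search(line):
            s["peer"], s["isakmp_port"] = m.group(2), int(m.group(3))
        elif "IPsec-SA established" in line:
            s["ipsec_sas"] += 1
        elif "ERROR:" in line:
            s["errors"][line.split("ERROR: ", 1)[1].rstrip(".")] += 1
    # Inferred, not logged: with no NAT-D mismatch racoon stays on UDP/500
    # and does not UDP-encapsulate ESP; "Force" NAT-T moves it to 4500 anyway.
    s["udp_encap"] = s["isakmp_port"] == 4500
    return s

def diff(a, b):
    """Fields that differ between two analyses (working vs non-working APN)."""
    return {k: (a[k], b[k]) for k in a if k != "errors" and a[k] != b[k]}
```

Running `diff(analyze(WORKING), analyze(BROKEN))` on the two logs reports exactly the NAT detection, NAT-D mismatch, peer, and port differences the post points at, with the repeated "no configuration found" errors counted separately.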
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.