Almost got Cisco VPN client working, but…pfsense SA failure???
-
Looks like I spoke too soon. The key, it seems, was rebooting pfsense: once the first Cisco VPN client has authed, it works. But after disconnecting from the VPN, no further connection attempts work. I'm not sure if it only applies to the client that connected, or if all further connection attempts would fail.
Is there anyone who has access to the Cisco client who is up for some testing with me? Please let me know, thanks.
I'm game, as I'm facing the same issue now. This is going to be a big problem for most of our clients, as they all are using the CiscoVPN client.
-
Hi, did anyone figure out how to set up pfSense so that connecting with a Cisco VPN client works?
Thanks in advance.
-
This issue sounds similar to the problems I was seeing with the Shrew client, where after resets to the pfsense ipsec process I could get the client to connect once and pass traffic, but subsequent connections would connect but fail to pass traffic.
For me the fix for that was, on the pfsense side, to set the P1 Policy Generation to "unique".
-
I used the "unique" change as well as forcing NAT traversal to overcome similar issues. On the policy tab on the Shrewsoft VPN client I also adjusted it to unique. After making these two changes, I can consistently connect from my laptop and iPhone. I don't know what the downside of forcing NAT traversal is other than ditching the delivery characteristics of TCP, however I think for high latency links, NAT-T might actually be necessary.
-
Hi,
I am getting the same issue with the Cisco client: I am able to authenticate to the pfsense box but not able to access the local LAN. I am using client version 5.0.06…
Can anyone please suggest something to me?
Thanks,
vrayanchu
-
Anybody figure this out? Running the latest pfSense 2.01 and I login with my Cisco VPN client, but get the "can't access or ping anything on the Local LAN" issue.
Was this patch rolled into 2.01 or something later?
http://redmine.pfsense.org/issues/1970
-
As suggested on http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 :
Policy Generation: Unique
Proposal Checking: Strict
NAT Traversal: Force
-
I am still having the same problem with using the Cisco VPN client as outlined here:
http://blog.benca.net/2012/03/05/serving-ipsec-vpn-with-pfsense/
-
I can confirm that this issue occurs with the 2.1 nightly as of 4/23/2013 with the latest Cisco VPN Ipsec client, using Strict / Unique / Force and all options as specified in
http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
If proposal checking is set to "strict", I get:
Apr 28 12:19:31 racoon: [Self]: INFO: respond new phase 1 negotiation: {Scrubbed}[500]<=>{Scrubbed}[50539]
Apr 28 12:19:31 racoon: INFO: begin Aggressive mode.
Apr 28 12:19:31 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 28 12:19:31 racoon: INFO: received Vendor ID: DPD
Apr 28 12:19:31 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 28 12:19:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 28 12:19:31 racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 28 12:19:31 racoon: [{Scrubbed}] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Apr 28 12:19:31 racoon: ERROR: no suitable proposal found.
Apr 28 12:19:31 racoon: [{Scrubbed}] ERROR: failed to get valid proposal.
Apr 28 12:19:31 racoon: [{Scrubbed}] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Apr 28 12:19:31 racoon: [{Scrubbed}] ERROR: phase1 negotiation failed.
If it is set to "obey", the issue described (one correct connection, followed by all others failing) recurs with the following log:
Apr 28 12:24:29 racoon: [Self]: INFO: ISAKMP-SA established {SERVER_IP}[4500]-{CLIENT_IP}[59241] spi:7db617222bab00f1:2ca5d8efdb8a9a4a
Apr 28 12:24:29 racoon: INFO: Using port 0
Apr 28 12:24:29 racoon: user 'ipsectest' authenticated
Apr 28 12:24:29 racoon: INFO: login succeeded for user "ipsectest"
Apr 28 12:24:29 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 28 12:24:29 racoon: ERROR: Cannot open "/etc/motd"
Apr 28 12:24:29 racoon: WARNING: Ignored attribute 28683
Apr 28 12:24:29 racoon: WARNING: Ignored attribute 28684
Apr 28 12:24:29 racoon: [Self]: INFO: respond new phase 2 negotiation: {SERVER_IP}[4500]<=>{CLIENT_IP}[59241]
Apr 28 12:24:29 racoon: INFO: Update the generated policy : 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in {REPEATS X4}
Apr 28 12:24:29 racoon: ERROR: not matched {REPEATS X4}
Apr 28 12:24:29 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 28 12:24:29 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Apr 28 12:24:29 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Apr 28 12:24:29 racoon: ERROR: not matched
Apr 28 12:24:29 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Apr 28 12:24:29 racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=38303437(0x24876cd)
Apr 28 12:24:29 racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=3442386948(0xcd2ea804)
Apr 28 12:24:30 racoon: ERROR: no configuration found for {CLIENT_IP}.
Apr 28 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
Apr 28 12:24:41 racoon: ERROR: no configuration found for {CLIENT_IP}.
Apr 28 12:24:41 racoon: ERROR: failed to begin ipsec sa negotication.
Apr 28 12:24:42 racoon: ERROR: no configuration found for {CLIENT_IP}.
{ad infinitum until disconnect}
{Disconnecting here}
Apr 28 12:29:30 racoon: [98.218.150.61] ERROR: delete payload with invalid doi:0.
Apr 28 12:29:30 racoon: [Self]: INFO: ISAKMP-SA expired {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
Apr 28 12:29:30 racoon: INFO: deleting a generated policy.
Apr 28 12:29:30 racoon: [Self]: INFO: ISAKMP-SA deleted {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
Apr 28 12:29:30 racoon: INFO: Released port 0
The "warning: authtype mismatched" can be eliminated by switching to MD5, but it doesn't make a difference. Generating traffic triggers two more "error: failed… error: no config..." lines in the ipsec log.
-
This appears to be a routing issue: I can do a packet capture on the IPSec interface of pfsense, and I can see incoming pings, and their destination:
12:52:18.793013 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1871, length 40
12:52:19.826520 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1872, length 40
12:52:21.329649 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1873, length 40
12:52:23.829947 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1881, length 40
12:52:25.326576 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1882, length 40
After I disconnect, and have cleared the ipsec log, this appears after a moment or two:
Apr 28 12:49:50 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 28 12:49:50 racoon: DEBUG: got pfkey ACQUIRE message
Apr 28 12:49:50 racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 10.1.53.1/32[0] proto=any dir=out.
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: {LAN_SUBNET}/24[0] {LAN_IP}/32[0] proto=any dir=in
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501648: {LAN_IP}/32[0] {LAN_SUBNET}/24[0] proto=any dir=out
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in.
I'm not sure if that is relevant or not.
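The two racoon excerpts above show two distinct failure shapes: with "strict" the phase 1 exchange dies at "no suitable proposal found", while with "obey" both SAs come up and racoon then loops on "no configuration found for" the client. The following script is an added example, not part of this thread or of pfSense; it parses racoon syslog lines and classifies an excerpt against those signatures so the pattern can be spotted without reading the whole log. The sample lines are constructed from the quoted logs and keep the poster's {SERVER_IP}/{CLIENT_IP} placeholders; the signature names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the "obey" log quoted in this thread.
SAMPLE_LOG = """\
Apr 28 12:24:29 racoon: [Self]: INFO: ISAKMP-SA established {SERVER_IP}[4500]-{CLIENT_IP}[59241] spi:7db617222bab00f1:2ca5d8efdb8a9a4a
Apr 28 12:24:29 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Apr 28 12:24:29 racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=38303437(0x24876cd)
Apr 28 12:24:30 racoon: ERROR: no configuration found for {CLIENT_IP}.
Apr 28 12:24:30 racoon: ERROR: failed to begin ipsec sa negotication.
Apr 28 12:24:41 racoon: ERROR: no configuration found for {CLIENT_IP}.
"""

# One racoon syslog line: timestamp, optional "[peer]" tag, level, message.
LINE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d racoon: (?:\[[^\]]*\]:? )?"
                     r"(?P<level>INFO|WARNING|ERROR|DEBUG): (?P<msg>.*)$")

# Message substrings that identify the failure modes discussed in the thread
# (the signature names are assumptions of this example, not racoon terms).
SIGNATURES = {
    "p1_no_proposal": "no suitable proposal found",   # seen with Proposal Checking "strict"
    "p2_authtype_mismatch": "authtype mismatched",    # hmac-sha vs hmac-md5 on phase 2
    "sa_up_no_config": "no configuration found for",  # the post-SA loop seen with "obey"
}

def parse_lines(text):
    """Yield (level, message) for every line that parses as racoon output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("level"), m.group("msg")

def diagnose(text):
    """Classify a racoon log excerpt against the thread's failure signatures."""
    hits, isakmp_up, ipsec_up = Counter(), False, False
    for _level, msg in parse_lines(text):
        isakmp_up = isakmp_up or msg.startswith("ISAKMP-SA established")
        ipsec_up = ipsec_up or msg.startswith("IPsec-SA established")
        for name, needle in SIGNATURES.items():
            if needle in msg:
                hits[name] += 1
    if hits["p1_no_proposal"]:
        verdict = "phase 1 rejected: no proposal matched the client's offer"
    elif isakmp_up and ipsec_up and hits["sa_up_no_config"] >= 2:
        verdict = "SAs established, but racoon keeps finding no config for the client"
    elif isakmp_up and ipsec_up:
        verdict = "negotiation completed"
    else:
        verdict = "no complete negotiation in this excerpt"
    return {"isakmp_up": isakmp_up, "ipsec_up": ipsec_up, "hits": dict(hits), "verdict": verdict}
```

Feed it the contents of the pfSense IPsec log (e.g. the text copied from the Status > System Logs > IPsec page) and the verdict tells you which of the two failure shapes you are looking at.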