Shrewsoft Client 2.2.2 and pfSense 2.2 (upgrade or new install)

pinoyboy

I actually did an upgrade from 2.1.5 to 2.2 but it did not work, so I did a clean install of 2.2.  All my settings have work from 2.1.5 and before.  My IPSEC client is latest 2.2.2 Shrewsoft.  My IPSEC client connects, but there is nothing else that happens.  I have also tried to check/uncheck the Cisco Unity option, restart, changed my Encryption to AES, restart, etc. - different settings and permutations.

LOGS UPON CONNECTING: (IP and connection strings anonymized)

Feb 2 20:06:47 charon: 16[CFG] received stroke: add connection 'con1'
Feb 2 20:06:47 charon: 16[CFG] added configuration 'con1'
Feb 3 09:11:07 charon: 16[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
Feb 3 09:11:07 charon: 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 3 09:11:07 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Feb 3 09:11:07 charon: 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 3 09:11:07 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 3 09:11:07 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
Feb 3 09:11:07 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received FRAGMENTATION vendor ID
Feb 3 09:11:07 charon: 16[IKE] received FRAGMENTATION vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received DPD vendor ID
Feb 3 09:11:07 charon: 16[IKE] received DPD vendor ID
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Feb 3 09:11:07 charon: 16[IKE] <1> received Cisco Unity vendor ID
Feb 3 09:11:07 charon: 16[IKE] received Cisco Unity vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> 76.55.44.145 is initiating a Aggressive Mode IKE_SA
Feb 3 09:11:07 charon: 16[IKE] 76.55.44.145 is initiating a Aggressive Mode IKE_SA
Feb 3 09:11:07 charon: 16[CFG] looking for pre-shared key peer configs matching 23.66.74.241…76.55.44.145[JonathanP]
Feb 3 09:11:07 charon: 16[CFG] selected peer config "con1"
Feb 3 09:11:07 charon: 16[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Feb 3 09:11:08 charon: 16[NET] sending packet: from 23.66.74.241[500] to 76.55.44.145[500] (432 bytes)
Feb 3 09:11:08 charon: 16[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (108 bytes)
Feb 3 09:11:08 charon: 16[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Feb 3 09:11:08 charon: 16[IKE] <con1|1>IKE_SA con1[1] established between 23.66.74.241[abcde.com]…76.55.44.145[JonathanP]
Feb 3 09:11:08 charon: 16[IKE] IKE_SA con1[1] established between 23.66.74.241[abcde.com]…76.55.44.145[JonathanP]
Feb 3 09:11:08 charon: 16[IKE] <con1|1>scheduling reauthentication in 27897s
Feb 3 09:11:08 charon: 16[IKE] scheduling reauthentication in 27897s
Feb 3 09:11:08 charon: 16[IKE] <con1|1>maximum IKE_SA lifetime 28437s
Feb 3 09:11:08 charon: 16[IKE] maximum IKE_SA lifetime 28437s
Feb 3 09:11:08 charon: 16[IKE] <con1|1>local host is behind NAT, sending keep alives
Feb 3 09:11:08 charon: 16[IKE] local host is behind NAT, sending keep alives
Feb 3 09:11:08 charon: 16[IKE] <con1|1>remote host is behind NAT
Feb 3 09:11:08 charon: 16[IKE] remote host is behind NAT
Feb 3 09:11:08 charon: 16[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:08 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2721180348 [ HASH N(INITIAL_CONTACT) ]
Feb 3 09:11:23 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:23 charon: 14[ENC] parsed INFORMATIONAL_V1 request 557226608 [ HASH N(DPD) ]
Feb 3 09:11:23 charon: 14[ENC] generating INFORMATIONAL_V1 request 3743490270 [ HASH N(DPD_ACK) ]
Feb 3 09:11:23 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)
Feb 3 09:11:38 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:38 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3919560204 [ HASH N(DPD) ]
Feb 3 09:11:38 charon: 14[ENC] generating INFORMATIONAL_V1 request 2609946309 [ HASH N(DPD_ACK) ]
Feb 3 09:11:38 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)

again…

Feb 3 09:11:07 charon: 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 3 09:11:07 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
Feb 3 09:11:07 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received FRAGMENTATION vendor ID
Feb 3 09:11:07 charon: 16[IKE] received FRAGMENTATION vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> received DPD vendor ID
Feb 3 09:11:07 charon: 16[IKE] received DPD vendor ID
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Feb 3 09:11:07 charon: 16[ENC] received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Feb 3 09:11:07 charon: 16[IKE] <1> received Cisco Unity vendor ID
Feb 3 09:11:07 charon: 16[IKE] received Cisco Unity vendor ID
Feb 3 09:11:07 charon: 16[IKE] <1> 76.55.44.145 is initiating a Aggressive Mode IKE_SA
Feb 3 09:11:07 charon: 16[IKE] 76.55.44.145 is initiating a Aggressive Mode IKE_SA
Feb 3 09:11:07 charon: 16[CFG] looking for pre-shared key peer configs matching 23.66.74.241…76.55.44.145[JonathanP]
Feb 3 09:11:07 charon: 16[CFG] selected peer config "con1"
Feb 3 09:11:07 charon: 16[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Feb 3 09:11:08 charon: 16[NET] sending packet: from 23.66.74.241[500] to 76.55.44.145[500] (432 bytes)
Feb 3 09:11:08 charon: 16[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (108 bytes)
Feb 3 09:11:08 charon: 16[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Feb 3 09:11:08 charon: 16[IKE] <con1|1>IKE_SA con1[1] established between 23.66.74.241[abcde.com]…76.55.44.145[JonathanP]
Feb 3 09:11:08 charon: 16[IKE] IKE_SA con1[1] established between 23.66.74.241[abcde.com]…76.55.44.145[JonathanP]
Feb 3 09:11:08 charon: 16[IKE] <con1|1>scheduling reauthentication in 27897s
Feb 3 09:11:08 charon: 16[IKE] scheduling reauthentication in 27897s
Feb 3 09:11:08 charon: 16[IKE] <con1|1>maximum IKE_SA lifetime 28437s
Feb 3 09:11:08 charon: 16[IKE] maximum IKE_SA lifetime 28437s
Feb 3 09:11:08 charon: 16[IKE] <con1|1>local host is behind NAT, sending keep alives
Feb 3 09:11:08 charon: 16[IKE] local host is behind NAT, sending keep alives
Feb 3 09:11:08 charon: 16[IKE] <con1|1>remote host is behind NAT
Feb 3 09:11:08 charon: 16[IKE] remote host is behind NAT
Feb 3 09:11:08 charon: 16[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:08 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2721180348 [ HASH N(INITIAL_CONTACT) ]
Feb 3 09:11:23 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:23 charon: 14[ENC] parsed INFORMATIONAL_V1 request 557226608 [ HASH N(DPD) ]
Feb 3 09:11:23 charon: 14[ENC] generating INFORMATIONAL_V1 request 3743490270 [ HASH N(DPD_ACK) ]
Feb 3 09:11:23 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)
Feb 3 09:11:38 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:38 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3919560204 [ HASH N(DPD) ]
Feb 3 09:11:38 charon: 14[ENC] generating INFORMATIONAL_V1 request 2609946309 [ HASH N(DPD_ACK) ]
Feb 3 09:11:38 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)
Feb 3 09:11:53 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:11:53 charon: 14[ENC] parsed INFORMATIONAL_V1 request 378247608 [ HASH N(DPD) ]
Feb 3 09:11:53 charon: 14[ENC] generating INFORMATIONAL_V1 request 3150187768 [ HASH N(DPD_ACK) ]
Feb 3 09:11:53 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)
Feb 3 09:12:08 charon: 14[NET] received packet: from 76.55.44.145[4500] to 23.66.74.241[4500] (92 bytes)
Feb 3 09:12:08 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3219462596 [ HASH N(DPD) ]
Feb 3 09:12:08 charon: 14[ENC] generating INFORMATIONAL_V1 request 1389579428 [ HASH N(DPD_ACK) ]
Feb 3 09:12:08 charon: 14[NET] sending packet: from 23.66.74.241[4500] to 76.55.44.145[4500] (92 bytes)

NOTE:  I have modofied PHASE 2 Tunnel to 0.0.0.0/0 - restarted services - still the same results.  I changed it back to match my previous settings since I was still not able to ping my router upon the IPSEC connection nor any other LAN hosts.</con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1>

pinoyboy

I redid everything back to 2.1.5 and it works fine.  I will stay on 2.1.5 until the next 2 follow up release…

As far as IPEC and 2.2...I'd avoid this release.

charliem

@pinoyboy:

I actually did an upgrade from 2.1.5 to 2.2 but it did not work, so I did a clean install of 2.2.  All my settings have work from 2.1.5 and before.  My IPSEC client is latest 2.2.2 Shrewsoft.  My IPSEC client connects, but there is nothing else that happens

Do you have logs on the client side?  Check your logs on the shrewsoft client for something like this:

phase2 rejected, id value mismatch
- loc ANY:192.168.17.1:* -> ANY:192.168.0.0/24:*
- rmt ANY:0.0.0.0/0:* -> ANY:192.168.17.1:*
phase2 removal before expire time
hard halt signal received, shutting down

This was reported here: https://forum.pfsense.org/index.php?topic=84142.0 and I saw it as well.  Symptoms were the same as yours, client appears to connect and things look OK on the pfSense end, but nothing passes.  Only way to know was to look at the log on the client side.  Unfortunately shortly after that I had to go to openvpn to get something working, so I didn't track it down properly, but maybe there's some help in that thread.

I do recall a bug where cisco unity was not truly disabled unless you started charon without the unity plugin.  Turning it off via the config file was not enough, it would cause problems even if the plugin was loaded but not used.
Edit: Found it: https://redmine.pfsense.org/issues/4178 and https://forum.pfsense.org/index.php?topic=87333.msg480981#msg480981

pinoyboy

Thanks, I made those changes already and rebooting the firewall many times as I stated above.  The fact that I have different network not related using IPSEC since pre-2.1.5 days and all are working without problems convinces me there are still bugs that developers need help in getting QA work for.  I will repeat it again for everyone else, 2.2 is not prime for release due to numerous issues related to IPSEC implementation.  I will wait for 2.2.x…at least two iterations.

dwood

For what it's worth, I had the same challenges with Shrewsoft, so tried out OpenVPN as it seems to have better support.  I needed iOS, PC and MAC support.  It's working great with 2.2.

cybercare

I've got no issues with a new shrew install and pfsense 2.2 upgraded from 2.1.5

You'll need to share a lot more of your settings.

In pfsense make sure it's set to IKEv1

make sure for phase two you set only what you want to use.

I am only using AES 256 and SHA1
ESP
Network 0.0.0.0/0 (I want to route all)

In shew you have to manually make phase 1 and 2 match the settings. Don't use auto for anything.

also make sure to use aggressive or main to match pfsense. In 2.1.5 I could only get aggressive to work right. Now main works too.

Make sure groups, hash etc. all manually match pfsense and shrew and should be good.

pinoyboy

As you can see in the VERY first post, it shows connected.  The problem is not whether it connects or not, it is that there's no routing.  Obviously based on the IPSEC on mobile or other, a lot more than myself has issue.

Whether I change Local Area Network to 0.0.0.0/0 or to my actual one, it still doesn't route.  I also changed Shrewsoft REMOTE NETWORK Resource for Route…no dice.  Keep in mind, these same exact settings work in 2.1.5 and BEFORE.

Look at my first post and add this…

I don't have problem connecting.

My Shrewsoft Phase 1 and 2 are matching or I would not be connecting…

cybercare

Phase 2 sometimes lets you connect and will fail to pass traffic depending on the setting, just because it connects though doesn't mean it's good.

I do see one issue right off the bat in your screen caps.
Phase 2
You have it set to Network
0.0.0.0/24

Make it
0.0.0.0/0

For NAT Traversal mine is on Auto and works (might not matter but just try to match mine that ARE working for moment to troubleshoot)
DPD I have off, it's a mobile client, not a site to site but this wont matter.

On the advanced I unity unchecked and only Enable IPCompression checked.

Need to see mobile client tab also to check?

Also in Shrew, where is general and client tab shots?

For phase 2 I have compression on "deflate" since I have enabled above.
On Policy I have generation on "auto".

For rules in pfsense I have the source set to the private subnet i assign VPN devices under mobile, but if you're not doing that might not matter but my mobile get different subnet.

pinoyboy

Thanks for the attempt in helping.  I did have 0.0.0.0/0 - in the screenshot I just accidently changed it.  I tried your other settings with Cisco Unity and IP Compression, etc. 

All these settings works just fine in about 8 other locations that are independent of each other…version 1.2.3, 2.1.x.

At this point, nothing significant in the settings you suggested from what I have for 2.2.  2.2 is just IPSEC nightmare.  My QA for this version is at the end.

tom-28

Just wanted to add my 2 cents as a new user to pfSense coming from m0n0wall for 12 years.

I'm so infuriated with this setup I can't see straight.  I've followed every guide, found every thread on this subject and I cannot, for the life of me, make this thing work.

m0n0wall was stupid super simple and it worked.  I've triple checked my settings (and they match OP's - minus the 0.0.0.0 bit.  I'm just wanting my local LAN subnet to get routed, not everything.).

Some how, I managed to get the connection to pass packets to my local network.  But when I shut down my laptop and fired it up at work, the connection would never reconnect.  I tether over a Verizon based Galaxy Note 4.  NAT-T is forced.

Well - it connects fine.  However, no traffic will pass over the VPN connection.

Using pfSense 2.2, Shrewsoft client 2.2.2 on Windows 8.1.

Same config as discussed in this thread.

Checked to make sure the pfSense box's upstream gateway was correct and still no dice.

Has anyone figured out the magic sauce to make this pass packets?

Clouseau

I have similar issues - so far been total catatrophe when changed to StongSwan! I have anything good to say about this change. Racoon worked fine but it has it's known limitations.

We have now also problems with pure site-to-site vpn too where packets just stops flow ( that will be covered othe thread)