Netgate Discussion Forum
    PfSense 2.2.4 IPSec RoadWarrior VPN Setup HELP!

    blainer:

      Hello everyone! I am excited to be a part of the community and look forward to contributing. Right now I am in need of some help. I am trying to set up a Road Warrior IPSec VPN. No matter what setup I try I always come back to the same problem. I connect and attempt to bring up a tunnel and get an invalid message error in the Shrewsoft client and then get disconnected. I have tried internally and externally. I have a Firewall rule for IPSec allowing any/any/any.

      I have been banging my head against a wall trying to figure this out, reading forum posts here and at strongswan.  I just can't seem to find a solution.  Something that does strike me as interesting is that the PSK for the user I created is listed differently in the GUI vs the ipsec.secrets file.

      Here are some logs and my config with IPs changed to protect the guilty. Hopefully someone can help.

      config loaded for site 'Test-VPN'
      attached to key daemon …
      peer configured
      iskamp proposal configured
      esp proposal configured
      client configured
      local id configured
      remote id configured
      pre-shared key configured
      bringing up tunnel ...
      invalid message from gateway
      tunnel disabled
      detached from key daemon

      Sep 5 17:01:19 charon: 06[NET] <13> received packet: from 192.168.8.240[500] to My External IP[500] (442 bytes)
      Sep 5 17:01:19 charon: 06[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
      Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received NAT-T (RFC 3947) vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received NAT-T (RFC 3947) vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received FRAGMENTATION vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received FRAGMENTATION vendor ID
      Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
      Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
      Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
      Sep 5 17:01:19 charon: 06[IKE] <13> received Cisco Unity vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> received Cisco Unity vendor ID
      Sep 5 17:01:19 charon: 06[IKE] <13> 10.254.8.240 is initiating a Aggressive Mode IKE_SA
      Sep 5 17:01:19 charon: 06[IKE] <13> 10.254.8.240 is initiating a Aggressive Mode IKE_SA
      Sep 5 17:01:19 charon: 06[CFG] <13> looking for pre-shared key peer configs matching My External IP…192.168.8.240[vpnuser@pfsense.local]
      Sep 5 17:01:19 charon: 06[CFG] <13> selected peer config "con1"
      Sep 5 17:01:19 charon: 06[ENC] <con1|13>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
      Sep 5 17:01:19 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
      Sep 5 17:01:23 charon: 06[IKE] <con1|13>sending retransmit 1 of response message ID 0, seq 1
      Sep 5 17:01:23 charon: 06[IKE] <con1|13>sending retransmit 1 of response message ID 0, seq 1
      Sep 5 17:01:23 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
      Sep 5 17:01:30 charon: 06[IKE] <con1|13>sending retransmit 2 of response message ID 0, seq 1
      Sep 5 17:01:30 charon: 06[IKE] <con1|13>sending retransmit 2 of response message ID 0, seq 1
      Sep 5 17:01:30 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
      Sep 5 17:01:43 charon: 09[IKE] <con1|13>sending retransmit 3 of response message ID 0, seq 1
      Sep 5 17:01:43 charon: 09[IKE] <con1|13>sending retransmit 3 of response message ID 0, seq 1
      Sep 5 17:01:43 charon: 09[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
      Sep 5 17:01:49 charon: 11[JOB] <con1|13>deleting half open IKE_SA after timeout

      This file is automatically generated. Do not edit

      config setup
      uniqueids = yes
      charondebug="dmn 4,mgr 4,ike 4,chd 4,job 4,cfg 4,knl 4,net 4,asn 4,enc 4,imc 4,imv 4,pts 4,tls 4,esp 4,lib 4"

      conn bypasslan
      leftsubnet = 192.168.0.0/30
      rightsubnet = 192.168.0.0/30
      authby = never
      type = passthrough
      auto = route

      conn con1
      fragmentation = yes
      keyexchange = ikev1
      reauth = yes
      forceencaps = yes
      mobike = no
      rekey = yes
      installpolicy = yes
      type = tunnel
      dpdaction = none
      auto = add
      left = My External IP
      right = %any
      leftid = userfqdn:vpnuser@pfsense.local
      ikelifetime = 86400s
      lifetime = 28800s
      rightsourceip = 192.168.10.0/24
      ike = aes256-sha1-modp1024!
      esp = 3des-sha1-modp1024!
      leftauth = psk
      rightauth = psk
      aggressive = yes
      leftsubnet = 192.168.0.0/30

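      As an added diagnostic example (not from the original post, pfSense or strongSwan), the following Python script parses charon lines like the ones above, groups them by IKE_SA id and flags the pattern the posted log shows: the gateway answers the aggressive-mode request, retransmits the response, never receives another packet and finally deletes the half-open IKE_SA. That pattern points at the response not getting back to the client (return path, outbound NAT or UDP 500/4500 filtering) rather than at the proposals or the PSK. The sample log is constructed from the post's own lines, with the poster's "My External IP" placeholder kept as written.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the charon log in the post above ("My External IP" kept as the poster wrote it).
SAMPLE_LOG = """\
Sep 5 17:01:19 charon: 06[NET] <13> received packet: from 192.168.8.240[500] to My External IP[500] (442 bytes)
Sep 5 17:01:19 charon: 06[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Sep 5 17:01:19 charon: 06[ENC] <con1|13> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Sep 5 17:01:19 charon: 06[NET] <con1|13> sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
Sep 5 17:01:23 charon: 06[IKE] <con1|13> sending retransmit 1 of response message ID 0, seq 1
Sep 5 17:01:30 charon: 06[IKE] <con1|13> sending retransmit 2 of response message ID 0, seq 1
Sep 5 17:01:49 charon: 11[JOB] <con1|13> deleting half open IKE_SA after timeout
"""

# "<ts> charon: <thread>[<group>] <[conn|]sa-id> <msg>"; the space after "<con1|13>" is optional (the forum stripped it).
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ charon: \d+\[\w+\] <(?:[^|>]+\|)?(?P<sa>\d+)> ?(?P<msg>.*)$")


def summarise(log_text):
    """Group charon lines by IKE_SA id and record what the gateway saw and sent."""
    sas = defaultdict(lambda: {"aggressive": False, "answered": False, "retransmits": 0,
                               "recv_after_answer": 0, "timed_out": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line in the expected shape
        sa, msg = sas[m["sa"]], m["msg"]
        if "parsed AGGRESSIVE request" in msg:
            sa["aggressive"] = True  # IKEv1 aggressive mode: the initiator's ID travels unencrypted
        elif msg.startswith("received packet") and sa["answered"]:
            sa["recv_after_answer"] += 1  # the peer did continue the exchange after our response
        elif msg.startswith("sending packet"):
            sa["answered"] = True
        elif "sending retransmit" in msg:
            sa["retransmits"] += 1
        elif "deleting half open IKE_SA" in msg:
            sa["timed_out"] = True
    return dict(sas)


def diagnose(sa):
    """Turn one IKE_SA summary into a verdict; the posted log yields 'no-return-path'."""
    if sa["timed_out"] and sa["retransmits"] and not sa["recv_after_answer"]:
        # We answered and retransmitted but never heard back: the response is not reaching
        # the client, so check outbound NAT / egress interface and UDP 500/4500 rules first.
        return "no-return-path"
    if sa["timed_out"]:
        return "stalled"  # peer kept replying but negotiation never completed: proposals, PSK, identifiers
    return "ok-or-in-progress"
```

Running `diagnose(summarise(SAMPLE_LOG)["13"])` on the constructed sample returns `"no-return-path"`; a log where the client keeps answering but the SA still times out returns `"stalled"`, which is the case to chase with proposal, PSK and identifier checks instead.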
      blainer:

        Well either I have made a glaringly obvious error or everyone else is just as puzzled as me. Either way a little feedback would be at least encouraging.

        Zakire:

          I had the exact same problem, and it turned out there was a problem with my automatic NAT rules. I use dual WAN and the traffic was routed out on the wrong interface.

          I also missed the firewall rules to allow NAT-T and ISAKMP.

          Tangence:

            Try setting Negotiation mode to main, peer identifier to any and removing any 'identifier' fields from the shrewsoft client. Had an identical issue recently but with a different client.

            ricardopeu:

              Are you using a fixed IP? Because I updated to 2.2.4 and road warrior stopped working.
              I use dynamic DNS and changed the name config to IP address. Ex: (My identifier): Dynamic DNS: myfirewall.anydns.org - change to: My identifier: IP address: (nothing needed here). In the client, put the dynamic DNS.
              Works for me!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.