Netgate Discussion Forum

    IPSec for Mobile Clients not working 2.3_1

      hodgiers

      I can confirm I'm experiencing the same issue using my Macbook Pro's native VPN client. After an upgrade the connection is broken.

      I've also noticed that for some reason the VPN won't allow me to use aggressive mode for phase 1. Even if I select it and save/apply the config, it reverts to main mode which I believe could be the cause as the Macbook's client can only use aggressive if I recall correctly.

        cmb

        @hodgiers:

        I can confirm I'm experiencing the same issue using my Macbook Pro's native VPN client. After an upgrade the connection is broken.

        I've also noticed that for some reason the VPN won't allow me to use aggressive mode for phase 1. Even if I select it and save/apply the config, it reverts to main mode which I believe could be the cause as the Macbook's client can only use aggressive if I recall correctly.

        Not the same issue. Sounds like you have IKE version auto, should be IKEv1 for that purpose. There is an issue there with the mode with IKE auto, I'll fix that, but that's not the source of your issue.

        The reason in your case is probably having the Unity plugin disabled by default. VPN>IPsec, Advanced, enable Unity there.

        stiadmin: you might want to try enabling Unity as well, though I'm guessing in your case it won't matter either way.

          stiadmin

          PM Sent!

            wikidd

            We just migrated our router to 2.3.1 and using the same configs on both the pre 2.3.x and the 2.3.1 we cannot get Mobile VPN to work but the IPSEC peer to peer tunnels are fine. We have rebuilt the configs multiple times with the same error coming back.

            08[IKE] <con6|1> message parsing failed
            08[ENC] <con6|1> could not decrypt payloads
            08[ENC] <con6|1> invalid HASH_V1 payload length, decryption failed?

            Everything is correct and we can still connect with the pre 2.3.x box. We will be moving to OpenVPN for the time being for mobile users but there is definitely something up with MobileVPN.

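The charon log lines quoted in the post above can be grouped by connection and IKE_SA, which separates a failing mobile-client connection from tunnels that still work. This is an added example, not part of the thread or of pfSense; the sample log is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted above; the con2 line and the
# second con6 attempt are invented, and the addresses are documentation ranges.
SAMPLE_LOG = """\
08[IKE] <con6|1> message parsing failed
08[ENC] <con6|1> could not decrypt payloads
08[ENC] <con6|1> invalid HASH_V1 payload length, decryption failed?
11[IKE] <con2|4> IKE_SA con2[4] established between 198.51.100.1[198.51.100.1]...203.0.113.9[203.0.113.9]
09[ENC] <con6|2>invalid HASH_V1 payload length, decryption failed?
09[ENC] <con6|2>could not decrypt payloads
"""

# thread[SUBSYSTEM] <connection|IKE_SA id> message; the space after '>' is
# optional because copied logs sometimes lose it.
LINE_RE = re.compile(
    r"^(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)$"
)

# Messages that together mark an IKEv1 message the responder could not decrypt.
MARKERS = {
    "hash_length": "invalid HASH_V1 payload length",
    "decrypt": "could not decrypt payloads",
    "parse": "message parsing failed",
}

def find_decrypt_failures(log_text):
    """Return {(connection, ike_sa_id): [marker names]} for SAs that failed to decrypt."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for name, needle in MARKERS.items():
            if needle in m["msg"]:
                seen[(m["conn"], int(m["sa"]))].add(name)
    # Line order differs between log views, so match on the set, not the sequence.
    return {k: sorted(v) for k, v in seen.items() if {"hash_length", "decrypt"} & v}

def failing_connections(log_text):
    """Count failing IKE_SAs per connection name."""
    counts = defaultdict(int)
    for conn, _sa in find_decrypt_failures(log_text):
        counts[conn] += 1
    return dict(counts)

if __name__ == "__main__":
    for conn, n in failing_connections(SAMPLE_LOG).items():
        print(f"{conn}: {n} IKE_SA(s) with undecryptable IKEv1 messages")
```
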
              emkowale

              I can confirm this problem as well.

                wikidd

                I can confirm that with last night's upgrade to 2.3.1 Mobile VPN is working again.

                  stiadmin

                  I will run the update tonight and see if it resolved the issue for us as well.

                    flame

                    We had the same problem.
                    It seems there is a problem with the static entry of the local IP address in the client VPN settings.

                    Try to change from static to IKE-config pull.
                    Under VPN -> IPsec -> Mobile Clients, activate "Virtual Address Pool - Provide a virtual IP address to clients" if not done yet.

                    After changing from the static IP setting to IKE-config pull, our mobile clients work like a charm.

                    Note:
                    Identifier was not changed.

                    regards

                    ---------
                    Thanks to Stefan S. for this workaround ;)

                      stiadmin

                      After running the update to 2.3.1 it does not appear that our issue has been resolved. We already have the Virtual IP pool set up (it was already set up that way previously). We will test the Mac clients today to see if the issue has been resolved, but the Windows machines running ShrewSoft still cannot connect unless the WAN IP is stored in pfSense as the Key Identifier.

                        kapara

                        Are you able to get the ShrewSoft client to work with the latest pfSense version?

                        Skype ID:  Marinhd

                          stiadmin

                          I will upgrade to the latest version tonight or tomorrow to see if it resolves the issue.

                            kapara

                            OK, thanks. I am struggling to find a clear tutorial for this on 2.3.

                            Skype ID:  Marinhd

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.