Mixed Main / Aggressive negotiation mode possible?
-
Hi All!
New to pfSense. Previous setup was all Cisco.
I've run into a problem setting up L2TP / IPSec VPN.
My Win native VPN client requires Main for negotiation mode, which breaks Android native VPN client:
04[IKE] <7> found 2 matching configs, but none allows pre-shared key authentication using Aggressive Mode
Android's native client requires Aggressive for negotiation mode, which breaks Windows native client:
06[IKE] <5> found 2 matching configs, but none allows pre-shared key authentication using Main Mode
Anyone know a possible workaround? Both worked fine with a Cisco 3845 router.
Any help is appreciated. Loving the router package otherwise. Running it on a HP T620+ with 4 port NIC.
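The two charon log lines quoted above are the symptom to watch for: each one names the IKEv1 negotiation mode a client asked for and that no Phase 1 configuration accepted PSK in that mode. The following script is an added example (not from the original post or from pfSense/strongSwan) that parses such lines out of an IPsec log, counts how many clients are being refused per mode, and states whether the refusals span both modes, which a single IKEv1 mobile P1 can never satisfy. The sample log is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the first two lines mirror the messages quoted in the
# thread, the third is a made-up repeat of the Android-style failure.
SAMPLE_LOG = """\
04[IKE] <7> found 2 matching configs, but none allows pre-shared key authentication using Aggressive Mode
06[IKE] <5> found 2 matching configs, but none allows pre-shared key authentication using Main Mode
09[IKE] <8> found 2 matching configs, but none allows pre-shared key authentication using Aggressive Mode
"""

# Matches charon's "found N matching configs, but none allows ... using <Mode> Mode" message.
MISMATCH_RE = re.compile(
    r"(?P<thread>\d+)\[IKE\] <(?P<ike_sa>\d+)> found (?P<configs>\d+) matching configs?, "
    r"but none allows (?P<auth>.+?) authentication using (?P<mode>Main|Aggressive) Mode"
)


def parse_mode_mismatches(log_text):
    """Return one dict per IKEv1 mode-mismatch line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            events.append({
                "ike_sa": int(m.group("ike_sa")),
                "configs": int(m.group("configs")),
                "auth": m.group("auth"),
                "mode": m.group("mode"),
            })
    return events


def mismatches_per_mode(events):
    """Count refused negotiations by the mode the client requested."""
    return Counter(e["mode"] for e in events)


def needs_both_modes(events):
    """True when clients requesting Main AND Aggressive are both being refused,
    i.e. no single IKEv1 Phase 1 setting can serve the whole client population."""
    modes = mismatches_per_mode(events)
    return modes["Main"] > 0 and modes["Aggressive"] > 0


if __name__ == "__main__":
    evts = parse_mode_mismatches(SAMPLE_LOG)
    print(mismatches_per_mode(evts))
    print("both modes requested by clients:", needs_both_modes(evts))
```

On pfSense the same lines appear under Status > System Logs > IPsec; feeding that export to `parse_mode_mismatches` shows at a glance which client group the current P1 setting locks out.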
-
My suggestion: Ditch L2TP/IPsec and go to IKEv2
-
@jimp Doesn't IKEv2 require certs and whatnot? The beauty of IPsec for me has always been just knowing my uid, pwd and secret, allowing me to log in from anywhere without having to load certs, etc.
-
And requiring only that is a gaping security hole.
There are far too many client quirks with L2TP/IPsec and strongSwan to make it viable on pfSense, especially when the clients are behind NAT. You can make some clients happy and work, but not all of them.
-
@jimp Is it not possible to run Main and Aggressive authentication at the same time?
-
No, though I would expect Aggressive mode to allow Main to work (since it's more secure), but clearly it isn't working there given that error.
You can't pick both main and aggressive in a single P1, and there isn't a way to define more than one mobile P1.