IPSec Mobile Client
-
Hi Guys,
I had a pfSense box, version 2.0.2, and upgraded all the way to 2.3.5.
Thereafter, none of my mobile clients connected.
I kept receiving a "no matching child_sa config found", which I read was a network mismatch.
However, there is no option to specify a remote network or subnet under phase 2; also, this would be different each time with each new connection.
I did notice though that the remote subnet was blank when viewing the IPSec tunnels, not sure if this is normal or the cause of my issue. See below:
Any thoughts?
-
Upgrade to 2.4.5-p1 before attempting to diagnose anything. 2.3.5 is still very outdated.
-
Hi, thanks, I've done so thereafter, same issue. Then I just changed from aggressive to main and a few of the encryption protocols, and that error is gone now.
Now I'm getting a "no shared key found for" message.
-
So the initial issue is definitely the problem. The pfSense has no explicit remote network, so it just assumes to use the public IP of the other side of the tunnel, which of course results in a network mismatch.
Any workarounds to this?
-
Not enough info to say. Need a lot more details about your setup.
It's perfectly normal for mobile IPsec not to have a remote network set up (in P1 or P2), since the P1 peer could be anyone; it determines keys by identifier and so on. And the P2 remote is set up dynamically using the settings from the Mobile Clients tab.
Check your setup against the documentation and look for what you have wrong. Coming from a version as old as you had, it switched from racoon to strongSwan, so odds are high that whatever you had set up before probably wasn't 100% right.
If your clients support it, you should move up to an IKEv2 setup.
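One way to triage the charon messages discussed in this thread, as an added example that is not part of the thread or of pfSense's own tooling: a small Python script that scans a strongSwan log for the two messages quoted above ("no matching child_sa config found" and "no shared key found for") plus strongSwan's "no IKE config found for" message for a Phase 1 miss, and maps each hit to the configuration area to check. The log lines are constructed for the example, and the hints follow the explanation in the reply above (PSK lookup by identifier, P2 remote taken from the Mobile Clients tab).

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample of charon log lines (not taken from the thread), modelled
# on the message formats strongSwan prints during a failed mobile negotiation.
SAMPLE_LOG = """\
Jun 01 10:00:00 charon: 05[NET] received packet: from 198.51.100.7[500] to 203.0.113.10[500]
Jun 01 10:00:00 charon: 05[CFG] no IKE config found for 203.0.113.10...198.51.100.7, sending NO_PROPOSAL_CHOSEN
Jun 01 10:00:01 charon: 07[CFG] looking for pre-shared key peer configs matching 203.0.113.10...198.51.100.7[client1]
Jun 01 10:00:01 charon: 07[IKE] no shared key found for '203.0.113.10' - 'client1'
Jun 01 10:05:12 charon: 09[CFG] no matching child_sa config found
"""

# Each entry: category, regex for the charon message, and the area to check in
# a pfSense mobile IPsec setup. Ordered from Phase 1 to Phase 2.
PATTERNS = [
    ("phase1_no_config",
     re.compile(r"no IKE config found for ([^\s,]+)\.\.\.([^\s,]+)", re.I),
     "No Phase 1 matched this peer: confirm the mobile P1 exists and its "
     "identifier settings match what the client sends."),
    ("psk_lookup_failed",
     re.compile(r"no shared key found for '([^']*)' - '([^']*)'", re.I),
     "The pre-shared key is looked up by identifier: check the identifier "
     "type/value on both sides and the matching pre-shared key entry."),
    ("phase2_mismatch",
     re.compile(r"no matching child_sa config found", re.I),
     "Phase 2 (CHILD_SA) did not match: for mobile clients the remote side is "
     "filled in from the Mobile Clients tab, so check the virtual address "
     "pool there and the P2 local network / proposals."),
]


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a known failure message, or None for other lines."""
    for category, regex, hint in PATTERNS:
        match = regex.search(line)
        if match:
            return {
                "category": category,
                "details": match.groups(),   # identities/addresses, if captured
                "hint": hint,
                "line": line.rstrip(),
            }
    return None


def summarize(log_text: str) -> List[Dict[str, object]]:
    """Classify every line of a log and keep only the recognised failures."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


def count_by_category(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how often each failure category occurred, for a quick overview."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


if __name__ == "__main__":
    # Pass a log file path to scan a real log; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    results = summarize(text)
    for f in results:
        print(f"[{f['category']}] {f['line']}")
        if f["details"]:
            print(f"    matched: {f['details']}")
        print(f"    check:   {f['hint']}")
    print("totals:", count_by_category(results))
```

Run it without arguments to see the three constructed failures classified, or point it at a saved IPsec log; lines that are not one of the known failure messages are ignored, so the output is only the hits and where to look for each.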