PFsense 2.2.6 - Mobile IPSEC VPN No longer works
-
I have just upgraded my PFsense box to Version 2.2.6 from Version 2.1 and the mobile VPNs to my regular VPN clients no longer work.
Site-to-site VPNs still continue to work OK.
I have researched the problem and it seems a number of other users are having similar problems, however I have yet to come across a solution which works for me.
I would be interested in hearing from users who have 2.2.6 installed and have successfully managed to get a Mobile VPN working.
I have however installed a trial version of Shrew Soft, and by chance, been able to get this to connect, however, only with settings which seem incorrect; maybe this will help in tracing a possible pfsense problem in this release?
PFsense Config as follows
–--------------------------------------------------------------------------
Phase 1
General information
Key Exchange – V1
Internet Protocol – Ipv4
Interface – WAN
Description –
Phase 1 proposal (Authentication)
Authentication method – Mutual PSK
Negotiation mode – Aggressive
My Identifier – My IP address [Here is the possible problem]
Phase 1 proposal (Algorithms)
Encryption algorithm – 3DES
Hash algorithm – SHA1
DH Key group – 2 (1024)
Lifetime – 86400
Advanced Options
–--------------------------------------------------------------------------
Phase 2
Mode – Tunnel IPv4
Local Network - LAN Subnet
Phase 2 proposal (SA/Key Exchange)
Protocol – ESP
Encryption algorithm – 3DES (only)
Hash algorithms – SHA1 (only)
PFS key group – 2 (1024)
Lifetime – 3600
Mobile clients
Extended Authentication (Xauth)
User Authentication - Local Database
Group Authentication – system
Client Configuration (mode-cfg)
Virtual Address Pool – 192.168.200.0/24
Pre-Shared Keys
Identifier – example@gmail.com
Type – PSK
Pre-Shared Key - 9YzKmjXDKcnBnVKvWR2m
Shrew Soft - Exported VPN as follows
n:version:4
n:network-ike-port:500
n:network-mtu-size:1500
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:[Public IP Address of Host]
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:example@outlook.com
s:ident-server-data:172.16.0.10 [Here is the possible problem]
b:auth-mutual-psk:[Encrypted PSK from above]
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
–----------------------
The VPN only works if s:ident-server-data: is set to the INTERNAL IP Address, rather than the "Public IP Address of Host", which is what I believe PFSense returns with the above config.
In Summary
PFsense is set to [My Identifier – My IP address], i.e. return its PUBLIC IP Address as the remote identifier.
Shrew Soft will only work if the remote identifier is set to the host's internal IP Address.
Comments / Suggestions please
Thank you
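A small checker for the Shrew Soft export format quoted above, added here as an example and not taken from the post, from pfSense or from Shrew Soft: it parses the n:/s:/b: lines and flags the server-identifier mismatch the post describes, plus the legacy algorithms in this profile. The sample export and the 203.0.113.10 host address are constructed.

```python
# Parser for the Shrew Soft VPN export format quoted in the post: each line is
# TYPE:KEY:VALUE, where "n:" is numeric, "s:" string and "b:" binary/base64.
# Added example, not part of the post; the sample export below is constructed
# to mirror the post's settings (203.0.113.10 is a documentation address).
SAMPLE_EXPORT = """\
n:version:4
s:network-host:203.0.113.10
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:example@outlook.com
s:ident-server-data:172.16.0.10
s:phase1-exchange:aggressive
s:phase1-cipher:3des
n:phase1-dhgroup:2
s:phase2-transform:esp-3des
n:phase2-pfsgroup:2
"""

def parse_shrewsoft_export(text):
    """Return {key: value}; 'n:' values become ints, others stay strings."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)  # value may itself contain ':'
        cfg[key] = int(value) if kind == "n" else value
    return cfg

def check_profile(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # The post's symptom: pfSense set to "My IP address" identifies itself by
    # its WAN address, so an 'address' server ident must equal network-host.
    if (cfg.get("ident-server-type") == "address"
            and cfg.get("ident-server-data") != cfg.get("network-host")):
        findings.append("ident-server-data does not match network-host "
                        "(peer ID mismatch fails IKE phase 1)")
    if cfg.get("phase1-exchange") == "aggressive" and cfg.get("auth-method") == "mutual-psk":
        findings.append("aggressive mode with PSK: prefer main mode or certificates")
    for key in ("phase1-cipher", "phase2-transform"):
        if "3des" in str(cfg.get(key, "")):
            findings.append(f"{key} uses 3DES; prefer AES")
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if isinstance(cfg.get(key), int) and cfg[key] <= 2:
            findings.append(f"{key} is DH group {cfg[key]} (1024-bit or weaker); prefer 14+")
    return findings
```

Running `check_profile(parse_shrewsoft_export(SAMPLE_EXPORT))` reports the identifier mismatch first; setting ident-server-data to the network-host value clears that finding and leaves only the algorithm warnings.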
-
I deleted my 'Mobile Client' under Tunnels, then went to 'Mobile Clients' tab and saw that "Create Phase 1" option was available.
I re-created Phase 1 and Phase 2 and the VPN worked again.
Cheers
VPN: IPsec: Edit Phase 1: Mobile Client
Key Exchange version V1
Internet Protocol Ipv4
Interface WAN
Description Mobile Client
Authentication method Mutual PSK
Negotiation mode Aggressive
My identifier My IP Address
Encryption algorithm AES 256
Hash algorithm SHA1
DH key group 2
Lifetime 28800
NAT Traversal Force
Dead Peer Detection Enable / 10 / 5
VPN: IPsec: Edit Phase 2: Mobile Client
Local Network DMZ (mine is DMZ but yours might be LAN)
Protocol ESP
Encryption algorithms AES 256 (only)
Hash algorithms SHA1
PFS key group 2
Lifetime 3600