Netgate Discussion Forum
    [SOLVED] 2.3.1 IPSec Mobile Client Failure
    mannyjacobs73

      Hello,

      Having some trouble getting IPSec mobile client working.

      I don't mind trying to test this on 2.2.6 but I haven't been able to find an ISO yet - If someone could provide a link so that I may test this with an older version, I would appreciate it.

      I have followed the various documentation for configuration with ShrewSoft, and I am confident I have set settings on both sides correct.

      Essentially, this particular problem looks like Aggressive Mode is not being set correctly within the pfSense system, even though 'Aggressive Mode' is selected in the GUI...

      Jul 8 11:29:12 charon 10[ENC] <4> generating INFORMATIONAL_V1 request 19928xxxx12842 [ N(AUTH_FAILED) ]
      Jul 8 11:29:12 charon 10[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
      Jul 8 11:29:12 charon 10[CFG] <4> looking for pre-shared key peer configs matching x.x.x.x…x.x.x.x[xyz@email.com]
      Jul 8 11:29:12 charon 10[IKE] <4> x.x.x.x is initiating a Aggressive Mode IKE_SA

      I have noticed that changing and applying settings between Main / Aggressive mode makes no difference to the file '/var/etc/ipsec/ipsec.conf'. I have tried adding 'aggressive = yes' manually, but this was simply removed after applying any further changes in the IPsec GUI.

      If, on the other hand, I try to keep all settings the same and simply select Main Mode on both ends, I am still unable to establish phase 1 and my logs look as follows...

      Jul 8 12:09:51 charon 06[ENC] <9> generating INFORMATIONAL_V1 request 143xxx3251738 [ N(INVAL_KE) ]
      Jul 8 12:09:51 charon 06[IKE] <9> no shared key found for x.x.x.x - x.x.x.x
      Jul 8 12:09:51 charon 06[IKE] <9> no shared key found for 'x.x.x.x'[x.x.x.x] - '(null)'[x.x.x.x]
      Jul 8 12:09:51 charon 06[IKE] <9> remote host is behind NAT
      Jul 8 12:09:51 charon 06[ENC] <9> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Jul 8 12:09:51 charon 06[NET] <9> received packet: from x.x.x.x[10] to x.x.x.x[500] (232 bytes)
      Jul 8 12:09:51 charon 08[NET] <9> sending packet: from x.x.x.x[500] to x.x.x.x[10] (156 bytes)
      Jul 8 12:09:51 charon 08[ENC] <9> generating ID_PROT response 0 [ SA V V V V ]
      Jul 8 12:09:51 charon 08[IKE] <9> x.x.x.x is initiating a Main Mode IKE_SA

      My ipsec.conf file looks like this:

      config setup
              uniqueids = yes

      conn con2
              fragmentation = yes
              keyexchange = ike
              reauth = yes
              forceencaps = yes
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = clear
              dpddelay = 30s
              dpdtimeout = 180s
              auto = add
              left = x.x.x.x
              right = %any
              leftid = x.x.x.x
              ikelifetime = 28800s
              lifetime = 3600s
              rightsourceip = 192.168.111.0/30
              ike = 3des-sha1-modp1024!
              esp = 3des-sha1-modp1024!
              leftauth = psk
              rightauth = psk
              leftsubnet = 192.168.166.0/24

      Any recommendations as to what I could try?

      Thanks!

      mannyjacobs73

        So just to update you on this...

        I found and installed v2.2.6.

        The Mobile IPsec established a connection with the Shrew client first time. However, for some reason this only worked if pfSense was set to 'Aggressive Mode' and the client set to 'Main Mode'.

        • I would have expected this not to work?

        I then ran an automatic upgrade to 2.3.1-RELEASE... The mobile IPsec failed to establish a connection, regardless of the configuration I tried.

        Anyone else experienced / experiencing similar issues?

        Regards,

        cmb

          You probably want to enable the Unity plugin on 2.3.x for that usage; it's disabled by default on 2.3+ as it's undesirable in most use cases.

          mannyjacobs73

            Thanks. I enabled Unity on 2.3.1 (VPN / IPsec / Advanced) with the same result: unable to establish a connection. I'm very sure I have used the same settings in the two installs, so I'm not really sure what to check next on 2.3.1.

            I am OK to use 2.2.6 though. At least the dial-in establishes. For the moment, I am unable to ping or access local resources through this connection, but this is probably fw rules I need to look at.

            Also, still not sure why 2.2.6 connects only with the fw at Aggressive mode and the Shrew client using Main mode.

            I am happy to try and test anything on 2.3.1 though - I assume others have got this working without issues.

            My test environment isn't particularly difficult... just a WAN and local LAN net, no additional routing.

            mannyjacobs73

              I will come back to this with an update once I can spend more time on this.

              In the meantime, I have a higher priority to get a site-to-site IPsec working first - I'll open a separate ticket for this (the site-to-site is working, with a minor caveat).

              mannyjacobs73

                As mentioned above, I then set up a site-to-site IPsec with v2.2.6.

                Once that was working, I attempted to get the IPsec mobile client working - this would only establish a connection if I disabled the site-to-site connections (possibly this is one of the limitations of using IPsec, I'm not sure).

                Anyway, even when the site-to-sites were disabled and I could establish a connection with a remote client, I couldn't ping or access systems across the tunnel (I had one test rule under the fw IPsec tab to allow all/all to any/any).

                I decided to set up an OpenVPN server to accommodate remote client logins. This works perfectly as expected, even with site-to-sites enabled.

                ----------------------------------------------------
                For additional info, I then ran the auto-update feature (no additional changes to my config) to v2.3.1 and then once again to v2.3.1_p5.  In both cases, the site-to-site and OpenVPN continued to work correctly without any noticeable issues.

                I saw that my ipsec.conf, which has been 'upgraded' across the versions, does actually contain a line for "aggressive = yes/no" - this wasn't the case with the initial 'clean install' of v2.3.1.
                -- If it is of interest to anyone, I could do a new clean install and double check this.

                Rgds,

                nsi-fusion

                  Had very similar issues. Working for the public sector, and we use IPsec for remote connectivity for the IT team only. We have introduced pfSense as an alternative to a Cisco ASA that is no longer covered by the Cisco support contract. Using Shrewsoft as a dial-in client.

                  We tried to move the IPsec to pfSense and save some reconfiguration/deployment issues. In theory it should just work. It did not. We had similar problems to what you have experienced. Moving everything to OpenVPN was a perfect choice. Everything just works. At this stage IPsec was abandoned. We never made additional attempts to re-test IPsec. The only thing that was new is the fact that the OpenVPN client must be run with admin privileges, as a normal user does not have rights to update the routing table in Windows...

                  cmb

                    @mannyjacobs73:

                    I saw that my ipsec.conf, which has been 'upgraded' across the versions, does actually contain a line for "aggressive = yes/no" - This wasn't the case with the initial 'clean install' of v2.3.1.

                    Your config was different in that case, using either IKEv2 or IKE "auto", where it doesn't have the aggressive line in ipsec.conf.

                    mannyjacobs73
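The resolution above comes down to one relationship: the aggressive line only makes sense for IKEv1, so a conn whose keyexchange is "ike" (pfSense "Auto") or "ikev2" will not carry it, and an IKEv1 Aggressive Mode PSK client is then refused with the "none allows pre-shared key authentication using Aggressive Mode" message from the first post. The following checker is an added example written for this thread, not code from pfSense or strongSwan: it parses a strongSwan-style ipsec.conf, flags that mismatch, and tags charon log lines with the failure mode they indicate. The conn and log lines embedded below are constructed from the ones posted above, with the masked addresses replaced by documentation-range addresses.

```python
import re

# Constructed sample: the mobile conn from the thread, with keyexchange left at "ike" (pfSense "Auto").
SAMPLE_CONF = """\
config setup
        uniqueids = yes

conn con2
        fragmentation = yes
        keyexchange = ike
        reauth = yes
        auto = add
        left = 203.0.113.1
        right = %any
        leftauth = psk
        rightauth = psk
        ike = 3des-sha1-modp1024!
"""

# Constructed charon lines modelled on the first post (addresses are placeholders, not real peers).
SAMPLE_LOG = [
    "Jul 8 11:29:12 charon 10[IKE] <4> 198.51.100.7 is initiating a Aggressive Mode IKE_SA",
    "Jul 8 11:29:12 charon 10[CFG] <4> looking for pre-shared key peer configs matching 203.0.113.1...198.51.100.7[xyz@email.com]",
    "Jul 8 11:29:12 charon 10[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode",
    "Jul 8 11:29:12 charon 10[ENC] <4> generating INFORMATIONAL_V1 request 1 [ N(AUTH_FAILED) ]",
]

# Substring -> tag. Order matters: the most specific reason comes before the generic notify.
LOG_PATTERNS = [
    (r"none allows pre-shared key authentication using Aggressive Mode", "aggressive_mode_not_allowed"),
    (r"no shared key found", "psk_lookup_failed"),
    (r"N\(INVAL_KE\)", "invalid_key_exchange"),
    (r"N\(AUTH_FAILED\)", "auth_failed"),
]

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for an ipsec.conf; sections start in column 0, settings are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_conn(conn):
    """Findings for a PSK conn that is meant to accept an IKEv1 Aggressive Mode client."""
    findings = []
    kx = conn.get("keyexchange", "ike")          # strongSwan default is "ike" (IKEv2 preferred)
    aggressive = conn.get("aggressive", "no")    # strongSwan default is Main Mode
    if kx != "ikev1":
        findings.append("keyexchange=%s: 'aggressive' is an IKEv1-only setting, so no aggressive line is "
                        "emitted; select IKEv1 (not Auto/IKEv2) for an Aggressive Mode PSK client" % kx)
    elif aggressive != "yes":
        findings.append("keyexchange=ikev1 but aggressive=%s: Aggressive Mode initiators will be refused" % aggressive)
    if conn.get("rightauth") == "psk" and kx != "ikev1" and aggressive == "yes":
        findings.append("aggressive=yes has no effect unless keyexchange=ikev1")
    return findings

def classify_log(lines):
    """Return the distinct failure tags seen in the charon lines, in order of first appearance."""
    tags = []
    for line in lines:
        for pattern, tag in LOG_PATTERNS:
            if re.search(pattern, line) and tag not in tags:
                tags.append(tag)
    return tags

HINTS = {
    "aggressive_mode_not_allowed": "a conn matched the peer but does not permit Aggressive Mode with PSK (keyexchange/aggressive mismatch)",
    "psk_lookup_failed": "no PSK matched the peer identities; in Main Mode the responder sees only the peer address, so the key must be selectable by address or %any",
    "invalid_key_exchange": "the initiator's DH group did not match the configured ike= proposal",
    "auth_failed": "phase 1 authentication was rejected; see the more specific tag logged just before it",
}

def diagnose(conf_text, log_lines, conn_name="conn con2"):
    conn = parse_ipsec_conf(conf_text).get(conn_name, {})
    return {"config": check_conn(conn), "log": [(t, HINTS[t]) for t in classify_log(log_lines)]}

if __name__ == "__main__":
    for section, items in diagnose(SAMPLE_CONF, SAMPLE_LOG).items():
        for item in items:
            print(section, "->", item)
```

Running it against the constructed sample reports the "keyexchange=ike" finding and the "aggressive_mode_not_allowed" tag, which is exactly the combination described in the first post; the same checker run on the second log excerpt (Main Mode on both ends) would instead surface the "no shared key found" lookup failure as a PSK/identity problem rather than a mode problem.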

                      @nsi-fusion, yes, same kind of scenario here - however, fighting to replace the Ciscos with something more robust and generally easier to work with for everyone in the IT team.

                      I am really impressed with the way the GUI admin pages for pfSense are laid out. Easy to use, and no or minimal FreeBSD / Linux command-line experience is needed unless you want or need to delve deeper - this helps to sell it when I am the only one here with these types of skills.

                      My plan is to test and learn the system as much as possible, making sure it works in our environment, and then eventually sign up for a subscription. One step at a time though...

                      @cmb, I will do another clean install of 2.3.1 and will re-check this. I'm sure the config was the same; however, I probably wasn't paying attention to the link between IKEv2 or IKE auto and main/aggressive.

                      I'll confirm here once done.

                      Thanks,

                      mannyjacobs73

                        A clean install of 2.3.1 and a quick setup of the IPsec site-to-site came up straight away.

                        I played with the IKE settings between Auto, v2 and v1 - as cmb said, my config must have been different when I was comparing.

                        Thanks...
