[SOLVED] 2.3.1 IPSec Mobile Client Failure

  • Hello,

    Having some trouble getting IPSec mobile client working.

    I don't mind trying to test this on 2.2.6 but I haven't been able to find an ISO yet - If someone could provide a link so that I may test this with an older version, I would appreciate it.

    I have followed the various documentation for configuration with ShrewSoft, and I am confident I have set settings on both sides correct.

    Essentially, this particular problem looks like Aggressive Mode is not being set correctly within the pfSense system, even though 'Aggressive Mode' is selected in the GUI...

    Jul 8 11:29:12 charon 10[ENC] <4> generating INFORMATIONAL_V1 request 19928xxxx12842 [ N(AUTH_FAILED) ]
    Jul 8 11:29:12 charon 10[IKE] <4> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Jul 8 11:29:12 charon 10[CFG] <4> looking for pre-shared key peer configs matching x.x.x.x…x.x.x.x[xyz@email.com]
    Jul 8 11:29:12 charon 10[IKE] <4> x.x.x.x is initiating a Aggressive Mode IKE_SA

    I have noticed that changing and applying settings between Main / Aggressive mode makes no difference to the file '/var/etc/ipsec/ipsec.conf'.  I have tried manually adding 'aggressive = yes', but this was simply removed after applying any further changes in the IPsec GUI.

    If, on the other hand, I try to keep all settings the same and simply select to use Main Mode on both ends, I am still unable to establish phase 1 and my logs look as follows….

    Jul 8 12:09:51 charon 06[ENC] <9> generating INFORMATIONAL_V1 request 143xxx3251738 [ N(INVAL_KE) ]
    Jul 8 12:09:51 charon 06[IKE] <9> no shared key found for x.x.x.x - x.x.x.x
    Jul 8 12:09:51 charon 06[IKE] <9> no shared key found for 'x.x.x.x'[x.x.x.x] - '(null)'[x.x.x.x]
    Jul 8 12:09:51 charon 06[IKE] <9> remote host is behind NAT
    Jul 8 12:09:51 charon 06[ENC] <9> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jul 8 12:09:51 charon 06[NET] <9> received packet: from x.x.x.x[10] to x.x.x.x[500] (232 bytes)
    Jul 8 12:09:51 charon 08[NET] <9> sending packet: from x.x.x.x[500] to x.x.x.x[10] (156 bytes)
    Jul 8 12:09:51 charon 08[ENC] <9> generating ID_PROT response 0 [ SA V V V V ]
    Jul 8 12:09:51 charon 08[IKE] <9> x.x.x.x is initiating a Main Mode IKE_SA

    My ipsec.conf file looks like this:

    config setup
            uniqueids = yes

    conn con2
            fragmentation = yes
            keyexchange = ike
            reauth = yes
            forceencaps = yes
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = clear
            dpddelay = 30s
            dpdtimeout = 180s
            auto = add
            left = x.x.x.x
            right = %any
            leftid = x.x.x.x
            ikelifetime = 28800s
            lifetime = 3600s
            rightsourceip =
            ike = 3des-sha1-modp1024!
            esp = 3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            leftsubnet =

    Any recommendations as to what I could try?


  • So just to update you on this….

    I found and installed v2.2.6.

    The Mobile IPSec established a connection with Shrew Client first time.  However, this only worked for some reason if the pfSense was set to 'Aggressive Mode' and the client set to 'Main Mode'.

    • I would have expected this not to work?

    I then ran an automatic upgrade to 2.3.1-RELEASE...  The mobile IPSec failed to establish connection, regardless of the configuration I tried.

    Anyone else experienced / experiencing similar issues?


  • You probably want to enable the Unity plugin on 2.3.x for that usage, it's disabled by default on 2.3+ as it's undesirable in most use cases.

  • Thanks.  I enabled Unity on 2.3.1 (VPN / IPsec / Advanced) with the same result - unable to establish a connection.  I'm very sure I have used the same settings in the two installs, so not really sure what to check next on 2.3.1.

    I am ok to use 2.2.6 though.  At least the dial-in establishes.  For the moment, I am unable to ping or access local resources through this connection, but this is probably fw rules I need to look at.

    Also, still not sure why 2.2.6 connects only with the fw at Aggressive mode and the Shrew client using Main mode.

    I am happy to try and test anything on 2.3.1 though -  I assume others have got this working without issues.

    My test environment isn't particularly difficult…. Just a WAN and local LAN Net, no additional routing.

  • I will come back to this with an update once I can spend more time on this.

    In the meantime, I have a higher priority to get a site-to-site IPsec working first - I'll open a separate ticket for this (the site-to-site is working, with a minor caveat).

  • As mentioned above, I then set up a site-to-site IPsec with v2.2.6.

    Once that was working, I attempted to get the IPsec mobile client working - This would only establish a connection if I disabled the site-to-site connections (possibly this is one of the limitations of using IPsec, I'm not sure).

    Anyway, even when the site-to-sites were disabled and I could establish a connection with a remote client, I couldn't ping or access systems across the tunnel (I had one test rule under the fw IPsec tab to allow all/all to any/any).

    I decided to set up an OpenVPN server to accommodate remote client logins.  This works perfectly as expected, even with site-to-sites enabled.

    For additional info, I then ran the auto-update feature (no additional changes to my config) to v2.3.1 and then once again to v2.3.1_p5.  In both cases, the site-to-site and OpenVPN continued to work correctly without any noticeable issues.

    I saw that my ipsec.conf, which has been 'upgraded' across the versions, does actually contain a line for "aggressive = yes/no" - This wasn't the case with the initial 'clean install' of v2.3.1.
    -- If it is of interest to anyone, I could do a new clean install and double check this.


  • Had very similar issues. Working for public sector and we use IPsec for the remote connectivity for only IT Team. We have introduced pfSense as an alternative to Cisco ASA that is no longer covered by the Cisco support contract. Using Shrewsoft as a dial-in client.

    We tried to move the IPsec to pfSense and save some reconfiguration/deployment issues. In theory it should just work. Did not. We had similar problems to what you have experienced. Moving everything to OpenVPN was a perfect choice. Everything just works. At this stage IPsec was abandoned. We never made additional attempts to re-test IPsec. The only thing that was new is the fact that the OpenVPN client must be run with admin privileges, as a normal user does not have rights to update the routing table in Windows...

  • @mannyjacobs73:

    I saw that my ipsec.conf, which has been 'upgraded' across the versions, does actually contain a line for "aggressive = yes/no" - This wasn't the case with the initial 'clean install' of v2.3.1.

    Your config was different in that case. Using either IKEv2, or IKE "auto", where it doesn't have the aggressive line in ipsec.conf.
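    To make cmb's point checkable, here is a small lint (an added example, not code from the thread or from pfSense) that parses an ipsec.conf and flags the two things visible in the first post: a PSK road-warrior conn whose keyexchange is not ikev1, so no 'aggressive' line is written and an IKEv1 Aggressive Mode client is refused, and the empty rightsourceip / leftsubnet values. The sample conn and its placeholder addresses are constructed for the example.

```python
import re

# Constructed sample: the mobile-client conn posted in the thread, trimmed; addresses are placeholders.
SAMPLE_CONF = """\
config setup
        uniqueids = yes
conn con2
        keyexchange = ike
        left = 192.0.2.1
        right = %any
        rightsourceip =
        leftauth = psk
        rightauth = psk
        leftsubnet =
"""

def parse_ipsec_conf(text):
    """Return {'conn <name>': {key: value}, ...} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if m:  # section header, e.g. 'conn con2'
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_conn(name, conn):
    """Findings for one conn; an empty list means none of the known problems."""
    findings = []
    psk = "psk" in (conn.get("leftauth"), conn.get("rightauth"))
    kx = conn.get("keyexchange", "ike")
    if psk and conn.get("right") == "%any" and kx != "ikev1":
        findings.append(f"{name}: keyexchange={kx}, so pfSense writes no 'aggressive' line; "
                        "an IKEv1 Aggressive Mode PSK client will be rejected")
    if psk and kx == "ikev1" and conn.get("aggressive", "no").lower() != "yes":
        findings.append(f"{name}: IKEv1 with PSK but 'aggressive = yes' is missing")
    for key in ("rightsourceip", "leftsubnet"):
        if key in conn and conn[key] == "":
            findings.append(f"{name}: '{key}' is present but empty")
    return findings

def lint(text):
    return [f for name, conn in parse_ipsec_conf(text).items()
            if name.startswith("conn ") for f in lint_conn(name, conn)]
```

    Running lint(SAMPLE_CONF) reports the keyexchange problem and both empty values; switching the conn to keyexchange = ikev1 with aggressive = yes and filling in the subnets clears all findings.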

  • @nsi-fusion, yes same kind of scenario here - however fighting to replace Ciscos with something more robust and generally easier to work with for all in the IT team.

    I am really impressed with the way the admin pages of the pfSense GUI are laid out.  Easy to use, and no or minimal FreeBSD / Linux command-line experience needed unless you want or need to delve deeper - This helps to sell it when there is only myself with these types of skills available here.

    My plan is to test and learn the system as much as possible, making sure it works in our environment and then eventually sign up for a subscription.  One step at a time though.

    @cmb, I will do another clean install of 2.3.1 and will re-check this.  I'm sure the config was the same, however I probably wasn't paying attention to the link between IKEv2 or IKE auto and main/aggressive.

    I'll confirm here once done.


  • A clean install with 2.3.1 and a quick setup of the IPsec site-to-site came up straight away.

    I played with the IKE settings between Auto, v2 and v1 - As cmb said, my config must have been different when I was comparing.

