PFSense 2.3 & Greenbow IPSec Client



  • Hello together, after my site-to-site problem is solved I got a new one. I need some mobile access.

    IKE Extensions: Enabled
    User Authentication: Local Database
    Virtual Address Pool: Enabled
    Network List: Enabled

    Phase1 Auth
    Key Exchange version: V2
    Internet Protocol: IPv4
    Interface: WAN
    My identifier: My IP Address
    Peer identifier: Peer IP address
    Pre-Shared Key: xxx

    Phase1 Alg.
    Encryption Algorithm: AES 256
    Hash: SHA256
    DH group: 14
    Lifetime: 28800

    Phase 2
    Mode: Tunnel
    Local Network: LAN subnet
    Protocol: ESP
    Encryption: AES256
    Hash: SHA256
    PFS group: 14
    Lifetime: 3600

    If I try to connect with my Greenbow client I get an auth. error. On the pfSense I got:

    Aug 24 11:14:08 charon 09[NET] <9> received packet: from 213.188.234.181[500] to 212.147.xxx.xxx[500] (432 bytes)
    Aug 24 11:14:08 charon 09[ENC] <9> parsed IKE_SA_INIT request 0 [ SA No N(NATD_S_IP) N(NATD_D_IP) KE ]
    Aug 24 11:14:08 charon 09[IKE] <9> 213.188.234.181 is initiating an IKE_SA
    Aug 24 11:14:08 charon 09[IKE] <9> remote host is behind NAT
    Aug 24 11:14:08 charon 09[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Aug 24 11:14:08 charon 09[NET] <9> sending packet: from 212.147.xxx.xxx[500] to 213.188.234.181[500] (440 bytes)
    Aug 24 11:14:08 charon 09[NET] <9> received packet: from 213.188.234.181[52799] to 212.147.xxx.xxx[4500] (256 bytes)
    Aug 24 11:14:08 charon 09[ENC] <9> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR) SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) ]
    Aug 24 11:14:08 charon 09[CFG] <9> looking for peer configs matching 212.147.xxx.xxx[%any]...213.188.234.181[192.168.1.127]
    Aug 24 11:14:08 charon 09[CFG] <con1|9> selected peer config 'con1'
    Aug 24 11:14:08 charon 09[IKE] <con1|9> no shared key found for '%any' - '192.168.1.127'
    Aug 24 11:14:08 charon 09[IKE] <con1|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 24 11:14:08 charon 09[ENC] <con1|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 24 11:14:08 charon 09[NET] <con1|9> sending packet: from 212.147.xxx.xxx[4500] to 213.188.234.181[52799] (80 bytes)

    Sorry for the stupid questions, but monowall was easier for me :)
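
Added example (not part of the original post, and not pfSense or strongSwan code): a small Python triage of charon lines like those in the post above, tying the `no shared key found` message to the identity the NATed client sent in IKE_AUTH. The sample lines are constructed with documentation addresses, and the names `triage` and `explain` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's charon lines (documentation IPs).
SAMPLE = """\
Aug 24 11:14:08 charon 09[IKE] <9> 198.51.100.7 is initiating an IKE_SA
Aug 24 11:14:08 charon 09[IKE] <9> remote host is behind NAT
Aug 24 11:14:08 charon 09[CFG] <9> looking for peer configs matching 203.0.113.1[%any]...198.51.100.7[192.168.1.127]
Aug 24 11:14:08 charon 09[CFG] <con1|9> selected peer config 'con1'
Aug 24 11:14:08 charon 09[IKE] <con1|9> no shared key found for '%any' - '192.168.1.127'
Aug 24 11:14:08 charon 09[ENC] <con1|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "<9>" before a config is selected, "<con1|9>" after; the number is the SA id.
LINE = re.compile(r"charon \d+\[[A-Z]+\] <(?:[^|>]+\|)?(?P<sa>\d+)>\s*(?P<msg>.*)")
INIT = re.compile(r"(\S+) is initiating an IKE_SA")
# local_host[local_id]...remote_host[remote_id]; forum pastes may turn "..." into "…".
PEERS = re.compile(r"matching \S+?\[(.+?)\](?:\.\.\.|…)(\S+?)\[(.+?)\]")
NOPSK = re.compile(r"no shared key found for '(.*?)' - '(.*?)'")

def triage(text):
    """Group charon lines by IKE_SA id and collect the facts behind AUTH_FAILED."""
    sas = defaultdict(lambda: {"peer": None, "nat": False, "remote_id": None,
                               "psk_ids": None, "auth_failed": False})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a charon line
        sa, msg = sas[m["sa"]], m["msg"]
        if x := INIT.match(msg):
            sa["peer"] = x[1]
        elif "remote host is behind NAT" in msg:
            sa["nat"] = True
        elif x := PEERS.search(msg):
            sa["remote_id"] = x[3]
        elif x := NOPSK.search(msg):
            sa["psk_ids"] = (x[1], x[2])
        elif "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
    return dict(sas)

def explain(sa):
    """One-line reading of a failed SA: which identity pair had no PSK entry."""
    if not (sa["auth_failed"] and sa["psk_ids"]):
        return "no missing-PSK failure seen"
    note = "no PSK for identities %r / %r" % sa["psk_ids"]
    if sa["nat"] and sa["psk_ids"][1] != sa["peer"]:
        note += "; NATed peer %s sent %s as its ID" % (sa["peer"], sa["psk_ids"][1])
    return note
```
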


  • LAYER 8 Netgate

    Why greenbow? Why not native IKEv2?

    What clients are you trying to support? (OS/version?)



  • Could be another client. Windows 7 / 10


  • LAYER 8 Netgate

