IPSec Mobile clients wont establish - ALIX 2 units



  • Hi guys,

    First time poster and user of the pfsense system. I have been able to establish a static to static IPSec vpn and ping a device through the VPN but now when attempting to test Mobile client ipsec vpns I cannot get it to establish.

    I followed the guide from http://pfsense.mirror.range-id.it/tutorials/mobile_ipsec/ on how to get the mobile ipsec setup. On the static end I enabled IPSec vpn's. Then also setup preshared keys for User FQDN settings and the mobile client ipsec settings. On the remote client I set the identification to User FQDN and used the same preshared key that was defined on the static client. Both ends had the same lifetime settings and all the same encryption settings.

    Below is the line in the SAD IPSec status screen on the mobile pfsense box. On the Overview screen it displays a yellow X at the end to show it hasn't properly established.

    Source       Destination  Protocol  SPI          Enc. alg.  Auth. alg.
    172.16.1.1  172.16.1.2   ESP        0d59e1f4  replay=0  pid=33739.

    Any help would be greatly appreciated.

    [EDIT] Thought I would attempt to further clarify my setup and what I was doing. I have been trying to test these devices before they go in tomorrow  ::) . I have the mobile client management page set to 192.168.1.254 and its WAN IP set to 172.16.1.2. I have what will be the static client setup as 192.168.0.254 on its LAN port and 172.16.1.1 for its WAN port.

    On the static client I have setup an IPSEC rule to allow all traffic on any protocol and turned on the option for Allow mobile clients in the IPSec settings. I have also entered a id and passphrase for use by the mobile client in its IPSec settings.

    On the mobile client I specified that 172.16.1.1 is the remote end point with the IP subnet of 192.168.0.0/24 as its remote subnet. I set the same id as a USER FQDN in the identifier for the remote client and also the same passphrase. Using 3DES and SHA1 for both phases of the IPSec vpn's with Lifetime setting of 3600 seconds on both ends for each phase also. Also made sure there was a rule on the remote endpoint for IPSec traffic to allow.

    Now when attempting to ping the static gateway of 192.168.0.254 from a PC (192.168.1.1/24 w/ a gateway of 192.168.1.254) behind the remote endpoint this is where the the above line for SAD happens.


Log in to reply