Netgate Discussion Forum
    Mixed Main / Aggressive negotiation mode possible?

    IPsec
    6 Posts 2 Posters 1.1k Views
    • str8shot

      Hi All!

      New to pfSense. Previous setup was all Cisco.

      I've run into a problem setting up L2TP / IPsec VPN.

      My Win native VPN client requires Main for negotiation mode, which breaks Android native VPN client:

      04[IKE] <7> found 2 matching configs, but none allows pre-shared key authentication using Aggressive Mode

      Android's native client requires Aggressive for negotiation mode, which breaks Windows native client:

      06[IKE] <5> found 2 matching configs, but none allows pre-shared key authentication using Main Mode

      Anyone know a possible workaround? Both worked fine with Cisco 3845 router.

      Any help is appreciated. Loving the router package otherwise. Running it on a HP T620+ with 4 port NIC.

      • jimp (Rebel Alliance Developer, Netgate)

        My suggestion: Ditch L2TP/IPsec and go to IKEv2

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • str8shot @jimp

          @jimp Doesn't IKEv2 require certs and what not? The beauty of IPsec for me has always been just knowing my uid, pwd and secret, allowing me to log in from anywhere without having to load certs, etc.

          • jimp (Rebel Alliance Developer, Netgate)

            And requiring only that is a gaping security hole.

            There are far too many client quirks with L2TP/IPsec and strongSwan to make it viable on pfSense, especially when the clients are behind NAT. You can make some clients happy and work, but not all of them.

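An added illustration of the IKEv2 road-warrior setup jimp recommends, written as a strongSwan swanctl.conf fragment (not pfSense's generated configuration and not taken from this thread): the server authenticates with a certificate, while users authenticate with a username and password over EAP-MSCHAPv2, so clients need no certificate of their own, only trust in the server's CA. The hostname, certificate file, address pool and user account are constructed placeholders.

```conf
# Constructed example: IKEv2 with a server certificate and EAP-MSCHAPv2
# user authentication. The client trusts the CA that signed the server
# certificate; no per-client certificate is issued or installed.
connections {
    mobile-ikev2 {
        version = 2                       # IKEv2 only: Main/Aggressive mode does not exist here
        proposals = aes256-sha256-modp2048
        send_cert = always                # always send the chain so the client can verify it
        pools = mobile-pool
        local {
            auth = pubkey
            certs = vpn-server.pem        # placeholder: server cert in /etc/swanctl/x509/
            id = vpn.example.com          # placeholder: must match a SAN in that certificate
        }
        remote {
            auth = eap-mschapv2           # username + password, no client certificate
            eap_id = %any                 # accept any EAP identity listed under secrets
        }
        children {
            mobile {
                local_ts = 0.0.0.0/0      # full tunnel for road-warrior clients
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    mobile-pool {
        addrs = 10.10.10.0/24             # placeholder virtual IP pool handed to clients
    }
}

secrets {
    # One entry per user; the "eap-" prefix marks the entry as EAP credentials.
    eap-alice {
        id = alice
        secret = "constructed-example-password"
    }
}
```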
            • str8shot @jimp

              @jimp is it not possible to run main and aggressive authentication at the same time?

              • jimp (Rebel Alliance Developer, Netgate)

                No, though I would expect Aggressive mode to allow Main to work (since it's more secure), but clearly it isn't working there given that error.

                You can't pick both Main and Aggressive in a single P1, and there isn't a way to define more than one mobile P1.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.