Mixed Main / Aggressive negotiation mode possible?
  • Hi All!

    New to pfSense. Previous setup was all Cisco.

    I've run into a problem setting up L2TP / IPSec VPN.

    My Win native VPN client requires Main for negotiation mode, which breaks Android native VPN client:

    04[IKE] <7> found 2 matching configs, but none allows pre-shared key authentication using Aggressive Mode

    Android's native client requires Aggressive for negotiation mode, which breaks Windows native client:

    06[IKE] <5> found 2 matching configs, but none allows pre-shared key authentication using Main Mode

    Anyone know a possible workaround? Both worked fine with Cisco 3845 router.

    Any help is appreciated. Loving the router package otherwise. Running it on a HP T620+ with 4 port NIC.
  • Rebel Alliance Developer Netgate

    My suggestion: Ditch L2TP/IPsec and go to IKEv2
  • @jimp Doesn't IKEv2 require certs and what not? The beauty of IPsec for me has always been just knowing my uid, pwd and secret, allowing me to log in from anywhere without having to load certs, etc.
  • Rebel Alliance Developer Netgate

    And requiring only that is a gaping security hole.

    There are far too many client quirks with L2TP/IPsec and strongSwan to make it viable on pfSense, especially when the clients are behind NAT. You can make some clients happy and work, but not all of them.
  • @jimp Is it not possible to run Main and Aggressive authentication at the same time?
  • Rebel Alliance Developer Netgate

    No, though I would expect Aggressive mode to allow main to work (since it's more secure), but clearly it isn't working there given that error.

    You can't pick both main and aggressive in a single P1, and there isn't a way to define more than one mobile P1.
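    As an added illustration of the point above (not config from the thread, from pfSense, or from Netgate), the two conn entries below are what strongSwan, the IKE daemon pfSense runs, would need in ipsec.conf to serve both clients. strongSwan selects the conn whose aggressive flag matches the mode the client proposes, which is exactly what the "found 2 matching configs, but none allows pre-shared key authentication using ... Mode" lines in the first post are reporting: two configs matched the peer, neither allowed the requested mode. pfSense's GUI writes a single mobile P1, so it cannot produce this; the conn names, the interface choice and the placeholder secret are assumptions.

    ```conf
    # Added example, hand-written ipsec.conf for strongSwan (not pfSense-generated).
    # Assumptions: the server's own address via %defaultroute, conn names chosen here,
    # and a placeholder PSK in ipsec.secrets.
    config setup
        charondebug="ike 2, cfg 2"

    # Settings shared by both L2TP/IPsec transport-mode responders.
    conn %default
        keyexchange=ikev1
        authby=psk
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rekey=no
        auto=add

    # Windows native client: proposes Main Mode (strongSwan default is aggressive=no).
    conn l2tp-main
        aggressive=no

    # Android native client: proposes Aggressive Mode.
    conn l2tp-aggressive
        aggressive=yes

    # ipsec.secrets would carry one line such as:
    #   %any %any : PSK "REPLACE-WITH-YOUR-PSK"   (placeholder, not a real secret)
    ```

    The reason jimp calls a PSK-only setup a gaping hole is visible in the second conn: in Aggressive Mode the PSK-derived hash is exchanged before encryption is established, so anyone capturing the exchange can attempt offline guessing against the shared secret, whereas IKEv2 with EAP keeps the username and password inside an encrypted exchange authenticated by the server's certificate. That is the trade-off behind the "ditch L2TP/IPsec and go to IKEv2" advice above.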