IPSEC to Nokia Mobile Client (RoadWarrior VPN) pfSense 1.2.3



  • Hi Folks,

    I'm trying to get a Nokia E71 to connect (using the Nokia Mobile VPN Client) back to a pfSense 1.2.3 box - using the ipsec RoadWarrior Guide.
    The Nokia works by defining an access point using a combination of VPN policy and net connection (3g or WLAN). To invoke the vpn - associate the vpn access point with an application such as email and then it should establish the relationship. It starts the chat with the pfSense box, that's for sure - but it never passes any data. I imagine that I've misconfigured something. I've tried various combinations of (matching) encryption and authentication but the net result appears to be the same.

    pfSense shows entries under IPSEC status for SAD and SPD both ways so it appears that a relationship is established - however, there are some dubious entries in the pfSense IPSEC VPN log and I need some help understanding them to troubleshoot the problem. Here's a snippet of the logs for a session - newest at the top.

    
    Jul 30 14:56:16 	racoon: ERROR: the length in the isakmp header is too big.
    Jul 30 14:56:12 	racoon: [Unknown Gateway/Dynamic]: WARNING: remote address mismatched. db=<my mobile="" ip="" goes="" here!="">[53065], act=<my mobile="" ip="" goes="" here!="">[25026]
    Jul 30 14:55:28 	last message repeated 4 times
    Jul 30 14:54:43 	racoon: ERROR: the length in the isakmp header is too big.
    Jul 30 14:54:43 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 10.178.25.96/32[0] proto=any dir=out"
    Jul 30 14:54:43 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.178.25.96/32[0] 192.168.1.0/24[0] proto=any dir=in"
    Jul 30 14:54:42 	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP <my pfsense="" ip="" goes="" here!="">[500]-><my mobile="" ip="" goes="" here!="">[53065] spi=1695500087(0x650f4737)
    Jul 30 14:54:42 	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP <my mobile="" ip="" goes="" here!="">[0]-><my pfsense="" ip="" goes="" here!="">[0] spi=235380707(0xe079fe3)
    Jul 30 14:54:42 	racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Jul 30 14:54:42 	racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Jul 30 14:54:42 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Jul 30 14:54:42 	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.178.25.96/32[0] 192.168.1.0/24[0] proto=any dir=in
    Jul 30 14:54:42 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: <my pfsense="" ip="" goes="" here!="">[500]<=><my mobile="" ip="" goes="" here!="">[53065]
    Jul 30 14:54:42 	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established <my pfsense="" ip="" goes="" here!="">[500]-<my mobile="" ip="" goes="" here!="">[53065] spi:a66fc82eb6193a73:bd8dafb09f2e8f8a
    Jul 30 14:54:42 	racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Jul 30 14:54:41 	racoon: INFO: received Vendor ID: DPD
    Jul 30 14:54:41 	racoon: INFO: begin Aggressive mode.</my></my></my></my></my></my></my></my></my></my>
    

    Anyone able to give any pointers here?

    ********* FOR INFO: I've given up with the ipsec approach as, quite frankly I don't have all the time in the world to make this work. I'm going PPTP with the Telexy Symbian client ***********



  • Hi,

    I'm trying to do the same with my Nokia E66-1,

    here's my log:

    Oct 27 08:16:30 [info] racoon: INFO: respond new phase 1 negotiation: pfSense.ext.ip[500]<=>E66-1.ext.ip[64276]
    Oct 27 08:16:30 [info] racoon: INFO: begin Aggressive mode.
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: RFC 3947
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: DPD
    Oct 27 08:16:30 [info] racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 27 08:16:30 [info] racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 27 08:16:30 [info] racoon: INFO: Selected NAT-T version: RFC 3947
    Oct 27 08:16:30 [info] racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 27 08:16:30 [info] racoon: INFO: Hashing E66-1.ext.ip[64276] with algo #2
    Oct 27 08:16:30 [info] racoon: INFO: Hashing pfSense.ext.ip[500] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-T: ports changed to: E66-1.ext.ip[64518]<->pfSense.ext.ip[4500]
    Oct 27 08:16:31 [info] racoon: INFO: Hashing pfSense.ext.ip[4500] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #0 verified
    Oct 27 08:16:31 [info] racoon: INFO: Hashing E66-1.ext.ip[64518] with algo #2
    Oct 27 08:16:31 [info] racoon: INFO: NAT-D payload #1 doesn't match
    Oct 27 08:16:31 [info] racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Oct 27 08:16:31 [info] racoon: INFO: NAT detected: PEER
    Oct 27 08:16:31 [info] racoon: INFO: ISAKMP-SA established pfSense.ext.ip[4500]-E66-1.ext.ip[64518] spi:5a013d7dc112f723:fe936afd9e58da7e
    Oct 27 08:16:32 [info] racoon: INFO: respond new phase 2 negotiation: pfSense.ext.ip[4500]<=>E66-1.ext.ip[64518]
    Oct 27 08:16:32 [info] racoon: INFO: no policy found, try to generate the policy : E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in
    Oct 27 08:16:32 [info] racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Oct 27 08:16:32 [info] racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP E66-1.ext.ip[64518]->pfSense.ext.ip[4500] spi=35516524(0x21df06c)
    Oct 27 08:16:33 [info] racoon: INFO: IPsec-SA established: ESP pfSense.ext.ip[4500]->E66-1.ext.ip[64518] spi=323000828(0x134099fc)
    Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "E66-1.priv.ip/32[0] pfSense.priv.net/28[0] proto=any dir=in"
    Oct 27 08:16:33 [info] racoon: ERROR: such policy does not already exist: "pfSense.priv.net/28[0] E66-1.priv.ip/32[0] proto=any dir=out"
    Oct 27 08:16:33 [info] racoon: ERROR: pfkey DELETE received: ESP pfSense.ext.ip[500]->E66-1.ext.ip[500] spi=157776447(0x9677a3f)

    Now,
    inside the VPN I wish to give my Nokia E66-1 a single (/32) specific private IP (E66-1.priv.ip) OUT_OF the range of internal private net (pfSense.priv.net/28), the same way I do with any other client (racoon on Mac OSX, {Free|Net}BSD and M0n0Wall, StrongSwan on Linux, ShrewSoft and GreenBow on Windoze).

    Reading the docs found @Nokia I didn't catch anything clear about this, so it seems to me that this type of configuration is unsupported and, eventually, not working.

    Have any clue about that?


Log in to reply