Shrewclient to beta 2.0



  • I've a problem with pfSense 2.0 Beta. I can establish a tunnel with a mobile client but can't pass traffic. The client is using the latest Shrew client. It seems to me that the SA is establishing itself over and over. I checked my settings and things seem okay. Here is a bit of my IPsec log:

    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=29374796(0x1c0394c)
    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=667727174(0x27ccb546)
    racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
    racoon: [rascompanies]: WARNING: attribute has been modified.
    racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
    last message repeated 5 times
    racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
    last message repeated 33 times
    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=235416881(0xe082d31)
    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2380182038(0x8ddeb216)
    racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
    racoon: [rascompanies]: WARNING: attribute has been modified.
    racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
    last message repeated 5 times
    racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
    last message repeated 33 times
    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=122213027(0x748d2a3)
    racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2821804405(0xa8315175)
    racoon: [rascompanies]: INFO: IPsec-SA expired: ESP/Tunnel 192.168.0.102[500]->192.168.0.250[500] spi=16439543(0xfad8f7)

    Looking at the log it would seem that phase 2 isn't right. However, I reviewed my settings and they seem okay to me.

    pfSense Phase 1:
    Interface: WAN
    Mode: aggressive
    My identifier: my IP address
    Encryption algorithm: 3DES
    Hash: SHA1
    Lifetime: 86400
    Auth method: PSK + Xauth
    Client is the same.

    pfSense Phase 2:
    Protocol: ESP
    Encryption algorithms: 3DES checked, others unchecked
    Hash: SHA1 checked
    PFS: off
    Lifetime: 3600

    Client:
    Transform algorithm: esp-3des
    HMAC: sha1
    PFS: disabled
    Compress: disabled
    Lifetime: 3600

    Anybody have any ideas? If there is more I can provide, please let me know.


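A small triage script for log excerpts like the one above, added here as an example; it is not code from the original post, from pfSense or from racoon. It parses the "IPsec-SA established/expired", "initiate new phase 2 negotiation" and "trns_id mismatched" lines, folds syslog's "last message repeated N times" back into the preceding warning, and reports what the excerpt actually shows: racoon's own phase 2 proposal (the "my:" side of the warning) still offers AES and Blowfish transforms while the peer proposes 3DES, and phase 2 is being renegotiated repeatedly. The sample input is the poster's excerpt embedded as a constant; the flap threshold and the report field names are my assumptions.

```python
"""Triage a racoon IPsec log for phase 2 flapping and transform mismatches.

Added example, not code from the original post, pfSense or racoon. The
threshold and field names below are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the poster's excerpt as pasted (no timestamps were
# present, so the analysis counts events instead of measuring time between them).
SAMPLE_LOG = """\
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=29374796(0x1c0394c)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=667727174(0x27ccb546)
racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
racoon: [rascompanies]: WARNING: attribute has been modified.
racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
last message repeated 5 times
racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
last message repeated 33 times
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=235416881(0xe082d31)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2380182038(0x8ddeb216)
racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
racoon: [rascompanies]: WARNING: attribute has been modified.
racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
last message repeated 5 times
racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
last message repeated 33 times
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=122213027(0x748d2a3)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2821804405(0xa8315175)
racoon: [rascompanies]: INFO: IPsec-SA expired: ESP/Tunnel 192.168.0.102[500]->192.168.0.250[500] spi=16439543(0xfad8f7)
"""

# Patterns for the racoon messages seen in the excerpt.
RE_ESTABLISHED = re.compile(r"IPsec-SA established: ESP (\S+)->(\S+) spi=(\d+)")
RE_EXPIRED = re.compile(r"IPsec-SA expired: ESP/Tunnel (\S+)->(\S+) spi=(\d+)")
RE_PHASE2 = re.compile(r"initiate new phase 2 negotiation: (\S+)<=>(\S+)")
RE_MISMATCH = re.compile(r"trns_id mismatched: my:(\S+) peer:(\S+)")
RE_REPEATED = re.compile(r"last message repeated (\d+) times")


@dataclass
class Phase2Report:
    established: list = field(default_factory=list)  # (src, dst, spi)
    expired: list = field(default_factory=list)      # (src, dst, spi)
    negotiations: int = 0                            # "initiate new phase 2" lines
    mismatches: Counter = field(default_factory=Counter)  # (mine, peer) -> count


def parse_racoon_log(text: str) -> Phase2Report:
    rep = Phase2Report()
    last_mismatch = None  # lets "last message repeated N times" be attributed
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_REPEATED.search(line)
        if m:
            # syslog folded N copies of the previous line; only a mismatch
            # warning is worth counting, repeats of other lines are ignored
            if last_mismatch is not None:
                rep.mismatches[last_mismatch] += int(m.group(1))
            continue
        last_mismatch = None
        m = RE_ESTABLISHED.search(line)
        if m:
            rep.established.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = RE_EXPIRED.search(line)
        if m:
            rep.expired.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        if RE_PHASE2.search(line):
            rep.negotiations += 1
            continue
        m = RE_MISMATCH.search(line)
        if m:
            last_mismatch = (m.group(1), m.group(2))
            rep.mismatches[last_mismatch] += 1
    return rep


def diagnose(rep: Phase2Report, flap_threshold: int = 2) -> dict:
    """Summarise the log. flap_threshold is an assumption; with timestamps
    you would window the negotiations per peer pair instead of counting."""
    return {
        # racoon's "my:" is the local transform, "peer:" the one the client sent
        "transform_mismatch": bool(rep.mismatches),
        "local_transforms": sorted({mine for mine, _ in rep.mismatches}),
        "peer_transforms": sorted({peer for _, peer in rep.mismatches}),
        # each successful phase 2 yields an inbound and an outbound ESP SA
        "sa_pairs_established": len(rep.established) // 2,
        "sa_expired": len(rep.expired),
        "phase2_flapping": rep.negotiations >= flap_threshold,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_racoon_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the excerpt this reports local transforms AES and BLOWFISH against a peer transform of 3DES, three SA pairs established and phase 2 flapping. The practical check that follows from it is to compare the encryption algorithms in the racoon.conf that the firewall actually generated with what the GUI shows checked, rather than trusting the GUI page alone; the warnings come from racoon's loaded configuration, not from the web form.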

  • @risk:

    I find the same thing.
    I use the Shrew client with PSK only; the tunnel seems to establish but can't pass traffic. When I connect to m0n0 1.3, everything is OK!


  • Rebel Alliance Developer Netgate

    This is one area that still needs a lot of attention. There is no way in the GUI right now to do PSK only for a mobile client tunnel; it requires xauth, using a username from the system's user manager. There is a ticket open to work on this.



  • @jimp:

    it requires xauth, using a username from the system's user manager.

    I tried it in Xauth + Mutual PSK mode, but it's the same!



  • Dear risk:
    Is your question now OK or not?

