Shrewclient to beta 2.0
-
I've a problem with PFsense Beta 2.0. I can establish a tunnel with a mobile client but can't pass traffic. The client is using the latest shrewclient. It seems to me that the SA is establishing itself over and over. I checked my settings and things seem okay. Here is a bit of my IPSEC Log:
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=29374796(0x1c0394c)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=667727174(0x27ccb546)
racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
racoon: [rascompanies]: WARNING: attribute has been modified.
racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
last message repeated 5 times
racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
last message repeated 33 times
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=235416881(0xe082d31)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2380182038(0x8ddeb216)
racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
racoon: [rascompanies]: WARNING: attribute has been modified.
racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
last message repeated 5 times
racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
last message repeated 33 times
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=122213027(0x748d2a3)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=2821804405(0xa8315175)
racoon: [rascompanies]: INFO: IPsec-SA expired: ESP/Tunnel 192.168.0.102[500]->192.168.0.250[500] spi=16439543(0xfad8f7)
Looking at the log it would seem that phase 2 isn't right. However, I reviewed my settings and they seem okay to me.
Phase 1 PFsense -
interface WAN
mode - aggressive
my id "my ip address"
enc algo 3des
hash sha1
lifetime 86400
Auth method psk+xauth
Client is the same.
PFsense Phase 2 -
Protocol ESP.
Encryption Alg: 3des checked others unchecked.
Hash:sha1 checked.
PFS off
lifetime: 3600
Client -
Transform Algo: esp-3des
hmac - sha1
pfs - disabled
compress - disabled
lifetime - 3600
Anybody have any ideas? If there is more that I can provide please let me know.
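As an added illustration (not code from this thread or from pfSense), a small Python parser over racoon log lines of the kind quoted above. It tallies phase 2 initiations, SA establish/expire events and the trns_id mismatch warnings, folding in the syslog "last message repeated N times" lines, so the gap between what this side proposed (AES, BLOWFISH) and what the peer wants (3DES) is visible at a glance. The excerpt is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed excerpt in the racoon log format shown in the post above.
SAMPLE_LOG = """\
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=29374796(0x1c0394c)
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=667727174(0x27ccb546)
racoon: [rascompanies]: INFO: initiate new phase 2 negotiation: 192.168.0.250[500]<=>192.168.0.102[500]
racoon: [rascompanies]: WARNING: attribute has been modified.
racoon: [rascompanies]: WARNING: trns_id mismatched: my:AES peer:3DES
last message repeated 5 times
racoon: [rascompanies]: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
last message repeated 33 times
racoon: [rascompanies]: INFO: IPsec-SA established: ESP 192.168.0.250[500]->192.168.0.102[500] spi=235416881(0xe082d31)
racoon: [rascompanies]: INFO: IPsec-SA expired: ESP/Tunnel 192.168.0.102[500]->192.168.0.250[500] spi=16439543(0xfad8f7)
"""

RE_MISMATCH = re.compile(r"trns_id mismatched: my:(\w+) peer:(\w+)")
RE_REPEAT = re.compile(r"last message repeated (\d+) times")
RE_ESTABLISHED = re.compile(r"IPsec-SA established: ESP .*? spi=(\d+)")
RE_PHASE2 = re.compile(r"initiate new phase 2 negotiation")
RE_EXPIRED = re.compile(r"IPsec-SA expired:")

def summarize_racoon_log(text):
    """Tally phase 2 events and transform mismatches, honouring syslog repeat lines."""
    stats = {"phase2_initiations": 0, "sa_established": [], "sa_expired": 0,
             "mismatches": Counter()}
    last_key = None  # (mine, peer) pair the previous line reported, if any
    for line in text.splitlines():
        rep = RE_REPEAT.search(line)
        if rep:
            # "last message repeated N times" refers to the preceding line
            if last_key:
                stats["mismatches"][last_key] += int(rep.group(1))
            continue
        last_key = None
        m = RE_MISMATCH.search(line)
        if m:
            last_key = (m.group(1), m.group(2))
            stats["mismatches"][last_key] += 1
        elif (m := RE_ESTABLISHED.search(line)):
            stats["sa_established"].append(int(m.group(1)))  # SPI of new SA
        elif RE_PHASE2.search(line):
            stats["phase2_initiations"] += 1
        elif RE_EXPIRED.search(line):
            stats["sa_expired"] += 1
    return stats

def diagnose(stats):
    """Summarise which transforms each side offered when mismatches occurred."""
    if not stats["mismatches"]:
        return None
    return {"peer_wants": sorted({peer for (_mine, peer) in stats["mismatches"]}),
            "we_proposed": sorted(mine for (mine, _peer) in stats["mismatches"]),
            "mismatch_total": sum(stats["mismatches"].values())}
```

Run against a full /var/log/ipsec.log, a high mismatch_total next to repeated phase 2 initiations for the same peer pair is the pattern to look for; it means the responder's proposal list does not match what the GUI shows as the only checked algorithm.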
I find the same thing.
I use shrewclient, I use PSK only, the tunnel seems to establish, but it can't pass traffic; when I connect to m0n0 1.3, everything is ok!
-
This is one area that still needs a lot of attention. There is no way in the GUI right now to just do PSK for a mobile client tunnel, it requires xauth, using a username from the system's user manager. There is a ticket open to work on this.
-
it requires xauth, using a username from the system's user manager.
I tried using Xauth+Mutual PSK mode, but it's the same!
-
Dear risk:
Is your question resolved now or not?