Shrew 2.15 ipsec client can connect to m0n0 but can't connect to pf20b



  • Dear all,
    I want to use the Shrew 2.15 IPsec client to connect to pf20b. Before trying that, I connected to m0n0 1.3 and everything was OK: my notebook accesses the internet over ADSL and gets a dynamic IP, m0n0's LAN IP is 192.168.1.1, and when I connect to m0n0 I can ping 192.168.1.1 successfully. After this, I connected to pf20b (LAN IP is 192.168.10.1). In the system log I see the tunnel is connected, but I can't ping 192.168.10.1 successfully. What is happening? Please help!

    pfSense 2.0 log:
    Mar 3 07:52:43 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=96746669(0x5c43cad)
    Mar 3 07:52:43 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=3525136403(0xd21d5013)
    Mar 3 07:53:05 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:05 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=128595496(0x7aa3628)
    Mar 3 07:53:05 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=3703800258(0xdcc381c2)
    Mar 3 07:53:27 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:27 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=147725165(0x8ce1b6d)
    Mar 3 07:53:27 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=2496948049(0x94d46751)
    Mar 3 07:53:49 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:53:49 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=41093443(0x2730943)
    Mar 3 07:53:49 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=1386134623(0x529ebc5f)
    Mar 3 07:54:11 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:11 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:11 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=211311642(0xc985c1a)
    Mar 3 07:54:11 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=2021122505(0x7877e1c9)
    Mar 3 07:54:33 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:33 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:33 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=33021763(0x1f7df43)
    Mar 3 07:54:33 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=546278378(0x208f8bea)
    Mar 3 07:54:55 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
    Mar 3 07:54:55 racoon: [vpn200]: WARNING: attribute has been modified.
    Mar 3 07:54:55 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=118623832(0x7120e58)

    m0n0 log:

    Mar 3 16:07:39 racoon: INFO: respond new phase 2 negotiation: 222.128.75.7[0]<=>123.114.38.157[0]
    Mar 3 16:07:39 racoon: INFO: no policy found, try to generate the policy : 123.114.38.157/32[0] 0.0.0.0/0[0] proto=any dir=in
    Mar 3 16:07:39 /kernel: arp: 192.168.3.221 is on fxp2 but got reply from 00:1d:92:d4:8c:0d on fxp0
    Mar 3 16:07:39 racoon: INFO: IPsec-SA established: ESP/Tunnel 123.114.38.157[0]->222.128.75.7[0] spi=13164556(0xc8e00c)
    Mar 3 16:07:39 racoon: INFO: IPsec-SA established: ESP/Tunnel 222.128.75.7[0]->123.114.38.157[0] spi=997443460(0x3b73c784)
    Mar 3 16:07:39 racoon: ERROR: such policy does not already exist: "123.114.38.157/32[0] 0.0.0.0/0[0] proto=any dir=in"
    Mar 3 16:07:39 racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 123.114.38.157/32[0] proto=any dir=out"

    pf2.0 config pic (screenshot)


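    Added example (not from this thread or from pfSense): a small Python checker that runs over racoon log lines in the format quoted above and flags the two symptoms seen here, the "such policy does not already exist" errors and Phase 2 being re-initiated every few seconds. The sample lines are constructed from the thread's own addresses, and the 60-second loop threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the racoon format quoted in the thread (addresses are
# the thread's own; this is not a real capture).
SAMPLE_LOG = '''\
Mar 3 07:52:43 racoon: [vpn200]: INFO: IPsec-SA established: ESP 125.34.52.172[500]->123.114.38.157[500] spi=96746669(0x5c43cad)
Mar 3 07:53:05 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
Mar 3 07:53:05 racoon: [vpn200]: WARNING: attribute has been modified.
Mar 3 07:53:27 racoon: [vpn200]: INFO: initiate new phase 2 negotiation: 125.34.52.172[500]<=>123.114.38.157[500]
Mar 3 07:53:27 racoon: [vpn200]: WARNING: attribute has been modified.
Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in"
'''

# pfSense syslog line: timestamp, optional "[tag]:", level, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: +(?:\[(?P<tag>[^\]]+)\]: +)?"
                     r"(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")
PEERS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[\d+\]<=>(\d+\.\d+\.\d+\.\d+)\[\d+\]")
POLICY_RE = re.compile(r'such policy does not already exist: "([^"]+)"')

def parse(text, year=2010):
    """Yield (timestamp, tag, level, message) for each racoon line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["tag"], m["level"], m["msg"]

def analyse(text, max_gap_s=60):
    """Flag missing SPD policies and Phase 2 renegotiation loops (the same peer
    pair re-initiating within max_gap_s seconds, an assumed threshold)."""
    findings = {"missing_policy": [], "phase2_loops": [], "attr_modified": 0}
    last_p2 = {}  # (initiator, responder) -> time of last Phase 2 initiation
    for ts, _tag, level, msg in parse(text):
        pol = POLICY_RE.search(msg)
        if level == "ERROR" and pol:
            findings["missing_policy"].append(pol.group(1))
        elif "attribute has been modified" in msg:
            findings["attr_modified"] += 1
        elif msg.startswith("initiate new phase 2 negotiation"):
            peers = PEERS_RE.search(msg).groups()
            prev = last_p2.get(peers)
            if prev is not None and (ts - prev).total_seconds() <= max_gap_s:
                findings["phase2_loops"].append((peers, int((ts - prev).total_seconds())))
            last_p2[peers] = ts
    return findings

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Feed it the "Last 50 IPsec" log text from the pfSense GUI; a non-empty missing_policy list means racoon negotiated SAs for a selector that has no matching SPD entry, which is consistent with the tunnel showing as up while traffic does not pass.
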
  • Does nobody have this problem?


  • Rebel Alliance Developer Netgate

    There are tickets open already to work on IPsec mobile clients on 2.0.

    2.0 is still in early Beta, and this is one of the areas that needs a lot of work. Be patient, watch the commit logs, and keep trying.



  • @jimp:

    There are tickets open already to work on IPsec mobile clients on 2.0.

    2.0 is still in early Beta, and this is one of the areas that needs a lot of work. Be patient, watch the commit logs, and keep trying.

    Thank you very much!
    I use this mode with my dynamic VPN gateway (which works OK with 1.23) and find the same problem. Can I modify something manually to make it work normally? Is it a routing error or something else? My gateway reports that everything is OK; the following is its log:

    2010/03/05 11:04:32 Info. ike Phase2 Initiator(Quick) : established
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:32 Info. ike Phase2 Initiator(Quick) : 1st
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:32 Info. ike Start phase2 negotiation
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:31 Info. ike ISAKMP SA established
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:31 Info. ike Phase1 Initiator(Aggressive) : 2nd
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:30 Info. ike Phase1 Initiator(Aggressive) : 1st
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:30 Info. ike Start with Aggressive mode
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]
    2010/03/05 11:04:30 Info. ike Start phase1 negotiation
    [Remote(123.112.85.205:500), Local(123.114.40.81:500 Wan1)]

    The pf2.0 log:

    Last 50 IPsec日志项
    Mar 5 11:04:27 racoon: [shrewclient]: INFO: ISAKMP-SA expired 123.112.85.205[500]-123.114.40.81[500] spi:8838c62299a1952a:7fbcadc3e61e2691
    Mar 5 11:04:28 racoon: [shrewclient]: INFO: ISAKMP-SA deleted 123.112.85.205[500]-123.114.40.81[500] spi:8838c62299a1952a:7fbcadc3e61e2691
    Mar 5 11:04:32 racoon:  INFO: respond new phase 1 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
    Mar 5 11:04:32 racoon:  INFO: begin Aggressive mode.
    Mar 5 11:04:32 racoon:  INFO: ISAKMP-SA established 123.112.85.205[500]-123.114.40.81[500] spi:4862a7f3a5e4b870:541f1ef027e4d866
    Mar 5 11:04:33 racoon:  INFO: respond new phase 2 negotiation: 123.112.85.205[500]<=>123.114.40.81[500]
    Mar 5 11:04:33 racoon:  INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in
    Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2330989(0x23916d)
    Mar 5 11:04:33 racoon:  INFO: IPsec-SA established: ESP 123.112.85.205[500]->123.114.40.81[500] spi=2069988256(0x7b6183a0)
    Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=in"
    Mar 5 11:04:33 racoon:  ERROR: such policy does not already exist: "192.168.10.0/24[0] 192.168.1.0/24[0] proto=any dir=out"

    I hope this log is helpful to you and your team!
    Thank you again.



  • It seems I must go back to 1.2.3 or m0n0, :'(



  • There's a reason it's still beta software.



  • Dear all,
    I compared the file "filter.inc" between 2.0 and 1.23 and found that in 2.0 the VPN rules are:

    pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - outbound isakmp"
    pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto udp from any to any port = 500 keep state label "IPsec: dynaVPNGateway - inbound isakmp"
    pass out on $WAN route-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - outbound esp proto"
    pass in on $WAN reply-to ( pppoe0 125.34.48.1 ) proto esp from any to any keep state label "IPsec: dynaVPNGateway - inbound esp proto"

    In 1.23 they are:

    pass in quick on ${$iface} proto udp from any to any port = 500 keep state label "IPSEC: Mobile - inbound isakmp"
    pass in quick on ${$iface} proto esp from any to any keep state label "IPSEC: Mobile - inbound esp proto"
    pass in quick on ${$iface} proto ah from any to any keep state label "IPSEC: Mobile - inbound ah proto"

    In 1.23 there is the keyword "quick" and no "route-to" or "reply-to".
    Could this lead to this problem?



  • Does everything work fine for everyone?



  • Is the IPsec-tools 0.8 bug solved?


  • Rebel Alliance Developer Netgate

    I don't think we have gotten a code update from them in a few months, so the situation is unlikely to have changed.

