Racoon IPsec road warrior with Shrew Soft and Cisco VPN Client problems



  • Hi,

    I got some new errors on Snapshot 2.0-BETA4 (i386) built on Wed Oct 13 00:04:49 EDT 2010 and Shrew Soft 2.1.6 (Windows).

    I followed the wiki and the pfSense book -> IPsec road warrior standard configuration with split network. The client connects to pfSense: phase 1 is OK, but phase 2 can't be established.

    vpnclient --------> public IP WAN  pfSense ---  LAN 10.0.0.0/24

    VPN pool 192.168.100.0/24

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp x.x.x.x [500];          # IKE on the WAN address
        isakmp_natt x.x.x.x [4500];    # IKE with UDP encapsulation (NAT-T)
    }
    
    # ISAKMP mode-config: address pool handed out to mobile clients and the
    # split-tunnel network they are told to route through the tunnel
    mode_cfg
    {
        auth_source system;
        group_source system;
        pool_size 253;
        network4 192.168.100.1;
        netmask4 255.255.255.0;
        split_network include 10.0.0.0/24;
    }
    
    # Phase 1 for any peer: aggressive mode, Xauth on top of a pre-shared key
    remote anonymous
    {
        ph1id 1;
        exchange_mode aggressive;
        my_identifier address x.x.x.x;
        peers_identifier fqdn "testvpn";
        ike_frag on;
        generate_policy = unique;   # build SPD entries from the IDs the client proposes
        initial_contact = off;
        nat_traversal = on;
    
        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;       # lifetime/proposal checking level (the GUI option discussed below)
    
        proposal
        {
            authentication_method xauth_psk_server;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 28800 secs;
        }
    }
    
    # Phase 2 selector: local ID must be the subnet 10.0.0.0/24 (any upper-layer
    # protocol), remote ID anonymous (any). Both proposed IDs must fit this entry.
    sainfo subnet 10.0.0.0/24 any anonymous
    {
        remoteid 1;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
    
        lifetime time 3600 secs;
        compression_algorithm deflate;
    }
    
    

    Ping from the VPN client to the pfSense LAN IP (IPsec rules: all allowed).

    Log (newest first):

    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: IV freed
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to pre-process packet.
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to get sainfo.
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to get sainfo.
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: cmpid source: '10.128.0.0/24'
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: cmpid target: '0.0.0.0/0'
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: evaluating sainfo: loc='10.128.0.0/24', rmt='ANONYMOUS', peer='ANY', id=1
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo pass #2
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: evaluating sainfo: loc='10.128.0.0/24', rmt='ANONYMOUS', peer='ANY', id=1
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo pass #1
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='192.168.100.1', peer='', id=1
    Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: anonymous configuration selected for xxx.xxx.xxx.xxx.

    So I changed the racoon config line:

    sainfo subnet 10.0.0.0/24 any anonymous

    to

    sainfo anonymous

    Then the connection with the VPN clients works correctly!

    Hope this will help.

    cya spiritbreaker

    ![Bild 1.png](/public/imported_attachments/1/Bild 1.png)
    ![Bild 2.png](/public/imported_attachments/1/Bild 2.png)
    ![Bild 3.png](/public/imported_attachments/1/Bild 3.png)


  • Rebel Alliance Developer Netgate

    Try the different values of the "proposal check" option in the GUI and see if that makes a difference.



  • Hi jimp,

    I tested all proposal checking options, but phase 2 still doesn't work. The Shrew Soft proposal settings are "auto".

    I also tried changing some IPsec options like "Prefer older IPsec SAs" and "Enable MSS clamping on VPN traffic", but with no success.

    obey:

    
    Oct 16 17:12:04 	racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:12:04 	racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:12:04 	racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:12:04 	racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=> xxx.xxx.xxx.xxx[52005]
    Oct 16 17:11:59 	racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:11:59 	racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:11:59 	racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:11:59 	racoon: []: INFO: respond new phase 2 negotiation:  xxx.xxx.xxx.xxx[4500]<=> xxx.xxx.xxx.xxx[52005]
    Oct 16 17:11:52 	racoon: []: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Oct 16 17:11:52 	racoon: []: INFO: login succeeded for user "vpn"
    Oct 16 17:11:52 	racoon: []: INFO: Using port 0
    Oct 16 17:11:52 	racoon: []: INFO: ISAKMP-SA established  xxx.xxx.xxx.xxx[4500]- xxx.xxx.xxx.xxx[52005] spi:9483a6a3f6d54d54:ecdfc1da4b53ab37
    Oct 16 17:11:52 	racoon: []: INFO: Sending Xauth request
    Oct 16 17:11:52 	racoon: []: INFO: NAT detected: ME PEER
    Oct 16 17:11:52 	racoon: []: INFO: NAT-D payload #1 doesn't match
    Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[52005] with algo #2
    Oct 16 17:11:52 	racoon: []: INFO: NAT-D payload #0 doesn't match
    Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[4500] with algo #2
    Oct 16 17:11:52 	racoon: []: INFO: NAT-T: ports changed to:  xxx.xxx.xxx.xxx[52005]<-> xxx.xxx.xxx.xxx[4500]
    Oct 16 17:11:52 	racoon: []: INFO: Adding xauth VID payload.
    Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[500] with algo #2
    Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[500] with algo #2
    Oct 16 17:11:52 	racoon: []: INFO: Adding remote and local NAT-D payloads.
    Oct 16 17:11:52 	racoon: []: INFO: Selected NAT-T version: RFC 3947
    Oct 16 17:11:52 	racoon: []: WARNING: No ID match.
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: CISCO-UNITY
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: DPD
    Oct 16 17:11:52 	racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: RFC 3947
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 16 17:11:52 	racoon: []: INFO: begin Aggressive mode.
    Oct 16 17:11:52 	racoon: []: INFO: respond new phase 1 negotiation:  xxx.xxx.xxx.xxx[500]<=> xxx.xxx.xxx.xxx[500]
    
    

    strict:

    Oct 16 17:16:10     racoon: []: ERROR: phase1 negotiation failed.
    Oct 16 17:16:10     racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:16:10     racoon: []: ERROR: failed to get valid proposal.
    Oct 16 17:16:10     racoon: []: ERROR: no suitable proposal found.
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#18) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#18) = 3DES-CBC:DES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#17) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = 3DES-CBC:DES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#16) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = 3DES-CBC:CAST-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#15) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 3DES-CBC:CAST-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#14) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#13) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#13) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#12) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#11) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#10) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#9) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:XAuth pskey client
    Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
    Oct 16 17:16:10     racoon: []: INFO: Selected NAT-T version: RFC 3947
    Oct 16 17:16:10     racoon: []: WARNING: No ID match.
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: CISCO-UNITY
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: DPD
    Oct 16 17:16:10     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: RFC 3947
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 16 17:16:10     racoon: []: INFO: begin Aggressive mode.
    Oct 16 17:16:10     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
    

    claim:

    Oct 16 17:20:27     racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:20:27     racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:20:27     racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:20:27     racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>xxx.xxx.xxx.xxx[26145]
    Oct 16 17:20:22     racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:20:22     racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:20:22     racoon: []: ERROR: failed to get sainfo.
    Oct 16 17:20:22     racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>xxx.xxx.xxx.xxx[26145]
    Oct 16 17:19:33     racoon: []: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Oct 16 17:19:33     racoon: []: INFO: login succeeded for user "vpn"
    Oct 16 17:19:33     racoon: []: INFO: Using port 0
    Oct 16 17:19:33     racoon: []: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-xxx.xxx.xxx.xxx[26145] spi:5dd79ef30dc1fd5f:f59a4e58a3730483
    Oct 16 17:19:33     racoon: []: INFO: Sending Xauth request
    Oct 16 17:19:33     racoon: []: INFO: NAT detected: ME PEER
    Oct 16 17:19:33     racoon: []: INFO: NAT-D payload #1 doesn't match
    Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[26145] with algo #2
    Oct 16 17:19:33     racoon: []: INFO: NAT-D payload #0 doesn't match
    Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[4500] with algo #2
    Oct 16 17:19:33     racoon: []: INFO: NAT-T: ports changed to: xxx.xxx.xxx.xxx[26145]<->xxx.xxx.xxx.xxx[4500]
    Oct 16 17:19:33     racoon: []: INFO: Adding xauth VID payload.
    Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
    Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
    Oct 16 17:19:33     racoon: []: INFO: Adding remote and local NAT-D payloads.
    Oct 16 17:19:33     racoon: []: INFO: Selected NAT-T version: RFC 3947
    Oct 16 17:19:33     racoon: []: WARNING: No ID match.
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: CISCO-UNITY
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: DPD
    Oct 16 17:19:33     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: RFC 3947
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 16 17:19:33     racoon: []: INFO: begin Aggressive mode.
    Oct 16 17:19:33     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
    

    exact:

    Oct 16 17:22:55     racoon: []: ERROR: phase1 negotiation failed.
    Oct 16 17:22:55     racoon: []: ERROR: failed to pre-process packet.
    Oct 16 17:22:55     racoon: []: ERROR: failed to get valid proposal.
    Oct 16 17:22:55     racoon: []: ERROR: no suitable proposal found.
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#18) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#18) = 3DES-CBC:DES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#17) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = 3DES-CBC:DES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#16) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = 3DES-CBC:CAST-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#15) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 3DES-CBC:CAST-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#14) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#13) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#13) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#12) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#11) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#10) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#9) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 3DES-CBC:Blowfish-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
    Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:XAuth pskey client
    Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
    Oct 16 17:22:55     racoon: []: INFO: Selected NAT-T version: RFC 3947
    Oct 16 17:22:55     racoon: []: WARNING: No ID match.
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: CISCO-UNITY
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: DPD
    Oct 16 17:22:55     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: RFC 3947
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 16 17:22:55     racoon: []: INFO: begin Aggressive mode.
    Oct 16 17:22:55     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
    

    Please help me :)

    cya spiritbreaker
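The strict and exact logs above end in "no suitable proposal found" after a rejection line per peer transform. Reading them by eye is slow because the same `DB(prop#1:trns#1):Peer(prop#1:trns#N) = configured:offered` line repeats for three attributes and eighteen transforms. The following script is an added example, not code from the thread or from pfSense: it parses lines of that shape, regroups them per peer transform, and lists which transforms were rejected only on `authmethod` (in these logs that line appears for every offered transform, so it does not single one out). The sample log is a constructed subset of the strict log in this post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "strict" log quoted above, in the
# newest-first order the forum shows, covering every message shape we parse.
SAMPLE_LOG = """\
Oct 16 17:16:10     racoon: []: ERROR: phase1 negotiation failed.
Oct 16 17:16:10     racoon: []: ERROR: failed to get valid proposal.
Oct 16 17:16:10     racoon: []: ERROR: no suitable proposal found.
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#18) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#18) = 3DES-CBC:DES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#14) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#13) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#13) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: INFO: begin Aggressive mode.
"""

# Shape of racoon's phase 1 transform-rejection message:
#   rejected <attribute>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <configured>:<offered>
REJECT_RE = re.compile(
    r"rejected (?P<attr>[a-z_]+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<configured>[^:]+):(?P<offered>.+?)\s*$"
)


def summarize_rejections(log_text):
    """Group rejection lines by the peer's transform number.

    Returns {peer_trns: {attribute: (configured, offered)}}.  An attribute
    missing from a transform's dict was not logged as rejected for it.
    """
    by_trns = defaultdict(dict)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            by_trns[int(m["peer_trns"])][m["attr"]] = (
                m["configured"].strip(), m["offered"].strip())
    return dict(by_trns)


def rejected_only_on(by_trns, attribute):
    """Peer transforms whose only logged rejection is `attribute`.

    In the strict/exact logs above every offered transform gets an
    'authmethod' line (XAuth pskey server vs XAuth pskey client), so the
    transforms worth a closer look are those rejected on nothing else.
    """
    return sorted(t for t, attrs in by_trns.items() if set(attrs) == {attribute})


def offered_suites(by_trns):
    """Per peer transform, the cipher and hash racoon logged as offered
    (None where that attribute was not rejected and therefore not logged)."""
    return {t: (attrs.get("enctype", (None, None))[1],
                attrs.get("hashtype", (None, None))[1])
            for t, attrs in sorted(by_trns.items())}


def phase1_failed(log_text):
    """True when racoon reported that no phase 1 proposal matched."""
    return "no suitable proposal found" in log_text


if __name__ == "__main__":
    summary = summarize_rejections(SAMPLE_LOG)
    print("phase 1 failed:", phase1_failed(SAMPLE_LOG))
    for trns, (enc, hsh) in offered_suites(summary).items():
        print("peer trns#%d: enc=%s hash=%s rejected on %s"
              % (trns, enc, hsh, ", ".join(sorted(summary[trns]))))
    print("rejected only on authmethod:", rejected_only_on(summary, "authmethod"))
```

Run against the full strict or exact log, transform #14 is the only one that is not rejected on encryption or hash, which is the 3DES/SHA1 suite the configured proposal wants; what strict and exact additionally fail on is not visible in the quoted lines, so the script only narrows the search rather than naming the cause.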





  • Rebel Alliance Developer Netgate

    Can you update to the latest snapshot and try again?

    There were a couple of commits to the IPsec GUI code; it may make a difference in what you are seeing.



  • Hi jimp,

    I tested with 2.0-BETA4 (i386) built on Thu Oct 14 01:16:12 EDT 2010 FreeBSD 8.1-RELEASE-p1 (You are on the latest version.)

    There is no newer snapshot available.

    cya


  • Rebel Alliance Developer Netgate

    There is a snapshot building now that will have the fixes, it isn't ready yet.



  • Hi jimp,

    Updated to 2.0-BETA4 (i386) built on Mon Oct 18 15:51:06 EDT 2010 FreeBSD 8.1-RELEASE-p1.

    But the problem isn't solved. Phase 2 is still not working.

    cya


  • Rebel Alliance Developer Netgate

    Can't believe I overlooked this before, but did you actually set that up directly on the Tunnel tab, or the Mobile tab?

    To connect in with the Shrew Soft client you should be configuring things from the Mobile tab, which will make a special mobile client phase 1 entry.



  • Hi jimp,

    I configured it on the Tunnel and Mobile tabs, as you can see in the screenshots in earlier posts. I'm sure this setup was working with Shrew Soft one month ago.

    My racoon config seems normal. I tried with the Shrew Soft auto settings and with explicit P1 and P2 settings, but nothing works.

    Do you need more screenshots?

    Cya


  • Rebel Alliance Developer Netgate

    Ah, yeah, I see it now; the Xauth part had me mixed up, since the PSK shows up in the phase 1 config then.



  • I hope this means you found the issue. :)

    A little question, btw ;D

    1. Is it possible to use RADIUS for Xauth? The RADIUS auth test on Diagnostics -> Authentication works fine. I changed the primary auth to RADIUS on the Users tab, but it doesn't work for mobile IPsec.
    Is there a workaround?

    2. The status of mobile IPsec connections is always down, even when mobile clients are connected. Is that a bug in the GUI?

    Cya


  • Rebel Alliance Developer Netgate

    No, still haven't found the issue, I just thought I was reading something wrong in what you had there.

    RADIUS for IPsec should have worked, though at one time the ipsec port was missing the RADIUS bits. I haven't checked lately.



  • Hi jimp,

    -> http://forum.pfsense.org/index.php/topic,30188.msg156312.html#msg156312

    Shrew Soft client: Policy Generation Level -> unique solves the connection problems.

    But the Cisco VPN Client works only with a vpn.inc modification.

    racoon.conf for the Cisco VPN Client (Windows clients):
    
    change:
    
    sainfo subnet <lansubnet>/24 any anonymous
    
    to
    
    sainfo anonymous
    

    Cya
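The two fixes in this post and the debug log in the first post describe the same lookup: racoon takes the phase 2 IDs from the client's proposal (`getsainfo params: loc='0.0.0.0/0', rmt='192.168.100.1'`) and searches the `sainfo` blocks for one whose selector covers both; with `sainfo subnet 10.0.0.0/24 any anonymous` the local ID `0.0.0.0/0` does not fit, hence "failed to get sainfo", while `sainfo anonymous` is a wildcard. The script below is an added example, not code from the thread, pfSense or racoon: it parses the selector of each `sainfo` block and the `getsainfo params` line, then emulates the lookup. The config fragments and log line are constructed from the ones quoted in the first post; treating a subnet selector as a prefix the proposed ID must lie inside is a simplification of racoon's own comparison, and the third lookup assumes (as the Shrew Soft fix above suggests) that a client generating one policy per split network proposes the split network itself as its ID.

```python
import ipaddress
import re

# Constructed racoon.conf fragments: the phase 2 selector pfSense generated in
# the first post, and the replacement that made Shrew Soft and the Cisco client connect.
CONF_SUBNET = """\
sainfo subnet 10.0.0.0/24 any anonymous
{
    remoteid 1;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
"""
CONF_ANON = CONF_SUBNET.replace("sainfo subnet 10.0.0.0/24 any anonymous",
                                "sainfo anonymous")

# Constructed debug line in the shape the first post's log shows: the phase 2
# IDs racoon took from the client's proposal before searching the sainfo blocks.
LOG_LINE = ("Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo params: "
            "loc='0.0.0.0/0', rmt='192.168.100.1', peer='', id=1")

SAINFO_RE = re.compile(r"^sainfo\s+(?P<sel>[^{\n]+?)\s*(?:\{|$)", re.M)
PARAMS_RE = re.compile(r"getsainfo params: loc='(?P<loc>[^']*)', rmt='(?P<rmt>[^']*)'")


def parse_sainfo_selectors(conf):
    """Selector tokens of every sainfo block, e.g.
    ['subnet', '10.0.0.0/24', 'any', 'anonymous'] or ['anonymous']."""
    return [m["sel"].split() for m in SAINFO_RE.finditer(conf)]


def parse_getsainfo_params(line):
    """(local_id, remote_id) from racoon's 'getsainfo params' debug line."""
    m = PARAMS_RE.search(line)
    if m is None:
        raise ValueError("not a getsainfo params line: %r" % line)
    return m["loc"], m["rmt"]


def selector_ids(tokens):
    """Reduce selector tokens to (local_id, remote_id).

    Handles 'anonymous' and 'address|subnet ADDR[/PREFIX] [[PORT]] UL_PROTO';
    port and upper-layer protocol are ignored (assumption: it is the IDs, not
    the protocol, that fail to match in the thread's log).
    """
    if tokens == ["anonymous"]:
        return "anonymous", "anonymous"
    ids, i = [], 0
    while i < len(tokens):
        if tokens[i] in ("address", "subnet"):
            ids.append(tokens[i + 1])
            i += 2
            if i < len(tokens) and tokens[i].startswith("["):   # optional [port]
                i += 1
            i += 1                                               # ul_proto
        elif tokens[i] == "anonymous":
            ids.append("anonymous")
            i += 1
        else:
            raise ValueError("unsupported sainfo selector token %r" % tokens[i])
    if len(ids) != 2:
        raise ValueError("expected a local and a remote id in %r" % (tokens,))
    return ids[0], ids[1]


def id_covers(selector_id, proposed_id):
    """True if the proposed phase 2 ID lies inside the configured selector ID.

    'anonymous' matches anything.  Address/subnet selectors are treated as a
    prefix the proposed ID must fall within; this simplifies racoon's
    ipsecdoi_chkcmpids() (assumption) but is enough for the cases here.
    """
    if selector_id == "anonymous":
        return True
    sel = ipaddress.ip_network(selector_id, strict=False)
    prop = ipaddress.ip_network(proposed_id, strict=False)
    return prop.version == sel.version and prop.subnet_of(sel)


def select_sainfo(conf, loc, rmt):
    """First sainfo selector (as a string) covering both proposed IDs, or None,
    which is the situation racoon reports as 'failed to get sainfo'."""
    for tokens in parse_sainfo_selectors(conf):
        sel_loc, sel_rmt = selector_ids(tokens)
        if id_covers(sel_loc, loc) and id_covers(sel_rmt, rmt):
            return " ".join(tokens)
    return None


if __name__ == "__main__":
    loc, rmt = parse_getsainfo_params(LOG_LINE)
    print("client proposed loc=%s rmt=%s" % (loc, rmt))
    print("generated config ->", select_sainfo(CONF_SUBNET, loc, rmt))
    print("sainfo anonymous ->", select_sainfo(CONF_ANON, loc, rmt))
    # A client that proposes the split network itself fits the subnet selector.
    print("loc=10.0.0.0/24  ->", select_sainfo(CONF_SUBNET, "10.0.0.0/24", rmt))
```

The two fixes in the thread are the two sides of the same check: `sainfo anonymous` widens the server's selector until any proposed IDs match, while the client's unique policy generation level narrows what it proposes until it fits the subnet selector. The wider server selector is the more permissive of the two, since it accepts whatever traffic selector a client (authenticated through Xauth) proposes, so it is worth knowing which one you are relying on.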


  • Rebel Alliance Developer Netgate

    We do print just "sainfo anonymous" in some cases, like pure-psk remote tunnels.

    If it turns out that is really needed for xauth tunnels as well, I can amend the code to take that into account.


  • Rebel Alliance Developer Netgate

    I just committed a change that should print just "sainfo anonymous" also for xauth-psk setups.

