Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Racoon IPSEC Roadwarrior with shrewsoft and cisco VPN Client problems

    2.0-RC Snapshot Feedback and Problems - RETIRED
    2
    15
    5.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      spiritbreaker
      last edited by

      Hi,

      i got some new errors on Snapshot 2.0-BETA4  (i386) built on Wed Oct 13 00:04:49 EDT 2010 and Shrewsoft 2.1.6 win

      I followed wiki and pfsense book -> Ipsec roadwarrior standard configuration with split network. Client connects to pfsense..Phase 1 ok but phase 2 cant established.

      vpnclient –--------> public IP WAN  pfsense ---  LAN 10.0.0.0/24

      VPN pool 192.168.100.0/24

      # This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp x.x.x.x [500];
    isakmp_natt x.x.x.x [4500];
}

mode_cfg
{
    auth_source system;
    group_source system;
    pool_size 253;
    network4 192.168.100.1;
    netmask4 255.255.255.0;
    split_network include 10.0.0.0/24;
}

remote anonymous
{
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address x.x.x.x;
    peers_identifier fqdn "testvpn";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = on;

    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;

    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

sainfo subnet 10.0.0.0/24 any anonymous
{
    remoteid 1;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;

    lifetime time 3600 secs;
    compression_algorithm deflate;
}

      ping from vpnclient to pfsense lan ip (ipsec rules: all allowed)

      log (reverse):

      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: IV freed
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to pre-process packet.
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to get sainfo.
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: ERROR: failed to get sainfo.
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: cmpid source: '10.128.0.0/24'
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: cmpid target: '0.0.0.0/0'
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: evaluating sainfo: loc='10.128.0.0/24', rmt='ANONYMOUS', peer='ANY', id=1
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo pass #2
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: evaluating sainfo: loc='10.128.0.0/24', rmt='ANONYMOUS', peer='ANY', id=1
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo pass #1
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='192.168.100.1', peer='', id=1
      Oct 14 22:56:54 racoon: 2010-10-14 22:56:54: DEBUG: anonymous configuration selected for xxx.xxx.xxx.xxx.

      so i changed racoon config line:

      sainfo subnet 10.0.0.0/24 any anonymous

      to

      sainfo anonymous

      Then connection with VPN Clients works correctly!

      Hope this will help.

      cya spiritbreaker

      ![Bild 1.png](/public/imported_attachments/1/Bild 1.png)
      ![Bild 1.png_thumb](/public/imported_attachments/1/Bild 1.png_thumb)
      ![Bild 2.png](/public/imported_attachments/1/Bild 2.png)
      ![Bild 2.png_thumb](/public/imported_attachments/1/Bild 2.png_thumb)
      ![Bild 3.png](/public/imported_attachments/1/Bild 3.png)
      ![Bild 3.png_thumb](/public/imported_attachments/1/Bild 3.png_thumb)

      Pfsense running at 11 Locations
      -mobile OPENVPN and IPSEC
      -multiwan failover
      -filtering proxy(squidguard) in bridgemode with ntop monitoring

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Try the different values of the "proposal check" option in the GUI, see if that makes a difference.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • S
          spiritbreaker
          last edited by

          Hi jimp,

          i tested all proposal checking options but phase 2 still dont work. shrewsoft proposal settings are "auto".

          Also try to change some IP Security Options like "Prefer older IPsec SAs" and "Enable MSS clamping on VPN traffic" but no success.

          obey:

          
Oct 16 17:12:04 	racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:12:04 	racoon: []: ERROR: failed to get sainfo.
Oct 16 17:12:04 	racoon: []: ERROR: failed to get sainfo.
Oct 16 17:12:04 	racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=> xxx.xxx.xxx.xxx[52005]
Oct 16 17:11:59 	racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:11:59 	racoon: []: ERROR: failed to get sainfo.
Oct 16 17:11:59 	racoon: []: ERROR: failed to get sainfo.
Oct 16 17:11:59 	racoon: []: INFO: respond new phase 2 negotiation:  xxx.xxx.xxx.xxx[4500]<=> xxx.xxx.xxx.xxx[52005]
Oct 16 17:11:52 	racoon: []: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 16 17:11:52 	racoon: []: INFO: login succeeded for user "vpn"
Oct 16 17:11:52 	racoon: []: INFO: Using port 0
Oct 16 17:11:52 	racoon: []: INFO: ISAKMP-SA established  xxx.xxx.xxx.xxx[4500]- xxx.xxx.xxx.xxx[52005] spi:9483a6a3f6d54d54:ecdfc1da4b53ab37
Oct 16 17:11:52 	racoon: []: INFO: Sending Xauth request
Oct 16 17:11:52 	racoon: []: INFO: NAT detected: ME PEER
Oct 16 17:11:52 	racoon: []: INFO: NAT-D payload #1 doesn't match
Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[52005] with algo #2
Oct 16 17:11:52 	racoon: []: INFO: NAT-D payload #0 doesn't match
Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx1[4500] with algo #2
Oct 16 17:11:52 	racoon: []: INFO: NAT-T: ports changed to:  xxx.xxx.xxx.xxx[52005]<-> xxx.xxx.xxx.xxx[4500]
Oct 16 17:11:52 	racoon: []: INFO: Adding xauth VID payload.
Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[500] with algo #2
Oct 16 17:11:52 	racoon: []: INFO: Hashing  xxx.xxx.xxx.xxx[500] with algo #2
Oct 16 17:11:52 	racoon: []: INFO: Adding remote and local NAT-D payloads.
Oct 16 17:11:52 	racoon: []: INFO: Selected NAT-T version: RFC 3947
Oct 16 17:11:52 	racoon: []: WARNING: No ID match.
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: CISCO-UNITY
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: DPD
Oct 16 17:11:52 	racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: RFC 3947
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 16 17:11:52 	racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 17:11:52 	racoon: []: INFO: begin Aggressive mode.
Oct 16 17:11:52 	racoon: []: INFO: respond new phase 1 negotiation:  xxx.xxx.xxx.xxx[500]<=> xxx.xxx.xxx.xxx[500]

          strict:

          Oct 16 17:16:10     racoon: []: ERROR: phase1 negotiation failed.
Oct 16 17:16:10     racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:16:10     racoon: []: ERROR: failed to get valid proposal.
Oct 16 17:16:10     racoon: []: ERROR: no suitable proposal found.
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#18) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#18) = 3DES-CBC:DES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#17) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = 3DES-CBC:DES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#16) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = 3DES-CBC:CAST-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#15) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 3DES-CBC:CAST-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#14) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#13) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#13) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#12) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#11) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#10) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#9) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 3DES-CBC:Blowfish-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Oct 16 17:16:10     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:XAuth pskey client
Oct 16 17:16:10     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
Oct 16 17:16:10     racoon: []: INFO: Selected NAT-T version: RFC 3947
Oct 16 17:16:10     racoon: []: WARNING: No ID match.
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: CISCO-UNITY
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: DPD
Oct 16 17:16:10     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: RFC 3947
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 16 17:16:10     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 17:16:10     racoon: []: INFO: begin Aggressive mode.
Oct 16 17:16:10     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]

          claim:

          Oct 16 17:20:27     racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:20:27     racoon: []: ERROR: failed to get sainfo.
Oct 16 17:20:27     racoon: []: ERROR: failed to get sainfo.
Oct 16 17:20:27     racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>xxx.xxx.xxx.xxx[26145]
Oct 16 17:20:22     racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:20:22     racoon: []: ERROR: failed to get sainfo.
Oct 16 17:20:22     racoon: []: ERROR: failed to get sainfo.
Oct 16 17:20:22     racoon: []: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>xxx.xxx.xxx.xxx[26145]
Oct 16 17:19:33     racoon: []: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 16 17:19:33     racoon: []: INFO: login succeeded for user "vpn"
Oct 16 17:19:33     racoon: []: INFO: Using port 0
Oct 16 17:19:33     racoon: []: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-xxx.xxx.xxx.xxx[26145] spi:5dd79ef30dc1fd5f:f59a4e58a3730483
Oct 16 17:19:33     racoon: []: INFO: Sending Xauth request
Oct 16 17:19:33     racoon: []: INFO: NAT detected: ME PEER
Oct 16 17:19:33     racoon: []: INFO: NAT-D payload #1 doesn't match
Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[26145] with algo #2
Oct 16 17:19:33     racoon: []: INFO: NAT-D payload #0 doesn't match
Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[4500] with algo #2
Oct 16 17:19:33     racoon: []: INFO: NAT-T: ports changed to: xxx.xxx.xxx.xxx[26145]<->xxx.xxx.xxx.xxx[4500]
Oct 16 17:19:33     racoon: []: INFO: Adding xauth VID payload.
Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
Oct 16 17:19:33     racoon: []: INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
Oct 16 17:19:33     racoon: []: INFO: Adding remote and local NAT-D payloads.
Oct 16 17:19:33     racoon: []: INFO: Selected NAT-T version: RFC 3947
Oct 16 17:19:33     racoon: []: WARNING: No ID match.
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: CISCO-UNITY
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: DPD
Oct 16 17:19:33     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: RFC 3947
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 16 17:19:33     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 17:19:33     racoon: []: INFO: begin Aggressive mode.
Oct 16 17:19:33     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]

          Exact:

          Oct 16 17:22:55     racoon: []: ERROR: phase1 negotiation failed.
Oct 16 17:22:55     racoon: []: ERROR: failed to pre-process packet.
Oct 16 17:22:55     racoon: []: ERROR: failed to get valid proposal.
Oct 16 17:22:55     racoon: []: ERROR: no suitable proposal found.
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#18) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#18) = 3DES-CBC:DES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#17) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#17) = 3DES-CBC:DES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#16) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = 3DES-CBC:CAST-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#15) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 3DES-CBC:CAST-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#14) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#13) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#13) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#12) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#11) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#10) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#9) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 3DES-CBC:Blowfish-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = SHA:MD5
Oct 16 17:22:55     racoon: []: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:XAuth pskey client
Oct 16 17:22:55     racoon: []: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:AES-CBC
Oct 16 17:22:55     racoon: []: INFO: Selected NAT-T version: RFC 3947
Oct 16 17:22:55     racoon: []: WARNING: No ID match.
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: CISCO-UNITY
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: DPD
Oct 16 17:22:55     racoon: []: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: RFC 3947
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 16 17:22:55     racoon: []: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 17:22:55     racoon: []: INFO: begin Aggressive mode.
Oct 16 17:22:55     racoon: []: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]

          plz help me :)

          cya spiritbreaker

          vpn_p1.png
          vpn_p1.png_thumb
          vpn_p2.png
          vpn_p2.png_thumb

          Pfsense running at 11 Locations
          -mobile OPENVPN and IPSEC
          -multiwan failover
          -filtering proxy(squidguard) in bridgemode with ntop monitoring

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Can you update to the latest snapshot and try again?

            There were a couple commits on the IPsec GUI code, it may make a difference in what you are seeing.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • S
              spiritbreaker
              last edited by

              Hi jimp,

              i tested with 2.0-BETA4  (i386) built on Thu Oct 14 01:16:12 EDT 2010 FreeBSD 8.1-RELEASE-p1 (You are on the latest version.)

              There is no newer snapshot available.

              cya

              Pfsense running at 11 Locations
              -mobile OPENVPN and IPSEC
              -multiwan failover
              -filtering proxy(squidguard) in bridgemode with ntop monitoring

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                There is a snapshot building now that will have the fixes, it isn't ready yet.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • S
                  spiritbreaker
                  last edited by

                  HI jimp,

                  updated to 2.0-BETA4  (i386) built on Mon Oct 18 15:51:06 EDT 2010 FreeBSD 8.1-RELEASE-p1

                  But problem isnt solved. Phase 2 still not working.

                  cya

                  Pfsense running at 11 Locations
                  -mobile OPENVPN and IPSEC
                  -multiwan failover
                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Can't believe I overlooked this before, but did you actually set that up directly on the Tunnel tab, or the Mobile tab?

                    To connect in with the Shrew Soft client you should be configuring things from the Mobile tab, which will make a special mobile client phase 1 entry.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • S
                      spiritbreaker
                      last edited by

                      Hi jimp,

                      i configured on tunnel and mobile tab as u can see in screenshots on earlier posts. Im sure this setup was working with screwsoft one month before.

                      My racoon config seems normal. I try with shrewsoft auto settings and with explicit p1 and p2 settings but nothing work.

                      Do u need more screenshots?

                      Cya

                      Pfsense running at 11 Locations
                      -mobile OPENVPN and IPSEC
                      -multiwan failover
                      -filtering proxy(squidguard) in bridgemode with ntop monitoring

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Ah, yeah I see it now, the Xauth part had me mixed up, since the PSK shows up on the phase 1 config then.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • S
                          spiritbreaker
                          last edited by

                          I hope this means u found the issue. :)

                          Little question btw  ;D

                          1. Is it possible to use radius for Xauth? Radius auth test on Diagnostics -> Authentication works fine. I changed primary auth to radius on Users tab but it dont work for mobile ipsec.
                          Is there a workarround?

                          2. Status of mobile ipsec connections is always down even when mobile clients are connected. Is that a bug of the gui?

                          Cya

                          Pfsense running at 11 Locations
                          -mobile OPENVPN and IPSEC
                          -multiwan failover
                          -filtering proxy(squidguard) in bridgemode with ntop monitoring

                          1 Reply Last reply Reply Quote 0
                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            No, still haven't found the issue, I just thought I was reading something wrong in what you had there.

                            Radius for IPsec should have worked, though at one time the ipsec port was missing the radius bits. I haven't checked lately.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • S
                              spiritbreaker
                              last edited by

                              Hi jimp,

                              -> http://forum.pfsense.org/index.php/topic,30188.msg156312.html#msg156312

                              Shrewsoft Client: Policy Generation Level -> unique solves connection problems.

                              But Cisco VPN Client work only with vpn.inc modification.

                              racoon.conf for cisco vpn client (windows clients):

change:

sainfo subnet <lansubnet>/24 any anonymous

to

sainfo anonymous</lansubnet>

                              Cya

                              Pfsense running at 11 Locations
                              -mobile OPENVPN and IPSEC
                              -multiwan failover
                              -filtering proxy(squidguard) in bridgemode with ntop monitoring

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                We do print just "sainfo anonymous" in some cases, like pure-psk remote tunnels.

                                If it turns out that is really needed for xauth tunnels as well, I can amend the code to take that into account.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by

                                  I just committed a change that should print just "sainfo anonymous" also for xauth-psk setups.

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.