RAS VPN with SHREW connects but won't pass traffic!
-
I've got a weird problem with two different pfSense firewalls having the same issue.
The VPN connects just fine but no traffic is passing! I've checked rules etc.
I set up Shrew Soft with an IPsec client VPN per some howto that I found and set up the firewall as follows: VPN --> IPsec --> Mobile clients
P1: aggressive, blowfish, sha1, DH group 2, SA lifetime 86400
P2: blowfish, sha1, no PFS, lifetime 3600
Set up pre-shared user ID and key, then set up rules: IPsec <--> any any
BTW, I've set this up and had about 50/50 success with other pfSense firewalls!
Any ideas!! Please!
Thanks,
Pat
P.S. PPTP works just fine! :'(
I just found something on this! If I connect on the public segment the VPN works and passes traffic!! Is this a NAT issue or an MTU issue? Any ideas are appreciated!
-
Hi,
What version do you use?
What about the IPsec log?
Post your racoon.conf.
cya
-
I'm running Version 1.2.3
IPsec log:
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 135.146.152.222[500]<=>135.146.128.190[195]
Oct 22 20:34:20 racoon: INFO: begin Aggressive mode.
Oct 22 20:34:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 22 20:34:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 22 20:34:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 22 20:34:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 22 20:34:20 racoon: INFO: received Vendor ID: RFC 3947
Oct 22 20:34:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 22 20:34:20 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 135.146.152.222[500]-135.146.128.190[195] spi:5b9a6bac351fb7e6:ffe7c1e03e70e177
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 135.146.152.222[0]<=>135.146.128.190[0]
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.1.121/32[0] 172.16.20.0/24[0] proto=any dir=in
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 135.146.128.190[0]->135.146.152.222[0] spi=56873971(0x363d3f3)
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 135.146.152.222[0]->135.146.128.190[0] spi=3081559935(0xb7acdf7f)
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.121/32[0] 172.16.20.0/24[0] proto=any dir=in"
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.20.0/24[0] 192.168.1.121/32[0] proto=any dir=out"
racoon.conf:
listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote anonymous {
    exchange_mode aggressive;
    my_identifier address "135.146.152.222";
    initial_contact on;
    dpd_delay 120;
    ike_frag on;
    passive on;
    generate_policy on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 3600 secs;
    }
    lifetime time 3600 secs;
}
sainfo anonymous {
    encryption_algorithm des,blowfish;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}
Any tweaks, let me know!
Thanks,
Pat -
Hi Pat,
Did you try to start racoon in debug mode for more details? Are there any firewall events?
Hit me if I'm wrong, but v1.2.3 doesn't support NAT-T for mobile VPN. In order to work, your VPN client needs an official IP.
Limitations
* NAT-T is not supported until version 2.0, which means mobile clients behind NAT are not supported. This limits pfSense's usefulness with mobile IPsec clients. OpenVPN or PPTP is a better solution.
* Some of the more advanced capabilities of ipsec-tools are not supported until 2.0, including DPD, XAuth, NAT-T, and others.
cya
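Added example, not from anyone in this thread: a small Python checker that reads racoon log lines in the format Pat posted and flags the pattern discussed here: IKE from the client arriving on a rewritten source port (client behind NAT), NAT-T vendor IDs offered by the client, both SAs established, but no move to NAT-T, which is what a responder without NAT-T support looks like. The sample lines are taken from the posted log; the function name and heuristics are assumptions of this example.

```python
import re

# Constructed sample: a subset of the racoon lines posted earlier in the thread.
SAMPLE_LOG = """\
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 135.146.152.222[500]<=>135.146.128.190[195]
Oct 22 20:34:20 racoon: INFO: begin Aggressive mode.
Oct 22 20:34:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 22 20:34:20 racoon: INFO: received Vendor ID: RFC 3947
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 135.146.152.222[500]-135.146.128.190[195] spi:5b9a6bac351fb7e6:ffe7c1e03e70e177
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 135.146.128.190[0]->135.146.152.222[0] spi=56873971(0x363d3f3)
Oct 22 20:34:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.121/32[0] 172.16.20.0/24[0] proto=any dir=in"
"""

# local[port]<=>peer[port] as racoon prints it on the phase 1 line
PHASE1_RE = re.compile(r"respond new phase 1 negotiation: ([\d.]+)\[(\d+)\]<=>([\d.]+)\[(\d+)\]")
# NAT-T capability advertised by the client (draft IDs or RFC 3947)
NAT_T_VENDOR_RE = re.compile(r"received Vendor ID: (draft-ietf-ipsec-nat-t-ike-\d+|RFC 3947)")


def analyze_racoon_log(text):
    """Summarise one mobile-client negotiation from racoon INFO/ERROR lines."""
    f = {"peer": None, "peer_port": None, "peer_offers_nat_t": False,
         "isakmp_sa": False, "ipsec_sa": False, "policy_errors": 0}
    for line in text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            f["peer"], f["peer_port"] = m.group(3), int(m.group(4))
        if NAT_T_VENDOR_RE.search(line):
            f["peer_offers_nat_t"] = True
        if "ISAKMP-SA established" in line:
            f["isakmp_sa"] = True
        if "IPsec-SA established" in line:
            f["ipsec_sa"] = True
        if "such policy does not already exist" in line:
            f["policy_errors"] += 1
    # IKE is sent from UDP 500; any other source port means a NAT device rewrote
    # it, so the client sits behind NAT. 4500 would mean NAT-T already floated.
    f["peer_behind_nat"] = f["peer_port"] not in (None, 500, 4500)
    # The thread's symptom: both SAs come up, the client offered NAT-T, but the
    # responder stayed on port 500 without UDP encapsulation. Plain ESP through
    # the NAT then cannot be translated reliably, so the tunnel carries nothing.
    f["likely_nat_t_problem"] = (f["isakmp_sa"] and f["ipsec_sa"]
                                 and f["peer_behind_nat"] and f["peer_offers_nat_t"])
    return f
```

Running it over the posted log reports the peer at 135.146.128.190 on port 195, NAT-T offered, both SAs up and no NAT-T float, so the tunnel is flagged as the NAT-T case; the same lines with the peer on port 500 are not flagged.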