<![CDATA[Connecting WinXP Cisco VPN client to PFSense IPSEC]]>Can anyone confirm whether what i am trying to accomplish is possible / not possible / not supported?

I am trying to connect to PFSense IPSEC VPN (directly on the internet) from Windows XP (behind a NAT router) with Cisco VPN client. I'm using Preshared Key.

It fails to connect, giving these logs.

At the Cisco client:

–--------------------------------------------------------------------------------
Cisco Systems VPN Client Version 4.6.02.0011
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

304 CM/0x63100002         Begin connection process
305 CVPND/0xE3400001         Microsoft IPSec Policy Agent service stopped successfully
306 CM/0x63100004         Establish secure connection using Ethernet
307 CM/0x63100024         Attempt connection with server "ss.ss.ss.ss"
308 IKE/0x6300003B         Attempting to establish a connection with ss.ss.ss.ss.
309 IKE/0x63000013         SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to ss.ss.ss.ss
310 IPSEC/0x63700008         IPSec driver successfully started
311 IPSEC/0x63700014         Deleted all keys
312 IKE/0x6300002F         Received ISAKMP packet: peer = ss.ss.ss.ss
313 IKE/0x63000014         RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
314 IKE/0x63000001         Peer supports DPD
315 IKE/0x63000001         IOS Vendor ID Contruction successful
316 IKE/0x63000013         SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to ss.ss.ss.ss
317 IKE/0x63000083         IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4
318 CM/0x6310000E         Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 IKE/0x63000017         Marking IKE SA for deletion  (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
320 IKE/0x63000013         SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ss.ss.ss.ss
321 IKE/0x6300004B         Discarding IKE SA negotiation (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
322 CM/0x63100014         Unable to establish Phase 1 SA with server "ss.ss.ss.ss" because of "DEL_REASON_NON_UNITY_PEER"
323 CM/0x63100025         Initializing CVPNDrv
324 IKE/0x63000001         IKE received signal to terminate VPN connection
325 IKE/0x63000086         Microsoft IPSec Policy Agent service started successfully
326 IPSEC/0x63700014         Deleted all keys
327 IPSEC/0x63700014         Deleted all keys
328 IPSEC/0x63700014         Deleted all keys
329 IPSEC/0x6370000A         IPSec driver successfully stopped

and at the IPSEC log in PFSense

racoon: INFO: respond new phase 1 negotiation: ss.ss.ss.ss[500]<=>cc.cc.cc.cc[56512]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
racoon: ERROR: delete payload with invalid doi:0.
–--------------------------------------------------------------------------------

Again, anyone can help me by telling if what i'm trying to do is possible or not?

Thanks.

]]>https://forum.netgate.com/topic/2837/connecting-winxp-cisco-vpn-client-to-pfsense-ipsecRSS for NodeWed, 15 Apr 2026 16:36:07 GMTWed, 13 Dec 2006 00:01:27 GMT60<![CDATA[Reply to Connecting WinXP Cisco VPN client to PFSense IPSEC on Wed, 03 Jan 2007 18:15:47 GMT]]>Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516

For OpenVPN have a look at these GUI clients:
http://openvpn.se/
http://openvpn.net/gui.html

]]>https://forum.netgate.com/post/146773https://forum.netgate.com/post/146773Wed, 03 Jan 2007 18:15:47 GMT<![CDATA[Reply to Connecting WinXP Cisco VPN client to PFSense IPSEC on Wed, 03 Jan 2007 17:32:35 GMT]]>Thanks for your thoughts on this, valnar.

Would you recommend the OpenVPN client, then?  Perhaps I need try to it out again…

]]>https://forum.netgate.com/post/146768https://forum.netgate.com/post/146768Wed, 03 Jan 2007 17:32:35 GMT<![CDATA[Reply to Connecting WinXP Cisco VPN client to PFSense IPSEC on Wed, 03 Jan 2007 16:30:46 GMT]]>Cisco supports IPSEC, but I believe it uses some proprietary techniques such as "Group authentication" which may not be compatible.  It also needs a user authentication mechanism.  I've never been successful (or wanted to) in getting the Cisco VPN client to connect to anything other than a Cisco device.  That would be an IOS router, 3000 concentrator, PIX or ASA.

Robert

]]>https://forum.netgate.com/post/146764https://forum.netgate.com/post/146764Wed, 03 Jan 2007 16:30:46 GMT<![CDATA[Reply to Connecting WinXP Cisco VPN client to PFSense IPSEC on Wed, 20 Dec 2006 18:45:18 GMT]]>I'm also very interested in this.  Wondering if there would be enough interest to post a bounty?

]]>https://forum.netgate.com/post/146193https://forum.netgate.com/post/146193Wed, 20 Dec 2006 18:45:18 GMT<![CDATA[Reply to Connecting WinXP Cisco VPN client to PFSense IPSEC on Fri, 15 Dec 2006 02:22:18 GMT]]>Has someone got any experience trying to hook up Cisco VPN client to PFSense?

Just asking again, since I'm kindda stuck on the issue :)

I did see lots of entries about site to site VPN with Cisco devices, but couldn't find info regarding the Cisco VPN client for making VPN connection for individual machines..

]]>https://forum.netgate.com/post/145852https://forum.netgate.com/post/145852Fri, 15 Dec 2006 02:22:18 GMT