Connecting WinXP Cisco VPN client to PFSense IPSEC



  • Can anyone confirm whether what I am trying to accomplish is possible / not possible / not supported?

    I am trying to connect to a PFSense IPSEC VPN (directly on the internet) from Windows XP (behind a NAT router) with the Cisco VPN client. I'm using a preshared key.

    It fails to connect, giving these logs.

    At the Cisco client:

    ---------------------------------------------------------------------------------
    Cisco Systems VPN Client Version 4.6.02.0011
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    304 CM/0x63100002         Begin connection process
    305 CVPND/0xE3400001         Microsoft IPSec Policy Agent service stopped successfully
    306 CM/0x63100004         Establish secure connection using Ethernet
    307 CM/0x63100024         Attempt connection with server "ss.ss.ss.ss"
    308 IKE/0x6300003B         Attempting to establish a connection with ss.ss.ss.ss.
    309 IKE/0x63000013         SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to ss.ss.ss.ss
    310 IPSEC/0x63700008         IPSec driver successfully started
    311 IPSEC/0x63700014         Deleted all keys
    312 IKE/0x6300002F         Received ISAKMP packet: peer = ss.ss.ss.ss
    313 IKE/0x63000014         RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
    314 IKE/0x63000001         Peer supports DPD
    315 IKE/0x63000001         IOS Vendor ID Contruction successful
    316 IKE/0x63000013         SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to ss.ss.ss.ss
    317 IKE/0x63000083         IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4
    318 CM/0x6310000E         Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    319 IKE/0x63000017         Marking IKE SA for deletion  (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
    320 IKE/0x63000013         SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ss.ss.ss.ss
    321 IKE/0x6300004B         Discarding IKE SA negotiation (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
    322 CM/0x63100014         Unable to establish Phase 1 SA with server "ss.ss.ss.ss" because of "DEL_REASON_NON_UNITY_PEER"
    323 CM/0x63100025         Initializing CVPNDrv
    324 IKE/0x63000001         IKE received signal to terminate VPN connection
    325 IKE/0x63000086         Microsoft IPSec Policy Agent service started successfully
    326 IPSEC/0x63700014         Deleted all keys
    327 IPSEC/0x63700014         Deleted all keys
    328 IPSEC/0x63700014         Deleted all keys
    329 IPSEC/0x6370000A         IPSec driver successfully stopped

    and at the IPSEC log in PFSense


    racoon: INFO: respond new phase 1 negotiation: ss.ss.ss.ss[500]<=>cc.cc.cc.cc[56512]
    racoon: INFO: begin Aggressive mode.
    racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
    racoon: ERROR: delete payload with invalid doi:0.
    ---------------------------------------------------------------------------------

    Again, can anyone help me by telling whether what I'm trying to do is possible or not?

    Thanks.
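As an added illustration (not part of the original post or of pfSense/racoon), the script below reads the aggressive-mode lines quoted from the Cisco client log above and reports which vendor IDs the client offered, which ones the responder echoed back, and the deletion reason. The sample log is constructed from the lines in the post; the function names and the wording of the verdict are my own.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the aggressive-mode lines quoted from the Cisco VPN Client
# log in the post above (the peer address is already anonymised there as ss.ss.ss.ss).
CISCO_CLIENT_LOG = """\
309 IKE/0x63000013         SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to ss.ss.ss.ss
313 IKE/0x63000014         RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
318 CM/0x6310000E         Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 IKE/0x63000017         Marking IKE SA for deletion  (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
"""

# One aggressive-mode (ISAKMP OAK AG) message: direction, payload list and peer.
# The greedy .* stops at the final ") to " / ") from " so nested VID(...) parens are kept.
AG_MSG_RE = re.compile(
    r"(?P<dir>SENDING >>>|RECEIVING <<<) ISAKMP OAK AG \*?\((?P<payloads>.*)\) (?:to|from) (?P<peer>\S+)"
)
VID_RE = re.compile(r"^VID\((?P<name>[^)]+)\)$")
DEL_REASON_RE = re.compile(r"reason = (?P<reason>DEL_REASON_\w+)")


def parse_ag_messages(log: str) -> List[Dict]:
    """Extract every aggressive-mode message as {dir, payloads, peer}."""
    msgs = []
    for line in log.splitlines():
        m = AG_MSG_RE.search(line)
        if m:
            msgs.append({
                "dir": "sent" if m["dir"].startswith("SENDING") else "received",
                "payloads": [p.strip() for p in m["payloads"].split(",")],
                "peer": m["peer"],
            })
    return msgs


def vendor_ids(payloads: List[str]) -> Set[str]:
    """The vendor-ID names carried in a payload list, e.g. {'dpd', 'Unity'}."""
    return {m["name"] for p in payloads if (m := VID_RE.match(p))}


def diagnose(log: str) -> Dict:
    """Compare offered vs. echoed vendor IDs and pair that with the IKE deletion reason."""
    msgs = parse_ag_messages(log)
    offered = set().union(*(vendor_ids(m["payloads"]) for m in msgs if m["dir"] == "sent"))
    answered = set().union(*(vendor_ids(m["payloads"]) for m in msgs if m["dir"] == "received"))
    reason_m = DEL_REASON_RE.search(log)
    reason = reason_m["reason"] if reason_m else None
    unity_echoed = "Unity" in answered

    if reason == "DEL_REASON_NON_UNITY_PEER" and not unity_echoed:
        verdict = ("Phase 1 completed, but the responder never sent VID(Unity); "
                   "the Cisco client treats such a peer as non-Unity and deletes the SA.")
    elif reason:
        verdict = f"Phase 1 torn down with {reason}"
    else:
        verdict = "no deletion recorded"

    return {
        "offered_vids": offered,
        "answered_vids": answered,
        "unanswered_vids": offered - answered,
        "unity_echoed": unity_echoed,
        "deletion_reason": reason,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(CISCO_CLIENT_LOG).items():
        print(f"{key}: {value}")
```

Run against the quoted lines, the script shows that the only vendor ID racoon echoed was DPD, that the Unity vendor ID went unanswered, and that the client's deletion reason (DEL_REASON_NON_UNITY_PEER) was logged right after the Phase 1 SA was established, which matches the racoon side where the ISAKMP SA is established and is immediately followed by the client's delete payload.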



  • Has someone got any experience trying to hook up Cisco VPN client to PFSense?

    Just asking again, since I'm kind of stuck on the issue :)

    I did see lots of entries about site-to-site VPN with Cisco devices, but couldn't find info regarding the Cisco VPN client for making VPN connections for individual machines.



  • I'm also very interested in this.  Wondering if there would be enough interest to post a bounty?



  • Cisco supports IPSEC, but I believe it uses some proprietary techniques such as "Group authentication" which may not be compatible.  It also needs a user authentication mechanism.  I've never been successful (or wanted to be) in getting the Cisco VPN client to connect to anything other than a Cisco device.  That would be an IOS router, 3000 concentrator, PIX or ASA.

    Robert



  • Thanks for your thoughts on this, valnar.

    Would you recommend the OpenVPN client, then?  Perhaps I need to try it out again…



  • Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516

    For OpenVPN have a look at these GUI clients:
    http://openvpn.se/
    http://openvpn.net/gui.html

