Netgate Discussion Forum
    Connecting WinXP Cisco VPN client to PFSense IPSEC


      BasR

      Can anyone confirm whether what I am trying to accomplish is possible / not possible / not supported?

      I am trying to connect to PFSense IPSEC VPN (directly on the internet) from Windows XP (behind a NAT router) with Cisco VPN client. I'm using Preshared Key.

      It fails to connect, giving these logs.

      At the Cisco client:

      ---------------------------------------------------------------------------------
      Cisco Systems VPN Client Version 4.6.02.0011
      Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
      Client Type(s): Windows, WinNT
      Running on: 5.1.2600 Service Pack 2

      304 CM/0x63100002         Begin connection process
      305 CVPND/0xE3400001         Microsoft IPSec Policy Agent service stopped successfully
      306 CM/0x63100004         Establish secure connection using Ethernet
      307 CM/0x63100024         Attempt connection with server "ss.ss.ss.ss"
      308 IKE/0x6300003B         Attempting to establish a connection with ss.ss.ss.ss.
      309 IKE/0x63000013         SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to ss.ss.ss.ss
      310 IPSEC/0x63700008         IPSec driver successfully started
      311 IPSEC/0x63700014         Deleted all keys
      312 IKE/0x6300002F         Received ISAKMP packet: peer = ss.ss.ss.ss
      313 IKE/0x63000014         RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
      314 IKE/0x63000001         Peer supports DPD
      315 IKE/0x63000001         IOS Vendor ID Contruction successful
      316 IKE/0x63000013         SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to ss.ss.ss.ss
      317 IKE/0x63000083         IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4
      318 CM/0x6310000E         Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
      319 IKE/0x63000017         Marking IKE SA for deletion  (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
      320 IKE/0x63000013         SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ss.ss.ss.ss
      321 IKE/0x6300004B         Discarding IKE SA negotiation (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
      322 CM/0x63100014         Unable to establish Phase 1 SA with server "ss.ss.ss.ss" because of "DEL_REASON_NON_UNITY_PEER"
      323 CM/0x63100025         Initializing CVPNDrv
      324 IKE/0x63000001         IKE received signal to terminate VPN connection
      325 IKE/0x63000086         Microsoft IPSec Policy Agent service started successfully
      326 IPSEC/0x63700014         Deleted all keys
      327 IPSEC/0x63700014         Deleted all keys
      328 IPSEC/0x63700014         Deleted all keys
      329 IPSEC/0x6370000A         IPSec driver successfully stopped

      and at the IPSEC log in PFSense


      racoon: INFO: respond new phase 1 negotiation: ss.ss.ss.ss[500]<=>cc.cc.cc.cc[56512]
      racoon: INFO: begin Aggressive mode.
      racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      racoon: INFO: received Vendor ID: DPD
      racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      racoon: INFO: received Vendor ID: CISCO-UNITY
      racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
      racoon: INFO: received Vendor ID: CISCO-UNITY
      racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
      racoon: ERROR: delete payload with invalid doi:0.
      ---------------------------------------------------------------------------------

      Again, can anyone help me by telling whether what I'm trying to do is possible or not?

      Thanks.

        BasR
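The two logs above describe the same IKE aggressive-mode exchange from both ends. As an added example (not part of the original post or of pfSense), the script below parses constructed excerpts of both logs, matches the client's I_Cookie/R_Cookie pair against racoon's SPI pair to confirm they refer to one ISAKMP SA, lists which vendor IDs the responder actually echoed, and reports the client's stated deletion reason, which is the information needed to read a failure like this one.

```python
import re

# Constructed excerpts of the two logs quoted in the post (IP placeholders kept as in the post).
CISCO_LOG = """\
313 IKE/0x63000014  RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(dpd)) from ss.ss.ss.ss
318 CM/0x6310000E   Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
319 IKE/0x63000017  Marking IKE SA for deletion  (I_Cookie=CA23216D1A1008F8 R_Cookie=E2B66E44790E28B4) reason = DEL_REASON_NON_UNITY_PEER
322 CM/0x63100014   Unable to establish Phase 1 SA with server "ss.ss.ss.ss" because of "DEL_REASON_NON_UNITY_PEER"
"""
RACOON_LOG = """\
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: ISAKMP-SA established ss.ss.ss.ss[500]-cc.cc.cc.cc[56512] spi:ca23216d1a1008f8:e2b66e44790e28b4
racoon: ERROR: delete payload with invalid doi:0.
"""

# Cisco prints cookies in upper-case hex; racoon prints the same pair lower-case after "spi:".
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-Fa-f]{16}) R_Cookie=([0-9A-Fa-f]{16})\) reason = (\w+)")
SPI_RE = re.compile(r"ISAKMP-SA established .* spi:([0-9a-f]{16}):([0-9a-f]{16})")
RESPONDER_VID_RE = re.compile(r"RECEIVING <<< ISAKMP OAK AG \((.*)\) from")

def cisco_deletions(log):
    """Map (icookie, rcookie) -> reason for every 'Marking IKE SA for deletion' line."""
    return {(i.lower(), r.lower()): reason for i, r, reason in COOKIE_RE.findall(log)}

def racoon_sas(log):
    """Set of (icookie, rcookie) pairs racoon reports as established ISAKMP SAs."""
    return {(i, r) for i, r in SPI_RE.findall(log)}

def responder_vendor_ids(log):
    """Vendor-ID payloads the client saw in the responder's aggressive-mode reply."""
    m = RESPONDER_VID_RE.search(log)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip().startswith("VID(")]

def correlate(cisco_log, racoon_log):
    """Tie each SA the client tore down to racoon's view of it and note whether Unity was echoed."""
    established = racoon_sas(racoon_log)
    vids = responder_vendor_ids(cisco_log)
    findings = []
    for cookies, reason in cisco_deletions(cisco_log).items():
        findings.append({
            "cookies": cookies,
            "reason": reason,
            "same_sa_on_both_ends": cookies in established,
            "responder_vids": vids,
            # The client's reason string says it dropped the SA because the peer did not
            # identify itself as a Unity peer; the reply payload list shows what was echoed.
            "unity_echoed": "VID(Unity)" in vids,
        })
    return findings
```

On the post's logs this yields one finding: the cookie pair matches racoon's SPI pair, phase 1 was established on both sides, the responder echoed only VID(dpd), and the client then deleted the SA with DEL_REASON_NON_UNITY_PEER.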

        Has someone got any experience trying to hook up Cisco VPN client to PFSense?

        Just asking again, since I'm kinda stuck on the issue :)

        I did see lots of entries about site-to-site VPN with Cisco devices, but couldn't find info regarding the Cisco VPN client for making VPN connections for individual machines.

          strick1226

          I'm also very interested in this.  Wondering if there would be enough interest to post a bounty?

            valnar

            Cisco supports IPSEC, but I believe it uses some proprietary techniques such as "Group authentication" which may not be compatible.  It also needs a user authentication mechanism.  I've never been successful (or wanted to) in getting the Cisco VPN client to connect to anything other than a Cisco device.  That would be an IOS router, 3000 concentrator, PIX or ASA.

            Robert

              strick1226

              Thanks for your thoughts on this, valnar.

              Would you recommend the OpenVPN client, then?  Perhaps I need to try it out again…

                hoba

                Have a look at the free IPSEC clients mentioned here: http://forum.pfsense.org/index.php/topic,2009.msg11516.html#msg11516

                For OpenVPN have a look at these GUI clients:
                http://openvpn.se/
                http://openvpn.net/gui.html
