Netgate Discussion Forum

    Invalid Exchange type?

      Guest

      I am working on trying to get mobile clients to work with my IPsec VPN so I can get access to some network resources. Here's what I'm getting:

      racoon: ERROR: Invalid exchange type 6 from (my IP)[500]. 
      INFO: ISAKMP-SA established (pfsense IP - external)[500]-(my IP)[500] spi:(long key) 
      INFO: received Vendor ID: RFC 3947 
      INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
      INFO: received Vendor ID: CISCO-UNITY 
      INFO: begin Aggressive mode. 
      INFO: respond new phase 1 negotiation: (pfsense IP - external)[500]<=>(my IP)[500] 
      
      

      Anyone have any suggestions as to what I can do to get the correct exchange type? I am using Shrew Soft VPN on Windows XP SP2 (behind a NAT) and connecting to an IPsec VPN on a 1.0.1 pfsense box.

        razor2000

        I just installed the Shrew Soft VPN client and get the same error as you when trying to connect to a pfsense IPSEC endpoint.  I did some searching and saw this posted on the Shrew.net lists:

        Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It
        appears that pfsense either doesn't have an interface for isakmp modecfg
        setup or the version you are using has it disabled. Modecfg is what
        allows for all the dynamic configuration of the client. Support for this
        feature can be enabled by compiling ipsec-tools with the hybrid option.

        But please note, not all versions of ipsec-tools support all the
        options that the client does. The ipsec-tools project is about to branch
        0.7 which will support all the features the client does in a stable
        release branch ( see the notes in the client documentation features list ).

        You should still be able to use the client with pfsense but you will
        need to make sure that …

        1. the pfsense ipsec-tools version supports the generate policy option
        2. you disable all the dynamic client configuration features
        3. it uses the hook scripts to punch holes in pf for vpn client traffic

        Hope this helps,

        -Matthew

        This was posted on 9-26-2006 at: http://lists.shrew.net/pipermail/vpn-help/2006-September/000568.html

        This VPN client does look neat though…

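The exchange type named in the racoon error is a one-byte field in the fixed 28-byte ISAKMP header. As an added example (not part of the original posts and not pfsense or ipsec-tools code), the following decodes that header from a captured UDP/500 payload so a type 6 packet can be confirmed in a capture; the function names, cookie values and sample datagrams are constructed for illustration.

```python
import struct

# ISAKMP exchange types from RFC 2408 / RFC 2409, plus the Transaction
# exchange used by Mode Config (value 6, as stated in the quoted reply).
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (Mode Config)", 32: "Quick Mode", 33: "New Group Mode",
}
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header of a UDP/500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError(f"truncated ISAKMP header: {len(datagram)} bytes")
    icookie, rcookie, _next, version, etype, flags, msg_id, length = \
        HEADER.unpack_from(datagram)
    if length < HEADER.size:
        raise ValueError(f"declared length {length} is shorter than the header")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": etype,
        "exchange_name": EXCHANGE_TYPES.get(etype, "unassigned/private"),
        "encrypted": bool(flags & 0x01),       # E bit: payloads are encrypted
        "message_id": msg_id,
        "length_matches": length == len(datagram),
        "is_modecfg": etype == 6,              # the type racoon rejected
    }


def build_sample(etype: int, flags: int = 0, msg_id: int = 0) -> bytes:
    """Constructed header-only datagram; the cookies are made-up values."""
    return HEADER.pack(bytes.fromhex("1122334455667788"),
                       bytes.fromhex("99aabbccddeeff00"),
                       0, 0x10, etype, flags, msg_id, HEADER.size)


if __name__ == "__main__":
    # Aggressive mode phase 1, then the Mode Config request that follows it.
    for pkt in (build_sample(4), build_sample(6, flags=0x01, msg_id=0x2A)):
        h = parse_isakmp_header(pkt)
        print(h["exchange_type"], h["exchange_name"],
              "encrypted" if h["encrypted"] else "clear")
```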
          Guest

          Thank you!

          Wonder if there is an option for the generate policy deep inside pfsense =0
