Invalid Exchange type?
I am working on trying to get mobile clients to work with my IPsec vpn so I can get access to some network resources. Here's what I'm getting:
racoon: ERROR: Invalid exchange type 6 from (my IP).
INFO: ISAKMP-SA established (pfsense IP - external)-(my IP) spi:(long key)
INFO: received Vendor ID: RFC 3947
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
INFO: received Vendor ID: CISCO-UNITY
INFO: begin Aggressive mode.
INFO: respond new phase 1 negotiation: (pfsense IP - external)<=>(my IP)
Anyone have any suggestions as to what I can do to get the correct exchange type? I am using Shrew Soft VPN on Windows XP SP2 (behind a NAT) and connecting to an IPsec VPN on a 1.0.1 pfsense box.
I just installed the Shrew Soft VPN client and get the same error as you when trying to connect to a pfsense IPSEC endpoint. I did some searching and saw this posted on the Shrew.net lists:
Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It
appears that pfsense either doesn't have an interface for isakmp modecfg
setup or the version you are using has it disabled. Modecfg is what
allows for all the dynamic configuration of the client. Support for this
feature can be enabled by compiling ipsec-tools with the hybrid option.
But please note, not all versions of ipsec-tools support all the
options that the client does. The ipsec-tools project is about to branch
0.7 which will support all the features the client does in a stable
release branch ( see the notes in the client documentation features list ).
You should still be able to use the client with pfsense but you will
need to make sure that …
- the pfsense ipsec-tools version supports the generate policy option
- you disable all the dynamic client configuration features
- it uses the hook scripts to punch holes in pf for vpn client traffic
Hope this helps,
This was posted on 9-26-2006 at: http://lists.shrew.net/pipermail/vpn-help/2006-September/000568.html
This VPN client does look neat though…
Wonder if there is an option for the generate policy deep inside pfsense =0
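For reference, here is what the first and third bullets of the quoted mailing-list post look like on the racoon side. This is an added example, not pfSense's generated configuration and not code from the Shrew Soft post: it assumes an ipsec-tools build that accepts the generate_policy, nat_traversal, mode_cfg and script keywords (the 0.6/0.7-era racoon.conf(5) syntax), the pre-shared-key and hook-script paths are placeholders, and the second bullet (turning off the client's dynamic configuration so it never sends the modecfg exchange) is done in the Shrew Soft client's policy settings, not in this file. Whether a 1.0.1 box accepts it depends on the ipsec-tools version it ships, which is exactly the first bullet's caveat.

```conf
# racoon.conf fragment for a pfsense box accepting road-warrior clients
# (constructed example; paths are placeholders)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote anonymous {
        # Shrew Soft connects in aggressive mode (see "begin Aggressive mode" in the log)
        exchange_mode aggressive, main;
        my_identifier address;
        proposal_check obey;

        # Client is behind NAT: accept RFC 3947 / draft-ietf-ipsec-nat-t-ike-02
        nat_traversal on;

        # Bullet 1: derive the SPD entry from what the client proposes in phase 2,
        # so no static SPD entry per roaming client is needed
        generate_policy on;

        # This racoon does not serve ISAKMP mode config (exchange type 6);
        # the client must also have its dynamic configuration turned off (bullet 2)
        mode_cfg off;

        # Bullet 3: hook scripts that add/remove pf rules for the client's
        # address when phase 1 comes up or goes down (hypothetical paths)
        script "/usr/local/etc/racoon/phase1-up.sh" phase1_up;
        script "/usr/local/etc/racoon/phase1-down.sh" phase1_down;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With mode_cfg off and the client's dynamic configuration disabled, phase 1 goes straight from the ISAKMP-SA being established to the phase 2 quick mode, and the "Invalid exchange type 6" line should no longer appear; the client's own address and subnet then have to be set statically in its policy since nothing is pushed to it.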