Invalid Exchange type?

  • I am working on trying to get mobile clients to work with my IPsec VPN so I can get access to some network resources.  Here's what I'm getting:

    racoon: ERROR: Invalid exchange type 6 from (my IP)[500]. 
    INFO: ISAKMP-SA established (pfsense IP - external)[500]-(my IP)[500] spi:(long key) 
    INFO: received Vendor ID: RFC 3947 
    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
    INFO: received Vendor ID: CISCO-UNITY 
    INFO: begin Aggressive mode. 
    INFO: respond new phase 1 negotiation: (pfsense IP - external)[500]<=>(my IP)[500] 

    Anyone have any suggestions as to what I can do to get the correct exchange type?  I am using Shrew Soft VPN on Windows XP SP2 (behind a NAT) and connecting to an IPsec VPN on a 1.0.1 pfsense box.

  • I just installed the Shrew Soft VPN client and get the same error as you when trying to connect to a pfsense IPSEC endpoint.  I did some searching and saw this posted on the lists:

    Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It
    appears that pfsense either doesn't have an interface for isakmp modecfg
    setup or the version you are using has it disabled. Modecfg is what
    allows for all the dynamic configuration of the client. Support for this
    feature can be enabled by compiling ipsec-tools with the hybrid option.

    But please note, not all versions of ipsec-tools support all the
    options that the client does. The ipsec-tools project is about to branch
    0.7 which will support all the features the client does in a stable
    release branch ( see the notes in the client documentation features list ).

    You should still be able to use the client with pfsense but you will
    need to make sure that …

    1. the pfsense ipsec-tools version supports the generate policy option
    2. you disable all the dynamic client configuration features
    3. it uses the hook scripts to punch holes in pf for vpn client traffic

    Hope this helps,


    This was posted on 9-26-2006 at:

    This VPN client does look neat though…
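
Added example, not part of the original thread: a small Python decoder for the fixed ISAKMP header that shows where the "exchange type 6" in the racoon error comes from. The function names and the sample datagram are constructed for illustration.

```python
import struct

# Values 0-5: RFC 2408. 6: ISAKMP Configuration Method (mode-cfg) draft.
# 32/33: IKE DOI exchanges from RFC 2409.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (Mode Config)", 32: "Quick mode", 33: "New Group mode",
}
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(payload, nat_t=False):
    """Decode the fixed 28-byte ISAKMP header of one UDP payload."""
    if nat_t:
        # On UDP 4500, IKE is prefixed with a 4-byte zero non-ESP marker.
        if payload[:4] != b"\x00\x00\x00\x00":
            raise ValueError("ESP-in-UDP packet, not IKE")
        payload = payload[4:]
    if len(payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _, _, _, version, xchg, flags, msg_id, length = HEADER.unpack_from(payload)
    if length < HEADER.size or length > len(payload):
        raise ValueError("length field does not match datagram")
    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unassigned/unknown"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
    }


def is_modecfg(header):
    """True for the exchange the quoted reply identifies as modecfg."""
    return header["exchange_type"] == 6


# Constructed sample: header plus 48 zero bytes standing in for the
# encrypted body a client would send after phase 1 completes.
SAMPLE = HEADER.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, 6, 0x01, 0xBEEF, 76) + bytes(48)

if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE)
    print(hdr["exchange_type"], hdr["exchange_name"], "modecfg:", is_modecfg(hdr))
```

Running the same decoder over a packet capture of the failed connection shows whether the client is still sending Transaction exchanges after its dynamic configuration features have been turned off.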

  • Thank you!

    Wonder if there is an option for the generate policy deep inside pfsense =0
