PfSense 2.0-RC1: Road warrior with cisco(dynamic) as client failing in phase 2
I've followed the How-To on setting up a road warrior client in IPSEC, I actually had an ipsec running already, but unfortunately we're using a old PIX firewall to connect my cisco router with dynamic IP as client work, so now i have to migrate these vpns to Pfsense.
What I have so far, after I followed the how-to on http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To and http://www.hacktheory.com/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/
The setup is
(10.10.10.1/32) LAN <-> Cisco Router 1841 (dynamic ip) <-> Internet <-> pfSense <-> LAN (10.255.254.0/29)
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(25c)
Below, my CISCO configuration :
crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key cisco123 address X.X.X.X no-xauth crypto isakmp profile VPN keyring default self-identity fqdn match identity address X.X.X.X 255.255.255.255 initiate mode aggressive ! ! crypto ipsec transform-set VPN esp-3des esp-md5-hmac ! crypto map VPN isakmp-profile VPN crypto map VPN 10 ipsec-isakmp set peer X.X.X.X set transform-set VPN set pfs group2 match address 100 ! interface Loopback0 ip address 10.10.10.1 255.255.255.255 ! interface FastEthernet0/0 ip address X.X.X.X Y.Y.Y.Y duplex auto speed auto crypto map VPN ! ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ! access-list 100 permit ip host 10.10.10.1 10.255.254.0 0.0.0.7
The most strange, is that cisco show the phase 2 successfully, but i cannot ping any IP's on the Pfsense LAN from the cisco LAN, below, my IPSEC log .
Jun 27 09:31:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x<=>200.x.x.x Jun 27 09:31:53 racoon: INFO: begin Aggressive mode. Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07 Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Jun 27 09:31:53 racoon: INFO: received Vendor ID: DPD Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Jun 27 09:31:53 racoon: INFO: received Vendor ID: CISCO-UNITY Jun 27 09:31:54 racoon: INFO: Adding xauth VID payload. Jun 27 09:31:54 racoon: [220.127.116.11] ERROR: notification INITIAL-CONTACT received in aggressive exchange. Jun 27 09:31:54 racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x-200.x.x.x spi:926de3035193a36a:43c9a7aa18faa034 Jun 27 09:31:54 racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x<=>200.x.x.x Jun 27 09:31:54 racoon: INFO: Update the generated policy : 10.10.10.1/32 10.255.254.0/29 proto=any dir=in Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x->200.x.x.x spi=99392649(0x5ec9c89) Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x->200.x.x.x spi=2320058353(0x8a4947f1) Jun 27 09:31:55 racoon: ERROR: no configuration found for 200.x.x.x. Jun 27 09:31:55 racoon: ERROR: failed to begin ipsec sa negotication. <---------------------------------
Im using a FQDN + psk to identify my client, i create the HS.domain.com with a psk cisco123 on the Pre-Shared Keys tab,
What now??? I'm a bit lost.. :-.
PS : with ip static to ip static the Tunnel was stablished, but with dynamic IP don't work :'(
i tested your setup a view month before and it worked.
Post ur mobileconfig tab. Post ur Ipsec firewall rules.
Start raccon in debug mode and analyse logs.
Im still using the "old Pix" in my environment because its possible to set up multiple IPSEC mobile profiles. Remember PfSense can
only handle one profile and radius auth isnt possible at the moment.
i attach my mobile client tab, I followed the how-to on http://www.huijgen.com/tunnel/, i dot exact configurations.
I'm tryng ping the PFsense lan 10.255.254.1 or 10.255.254.2, the traffic still pass when i looking on System Logs - Firewall, but i can't ping =/
i think i got u wrong.
Ur Mobile Client is another pfsense with dynamic ip right?
hi again spiritbreaker
My mobile client is a cisco router with a dynamic ip, well…after change the rules for any to any in LAN and IPSEC tab, i can sucessfully ping the IP 10.255.254.1 from the Client using Shrew Client, but made this with a cisco router as client with dynamic IP, i can't ping the PFsense IP LAN
Do you have a cisco router configuration to send me ?
plz have a look at http://forum.pfsense.org/index.php/topic,38294.0.html.
If i have enough time i will test it with an old pix as remoteclient.
Why u need to connect the cisco as roadwarrior? you already tested site to site with dyndns alias?
tks again spiritbreaker, i will look the topic
Looks like the same error as this:
Pity the cisco doesn't support dyndns, you could just use a dyndns hostname as the endpoint IP.
well…after some troubles, i decide to tryng setup a no-ip service in my cisco router, that's was the only way how i connect with sucess my between cisco router with dynamic ip and my pfsense RC2 box.
So, i stop use Mobile Client feature, and create a solid site to site configuration, setting up the Remote Gateway option as domain.no-ip.org