Netgate Discussion Forum
    PfSense 2.0-RC1: Road warrior with cisco(dynamic) as client failing in phase 2

      chroot

      Hello,

      I've followed the How-To on setting up a road warrior client in IPsec. I actually had an IPsec tunnel running already, but unfortunately we're using an old PIX firewall to make the connection from my Cisco router with a dynamic IP as client work, so now I have to migrate these VPNs to pfSense.

      What I have so far, after I followed the how-to on http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To and http://www.hacktheory.com/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/

      The setup is

      (10.10.10.1/32) LAN <-> Cisco Router 1841 (dynamic ip) <-> Internet <-> pfSense <-> LAN (10.255.254.0/29)

      Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(25c)

      Below, my CISCO configuration :

      
      crypto isakmp policy 1
       encr 3des
       hash md5
       authentication pre-share
       group 2
      crypto isakmp key cisco123 address X.X.X.X no-xauth
      crypto isakmp profile VPN
         keyring default
         self-identity fqdn
         match identity address X.X.X.X 255.255.255.255
         initiate mode aggressive
      !
      !
      crypto ipsec transform-set VPN esp-3des esp-md5-hmac
      !
      crypto map VPN isakmp-profile VPN
      crypto map VPN 10 ipsec-isakmp
       set peer X.X.X.X
       set transform-set VPN
       set pfs group2
       match address 100
      !
      interface Loopback0
       ip address 10.10.10.1 255.255.255.255
      !
      interface FastEthernet0/0
       ip address X.X.X.X Y.Y.Y.Y
       duplex auto
       speed auto
       crypto map VPN
      !
      ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
      !
      access-list 100 permit ip host 10.10.10.1 10.255.254.0 0.0.0.7
      
      

      The strangest thing is that the Cisco shows phase 2 completing successfully, but I cannot ping any IPs on the pfSense LAN from the Cisco LAN. Below, my IPsec log.

      
      Jun 27 09:31:53	racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
      Jun 27 09:31:53	racoon: INFO: begin Aggressive mode.
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: DPD
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Jun 27 09:31:53	racoon: INFO: received Vendor ID: CISCO-UNITY
      Jun 27 09:31:54	racoon: INFO: Adding xauth VID payload.
      Jun 27 09:31:54	racoon: [200.178.0.10] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Jun 27 09:31:54	racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x[500]-200.x.x.x[500] spi:926de3035193a36a:43c9a7aa18faa034
      Jun 27 09:31:54	racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
      Jun 27 09:31:54	racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 10.255.254.0/29[0] proto=any dir=in
      Jun 27 09:31:54	racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=99392649(0x5ec9c89)
      Jun 27 09:31:54	racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=2320058353(0x8a4947f1)
      Jun 27 09:31:55	racoon: ERROR: no configuration found for 200.x.x.x.
      Jun 27 09:31:55	racoon: ERROR: failed to begin ipsec sa negotication. <---------------------------------
      
      

      I'm using an FQDN + PSK to identify my client; I created HS.domain.com with the PSK cisco123 on the Pre-Shared Keys tab.

      What now??? I'm a bit lost.. :-.

      PS: with static IP to static IP the tunnel was established, but with a dynamic IP it doesn't work  :'(

      Best regards

      Attachments: mobile3.png, mobile2.png

      "If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds

      bzanelato.blogspot.com

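As an added example (not from this post, and not pfSense's or Cisco's own code), the script below reconciles the crypto ACL from the Cisco configuration above with the phase 2 policy racoon logged, and pulls the ERROR lines out of the log. The embedded config and log excerpts are constructed from what the post shows (peer addresses masked as 200.x.x.x, as in the post); the racoon message formats are assumed to be exactly those quoted above.

```python
import ipaddress
import re

# Constructed excerpt of the Cisco configuration quoted in the post (peer masked as X.X.X.X).
CISCO_CONFIG = """\
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set VPN
 set pfs group2
 match address 100
access-list 100 permit ip host 10.10.10.1 10.255.254.0 0.0.0.7
"""

# Constructed excerpt of the racoon log quoted in the post (addresses masked as 200.x.x.x).
RACOON_LOG = """\
Jun 27 09:31:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:53 racoon: INFO: begin Aggressive mode.
Jun 27 09:31:54 racoon: [200.x.x.x] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jun 27 09:31:54 racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x[500]-200.x.x.x[500] spi:926de3035193a36a:43c9a7aa18faa034
Jun 27 09:31:54 racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:54 racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 10.255.254.0/29[0] proto=any dir=in
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=99392649(0x5ec9c89)
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=2320058353(0x8a4947f1)
Jun 27 09:31:55 racoon: ERROR: no configuration found for 200.x.x.x.
Jun 27 09:31:55 racoon: ERROR: failed to begin ipsec sa negotication.
"""

POLICY_RE = re.compile(r"generated policy : (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(\w+)")
ERROR_RE = re.compile(r"racoon: (?:\[[^\]]*\] )?ERROR: (.*)$")


def wildcard_to_network(address, wildcard):
    """Turn a Cisco 'address wildcard' pair into CIDR: 10.255.254.0 0.0.0.7 -> 10.255.254.0/29."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # the wildcard bits must be one contiguous low-order run of ones
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    host_bits = (wc + 1).bit_length() - 1
    return str(ipaddress.ip_network("%s/%d" % (address, 32 - host_bits), strict=False))


def _take_address(tokens):
    """Consume one ACL address spec (host A | any | A WILDCARD) from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0/0"
    if first == "host":
        return tokens.pop(0) + "/32"
    return wildcard_to_network(first, tokens.pop(0))


def crypto_acl_selectors(config_text, acl_number):
    """Return the (source, destination) CIDR pairs a numbered crypto ACL protects."""
    selectors = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", acl_number, "permit", "ip"]:
            rest = tokens[4:]
            selectors.append((_take_address(rest), _take_address(rest)))
    return selectors


def crypto_map_acl(config_text, map_name):
    """Find which access-list the named ipsec-isakmp crypto map entry matches on."""
    in_map = False
    for line in config_text.splitlines():
        if line.startswith("crypto map %s " % map_name) and line.rstrip().endswith("ipsec-isakmp"):
            in_map = True
            continue
        if in_map and line.startswith(" match address "):
            return line.split()[-1]
        if in_map and not line.startswith(" "):
            in_map = False
    return None


def racoon_policies(log_text):
    """Extract the (src, dst) selectors racoon installed, with src normalized to the remote side."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            src, dst, direction = m.groups()
            if direction == "out":  # flip outbound policies so both directions compare alike
                src, dst = dst, src
            policies.append((src, dst))
    return policies


def analyze(config_text, log_text, map_name="VPN"):
    """Compare the router's proxy IDs with what racoon negotiated and list the logged errors."""
    acl = crypto_map_acl(config_text, map_name)
    cisco = crypto_acl_selectors(config_text, acl) if acl else []
    racoon = racoon_policies(log_text)
    errors = [m.group(1).strip() for m in map(ERROR_RE.search, log_text.splitlines()) if m]
    return {
        "cisco_selectors": cisco,
        "racoon_policies": racoon,
        "selectors_match": bool(cisco) and set(cisco) == set(racoon),
        "phase1_established": "ISAKMP-SA established" in log_text,
        "phase2_sa_count": log_text.count("IPsec-SA established"),
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in analyze(CISCO_CONFIG, RACOON_LOG).items():
        print("%-20s %s" % (key, value))
```

Run against the excerpts, the report shows the router's selector (10.10.10.1/32 to 10.255.254.0/29) is exactly the policy racoon installed and that both ESP SAs came up, so a proxy-ID mismatch is ruled out; what remains is the pair of errors racoon logs one second after phase 2, which is where to look next.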
        spiritbreaker

        Hi,

        I tested your setup a few months ago and it worked.

        Post your mobile config tab. Post your IPsec firewall rules.

        Start racoon in debug mode and analyse the logs.

        I'm still using the "old PIX" in my environment because it's possible to set up multiple IPsec mobile profiles. Remember pfSense can
        only handle one profile and RADIUS auth isn't possible at the moment.

        cya

        Pfsense running at 11 Locations
        -mobile OPENVPN and IPSEC
        -multiwan failover
        -filtering proxy(squidguard) in bridgemode with ntop monitoring

          chroot

          Hi!

          I attach my mobile client tab. I followed the how-to on http://www.huijgen.com/tunnel/ and did the exact configurations.

          I'm trying to ping the pfSense LAN, 10.255.254.1 or 10.255.254.2; the traffic still passes when I look at System Logs - Firewall, but I can't ping =/

          Attachment: mobile5.png

            spiritbreaker

            Hi,

            I think I got you wrong.

            Your mobile client is another pfSense with a dynamic IP, right?

            cya

              chroot

              hi again spiritbreaker

              My mobile client is a Cisco router with a dynamic IP. Well… after changing the rules to any-to-any in the LAN and IPsec tabs, I can successfully ping the IP 10.255.254.1 from the client using the Shrew client, but doing this with a Cisco router as the client with a dynamic IP, I can't ping the pfSense LAN IP.

              Do you have a Cisco router configuration to send me?

              best regards

                spiritbreaker

                Hi,

                please have a look at http://forum.pfsense.org/index.php/topic,38294.0.html.

                If I have enough time I will test it with an old PIX as the remote client.

                Why do you need to connect the Cisco as a road warrior? Have you already tested site-to-site with a DynDNS alias?

                cya

                  chroot

                  thanks again spiritbreaker, I will look at the topic

                  best regards

                    jimp (Rebel Alliance Developer, Netgate)

                    Looks like the same error as this:
                    http://redmine.pfsense.org/issues/1351

                    Pity the Cisco doesn't support DynDNS; you could just use a DynDNS hostname as the endpoint IP.

                      chroot

                      tks jimp,

                      well… after some trouble, I decided to try setting up a No-IP service on my Cisco router; that was the only way I could connect successfully between the Cisco router with a dynamic IP and my pfSense RC2 box.

                      So I stopped using the Mobile Client feature and created a solid site-to-site configuration, setting the Remote Gateway option to domain.no-ip.org.

                      best regards!


                      1 Reply Last reply Reply Quote 0
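The site-to-site workaround above only holds while the firewall keeps the peer's dynamic-DNS name and its current address in sync. As an added example (not from this thread, and not pfSense's own hostname-check code), the Python below models that periodic check: it re-resolves each peer hostname through an injected resolver (so it runs offline against constructed answers), reports which tunnels need re-keying to a new address, keeps the existing SA when the lookup fails, and flags a resolution that lands in non-public address space as implausible rather than acting on it. The hostnames and the 200.0.2.x addresses are constructed, masked in the style of the post's 200.x.x.x.

```python
import ipaddress


def check_dyndns_peers(state, resolve):
    """Re-resolve each dynamic-DNS peer and report which tunnels need attention.

    state   : dict hostname -> last known peer IP (updated in place when a peer moves)
    resolve : callable hostname -> IP string, or None when the lookup fails (injected; hypothetical)
    Returns a list of (hostname, old_ip, new_ip, status) tuples, one per peer, in hostname order.
    """
    events = []
    for host, old in sorted(state.items()):
        new = resolve(host)
        if new is None:
            # Transient DNS failure: keep the existing SA instead of tearing the tunnel down.
            events.append((host, old, None, "lookup-failed"))
            continue
        addr = ipaddress.ip_address(new)
        if addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            # A remote peer cannot plausibly sit in RFC 1918, loopback or multicast space; do not re-point the tunnel.
            events.append((host, old, new, "implausible-address"))
            continue
        if new == old:
            events.append((host, old, new, "unchanged"))
        else:
            state[host] = new  # the peer moved: the tunnel must be re-keyed against the new address
            events.append((host, old, new, "changed"))
    return events


# Constructed sample: last known addresses and the answers a resolver would return this round.
SAMPLE_STATE = {
    "peer.example.no-ip.org": "200.0.2.10",
    "other.example.no-ip.org": "200.0.2.20",
    "gone.example.no-ip.org": "200.0.2.30",
}
SAMPLE_ANSWERS = {
    "peer.example.no-ip.org": "200.0.2.11",   # address changed: re-key
    "other.example.no-ip.org": "10.1.1.1",    # private answer: implausible, leave tunnel alone
    "gone.example.no-ip.org": None,           # lookup failed: keep current SA
}


def run_sample():
    """Run the check over the constructed sample and return the events plus the updated state."""
    state = dict(SAMPLE_STATE)
    events = check_dyndns_peers(state, SAMPLE_ANSWERS.get)
    return events, state


if __name__ == "__main__":
    for event in run_sample()[0]:
        print("%-26s %-12s -> %-12s %s" % event)
```

Only the "changed" status should trigger a tunnel reconfiguration; the other statuses are logged so an operator can see a peer whose name stopped resolving or started resolving somewhere it should not.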
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.