PfSense 2.0-RC1: Road warrior with cisco(dynamic) as client failing in phase 2



  • Hello,

    I've followed the How-To on setting up a road warrior client in IPsec. I actually had IPsec running already, but unfortunately we were using an old PIX firewall to make my Cisco router with a dynamic IP work as a client, so now I have to migrate these VPNs to pfSense.

    This is what I have so far, after following the how-to on http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To and http://www.hacktheory.com/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/

    The setup is:

    (10.10.10.1/32) LAN <-> Cisco Router 1841 (dynamic ip) <-> Internet <-> pfSense <-> LAN (10.255.254.0/29)

    Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(25c)

    Below is my Cisco configuration:

    
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address X.X.X.X no-xauth
    crypto isakmp profile VPN
       keyring default
       self-identity fqdn
       match identity address X.X.X.X 255.255.255.255
       initiate mode aggressive
    !
    !
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    !
    crypto map VPN isakmp-profile VPN
    crypto map VPN 10 ipsec-isakmp
     set peer X.X.X.X
     set transform-set VPN
     set pfs group2
     match address 100
    !
    interface Loopback0
     ip address 10.10.10.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address X.X.X.X Y.Y.Y.Y
     duplex auto
     speed auto
     crypto map VPN
    !
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    access-list 100 permit ip host 10.10.10.1 10.255.254.0 0.0.0.7
    
    

    The strangest thing is that the Cisco shows phase 2 successfully, but I cannot ping any IPs on the pfSense LAN from the Cisco LAN. Below is my IPsec log.

    
    Jun 27 09:31:53	racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
    Jun 27 09:31:53	racoon: INFO: begin Aggressive mode.
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: DPD
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jun 27 09:31:53	racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 27 09:31:54	racoon: INFO: Adding xauth VID payload.
    Jun 27 09:31:54	racoon: [200.178.0.10] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Jun 27 09:31:54	racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x[500]-200.x.x.x[500] spi:926de3035193a36a:43c9a7aa18faa034
    Jun 27 09:31:54	racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
    Jun 27 09:31:54	racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 10.255.254.0/29[0] proto=any dir=in
    Jun 27 09:31:54	racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=99392649(0x5ec9c89)
    Jun 27 09:31:54	racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=2320058353(0x8a4947f1)
    Jun 27 09:31:55	racoon: ERROR: no configuration found for 200.x.x.x.
    Jun 27 09:31:55	racoon: ERROR: failed to begin ipsec sa negotication. <---------------------------------
    
    

    I'm using an FQDN + PSK to identify my client; I created HS.domain.com with the PSK cisco123 on the Pre-Shared Keys tab.

    What now??? I'm a bit lost... :-.

    PS: with static IP to static IP the tunnel was established, but with a dynamic IP it doesn't work :'(

    Best regards
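An added example (not from the thread): a small analyser for racoon log lines like the ones in the post above. It reports which phase completed and, when the peer's phase 2 is installed but racoon then logs "no configuration found" for that address, flags the exchange as working in the responder direction only, which is the dynamic-peer symptom described here. The sample lines are reproduced from the post, with the peer addresses masked as posted.

```python
import re

# Constructed sample: racoon lines reproduced from the post above (peer addresses masked as posted).
SAMPLE_LOG = """\
Jun 27 09:31:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:53 racoon: INFO: begin Aggressive mode.
Jun 27 09:31:54 racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x[500]-200.x.x.x[500] spi:926de3035193a36a:43c9a7aa18faa034
Jun 27 09:31:54 racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:54 racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 10.255.254.0/29[0] proto=any dir=in
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=99392649(0x5ec9c89)
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=2320058353(0x8a4947f1)
Jun 27 09:31:55 racoon: ERROR: no configuration found for 200.x.x.x.
Jun 27 09:31:55 racoon: ERROR: failed to begin ipsec sa negotication.
"""

# One regex per racoon message we care about; group(1) carries the interesting value.
RE_MODE = re.compile(r"begin (\w+) mode")
RE_ISAKMP = re.compile(r"ISAKMP-SA established")
RE_POLICY = re.compile(r"generated policy : (\S+)\[\d+\] (\S+)\[\d+\]")
RE_IPSEC = re.compile(r"IPsec-SA established: ESP .* spi=(\d+)")
RE_NOCONF = re.compile(r"no configuration found for (\S+?)\.?$")


def analyse_racoon(log):
    """Summarise how far an IKE exchange got and where it stopped."""
    s = {"mode": None, "phase1": False, "policy": None,
         "ipsec_spis": [], "no_config_peer": None}
    for line in log.splitlines():
        if m := RE_MODE.search(line):
            s["mode"] = m.group(1)
        elif RE_ISAKMP.search(line):
            s["phase1"] = True
        elif m := RE_POLICY.search(line):
            s["policy"] = (m.group(1), m.group(2))  # (src selector, dst selector)
        elif m := RE_IPSEC.search(line):
            s["ipsec_spis"].append(int(m.group(1)))
        elif m := RE_NOCONF.search(line):
            s["no_config_peer"] = m.group(1)
    # Verdict: peer-initiated SAs installed, but racoon has no remote block to initiate back.
    if not s["phase1"]:
        s["verdict"] = "phase1-incomplete"
    elif s["ipsec_spis"] and s["no_config_peer"]:
        s["verdict"] = "inbound-only"
    elif s["ipsec_spis"]:
        s["verdict"] = "phase2-ok"
    else:
        s["verdict"] = "phase2-incomplete"
    return s
```

Feed it the Status > System Logs > IPsec output; an "inbound-only" verdict means the remote side will see its tunnel as up while pfSense cannot start its own negotiation towards that peer.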






  • Hi,

    I tested your setup a few months ago and it worked.

    Post your mobile config tab. Post your IPsec firewall rules.

    Start racoon in debug mode and analyse the logs.

    I'm still using the "old PIX" in my environment because it's possible to set up multiple IPsec mobile profiles. Remember pfSense can only handle one profile, and RADIUS auth isn't possible at the moment.

    cya



  • Hi!

    I attach my mobile client tab. I followed the how-to on http://www.huijgen.com/tunnel/; I did the exact configuration.

    I'm trying to ping the pfSense LAN, 10.255.254.1 or 10.255.254.2; the traffic still passes when I look at System Logs - Firewall, but I can't ping =/




  • Hi,

    I think I got you wrong.

    Your mobile client is another pfSense with a dynamic IP, right?

    cya



  • Hi again spiritbreaker,

    My mobile client is a Cisco router with a dynamic IP. Well... after changing the rules to any-to-any in the LAN and IPsec tabs, I can successfully ping the IP 10.255.254.1 from the client using the Shrew client, but doing this with a Cisco router with a dynamic IP as the client, I can't ping the pfSense LAN IP.

    Do you have a Cisco router configuration to send me?

    Best regards



  • Hi,

    Please have a look at http://forum.pfsense.org/index.php/topic,38294.0.html.

    If I have enough time I will test it with an old PIX as remote client.

    Why do you need to connect the Cisco as a road warrior? Have you already tested site-to-site with a DynDNS alias?

    cya



  • Thanks again spiritbreaker, I will look at the topic.

    Best regards


  • Rebel Alliance Developer Netgate

    Looks like the same error as this:
    http://redmine.pfsense.org/issues/1351

    Pity the Cisco doesn't support DynDNS; you could just use a DynDNS hostname as the endpoint IP.



  • Thanks jimp,

    Well... after some trouble, I decided to try setting up a No-IP service on my Cisco router; that was the only way I could successfully connect my Cisco router with a dynamic IP and my pfSense RC2 box.

    So I stopped using the Mobile Client feature and created a solid site-to-site configuration, setting the Remote Gateway option to domain.no-ip.org.

    Best regards!

