pfSense 2.0-RC1: Road warrior with Cisco (dynamic) as client failing in phase 2
-
Hello,
I've followed the How-To on setting up a road warrior client in IPsec. I actually had an IPsec tunnel running already, but unfortunately we're using an old PIX firewall to make my Cisco router with dynamic IP work as a client, so now I have to migrate these VPNs to pfSense.
What I have so far, after I followed the how-to on http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To and http://www.hacktheory.com/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/
The setup is
(10.10.10.1/32) LAN <-> Cisco Router 1841 (dynamic ip) <-> Internet <-> pfSense <-> LAN (10.255.254.0/29)
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(25c)
Below is my Cisco configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address X.X.X.X no-xauth
crypto isakmp profile VPN
 keyring default
 self-identity fqdn
 match identity address X.X.X.X 255.255.255.255
 initiate mode aggressive
!
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
!
crypto map VPN isakmp-profile VPN
crypto map VPN 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set VPN
 set pfs group2
 match address 100
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address X.X.X.X Y.Y.Y.Y
 duplex auto
 speed auto
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 100 permit ip host 10.10.10.1 10.255.254.0 0.0.0.7
The strangest thing is that the Cisco shows phase 2 completing successfully, but I cannot ping any IPs on the pfSense LAN from the Cisco LAN. Below is my IPsec log.
Jun 27 09:31:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:53 racoon: INFO: begin Aggressive mode.
Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 27 09:31:53 racoon: INFO: received Vendor ID: DPD
Jun 27 09:31:53 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 27 09:31:53 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 27 09:31:54 racoon: INFO: Adding xauth VID payload.
Jun 27 09:31:54 racoon: [200.178.0.10] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jun 27 09:31:54 racoon: [Self]: INFO: ISAKMP-SA established 200.x.x.x[500]-200.x.x.x[500] spi:926de3035193a36a:43c9a7aa18faa034
Jun 27 09:31:54 racoon: [Self]: INFO: respond new phase 2 negotiation: 200.x.x.x[500]<=>200.x.x.x[500]
Jun 27 09:31:54 racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 10.255.254.0/29[0] proto=any dir=in
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=99392649(0x5ec9c89)
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 200.x.x.x[500]->200.x.x.x[500] spi=2320058353(0x8a4947f1)
Jun 27 09:31:55 racoon: ERROR: no configuration found for 200.x.x.x.
Jun 27 09:31:55 racoon: ERROR: failed to begin ipsec sa negotication. <---------------------------------
I'm using a FQDN + PSK to identify my client; I created HS.domain.com with the PSK cisco123 on the Pre-Shared Keys tab.
What now??? I'm a bit lost.. :-.
PS: with static IP to static IP the tunnel was established, but with dynamic IP it doesn't work :'(
Best regards
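As an added example (not from the original post and not pfSense or racoon code), a small Python parser for the racoon log format pasted above: it extracts the phase 1 and phase 2 state and the "no configuration found" error, and classifies the pattern where both SAs come up as responder but racoon then fails to initiate toward a peer it has no static entry for. The sample log is constructed, with documentation-range addresses standing in for the real peers.

```python
import re

# Constructed sample in the racoon log format pasted in this thread;
# 203.0.113.0/24 (a documentation range) stands in for the real peer addresses.
SAMPLE_LOG = """\
Jun 27 09:31:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>203.0.113.10[500]
Jun 27 09:31:53 racoon: INFO: begin Aggressive mode.
Jun 27 09:31:54 racoon: [203.0.113.10] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jun 27 09:31:54 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[500]-203.0.113.10[500] spi:926de3035193a36a:43c9a7aa18faa034
Jun 27 09:31:54 racoon: [Self]: INFO: respond new phase 2 negotiation: 203.0.113.1[500]<=>203.0.113.10[500]
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->203.0.113.10[500] spi=99392649(0x5ec9c89)
Jun 27 09:31:54 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->203.0.113.1[500] spi=2320058353(0x8a4947f1)
Jun 27 09:31:55 racoon: ERROR: no configuration found for 203.0.113.10.
Jun 27 09:31:55 racoon: ERROR: failed to begin ipsec sa negotication.
"""

# "<timestamp> racoon: [<peer or Self>]: <LEVEL>: <message>"; the bracketed tag is optional
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
                     r"(?:\[(?P<tag>[^\]]+)\]:? )?(?P<level>[A-Z]+): (?P<msg>.*)$")
NO_CONFIG_RE = re.compile(r"no configuration found for (\S+?)\.?$")

def parse(text):
    """Turn raw log text into dicts with ts/tag/level/msg; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(events):
    """Count phase 1 SAs, collect phase 2 SPIs and ERROR messages."""
    s = {"phase1_established": 0, "ipsec_sa_spis": [], "errors": []}
    for e in events:
        if e["msg"].startswith("ISAKMP-SA established"):
            s["phase1_established"] += 1
        elif e["msg"].startswith("IPsec-SA established"):
            s["ipsec_sa_spis"].append(int(re.search(r"spi=(\d+)", e["msg"]).group(1)))
        elif e["level"] == "ERROR":
            s["errors"].append(e["msg"])
    return s

def diagnose(events):
    """Classify the failure: both phases came up as responder, then racoon failed to
    initiate toward a peer it has no static configuration for (a dynamic-IP peer)."""
    s = summarize(events)
    unconfigured = [m.group(1) for m in map(NO_CONFIG_RE.search, (e["msg"] for e in events)) if m]
    if s["phase1_established"] and s["ipsec_sa_spis"] and unconfigured:
        return ("responder-only: SAs established, but racoon cannot initiate to %s "
                "(no phase 1 entry for that address)" % unconfigured[0])
    if not s["phase1_established"] and s["errors"]:
        return "phase 1 never established: " + s["errors"][0]
    return "no known failure pattern"
```

Feed it the IPsec log from Status > System Logs to see whether the tunnel is in the same responder-only state; the thread's eventual fix was to give the peer a stable hostname so pfSense can initiate too.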
-
Hi,
I tested your setup a few months ago and it worked.
Post your Mobile Clients tab. Post your IPsec firewall rules.
Start racoon in debug mode and analyse the logs.
I'm still using the "old PIX" in my environment because it's possible to set up multiple IPsec mobile profiles. Remember pfSense can only handle one profile and RADIUS auth isn't possible at the moment. cya
-
Hi!
I attach my Mobile Clients tab. I followed the how-to on http://www.huijgen.com/tunnel/ and did the exact configurations.
I'm trying to ping the pfSense LAN 10.255.254.1 or 10.255.254.2; the traffic still passes when I look at System Logs - Firewall, but I can't ping =/
-
Hi,
I think I got you wrong.
Your mobile client is another pfSense with dynamic IP, right?
cya
-
hi again spiritbreaker
My mobile client is a Cisco router with a dynamic IP. Well... after changing the rules to any-to-any in the LAN and IPsec tabs, I can successfully ping the IP 10.255.254.1 from the client using the Shrew client, but doing this with a Cisco router as client with dynamic IP, I can't ping the pfSense LAN IP.
Do you have a Cisco router configuration to send me?
best regards
-
Hi,
Please have a look at http://forum.pfsense.org/index.php/topic,38294.0.html.
If I have enough time I will test it with an old PIX as remote client.
Why do you need to connect the Cisco as a road warrior? Have you already tested site to site with a DynDNS alias?
cya
-
Thanks again spiritbreaker, I will look at the topic.
best regards
-
Looks like the same error as this:
http://redmine.pfsense.org/issues/1351
Pity the Cisco doesn't support DynDNS, you could just use a DynDNS hostname as the endpoint IP.
-
Thanks jimp,
Well... after some troubles, I decided to try setting up a No-IP service on my Cisco router; that was the only way I could connect successfully between my Cisco router with dynamic IP and my pfSense RC2 box.
So I stopped using the Mobile Clients feature and created a solid site-to-site configuration, setting the Remote Gateway option to domain.no-ip.org.
best regards!