2.0RC3 - ipsec road warrior - shrew soft client - tunnel established no traffic

  • Hi All,
    I've got a strange issue.
    The configuration was re-copied from a full FreeBSD server installation to pfSense on an Alix 2D2.
    On the pure FreeBSD installation everything works fine.
    The configuration is simple.

    Alix router:
    WAN - pppoe from ISP (static IP)
    LAN - small Local net (192.168.1.0/24)

    IPSEC road warrior/mobile clients (Mobile client checked on the IPSEC tab).
    Tunnel established, Phase 1 and 2 OK.

    Firewall rules on the IPSEC interface:
    Pass all from any to any.

    On the WAN interface:
    Pass all from any to any.

    tcpdump -i enc0 shows no traffic? (interface is UP)

    tcpdump on the WAN interface, port 500, 4500, and proto ESP:
    listening on pppoe0, link-type NULL (BSD loopback), capture size 96 bytes
    20:36:03.118901 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 1 I agg
    20:36:03.290885 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 1 R agg
    20:36:03.478601 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 1 I agg[E]
    20:36:03.493307 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R inf[E]
    20:36:03.498702 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I inf[E]
    20:36:03.520815 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I #6[E]
    20:36:03.523624 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R #6[E]
    20:36:18.576908 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I inf[E]
    20:36:18.578208 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R inf[E]
    20:36:21.752138 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I oakley-quick[E]
    20:36:21.761648 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R oakley-quick[E]
    20:36:21.912888 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I oakley-quick[E]
    20:36:26.591303 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x1), length 100
    20:36:31.673631 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x2), length 100
    20:36:33.803829 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I inf[E]
    20:36:33.805109 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R inf[E]
    20:36:37.200105 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x3), length 100

    Nothing strange in the logs.
    racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Jun 27 21:17:06 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Jun 27 21:17:06 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jun 27 21:17:06 racoon: INFO: Resize address pool from 0 to 253
    Jun 27 21:17:06 racoon: [Self]: INFO: 94.40.192.30[4500] used for NAT-T
    Jun 27 21:17:06 racoon: [Self]: INFO: 94.40.192.30[4500] used as isakmp port (fd=14)
    Jun 27 21:17:06 racoon: [Self]: INFO: 94.40.192.30[500] used for NAT-T
    Jun 27 21:17:06 racoon: [Self]: INFO: 94.40.192.30[500] used as isakmp port (fd=15)
    Jun 27 21:17:06 racoon: INFO: unsupported PF_KEY message REGISTER
    Jun 27 21:17:06 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    Jun 27 21:17:06 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
    Jun 27 21:17:16 racoon: [Self]: INFO: respond new phase 1 negotiation: 94.40.192.30[500]<=>31.174.200.130[500]
    Jun 27 21:17:16 racoon: INFO: begin Aggressive mode.
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: RFC 3947
    Jun 27 21:17:16 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: DPD
    Jun 27 21:17:16 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 27 21:17:16 racoon: [31.174.200.130] INFO: Selected NAT-T version: RFC 3947
    Jun 27 21:17:16 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 27 21:17:16 racoon: [31.174.200.130] INFO: Hashing 31.174.200.130[500] with algo #1
    Jun 27 21:17:16 racoon: [Self]: [94.40.192.30] INFO: Hashing 94.40.192.30[500] with algo #1
    Jun 27 21:17:16 racoon: [Self]: [94.40.192.30] INFO: Hashing 94.40.192.30[500] with algo #1
    Jun 27 21:17:16 racoon: INFO: NAT-D payload #0 verified
    Jun 27 21:17:16 racoon: [31.174.200.130] INFO: Hashing 31.174.200.130[500] with algo #1
    Jun 27 21:17:16 racoon: INFO: NAT-D payload #1 verified
    Jun 27 21:17:16 racoon: INFO: NAT not detected
    Jun 27 21:17:16 racoon: [Self]: INFO: ISAKMP-SA established 94.40.192.30[500]-31.174.200.130[500] spi:0b0b606d163a3900:bd07acec75af13f4
    Jun 27 21:17:16 racoon: [31.174.200.130] INFO: received INITIAL-CONTACT
    Jun 27 21:17:16 racoon: INFO: Using port 0
    Jun 27 21:17:16 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Jun 27 21:17:33 racoon: [Self]: INFO: respond new phase 2 negotiation: 94.40.192.30[500]<=>31.174.200.130[500]
    Jun 27 21:17:33 racoon: INFO: Update the generated policy : 192.168.254.1/32[0] 192.168.1.0/24[0] proto=any dir=in

    tcpdump on pflog0 is not showing blocked traffic.

    Config is pushed to the Shrew client: split network 192.168.1.0/24, and a virtual IP for the tunnel endpoint from 192.168.254.0/24.
    Mobile clients are using Shrew Soft VPN 2.1.7 and the ISP is Play (Polish mobile GSM ISP).

    I have checked that the ISP is not blocking IPSEC traffic. (IPSEC, ESP, AH: pass all from any to any)

    No NAT-T.

    P.S.
    I've read that other users also got the same problem, with no solution.
    Anyone?
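The WAN capture in the post above has a tell-tale shape: ESP packets arrive from the client (seq 0x1, 0x2, 0x3 on one SPI) but none ever leave the gateway. The script below is an added example, not from the thread, that parses tcpdump lines of that format, counts ESP per direction relative to the gateway, and names the symptom; the sample lines are copied from the capture above and the gateway hostname is taken as tcpdump printed it.

```python
import re

# Constructed sample: a subset of the tcpdump lines quoted in the post above.
CAPTURE = """\
20:36:21.752138 IP user-31-174-200-130.play-internet.pl.isakmp > 94-40-192-30.tktelekom.pl.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:36:21.761648 IP 94-40-192-30.tktelekom.pl.isakmp > user-31-174-200-130.play-internet.pl.isakmp: isakmp: phase 2/others R oakley-quick[E]
20:36:26.591303 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x1), length 100
20:36:31.673631 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x2), length 100
20:36:37.200105 IP user-31-174-200-130.play-internet.pl > 94-40-192-30.tktelekom.pl: ESP(spi=0x0f6666aa,seq=0x3), length 100
"""

# tcpdump appends ".isakmp" to the host when the port is 500; strip it so src/dst compare cleanly.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+?)(?:\.isakmp)? > "
                     r"(?P<dst>\S+?)(?:\.isakmp)?: (?P<body>.*)$")
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)")

def parse(capture):
    """Yield (src, dst, kind, spi) per packet; kind is 'esp' or 'ike'."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = ESP_RE.search(m["body"])
        if e:
            yield m["src"], m["dst"], "esp", e["spi"]
        elif m["body"].startswith("isakmp:"):
            yield m["src"], m["dst"], "ike", None

def esp_summary(capture, gateway):
    """Count ESP packets towards and from the gateway, and the SPIs seen each way."""
    s = {"esp_in": 0, "esp_out": 0, "spi_in": set(), "spi_out": set(), "ike": 0}
    for src, dst, kind, spi in parse(capture):
        if kind == "ike":
            s["ike"] += 1
        elif kind == "esp" and dst == gateway:
            s["esp_in"] += 1
            s["spi_in"].add(spi)
        elif kind == "esp" and src == gateway:
            s["esp_out"] += 1
            s["spi_out"].add(spi)
    return s

def diagnose(s):
    """One-way ESP means the gateway accepts the SA but never returns traffic."""
    if s["esp_in"] and not s["esp_out"]:
        return "one-way ESP: gateway receives but never replies; check SPD policy, enc0 and return routing"
    if s["esp_in"]:
        return "two-way ESP: tunnel carries traffic in both directions"
    return "no ESP seen: %d IKE packets only" % s["ike"]
```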

  • Success.
    Everything works.

    There are gaps in the default documentation and HOWTOs for the IPSEC road warrior setup.



  • Nice! Great job.

    Can you post the solution here?



  • I have noticed that there are some big gaps in the documentation for the Road Warrior IPSec for v 1.2.3 when using it with v 2.0. Obviously I'm aware that this documentation was done specifically for 1.2, but does anyone have any notes on what you need to do differently for version 2.0 to get this to work?
