Phase 2: subnet mismatch?



  • Hello!!

    I have gotten this far at least with my first VPN: pfSense 2.0 (amd64) -> Android 3.1.

    Phase 1 apparently completes, but Phase 2 fails with a subnet mismatch, which I don't really understand. Could it be that my tablet's ISP (Swedish Telia) gives it a dynamic IP behind a NAT/proxy? What I can see in the log below is that the ID the tablet proposes for Phase 2 ("cmpid target") is my pfSense WAN address itself — a single host, not a subnet — while pfSense is trying to match it against 192.168.0.0/24. That looks like a host-to-host (transport-mode) proposal rather than a subnet-to-subnet one, but I'm not sure what the Android client is actually sending.

    x.x.x.x = my pfsense WAN IP
    y.y.y.y = my tablets WAN IP

    Jul 17 23:50:57 racoon: DEBUG: getsainfo params: loc='x.x.x.x' rmt='y.y.y.y' peer='y.y.y.y' client='y.y.y.y' id=1
    Jul 17 23:50:57 racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
    Jul 17 23:50:57 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    Jul 17 23:50:57 racoon: DEBUG: cmpid target: '<my-pfsense-dynamic-ip>'
    Jul 17 23:50:57 racoon: DEBUG: cmpid source: '192.168.0.0/24'
    Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
    Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
    Jul 17 23:50:57 racoon: [mytablet]: [y.y.y.y] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 17 23:50:57 racoon: DEBUG: IV freed

    $ cat /var/etc/racoon.conf
    # This file is automatically generated. Do not edit
    # Phase 1 (remote block) and Phase 2 (sainfo block) policy that pfSense generated
    # for the Android peer. Lines marked NOTE(review) were added while reading it.
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    	# IKE on UDP/500 and NAT-T on UDP/4500, bound to the WAN address only
    	isakmp x.x.x.x [500];
    	isakmp_natt x.x.x.x [4500];
    }
    
    # Phase 1: this block only matches a peer arriving from y.x.y.y's address below.
    # NOTE(review): if the tablet's ISP hands it a new address, Phase 1 would no
    # longer match this block at all -- but the log shows the failure is later, in
    # Phase 2, so the address was still correct when the log was taken.
    remote y.y.y.y
    {
    	ph1id 1;
    	exchange_mode main;
    	my_identifier address x.x.x.x;
    	peers_identifier address y.y.y.y;
    	ike_frag on;
    	generate_policy = unique;
    	initial_contact = on;
    	# NAT-T forced on, which a mobile client behind carrier NAT needs
    	nat_traversal = force;
    
    	support_proxy on;
    	# NOTE(review): 'obey' accepts the initiator's proposed attributes (e.g. the
    	# lifetime) instead of enforcing ours; 'claim' or 'strict' would be tighter.
    	proposal_check obey;
    
    	proposal
    	{
    		authentication_method pre_shared_key;
    		encryption_algorithm aes 128;
    		hash_algorithm sha1;
    		# DH group 2 is 1024-bit MODP -- weak by today's standards, though it is
    		# not what fails here (the log shows Phase 2 being reached)
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    }
    
    # Phase 2 selector: local 192.168.0.0/24 <-> remote 192.168.1.0/32.
    # NOTE(review): the GUI says 192.168.1.0/24 and the 'evaluating sainfo' log line
    # shows rmt='192.168.1.0/24', so this file was regenerated after the log was
    # taken. Either way, the log's 'cmpid target' is the pfSense WAN address itself
    # (a single host), which neither a /24 nor a /32 for 192.168.1.0 will match.
    sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/32 any
    {
    	remoteid 1;
    	encryption_algorithm aes 128;
    	authentication_algorithm hmac_sha1;
    
    	lifetime time 3600 secs;
    	# IPComp (deflate) is offered as well
    	compression_algorithm deflate;
    }
    

    Local Network Type: LAN subnet
    Remote Network Type: Network, 192.168.1.0/24 (note: the generated racoon.conf and spd.conf below show the remote as 192.168.1.0/32, while the "evaluating sainfo" log line shows /24 — so the pasted files and the log were not taken from the same configuration)

    Automatically ping host: 192.168.1.5 (this host doesn't exist, but as I understand it the ping is optional and not needed for the tunnel to come up)

    
    $ cat /var/etc/spd.conf
    # Security policies setkey loads for the tunnel (see the sainfo in racoon.conf).
    # First two: traffic between 192.168.0.1 (presumably the LAN interface address)
    # and its own subnet bypasses IPsec.
    spdadd 192.168.0.1/32 192.168.0.0/24 any -P out none;
    spdadd 192.168.0.0/24 192.168.0.1/32 any -P in none;
    # Tunnel policies: 192.168.0.0/24 <-> 192.168.1.0/32 (a single host, not the
    # /24 the GUI shows). NOTE(review): this matches the sainfo in racoon.conf, so
    # the two pasted files agree with each other but not with the GUI or the log.
    spdadd 192.168.0.0/24 192.168.1.0/32 any -P out ipsec esp/tunnel/x.x.x.x-y.y.y.y/unique;
    spdadd 192.168.1.0/32 192.168.0.0/24 any -P in ipsec esp/tunnel/y.y.y.y-x.x.x.x/unique;
    
    

    Anyone got a clue why?

