Netgate Discussion Forum

    Almost got Cisco VPN client working, but…pfsense SA failure???

    IPsec
    19 Posts 11 Posters 25.3k Views
    limecat

      I'm trying to get the Cisco VPN client working against pfSense 2.0, and I'm nearly there: I get the password prompt, the Cisco lock icon clicks, and pfSense sees traffic coming through.  I'm even seeing traffic flow to pfSense.

      The problem is that no return traffic ever goes.  Under IPsec status, the icon is yellow, and under SAD, the return traffic entry shows no data.  In the IPsec log, I get this:

      Sep 30 23:10:50 	racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
      Sep 30 23:10:50 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
      Sep 30 23:10:50 	racoon: ERROR: not matched
      ........
      Sep 30 23:10:50 	racoon: ERROR: not matched
      Sep 30 23:10:50 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Sep 30 23:10:50 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
      Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=32432442(0x1eee13a)
      Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=1172355998(0x45e0bb9e)
      Sep 30 23:10:54 	racoon: ERROR: no configuration found for 98.218.###.##.
      Sep 30 23:10:54 	racoon: ERROR: failed to begin ipsec sa negotication.
      Sep 30 23:10:58 	racoon: ERROR: no configuration found for 98.218.###.##.
      Sep 30 23:10:58 	racoon: ERROR: failed to begin ipsec sa negotication.
      

      Those last two entries repeat, seemingly for every piece of traffic that goes through.

      My settings:

      Using Mobile IPsec–
      Providing a virtual IP and DNS

      Phase 1 settings:
      Interface:  WAN
      Auth Method:  Mutual PSK + Xauth
      Negotiation:  Aggressive
      My identifier:  My IP address
      Peer identifier: UDN (user@domain.com)
      preshared key: mypks
      Policy Generation: on
      Proposal checking: obey
      Encryption: AES128, with MD5
      DH key group 2
      Nat Traversal enabled
      DPD on, 5 seconds, 5 retries

      Phase 2:
      Mode: tunnel
      Local network: 0.0.0.0/0
      Protocol: ESP
      Encryption: AES(auto), 3des
      Hash: md5
      PFS off

      I'm using the UDN and PKS as the group usernames and passwords.  As I said, I can connect, I just don't get any return traffic.  I have verified that (except for SSH traffic), all ports and protocols on all interfaces and all VPN interfaces are set to "allow".  There are no NAT rules in place, all other settings should be at default.  Additionally, the ShrewSoft VPN client does connect.

      Anyone have any thoughts?

      limecat

        I got it!!!
        Looks like I just needed to reboot my laptop and/or the pfSense box; it now works wonderfully.

        Settings are as posted.  Only other thing I changed was to turn off Dead Peer Detection.

        I will keep tinkering and see if I can narrow down which settings are required, and which are tweakable.  It does appear that Phase 1 proposal checking must be set to Obey (possibly other settings will work, default will not).  I think policy generation also had to be either "on" or "unique".

        Probably won't finish testing till Monday, but in case anyone has been dying to get Cisco clients working with pfSense, here you go :)

        limecat

          Looks like I spoke too soon.  The key, it seems, was rebooting pfSense: once the first Cisco VPN client has authed, it works.  But after disconnecting from the VPN, no further connection attempts work.  I'm not sure if it only applies to the client that connected, or if all further connection attempts would fail.

          Is there anyone who has access to the Cisco client who is up for some testing with me?  Please let me know, thanks.

          marcelloc

            Did you try the vpnc client package from FreeBSD instead of the IPsec GUI config?

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            limecat

              I can get the ShrewSoft VPN client to connect just fine, disconnect, reconnect, etc.

              The cisco client will ONLY connect if it is the first connection since the previous reboot, however.

              It might be a bug with Cisco, except that the Cisco client should not be able to tell whether someone has connected or not on the server end; something is happening on the server after the first connection that causes Cisco to not work.  It connects, goes through the whole process, claims the tunnel is up, but will refuse to route any traffic.

              I am opening a bug on this.

              tubular031

                I am interested in how you fix this. I am on 2.0 with a mobile client IPsec setup. I can connect with Shrew Soft no prob. Now I am trying to get the Cisco client to work. It will connect but I cannot ping or pass traffic.

                carril

                  @limecat: (quotes limecat's first post in full)

                  I followed your steps, and it works fine.
                  Sorry, could you please let me know how to set a new user and pass.

                  carril

                    I followed your steps and it works perfectly.
                    Could you please let me know where to set up a user and pass?
                    Thanks

                    limecat

                      For the user, or the group?

                      For the user, create a new user account, and give them IPsec login permissions.

                      For the group, I think it's the peer identifier.

                      arthurbrownleeiv

                        @limecat:

                        Looks like I spoke too soon.  The key, it seems was rebooting pfsense– once the first Cisco VPN client has authed, it works.  But after disconnecting from the VPN, no further connection attempts work.  Im not sure if it only applies to the client that connected, or if all further connection attempts would fail.

                        Is there anyone who has access to the Cisco client who is up for some testing with me?  Please let me know, thanks.

                        I'm game, as I'm facing the same issue now. This is going to be a big problem for most of our clients, as they all are using the CiscoVPN client.

                        jarlel

                          Hi, did anyone figure out how to set up pfSense so that connecting with a Cisco VPN client works?

                          Thanks in advance.

                          boogieshafer

                            This issue sounds similar to the problems I was seeing with the Shrew client where, after resets to the pfSense IPsec process, I could get the client to connect once and pass traffic, but subsequent connections would connect but fail to pass traffic.

                            For me, the fix for that was, on the pfSense side, to set the P1 Policy Generation to "unique".

                            bdwyer

                              I used the "unique" change as well as forcing NAT traversal to overcome similar issues.  On the policy tab on the Shrewsoft VPN client I also adjusted it to unique.  After making these two changes, I can consistently connect from my laptop and iPhone.  I don't know what the downside of forcing NAT traversal is other than ditching the delivery characteristics of TCP, however I think for high latency links, NAT-T might actually be necessary.

                              CCNP, MCITP

                              Intel Atom N550 - 2gb DDR3
                              Jetway NC9C-550-LF
                              Antec ISK 300-150
                              HP ProCurve 1810-24
                              Cisco 1841 & 2821, Cisco 3550 x3

                              vrayanchu

                                Hi,

                                I am getting the same issue with the Cisco client: I am able to authenticate to the pfSense box but not able to access the local LAN. I am using client version 5.0.06…

                                Please, can anyone suggest something to me.

                                Thanks,
                                vrayanchu

                                valnar

                                  Anybody figure this out?  Running the latest pfSense 2.01 and I log in with my Cisco VPN client, but get the "can't access or ping anything on the Local LAN" issue.

                                  Was this patch rolled into 2.01 or something later?
                                  http://redmine.pfsense.org/issues/1970

                                  jimp (Rebel Alliance Developer, Netgate)

                                    As suggested on http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 :
                                        Policy Generation: Unique
                                        Proposal Checking: Strict
                                        NAT Traversal: Force

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    valnar

                                      I am still having the same problem with using the Cisco VPN client as outlined here:
                                      http://blog.benca.net/2012/03/05/serving-ipsec-vpn-with-pfsense/

                                      limecat

                                        I can confirm that this issue occurs with the 2.1 nightly as of 4/23/2013 with the latest Cisco VPN IPsec client, using Strict / Unique / Force and all options as specified in
                                        http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

                                        If proposal checking is set to "strict", I get

                                        Apr 28 12:19:31	racoon: [Self]: INFO: respond new phase 1 negotiation: {Scrubbed}[500]<=>{Scrubbed}[50539]
                                        Apr 28 12:19:31	racoon: INFO: begin Aggressive mode.
                                        Apr 28 12:19:31	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                        Apr 28 12:19:31	racoon: INFO: received Vendor ID: DPD
                                        Apr 28 12:19:31	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                                        Apr 28 12:19:31	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                        Apr 28 12:19:31	racoon: INFO: received Vendor ID: CISCO-UNITY
                                        Apr 28 12:19:31	racoon: [{Scrubbed}] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
                                        Apr 28 12:19:31	racoon: ERROR: no suitable proposal found.
                                        Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: failed to get valid proposal.
                                        Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
                                        Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: phase1 negotiation failed.
                                        

                                        If it is set to "obey", the issue described (one correct connection, followed by all others failing) recurs with the following log:

                                        Apr 28 12:24:29	racoon: [Self]: INFO: ISAKMP-SA established {SERVER_IP}[4500]-{CLIENT_IP}[59241] spi:7db617222bab00f1:2ca5d8efdb8a9a4a
                                        Apr 28 12:24:29	racoon: INFO: Using port 0
                                        Apr 28 12:24:29	racoon: user 'ipsectest' authenticated
                                        Apr 28 12:24:29	racoon: INFO: login succeeded for user "ipsectest"
                                        Apr 28 12:24:29	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
                                        Apr 28 12:24:29	racoon: ERROR: Cannot open "/etc/motd"
                                        Apr 28 12:24:29	racoon: WARNING: Ignored attribute 28683
                                        Apr 28 12:24:29	racoon: WARNING: Ignored attribute 28684
                                        Apr 28 12:24:29	racoon: [Self]: INFO: respond new phase 2 negotiation: {SERVER_IP}[4500]<=>{CLIENT_IP}[59241]
                                        Apr 28 12:24:29	racoon: INFO: Update the generated policy : 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                        Apr 28 12:24:29	racoon: ERROR: not matched  	{REPEATS X4}
                                        Apr 28 12:24:29	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                                        Apr 28 12:24:29	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                                        Apr 28 12:24:29	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
                                        Apr 28 12:24:29	racoon: ERROR: not matched
                                        Apr 28 12:24:29	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                                        Apr 28 12:24:29	racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=38303437(0x24876cd)
                                        Apr 28 12:24:29	racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=3442386948(0xcd2ea804)
                                        Apr 28 12:24:30	racoon: ERROR: no configuration found for {CLIENT_IP}.
                                        Apr 28 12:24:30	racoon: ERROR: failed to begin ipsec sa negotication.
                                        Apr 28 12:24:41	racoon: ERROR: no configuration found for {CLIENT_IP}.
                                        Apr 28 12:24:41	racoon: ERROR: failed to begin ipsec sa negotication.
                                        Apr 28 12:24:42	racoon: ERROR: no configuration found for {CLIENT_IP}.
                                        {ad infinitum until disconnect}
                                        {Disconnecting here}
                                        Apr 28 12:29:30	racoon: [98.218.150.61] ERROR: delete payload with invalid doi:0.
                                        Apr 28 12:29:30	racoon: [Self]: INFO: ISAKMP-SA expired {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
                                        Apr 28 12:29:30	racoon: INFO: deleting a generated policy.
                                        Apr 28 12:29:30	racoon: [Self]: INFO: ISAKMP-SA deleted {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
                                        Apr 28 12:29:30	racoon: INFO: Released port 0
                                        

                                        The "warning: authtype mismatched" can be eliminated by switching to MD5, but it doesn't make a difference.  Generating traffic triggers two more "error: failed… error:  no config..." lines in the IPsec log.

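An added diagnostic, not code from this thread, from pfSense or from racoon: it parses racoon log lines of the kind posted in the first post and in the "obey" log above, collects the proposal-mismatch warnings, the "IPsec-SA established" lines and the repeated "no configuration found" errors, and flags the case where an SA exists for a peer that racoon then says it has no policy for, which is the no-return-traffic symptom this thread is about. The sample log (with documentation addresses in place of the posters' masked IPs), the function names and the suggested check are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the racoon output posted in this thread.
SAMPLE_LOG = """\
Sep 30 23:10:50\tracoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Sep 30 23:10:50\tracoon: WARNING: trns_id mismatched: my:3DES peer:AES
Sep 30 23:10:50\tracoon: ERROR: not matched
Sep 30 23:10:50\tracoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 30 23:10:50\tracoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=32432442(0x1eee13a)
Sep 30 23:10:50\tracoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=1172355998(0x45e0bb9e)
Sep 30 23:10:54\tracoon: ERROR: no configuration found for 203.0.113.7.
Sep 30 23:10:54\tracoon: ERROR: failed to begin ipsec sa negotication.
Sep 30 23:10:58\tracoon: ERROR: no configuration found for 203.0.113.7.
Sep 30 23:10:58\tracoon: ERROR: failed to begin ipsec sa negotication.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+racoon: (?P<msg>.*)$")
MISMATCH_RE = re.compile(r"WARNING: (?P<attr>authtype|trns_id) mismatched: my:(?P<mine>\S+) peer:(?P<peer>\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP (?P<src>[^\s\[]+)\[\d+\]->(?P<dst>[^\s\[]+)\[\d+\] spi=(?P<spi>\d+)")
NOCONF_RE = re.compile(r"ERROR: no configuration found for (?P<peer>[\w.:]+?)\.?$")


@dataclass
class Report:
    mismatches: list = field(default_factory=list)       # (attribute, ours, peer's)
    sas: list = field(default_factory=list)              # (src, dst, spi) per IPsec-SA
    no_config: Counter = field(default_factory=Counter)  # peer -> error count


def parse_racoon_log(text: str) -> Report:
    """Walk racoon log lines and collect the three events this thread turns on."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a racoon line (pfSense mixes other daemons into the log)
        msg = m.group("msg")
        if (mm := MISMATCH_RE.search(msg)):
            rep.mismatches.append((mm["attr"], mm["mine"], mm["peer"]))
        elif (sa := SA_RE.search(msg)):
            rep.sas.append((sa["src"], sa["dst"], int(sa["spi"])))
        elif (nc := NOCONF_RE.search(msg)):
            rep.no_config[nc["peer"]] += 1
    return rep


def diagnose(rep: Report) -> list:
    """Turn the parsed events into findings an admin can act on (hypothetical helper)."""
    findings = []
    for attr, mine, theirs in rep.mismatches:
        # racoon skips proposal entries that differ from the peer's; informational only
        findings.append(f"proposal entry skipped: {attr} ours={mine} peer={theirs}")
    peers_with_sa = {dst for _, dst, _ in rep.sas}
    for peer, n in rep.no_config.items():
        if peer in peers_with_sa:
            # SA negotiated, yet racoon has no policy for the peer: return traffic
            # cannot be matched to the SA, which is what this thread describes.
            findings.append(
                f"{peer}: IPsec-SA established but racoon has no policy for it ({n}x); "
                "check Phase 1 Policy Generation (Unique) and restart the IPsec service."
            )
        else:
            findings.append(f"{peer}: no configuration found ({n}x) and no SA seen")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_racoon_log(SAMPLE_LOG)):
        print(line)
```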
                                        limecat

                                          This appears to be a routing issue:  I can do a packet capture on the IPsec interface of pfSense, and I can see incoming pings and their destinations:

                                          12:52:18.793013 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1871, length 40
                                          12:52:19.826520 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1872, length 40
                                          12:52:21.329649 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1873, length 40
                                          12:52:23.829947 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1881, length 40
                                          12:52:25.326576 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1882, length 40
                                          

                                          After I disconnect, and have cleared the ipsec log, this appears after a moment or two:

                                          Apr 28 12:49:50	racoon: DEBUG: pk_recv: retry[0] recv()
                                          Apr 28 12:49:50	racoon: DEBUG: got pfkey ACQUIRE message
                                          Apr 28 12:49:50	racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 10.1.53.1/32[0] proto=any dir=out.
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: {LAN_SUBNET}/24[0] {LAN_IP}/32[0] proto=any dir=in
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501648: {LAN_IP}/32[0] {LAN_SUBNET}/24[0] proto=any dir=out
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                          Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in.
                                          

                                          I'm not sure if that is relevant or not.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.