Almost got Cisco VPN client working, but…pfsense SA failure???

limecat

Im trying to get Cisco VPN client working against pfSense 2.0, and im nearly there– got password prompt, cisco lock icon clicks, and pfsense sees traffic coming through.  Im even seeing traffic flow to pfsense.

The problem is that no return traffic ever goes.  Under IPsec status, the icon is yellow, and under SAD, the return traffic entry shows no data.  In the IPsec log, I get this:

Sep 30 23:10:50 	racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Sep 30 23:10:50 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Sep 30 23:10:50 	racoon: ERROR: not matched
........
Sep 30 23:10:50 	racoon: ERROR: not matched
Sep 30 23:10:50 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 30 23:10:50 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=32432442(0x1eee13a)
Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=1172355998(0x45e0bb9e)
Sep 30 23:10:54 	racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:54 	racoon: ERROR: failed to begin ipsec sa negotication.
Sep 30 23:10:58 	racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:58 	racoon: ERROR: failed to begin ipsec sa negotication.

Those last two entries repeat, seemingly for every piece of traffic that goes through.

My settings:

Using Mobile IPsec–
Providing a virtual IP and DNS

Phase 1 settings:
Interface:  WAN
Auth Method:  Mutual PSK + Xauth
Negotiation:  Agressive
My identifier:  My IP address
Peer identifier: UDN (user@domain.com)
preshared key: mypks
Policy Generation: on
Proposal checking: obey
Encryption: AES128, with MD5
DH key group 2
Nat Traversal enabled
DPD on, 5 seconds, 5 retries

Phase 2:
Mode: tunnel
Local network: 0.0.0.0/0
Protocol: ESP
Encryption: AES(auto), 3des
Hash: md5
PFS off

Im using the UDN and PKS as the group usernames and passwords.  As I said, I can connect, I just dont get any return traffic.  I have verified that (except for SSH traffic), all ports and protocols on all interfaces and all VPN interfaces are set to "allow".  There are no NAT rules in place, all other settings should be at default.  Additionally, the ShrewSoft VPN client does connect.

Anyone have any thoughts?

limecat

I got it!!!
Looks like I just needed to reboot my Laptop and / or the pfsense box, it now works wonderfully.

Settings are as posted.  Only other thing I changed was to turn off Dead Peer Detection.

I will keep tinkering and see if I can narrow down which settings are required, and which are tweakable.  It does appear that Phase1 proposal checking must be set to Obey (possibly other settings will work, default will not).  I think policy generation also had to either be on "on", or "unique".

Probably wont finish testing till monday, but in case anyone has been dying to get cisco clients working with pfSense, here you go :)

limecat

Looks like I spoke too soon.  The key, it seems was rebooting pfsense– once the first Cisco VPN client has authed, it works.  But after disconnecting from the VPN, no further connection attempts work.  Im not sure if it only applies to the client that connected, or if all further connection attempts would fail.

Is there anyone who has access to the Cisco client who is up for some testing with me?  Please let me know, thanks.

marcelloc

Did you tried vpnc client package from freebsd instead of IPSec gui config?

limecat

I can get shrewsoft vpn client to connect just fine, disconnect, reconnect, etc.

The cisco client will ONLY connect if it is the first connection since the previous reboot, however.

It might be a bug with Cisco, except that the Cisco client should not be able to tell whether someone has connected or not on the server end– something is happening on the server after the first connection that causes Cisco to not work.  It connects, goes through the whole process, claims the tunnel is up, but will refuse to route any traffic.

I am opening a bug on this.

tubular031

I am interested in how you fix this. I am on 2.0 with mobile client ipsec setup. I can connect with shrew soft no prob. Now I am trying to get the cisco client to work. It will connect but I can not ping or pass traffic.

carril

@limecat:

Im trying to get Cisco VPN client working against pfSense 2.0, and im nearly there– got password prompt, cisco lock icon clicks, and pfsense sees traffic coming through.  Im even seeing traffic flow to pfsense.

The problem is that no return traffic ever goes.  Under IPsec status, the icon is yellow, and under SAD, the return traffic entry shows no data.  In the IPsec log, I get this:

Sep 30 23:10:50 	racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Sep 30 23:10:50 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Sep 30 23:10:50 	racoon: ERROR: not matched
........
Sep 30 23:10:50 	racoon: ERROR: not matched
Sep 30 23:10:50 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 30 23:10:50 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=32432442(0x1eee13a)
Sep 30 23:10:50 	racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=1172355998(0x45e0bb9e)
Sep 30 23:10:54 	racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:54 	racoon: ERROR: failed to begin ipsec sa negotication.
Sep 30 23:10:58 	racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:58 	racoon: ERROR: failed to begin ipsec sa negotication.

Those last two entries repeat, seemingly for every piece of traffic that goes through.

My settings:

Using Mobile IPsec–
Providing a virtual IP and DNS
I followed your steps, and work fine.
Sorry, could you please let me know how to set a new user an pass.

Phase 1 settings:
Interface:  WAN
Auth Method:  Mutual PSK + Xauth
Negotiation:  Agressive
My identifier:  My IP address
Peer identifier: UDN (user@domain.com)
preshared key: mypks
Policy Generation: on
Proposal checking: obey
Encryption: AES128, with MD5
DH key group 2
Nat Traversal enabled
DPD on, 5 seconds, 5 retries

Phase 2:
Mode: tunnel
Local network: 0.0.0.0/0
Protocol: ESP
Encryption: AES(auto), 3des
Hash: md5
PFS off

Im using the UDN and PKS as the group usernames and passwords.  As I said, I can connect, I just dont get any return traffic.  I have verified that (except for SSH traffic), all ports and protocols on all interfaces and all VPN interfaces are set to "allow".  There are no NAT rules in place, all other settings should be at default.  Additionally, the ShrewSoft VPN client does connect.

Anyone have any thoughts?

carril

I followed your steps and works perfectly.
Could you please let me know where to set up a user and pass ?
thanks

limecat

For the user, or the group?

For the user, create a new user account, and give them IPsec login permissions.

For the group, I think its the peer identifier.

arthurbrownleeiv

@limecat:

Looks like I spoke too soon.  The key, it seems was rebooting pfsense– once the first Cisco VPN client has authed, it works.  But after disconnecting from the VPN, no further connection attempts work.  Im not sure if it only applies to the client that connected, or if all further connection attempts would fail.

Is there anyone who has access to the Cisco client who is up for some testing with me?  Please let me know, thanks.

I'm game, as I'm facing the same issue now. This is going to be a big problem for most of our clients, as they all are using the CiscoVPN client.

jarlel

Hi, did anyone figure out how to set up pfSense so that connecting with a Cisco VPN client works?

Thanks in advance.

boogieshafer

this issue sounds similar to the problems i was seeing with the Shrew client where after resets to the pfsense ipsec process i could get the client to connect once and pass traffic, but subsequent connections would connect but fail to pass traffic

for me the fix for that was, on the pfsense side, try setting the P1 Policy Generation to "unique"

bdwyer

I used the "unique" change as well as forcing NAT traversal to overcome similar issues.  On the policy tab on the Shrewsoft VPN client I also adjusted it to unique.  After making these two changes, I can consistently connect from my laptop and iPhone.  I don't know what the downside of forcing NAT traversal is other than ditching the delivery characteristics of TCP, however I think for high latency links, NAT-T might actually be necessary.

vrayanchu

Hi,

I am getting the same issue with cisco client, I am able to authenticate the pfsense box but not able to access local lan. I am using client version 5.0.06… ,

Please any one can suggest to me.

Thanks,
vrayanchu

valnar

Anybody figure this out?  Running the latest pfSense 2.01 and I login with my Cisco VPN client, but get the "can't access or ping anything on the Local LAN" issue.

Was this patch rolled into 2.01 or something later?
http://redmine.pfsense.org/issues/1970

jimp

As suggested on http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 :
    Policy Generation: Unique
    Proposal Checking: Strict
    NAT Traversal: Force

valnar

I am still having the same problem with using the Cisco VPN client as outlined here:
http://blog.benca.net/2012/03/05/serving-ipsec-vpn-with-pfsense/

limecat

I can confirm that this issue occurs with the 2.1 nightly as of 4/23/2013 with the latest Cisco VPN Ipsec client, using Strict / Unique / Force and all options as specified in
http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

If proposal checking is set to "strict", I get

Apr 28 12:19:31	racoon: [Self]: INFO: respond new phase 1 negotiation: {Scrubbed}[500]<=>{Scrubbed}[50539]
Apr 28 12:19:31	racoon: INFO: begin Aggressive mode.
Apr 28 12:19:31	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 28 12:19:31	racoon: INFO: received Vendor ID: DPD
Apr 28 12:19:31	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 28 12:19:31	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 28 12:19:31	racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 28 12:19:31	racoon: [{Scrubbed}] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Apr 28 12:19:31	racoon: ERROR: no suitable proposal found.
Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: failed to get valid proposal.
Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Apr 28 12:19:31	racoon: [{Scrubbed}] ERROR: phase1 negotiation failed.

If it is set to "obey", the issue described (one correct connection, followed by all others failing) recurs with the following log:

Apr 28 12:24:29	racoon: [Self]: INFO: ISAKMP-SA established {SERVER_IP}[4500]-{CLIENT_IP}[59241] spi:7db617222bab00f1:2ca5d8efdb8a9a4a
Apr 28 12:24:29	racoon: INFO: Using port 0
Apr 28 12:24:29	racoon: user 'ipsectest' authenticated
Apr 28 12:24:29	racoon: INFO: login succeeded for user "ipsectest"
Apr 28 12:24:29	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 28 12:24:29	racoon: ERROR: Cannot open "/etc/motd"
Apr 28 12:24:29	racoon: WARNING: Ignored attribute 28683
Apr 28 12:24:29	racoon: WARNING: Ignored attribute 28684
Apr 28 12:24:29	racoon: [Self]: INFO: respond new phase 2 negotiation: {SERVER_IP}[4500]<=>{CLIENT_IP}[59241]
Apr 28 12:24:29	racoon: INFO: Update the generated policy : 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
{REPEATS X4}     Apr 28 12:24:29	racoon: ERROR: not matched  	{REPEATS X4}
Apr 28 12:24:29	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 28 12:24:29	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Apr 28 12:24:29	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Apr 28 12:24:29	racoon: ERROR: not matched
Apr 28 12:24:29	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Apr 28 12:24:29	racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=38303437(0x24876cd)
Apr 28 12:24:29	racoon: [Self]: INFO: IPsec-SA established: ESP {SERVER_IP}[500]->{CLIENT_IP}[500] spi=3442386948(0xcd2ea804)
Apr 28 12:24:30	racoon: ERROR: no configuration found for {CLIENT_IP}.
Apr 28 12:24:30	racoon: ERROR: failed to begin ipsec sa negotication.
Apr 28 12:24:41	racoon: ERROR: no configuration found for {CLIENT_IP}.
Apr 28 12:24:41	racoon: ERROR: failed to begin ipsec sa negotication.
Apr 28 12:24:42	racoon: ERROR: no configuration found for {CLIENT_IP}.
{ad infinitum until disconnect}
{Disconnecting here}
Apr 28 12:29:30	racoon: [98.218.150.61] ERROR: delete payload with invalid doi:0.
Apr 28 12:29:30	racoon: [Self]: INFO: ISAKMP-SA expired {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
Apr 28 12:29:30	racoon: INFO: deleting a generated policy.
Apr 28 12:29:30	racoon: [Self]: INFO: ISAKMP-SA deleted {SERVER_IP}[4500]-{CLIENT_IP}[59949] spi:38e4590885e9aa23:bcb3607bd17ead8e
Apr 28 12:29:30	racoon: INFO: Released port 0

The "warning: authtype mismatched" can be eliminated by switching to MD5, but it doesnt make a difference.  Generating traffic triggers two more "error: failed… error:  no config..." lines in the ipsec log.

limecat

This appears to be a routing issue:  I can do a packet capture on the IPSec interface of pfsense, and I can see incoming pings, and their destination:

12:52:18.793013 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1871, length 40
12:52:19.826520 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1872, length 40
12:52:21.329649 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP}: ICMP echo request, id 1, seq 1873, length 40
12:52:23.829947 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1881, length 40
12:52:25.326576 (authentic,confidential): SPI 0x083c9c1c: IP 10.1.53.1 > {LAN_IP2}: ICMP echo request, id 1, seq 1882, length 40

After I disconnect, and have cleared the ipsec log, this appears after a moment or two:

Apr 28 12:49:50	racoon: DEBUG: pk_recv: retry[0] recv()
Apr 28 12:49:50	racoon: DEBUG: got pfkey ACQUIRE message
Apr 28 12:49:50	racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 10.1.53.1/32[0] proto=any dir=out.
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: {LAN_SUBNET}/24[0] {LAN_IP}/32[0] proto=any dir=in
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501648: {LAN_IP}/32[0] {LAN_SUBNET}/24[0] proto=any dir=out
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe728: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x285013c8: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 28 12:49:50	racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 10.1.53.1/32[0] 0.0.0.0/0[0] proto=any dir=in.

Im not sure if that is relevant or not.