IPSEC RA-VPN. Lion vs Snow Leo
Hello All,
I've been pulling my hair out with this, so I am hoping that someone here may be able to shed some light. I've been using PFSense for my "Road Warrior VPN" for some time now. Usually the OS varies; however, when I moved my MBP to OSX 10.7 from 10.6, the built-in client broke. I don't know what was changed or how, but I cannot seem to find any decent info anywhere.
I have also compared the Racoon Config files (/private/etc/racoon/racoon.conf) on both systems. They appear to be identical.
The following are the logs from Lion when trying to connect:
=============================================
10/16/11 10:36:30.710 AM configd: IPSec connecting to server *****.dyndns-at-home.com
10/16/11 10:36:30.712 AM configd: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
10/16/11 10:36:30.776 AM configd: IPSec Phase1 starting.
10/16/11 10:36:30.790 AM racoon: IPSec connecting to server x.x.x.x
10/16/11 10:36:30.790 AM racoon: Connecting.
10/16/11 10:36:30.790 AM racoon: IPSec Phase1 started (Initiated by me).
10/16/11 10:36:30.797 AM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:36:33.798 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:36.799 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:39.801 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:40.777 AM configd: IPSec disconnecting from server x.x.x.x
10/16/11 10:36:40.781 AM racoon: IPSec disconnecting from server x.x.x.x
The following are the logs from PFSense during the same connection:
Oct 16 10:21:13 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[495]
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: INFO: received Vendor ID: RFC 3947
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:21:13 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:21:13 racoon: INFO: received Vendor ID: DPD
Oct 16 10:21:13 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:21:13 racoon: [x.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: failed to process ph1 packet (side: 1, status: 2).
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
For reference, the successful logs on OSX 10.6.7:
10/16/11 10:02:04 AM racoon[3293] Connecting.
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 XAUTH: success. (XAUTH Status is OK).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Config: retransmited. (Mode-Config retransmit).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (MODE-Config).
10/16/11 10:02:07 AM configd[14] event_callback: Address added. previous interface setting (name: en0, address: x.x.x.x), current interface setting name: utun0, family: 1001, address: x.x.x.x, subnet: 255.255.255.0, destination: x.x.x.x).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
10/16/11 10:02:07 AM kernel utun_ctl_connect: creating interface utun0
10/16/11 10:02:07 AM configd[14] network configuration changed.
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
For reference, the successful logs on PFSense:
Oct 16 10:25:15 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:25:15 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:25:15 racoon: INFO: received Vendor ID: DPD
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:25:15 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[294] with algo #1
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #1
Oct 16 10:25:15 racoon: INFO: Adding xauth VID payload.
Oct 16 10:25:15 racoon: [Self]: INFO: NAT-T: ports changed to: x.x.x.x[31656]<->x.x.x.x[4500]
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[4500] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #0 verified
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[31656] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #1 doesn't match
Oct 16 10:25:15 racoon: [x.x.x.x] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 16 10:25:15 racoon: INFO: NAT detected: PEER
Oct 16 10:25:15 racoon: INFO: Sending Xauth request
Oct 16 10:25:15 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:9e7a28932fdcaf3d:5916dbd4d0a7ad1e
Oct 16 10:25:21 racoon: INFO: Using port 0
Oct 16 10:25:21 racoon: INFO: login succeeded for user "*****"
Oct 16 10:25:21 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 16 10:25:21 racoon: WARNING: Ignored attribute 28683
Oct 16 10:25:21 racoon: [Self]: INFO: respond new phase 2 negotiation: x.x.x.x[4500]<=>x.x.x.x[31656]
Oct 16 10:25:21 racoon: INFO: no policy found, try to generate the policy : x.x.x.x[0] x.x.x.x[0] proto=any dir=in
Oct 16 10:25:21 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 16 10:25:21 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=33546230(0x1ffdff6)
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=135418854(0x81253e6)
If anyone knows where to find the ACTUAL config files from PFSense and/or OSX, I would be happy to post those up for reference as well.
Thank you to anyone who can help. I have also posted up on the Apple Support Forums: https://discussions.apple.com/thread/3397747
James
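Added example (not part of the post above, and not code from the poster, Apple or the pfSense project): a small triage script that reads racoon log lines from either side of the tunnel and reports how far the IKEv1 exchange got. The match strings are taken from the wording in the logs quoted in the post; the three sample logs embedded below are constructed from those same lines, with addresses masked exactly as the poster masked them. The diagnosis codes and the `summarize`/`diagnose` helper names are my own, and the script only identifies the stage at which the negotiation stopped, not why.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: lines copied from the client-side (macOS racoon/configd)
# and responder-side (pfSense racoon) logs quoted in the post.
LION_CLIENT_LOG = """\
10/16/11 10:36:30.790 AM racoon: IPSec Phase1 started (Initiated by me).
10/16/11 10:36:30.797 AM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:36:33.798 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:36.799 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:39.801 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:40.777 AM configd: IPSec disconnecting from server x.x.x.x
"""

PFSENSE_FAILED_LOG = """\
Oct 16 10:21:13 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[495]
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: [x.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: failed to process ph1 packet (side: 1, status: 2).
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
"""

PFSENSE_OK_LOG = """\
Oct 16 10:25:15 racoon: [x.x.x.x] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 16 10:25:15 racoon: INFO: NAT detected: PEER
Oct 16 10:25:15 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:9e7a28932fdcaf3d:5916dbd4d0a7ad1e
Oct 16 10:25:21 racoon: INFO: login succeeded for user "*****"
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=33546230(0x1ffdff6)
"""


@dataclass
class IkeSummary:
    phase1_initiated: bool = False      # Aggressive-Mode message 1 sent or received
    phase1_retransmits: int = 0         # message 1 re-sent with no reply
    phase1_established: bool = False    # ISAKMP SA is up
    xauth_ok: bool = False              # XAuth login accepted
    phase2_established: bool = False    # IPsec (ESP) SA is up
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


# Wording used by the client-side (macOS) and responder-side (pfSense) racoon builds.
_PHASE1_START = re.compile(r"Aggressive-Mode message 1|begin Aggressive mode")
_PHASE1_RETRY = re.compile(r"Phase1 Retransmit")
_PHASE1_DONE = re.compile(r"ISAKMP-SA established|Phase1 Initiator: success")
_XAUTH_OK = re.compile(r"XAUTH: success|login succeeded")
_PHASE2_DONE = re.compile(r"IPsec-SA established|Phase2 Initiator: success")
_ERROR = re.compile(r"ERROR: (.*)$")
_WARNING = re.compile(r"WARNING: (.*)$")


def summarize(log_text: str) -> IkeSummary:
    """Fold a racoon log (either side) into the milestones reached."""
    s = IkeSummary()
    for line in log_text.splitlines():
        if _PHASE1_START.search(line):
            s.phase1_initiated = True
        if _PHASE1_RETRY.search(line):
            s.phase1_retransmits += 1
        if _PHASE1_DONE.search(line):
            s.phase1_established = True
        if _XAUTH_OK.search(line):
            s.xauth_ok = True
        if _PHASE2_DONE.search(line):
            s.phase2_established = True
        if m := _ERROR.search(line):
            s.errors.append(m.group(1))
        if m := _WARNING.search(line):
            s.warnings.append(m.group(1))
    return s


def diagnose(s: IkeSummary) -> tuple:
    """Return (code, explanation) for the stage at which the exchange stopped."""
    if s.phase2_established:
        # Stray ERROR lines (e.g. INITIAL-CONTACT in aggressive mode) are harmless here.
        return ("established", "Phase 1, XAuth and Phase 2 all completed; tunnel is up.")
    if any("pskey" in e for e in s.errors):
        return ("psk-lookup-failed",
                "Responder found no pre-shared key for the identifier in Aggressive-Mode "
                "message 1, nor by the peer's address; compare the Phase 1 identifier the "
                "client sends with the PSK entry on the responder.")
    if s.phase1_initiated and not s.phase1_established and s.phase1_retransmits:
        return ("no-phase1-reply",
                "Aggressive-Mode message 1 was retransmitted %d times with no answer; "
                "the responder rejected or never received it, so check its log."
                % s.phase1_retransmits)
    if s.phase1_established and not s.xauth_ok:
        return ("xauth-incomplete", "ISAKMP SA came up but XAuth never succeeded.")
    if s.errors:
        return ("phase1-error", s.errors[0])
    return ("unknown", "No recognised milestone or error found.")


if __name__ == "__main__":
    for name, log in (("Lion client", LION_CLIENT_LOG),
                      ("pfSense (failed)", PFSENSE_FAILED_LOG),
                      ("pfSense (ok)", PFSENSE_OK_LOG)):
        code, why = diagnose(summarize(log))
        print(f"{name}: {code}: {why}")
```

Run against the two logs from the failing attempt, the client side reports `no-phase1-reply` and the responder side reports `psk-lookup-failed`, which is the pairing to expect: racoon on the responder never answers message 1 when its PSK lookup fails, so the client simply retransmits until it gives up. The responder's own NOTIFY line shows the lookup order (first by the identifier received in message 1, then by the peer's address), so the value to compare between the 10.6 and 10.7 clients is the Phase 1 identifier each one sends.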