Mobile IPsec help



  • I am trying to connect the Shrewsoft VPN client to a pfSense firewall running the 2.0 code.

    The pfSense firewall is behind another pfSense firewall, but I have forwarded UDP ports 500 and 4500 to the internal firewall.  I do not believe that ESP is required to be forwarded; however, I have forwarded it as well.  The session is attempted, but eventually times out.

    I replaced the actual IP address with the word IP below.

    Any thoughts or comments?

    
    Nov 18 00:59:38 racoon: ERROR: phase1 negotiation failed due to time up. 0c9f90ba3ea0a0d7:f663f3b628713ad3 
    Nov 18 00:59:17 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1). 
    Nov 18 00:59:08 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1). 
    Nov 18 00:58:58 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1). 
    Nov 18 00:58:48 racoon: [Self]: [192.168.0.1] INFO: Hashing 192.168.0.1[500] with algo #2 
    Nov 18 00:58:48 racoon: [IP] INFO: Hashing IP[500] with algo #2 
    Nov 18 00:58:48 racoon: INFO: Adding remote and local NAT-D payloads. 
    Nov 18 00:58:48 racoon: [IP] INFO: Selected NAT-T version: RFC 3947 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: CISCO-UNITY 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: DPD 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: RFC 3947 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01 
    Nov 18 00:58:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
    Nov 18 00:58:48 racoon: INFO: begin Aggressive mode. 
    Nov 18 00:58:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>IP[500] 
    
    

    I have followed the guide for configuration on the firewall and client from here: http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
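The log above shows the firewall in the responder role: it answers the client's first aggressive-mode packet, retransmits that answer three times, and gives up with "time up", which is the classic signature of a reply that never makes it back to the initiator (the poster later traced it to the firewall on the client side). The following is an added example, not code from the post or from pfSense: it parses racoon lines of this shape, orders them oldest-first, and reports the responder/retransmit/time-out pattern. The classification rules are this example's own heuristics; the `begin Identity Protection mode` string is racoon's wording for main mode and is only included so the same parser covers both modes.

```python
import re
from datetime import datetime

# A subset of the racoon log quoted in the post above, newest line first as
# pasted there, with the peer's public address replaced by the word IP.
SAMPLE_LOG = """\
Nov 18 00:59:38 racoon: ERROR: phase1 negotiation failed due to time up. 0c9f90ba3ea0a0d7:f663f3b628713ad3
Nov 18 00:59:17 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1).
Nov 18 00:59:08 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1).
Nov 18 00:58:58 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by IP[500] (1).
Nov 18 00:58:48 racoon: [Self]: [192.168.0.1] INFO: Hashing 192.168.0.1[500] with algo #2
Nov 18 00:58:48 racoon: [IP] INFO: Hashing IP[500] with algo #2
Nov 18 00:58:48 racoon: INFO: Adding remote and local NAT-D payloads.
Nov 18 00:58:48 racoon: [IP] INFO: Selected NAT-T version: RFC 3947
Nov 18 00:58:48 racoon: INFO: received Vendor ID: CISCO-UNITY
Nov 18 00:58:48 racoon: INFO: received Vendor ID: DPD
Nov 18 00:58:48 racoon: INFO: received Vendor ID: RFC 3947
Nov 18 00:58:48 racoon: INFO: begin Aggressive mode.
Nov 18 00:58:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>IP[500]
"""

# One racoon line: timestamp, optional "[tag]:", optional "[address]", level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?"
    r"(?:\[(?P<addr>[^\]]*)\] )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*?)[ \t]*$"
)
NEW_PHASE1_RE = re.compile(
    r"respond new phase 1 negotiation: (?P<local>\S+?)\[\d+\]<=>(?P<peer>\S+?)\[\d+\]"
)
RETRANSMIT_RE = re.compile(r"the packet is retransmitted by (?P<peer>\S+?)\[(?P<port>\d+)\]")


def parse(log_text):
    """Return the recognised lines as dicts, oldest first."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    events.reverse()  # the pasted log is newest-first
    # Stable sort keeps the pasted order for lines that share a timestamp.
    events.sort(key=lambda e: datetime.strptime(e["ts"], "%b %d %H:%M:%S"))
    return events


def diagnose(events):
    """Summarise the phase 1 exchange and name the most likely failure class."""
    r = {"role": None, "peer": None, "mode": None, "nat_t": None,
         "retransmits": 0, "failed": False, "finding": ""}
    for ev in events:
        msg = ev["msg"]
        m = NEW_PHASE1_RE.search(msg)
        if m:  # this side answered a peer's first packet
            r["role"], r["peer"] = "responder", m.group("peer")
        elif msg.startswith("begin Aggressive mode"):
            r["mode"] = "aggressive"
        elif msg.startswith("begin Identity Protection mode"):  # racoon's name for main mode
            r["mode"] = "main"
        elif msg.startswith("Selected NAT-T version: "):
            r["nat_t"] = msg[len("Selected NAT-T version: "):]
        elif RETRANSMIT_RE.search(msg):
            r["retransmits"] += 1
        elif msg.startswith("phase1 negotiation failed due to time up"):
            r["failed"] = True
    if r["failed"] and r["role"] == "responder" and r["retransmits"]:
        r["finding"] = (
            "The firewall answered the initiator's first packet, resent that reply "
            f"{r['retransmits']} time(s) and never saw the initiator's next message: "
            "the reply is not reaching the client or the client is discarding it. "
            "Check the return path (NAT and rules on both sides for UDP 500 and, with "
            f"NAT-T {r['nat_t'] or 'negotiated'}, UDP 4500) before changing proposals."
        )
    elif r["failed"]:
        r["finding"] = "Phase 1 timed out without the responder/retransmit pattern; read the full log."
    return r


if __name__ == "__main__":
    for key, value in diagnose(parse(SAMPLE_LOG)).items():
        print(f"{key:12} {value}")
```

Run it against a saved copy of the pfSense IPsec log to get the same summary; the useful discriminator is that a retransmit storm from the responder means the proposal was accepted far enough to answer, so port forwards and NAT on the path (both the double-pfSense hop here and the client's own gateway) are the first place to look.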



  • Disregard, I tried to connect from another connection, and it worked fine.

    I realized that my home pfSense firewall was the problem  :o



  • I ended up adapting the config as mentioned here: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    I now have nearly all devices working fine with pfSense, mobile and Windows with Shrew Soft.

    However, the Shrew Soft VPN client on Linux seems to be troublesome.  Sometimes, it does not add routes automatically.  I fixed this with a shell script.  However, another problem came up.  It will connect, but I cannot access the network from the client side.  From the network side, I can access my client workstation.  Very odd issues… I will keep trying and will post a solution if I get it going.  I see traffic moving both ways in the security association during the problems.

    The Windows client, iPad, mobile phone, etc. work perfectly every time.  I noticed that the Linux client is missing some options like dual DNS, which the Windows client has.  I really do not want to use my Windows VM for my VPN sessions, so I will continue to work on this problem and post information here.

    I have tried this setup on Ubuntu 10.10, 11.04, and 11.11.  I have also tried to pull configuration, and manually set the options.  The end result is that the client seems to be unreliable.



  • Hey Lint, I really need some help on this IPsec trek.
    Seems like we've followed the same guide.  Very similar setup,
    yet I'm banging my head on that other thread with no result.

    IPsec per se works fine, and I can test that from inside the WAN.
    The rules are added (though I hear mixed statements whether there already are hidden ones as one enables IPsec), and yet in my logs all UDP packets on port 500 are blocked.

    Am I missing something so obvious?



  • Fixed!

    Shrew works perfectly for me on Linux now.

    In summary, I had to disable spoof protection.

    Here is what I had to do in order to get it working:

    
    Modified /etc/sysctl.conf
    Modified /etc/sysctl.d/10-network-security.conf
    Changed .rp_filter=1 to .rp_filter=0 for all occurrences
    Rebooted
    
    

    I also posted more information on my website.

    All devices are now working through IPsec with PSK and XAuth.
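The fix above switches reverse-path filtering off everywhere. Strict mode (value 1) drops a packet that arrives on an interface the kernel would not itself use to reach the packet's source, which is exactly the asymmetric path a VPN virtual adapter can create. Two details are worth knowing before copying the edit: the kernel applies the higher of `net.ipv4.conf.all.rp_filter` and the interface's own key (new interfaces inherit `conf.default`), so changing only one of them has no effect; and value 2, loose mode, accepts such packets as long as the source is reachable by some route, which keeps part of the spoofing protection. The Python below is an added example, not from the post or from Shrew Soft: it rewrites every rp_filter line in a sysctl file the way the poster did but for any of the three values, and computes the effective mode for an interface under that kernel rule. The file contents are a constructed stand-in for Ubuntu's 10-network-security.conf and the interface name tap0 is an assumption.

```python
import re

# Constructed stand-in for /etc/sysctl.d/10-network-security.conf (the shape
# Ubuntu ships); not copied from the poster's system.
SAMPLE_CONF = """\
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Turn on SYN-flood protections
net.ipv4.tcp_syncookies=1
"""

MODES = {0: "off", 1: "strict", 2: "loose"}

# Matches one "net.ipv4.conf.<scope>.rp_filter = <0|1|2>" line; the scope is
# "all", "default" or an interface name.
RP_FILTER_RE = re.compile(
    r"^(?P<lhs>[ \t]*net\.ipv4\.conf\.(?P<scope>[^.\s]+)\.rp_filter[ \t]*=[ \t]*)"
    r"(?P<val>[0-2])(?P<trail>[ \t]*)$",
    re.MULTILINE,
)


def rp_filter_settings(conf_text):
    """Map scope -> value for every rp_filter line in the file."""
    return {m.group("scope"): int(m.group("val")) for m in RP_FILTER_RE.finditer(conf_text)}


def set_rp_filter(conf_text, value):
    """Return conf_text with every rp_filter line set to value (the post's edit, generalised)."""
    if value not in MODES:
        raise ValueError(f"rp_filter must be 0, 1 or 2, got {value!r}")
    return RP_FILTER_RE.sub(lambda m: f"{m.group('lhs')}{value}{m.group('trail')}", conf_text)


def effective_rp_filter(settings, iface):
    """Kernel rule: the stricter (higher) of conf.all and the interface's own key;
    an interface without its own key inherits conf.default when it is created."""
    own = settings.get(iface, settings.get("default", 0))
    return max(settings.get("all", 0), own)


def report(conf_text, iface):
    """One-line summary of what the kernel would enforce on iface for this file."""
    s = rp_filter_settings(conf_text)
    eff = effective_rp_filter(s, iface)
    return f"{iface}: rp_filter={eff} ({MODES[eff]}) from {s}"


if __name__ == "__main__":
    print(report(SAMPLE_CONF, "tap0"))                    # strict: blocks the asymmetric path
    print(report(set_rp_filter(SAMPLE_CONF, 2), "tap0"))  # loose: the middle ground to try first
    print(report(set_rp_filter(SAMPLE_CONF, 0), "tap0"))  # off: what the post did
```

Write the output of `set_rp_filter` back to each file that carries rp_filter lines (the post names both /etc/sysctl.conf and 10-network-security.conf) and reload with `sysctl --system`, or reboot as the poster did; `effective_rp_filter` applied to the live `sysctl -a` values tells you whether the change actually took for the VPN interface.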

