IPsec from iOS: "the vpn server did not respond"
-
Hello guys.
I followed verbatim the steps in the following guide to set up IPsec:
http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
From the iOS VPN client I get: "the vpn server did not respond"
In the logs I have:
Nov 21 22:01:38 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 21 22:04:38 racoon: INFO: unsupported PF_KEY message REGISTER
And on the Status->IPsec tab I have what's shown in the screenshot below.
I must be missing something huge.
![Screen shot 2011-11-21 at 22.11.39.png](/public/imported_attachments/1/Screen shot 2011-11-21 at 22.11.39.png)
-
Nov 21 22:01:38 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 21 22:04:38 racoon: INFO: unsupported PF_KEY message REGISTER
These are just info messages. Do you see any errors in the IPsec log?
Please post the entire log.
-
Hey Lint.
Here are some more logs:
Nov 22 00:03:50 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Nov 22 00:03:50 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Nov 22 00:03:50 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Nov 22 00:03:50 racoon: INFO: Resize address pool from 0 to 253
Nov 22 00:03:50 racoon: [Self]: INFO: 87.241.xx.xx[4500] used for NAT-T
Nov 22 00:03:50 racoon: [Self]: INFO: 87.241.xx.xx[4500] used as isakmp port (fd=14)
Nov 22 00:03:50 racoon: [Self]: INFO: 87.241.xx.xx[500] used for NAT-T
Nov 22 00:03:50 racoon: [Self]: INFO: 87.241.xx.xx[500] used as isakmp port (fd=15)
Nov 22 00:03:50 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 22 00:03:57 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 22 00:04:02 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 22 00:12:48 racoon: INFO: unsupported PF_KEY message REGISTER
This is all I get from racoon from the moment it starts.
As far as the PF_KEY message goes, indeed I found that out after I posted.
At this point my main problem is the yellow icon on the tunnel status.
As the documentation says: "A yellow icon indicates that the tunnel is not fully up and active." After setting it up verbatim as in the docs, on the IPsec Rules tab I created an allow-all rule.
But in the logs I see no activity from any attempted connection. My doubts are regarding the WAN rules.
On this box I also have OpenVPN (which works fine) and there is a rule to allow traffic on the specified port. After configuring IPsec I also tried opening UDP/500 and all ESP, but still I get nothing.
PS. The "the vpn server did not respond" message I now get from any device I try to connect with: iPhone, Mac, Linux box and so on. So I'm pretty sure that establishes a pattern.
-
UPDATE: IPsec and the tunnel seem to work fine per se, although the status icon remains yellow.
All this, though, when I'm inside my own network.
So this definitely indicates that the issue is the accessibility of the required ports from outside the network. Attached is a screenshot of the configured rules on my WAN interface,
and also a screenshot of the logs where the inbound requests are being blocked.
Any help would be appreciated.
![Screen shot 2011-11-23 at 11.05.53.png](/public/imported_attachments/1/Screen shot 2011-11-23 at 11.05.53.png)
![Screen shot 2011-11-23 at 16.17.52.png](/public/imported_attachments/1/Screen shot 2011-11-23 at 16.17.52.png)
-
Click the X on one of those log entries: which rule is blocking it?
The rules you show look fine assuming the interface IP of the COLT interface (as shown under Status>Interfaces) is the same as the destination IP shown in the firewall log, and that you don't have any rules above that or floating rules blocking things.
-
UPDATE: IPsec and the tunnel seem to work fine per se, although the status icon remains yellow.
Actually, I have not seen the indicator change status, even when connected. It could be broken. I have not tried to confirm this, but I will test another connection/firewall to determine what happens.
For this reason, focus on the SAD, SAP and logs tabs.
Like Chris mentioned, the rules look fine, but only if the gateway and interface are correct.
-
I checked and set up IPsec again this morning.
I have no other extra rules anywhere else, and the interface address is the one that's being blocked in the logs.
It's very frustrating also because OpenVPN and a bunch of NAT'ed ports work just fine from outside. I attach a screenshot of the rules for that interface and one of the rule that's blocking them: DENY ALL.
UPDATE: additionally, I just tested an ALLOW ANY rule from the destination IP towards the WAN, and they still get blocked by the Deny All rule, whilst everything else in the same table is fine.
Eeeeh, this is slowly becoming very frustrating.
![Screen shot 2011-11-24 at 10.07.35.png](/public/imported_attachments/1/Screen shot 2011-11-24 at 10.07.35.png)
![Screen shot 2011-11-24 at 10.08.37.png](/public/imported_attachments/1/Screen shot 2011-11-24 at 10.08.37.png)
-
Are those rules on the correct interface, the COLT interface? Your rules aren't right; there's not enough here to tell you why, though.
-
Resolved.
Here's the nitty-gritty.
A few days ago I had installed/uninstalled squid/lightsquid.
Lightsquid had not uninstalled properly and had the monitor hanging.
So none of the rules I was adding were getting written. I installed and uninstalled squid/lightsquid again.
Left the same rules again. IPsec now works.
Thank you all.
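The lesson of this thread is that rules visible in the pfSense GUI were never loaded into pf. The following added example (not from the thread or the pfSense project) checks the ruleset pf is actually running, as printed by `pfctl -sr`, for the three inbound pass rules a mobile IPsec server needs on the WAN interface; the interface name `em0`, the address 203.0.113.5 and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example. On the firewall, capture the live ruleset and check it:
#   pfctl -sr > /tmp/pf.rules && check_ipsec_rules /tmp/pf.rules em0
# "em0" and the sample ruleset below are assumptions, not values from the thread.

# check_ipsec_rules <file-with-pfctl-sr-output> <wan-ifname>
# Prints each missing rule; returns 0 only if UDP/500 (ISAKMP), UDP/4500
# (NAT-T) and ESP all have an inbound pass rule on the WAN interface.
check_ipsec_rules() {
    rules=$1; wan=$2; rc=0
    # pfctl -sr prints pf.conf syntax, one rule per line; ports may appear as
    # numbers or as /etc/services names, so both spellings are accepted.
    for spec in 'UDP/500 (ISAKMP);proto udp .*port = (500|isakmp)' \
                'UDP/4500 (NAT-T);proto udp .*port = (4500|ipsec-nat-t)' \
                'ESP;proto esp'; do
        label=${spec%%;*}; pattern=${spec#*;}
        if ! grep -Eq "^pass in .*on $wan .*$pattern" "$rules"; then
            echo "missing on $wan: inbound pass rule for $label"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of pfctl -sr output: the default deny, OpenVPN, and only
# two of the three IPsec rules (ESP is absent), mimicking a half-loaded ruleset.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
block drop in log all label "Default deny rule"
pass in quick on em0 inet proto udp from any to 203.0.113.5 port = openvpn keep state label "USER_RULE: OpenVPN"
pass in quick on em0 inet proto udp from any to 203.0.113.5 port = isakmp keep state label "USER_RULE: IPsec"
pass in quick on em0 inet proto udp from any to 203.0.113.5 port = 4500 keep state label "USER_RULE: NAT-T"
EOF
}

sample=$(mktemp)
write_sample_ruleset "$sample"
if check_ipsec_rules "$sample" em0; then
    echo "IPsec rules are loaded on em0"
else
    echo "IPsec rules are NOT fully loaded; the GUI is not what pf is running"
fi
rm -f "$sample"
```

If the GUI shows the rules but this check reports them missing, the filter reload itself failed, which is what the hung lightsquid package caused here.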