PfSense IPsec <-> Shrew: no configuration for …



  • I've had some success with an IPsec subnet-to-subnet VPN on a test network. However, getting a mobile client to work properly has been a dismal failure.

    I'm seeing the following in the IPsec log after attempting a connection with Shrew:

    Dec 6 22:00:57 racoon: ERROR: no configuration found for 172.31.254.70.
    Dec 6 22:00:57 racoon: ERROR: failed to begin ipsec sa negotication.
    
    

    From the Shrew side, everything seems fine. It doesn't complain at all. An interface appears with an appropriate IP address on the Windows box. However, pings to the remote network fail. Pings from the remote network back to the Shrew machine also fail.

    This seems similar to what was reported here:

    http://forum.pfsense.org/index.php/topic,34646.0.html

    As suggested in that topic, I've tried setting the Policy Generation to Unique and the Proposal Checking to Obey/Strict. Doing so gets Shrew to complain, but doesn't see pings working across the tunnel.

    This is pfSense 2.0-RELEASE and Shrew 2.1.7.

    Any ideas?



  • I should add that a subnet-subnet VPN is up and running on the same pfSense box on which I'm trying to get the mobile client connected too. Perhaps that introduces some issues.

    I've tried disabling NAT-T on one or both sides of this. No luck.

    I've had some success in figuring out how to get useful logging information out of Shrew. Under the IPsec tab, there is a complaint about ARP packets having malformed headers.



  • Here is what my System logs for IPsec say after clearing them and initiating a mobile connection from Shrew:

    Dec 7 17:28:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 172.31.254.12[500]<=>172.31.254.70[500]
    Dec 7 17:28:48 racoon: INFO: begin Aggressive mode.
    Dec 7 17:28:48 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 7 17:28:48 racoon: INFO: received Vendor ID: DPD
    Dec 7 17:28:48 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 7 17:28:48 racoon: [Self]: INFO: ISAKMP-SA established 172.31.254.12[500]-172.31.254.70[500] spi:943b4292f4972330:f1ac6235d9c1c459
    Dec 7 17:28:48 racoon: [172.31.254.70] INFO: received INITIAL-CONTACT
    Dec 7 17:28:48 racoon: INFO: purging spi=2911728847.
    Dec 7 17:28:48 racoon: INFO: purging spi=3576419775.
    Dec 7 17:28:48 racoon: INFO: purging spi=194100428.
    Dec 7 17:28:48 racoon: INFO: purging spi=237344003.
    Dec 7 17:28:48 racoon: INFO: Using port 0
    Dec 7 17:28:48 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Dec 7 17:28:53 racoon: [Self]: INFO: respond new phase 2 negotiation: 172.31.254.12[500]<=>172.31.254.70[500]
    Dec 7 17:28:53 racoon: INFO: Update the generated policy : 192.168.31.1/32[0] 192.168.32.0/24[0] proto=any dir=in
    Dec 7 17:28:53 racoon: [Self]: INFO: IPsec-SA established: ESP 172.31.254.12[500]->172.31.254.70[500] spi=4566013(0x45abfd)
    Dec 7 17:28:53 racoon: [Self]: INFO: IPsec-SA established: ESP 172.31.254.12[500]->172.31.254.70[500] spi=3540071851(0xd30135ab)
    Dec 7 17:28:53 racoon: ERROR: libipsec failed pfkey check (Invalid address family)



  • Just a few more details:

    This is all on a test network 172.31.254.0/24. I've got pfSense 2.0-RELEASE running on an Alix box with a WAN address of 172.31.254.12/24 acting as the VPN concentrator.  The LAN network is 192.168.32.0/24.

    Client is Windows Vista box running Shrew 2.1.7. It is getting an address via DHCP at 172.31.254.70.

    Since the two boxes are both on the same network, my assumption is that I don't need NAT-T. Perhaps that is wrong.

    As for firewalling, I've disabled Windows firewall on the Windows machine and added allow all rules on all of the pfSense box's interfaces, including IPsec.

    The symptoms are that the connection comes up, with neither pfSense or Shrew complaining, but the traffic doesn't flow.

    The client (Windows box running Shrew) is accessing the test network through a WAP… Perhaps that is causing a routing issue, but all looks well from the routing table on the Windows workstation.



  • I have exact the same problem.
    I've tried almost any setting… it connects, I get an IP from pfsense, but no traffic.

    Also the errors in pfsense are sometimes different (without any change in settings on both sites)

    Most of the times I get this error: racoon: ERROR: failed to begin ipsec sa negotication
    also this one: racoon: ERROR: no configuration found for x.x.x.x
    But sometimes a phase 2 error (but I allready got the IP from the pfsense box) this doesn't happen often.

    I got this error aswell: racoon: ERROR: libipsec failed pfkey check (Invalid address family)

    I have NAT-T enabled and opened port 4500 (UDP) in my firewall.

    What could be wrong?

    Is there a bug in IPSEC?

    BtwI have also some site-2-site tunnels running on the same box, those work fine.

    Only the mobile client is not working.


Log in to reply