Netgate Discussion Forum

    Android 4.0.X, Ice Cream Sandwich to pfSense

      sasl

      Hi @ll,

      I tried the following: IPsec Xauth PSK (IP Server Setup & Client Setup: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0)
      Still no luck :-(
      The last entry in the IPsec log is: login succeeded for user "vpn". OK, the user is OK, but what does this mean:
      racoon: INFO: NAT-D payload #1 doesn't match

      Here is the full log (IPs changed, so don't be confused about the non-matching IPs)

      
      May 17 13:07:58 	racoon: [1.2.1.71] INFO: DPD: remote (ISAKMP-SA spi=1e00add3ca021995:137bacd5a3eaf441) seems to be dead.
      May 17 13:07:58 	racoon: INFO: purging ISAKMP-SA spi=1e00add3ca021995:137bacd5a3eaf441:00008ff2.
      May 17 13:07:58 	racoon: INFO: purged ISAKMP-SA spi=1e00add3ca021995:137bacd5a3eaf441:00008ff2.
      May 17 13:07:58 	racoon: [Self]: INFO: ISAKMP-SA deleted 8.2.2.7[4500]-1.2.1.1[30114] spi:1e00add3ca021995:137bacd5a3eaf441
      May 17 13:07:58 	racoon: INFO: Released port 0
      May 17 13:08:03 	racoon: [Self]: INFO: respond new phase 1 negotiation: 8.2.2.7[500]<=>1.2.1.71[30148]
      May 17 13:08:03 	racoon: INFO: begin Aggressive mode.
      May 17 13:08:03 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      May 17 13:08:03 	racoon: INFO: received Vendor ID: RFC 3947
      May 17 13:08:03 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      May 17 13:08:03 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      May 17 13:08:03 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      May 17 13:08:03 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      May 17 13:08:03 	racoon: INFO: received Vendor ID: CISCO-UNITY
      May 17 13:08:03 	racoon: INFO: received Vendor ID: DPD
      May 17 13:08:03 	racoon: [1.2.1.1] INFO: Selected NAT-T version: RFC 3947
      May 17 13:08:03 	racoon: INFO: Adding remote and local NAT-D payloads.
      May 17 13:08:03 	racoon: [1.2.1.1] INFO: Hashing 1.2.1.1[30148] with algo #2
      May 17 13:08:03 	racoon: [Self]: [8.2.2.7] INFO: Hashing 8.2.2.5[500] with algo #2
      May 17 13:08:03 	racoon: INFO: Adding xauth VID payload.
      May 17 13:08:03 	racoon: [Self]: INFO: NAT-T: ports changed to: 1.2.1.7[30114]<->8.2.2.5[4500]
      May 17 13:08:03 	racoon: [Self]: [84.227.229.75] INFO: Hashing 8.2.2.5[4500] with algo #2
      May 17 13:08:03 	racoon: INFO: NAT-D payload #0 verified
      May 17 13:08:03 	racoon: [194.230.159.71] INFO: Hashing 1.2.1.1[30114] with algo #2
      May 17 13:08:03 	racoon: INFO: NAT-D payload #1 doesn't match
      May 17 13:08:03 	racoon: INFO: NAT detected: PEER
      May 17 13:08:03 	racoon: INFO: Sending Xauth request
      May 17 13:08:03 	racoon: [Self]: INFO: ISAKMP-SA established 8.2.2.5[4500]-1.2.1.1[30114] spi:84561ca2af4f4dd6:35882d27fc8536ef
      May 17 13:08:03 	racoon: [194.230.159.71] INFO: received INITIAL-CONTACT
      May 17 13:08:03 	racoon: INFO: Using port 0
      May 17 13:08:03 	racoon: INFO: login succeeded for user "vpn"
      

      Anybody got it working? Any ideas how to solve this or is there a workaround?

      Regards from Switzerland
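
The NAT-D lines in the log above, reproduced as an added example (not part of the original post and not racoon's code): RFC 3947 defines each NAT-D payload as HASH(CKY-I | CKY-R | IP | Port), and the responder compares the peer's payloads with the addresses it actually sees on the wire. Assumptions: "algo #2" is taken to be SHA-1, and the phone's private address `10.0.0.23:4500` is constructed; the cookies and public endpoints are the ones shown in the log.

```python
import hashlib
import ipaddress

def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption based on the log's "algo #2"."""
    packed = ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(cky_i + cky_r + packed).digest()

def check_nat_d(cky_i, cky_r, payloads, local, observed_peer):
    """Responder-side comparison of the peer's NAT-D payloads.
    payloads[0] hashes the address the peer sent to (our side);
    payloads[1] hashes the address the peer believes it sent from.
    Each is compared with what the responder sees on the wire."""
    seen = [nat_d_hash(cky_i, cky_r, *local),
            nat_d_hash(cky_i, cky_r, *observed_peer)]
    results = ["verified" if p == s else "doesn't match"
               for p, s in zip(payloads, seen)]
    behind_nat = set()
    if results[0] != "verified":
        behind_nat.add("ME")      # our own address was rewritten in transit
    if results[1] != "verified":
        behind_nat.add("PEER")    # the peer's source address was rewritten
    return results, behind_nat

# Cookies from the "ISAKMP-SA established" log line in the post.
CKY_I = bytes.fromhex("84561ca2af4f4dd6")
CKY_R = bytes.fromhex("35882d27fc8536ef")
LOCAL = ("8.2.2.5", 4500)            # pfSense side, as logged
OBSERVED_PEER = ("1.2.1.1", 30114)   # phone as seen after NAT, as logged
PHONE_PRIVATE = ("10.0.0.23", 4500)  # constructed: phone's own pre-NAT address

def phone_payloads(own_address=PHONE_PRIVATE):
    """What the phone would send: hashes over its own view of both ends."""
    return [nat_d_hash(CKY_I, CKY_R, *LOCAL),
            nat_d_hash(CKY_I, CKY_R, *own_address)]

if __name__ == "__main__":
    results, behind_nat = check_nat_d(CKY_I, CKY_R, phone_payloads(),
                                      LOCAL, OBSERVED_PEER)
    for i, outcome in enumerate(results):
        print(f"NAT-D payload #{i} {outcome}")
    print("NAT detected:", " ".join(sorted(behind_nat)) or "none")
```

A mismatch on payload #1 is how the responder learns the peer is behind NAT, which matches the following "NAT detected: PEER" line; the same log then shows the ISAKMP-SA established and the Xauth login succeeding.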

        sasl

        Great News :)

        Found a VPN Client which works with IPsec Xauth PSK -> VpnCilla (from Playstore)

          jimp Rebel Alliance Developer Netgate

          OpenVPN client for ICS also works :-)
          No root required:
          https://play.google.com/store/apps/details?id=de.blinkt.openvpn

          I have ICS on my Transformer Prime, and so far I haven't managed to get a working IPsec connection from there. Though I do get one on my Droid X and Droid RAZR. Hopefully the RAZR gets ICS soonish so I'll have an additional data point for 4.0…

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            jimp Rebel Alliance Developer Netgate

            Made a liar out of myself just now… Attempted an IPsec PSK+Xauth connection again and it worked.

            Perhaps one of the several firmware updates since the last time I tried it made it work.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.