IPSec with iPod worked before now it's not…



  • My IPSec stopped working. So I reviewed the various guides and double checked everything. On my mobile device I get the message authentication failed.
    Here are the log files.
    Jul 28 20:46:19 racoon: [Self]: INFO: respond new phase 1 negotiation: 74.47.185.227[500]<=>61.148.255.138[500]
    Jul 28 20:46:19 racoon: INFO: begin Aggressive mode.
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: RFC 3947
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jul 28 20:46:19 racoon: INFO: received Vendor ID: DPD
    Jul 28 20:46:19 racoon: [61.148.255.138] INFO: Selected NAT-T version: RFC 3947
    Jul 28 20:46:19 racoon: INFO: Adding remote and local NAT-D payloads.
    Jul 28 20:46:19 racoon: [61.148.255.138] INFO: Hashing 61.148.255.138[500] with algo #2
    Jul 28 20:46:19 racoon: [Self]: [74.47.185.227] INFO: Hashing 74.47.185.227[500] with algo #2
    Jul 28 20:46:19 racoon: INFO: Adding xauth VID payload.
    Jul 28 20:46:19 racoon: [Self]: INFO: NAT-T: ports changed to: 61.148.255.138[4500]<->74.47.185.227[4500]
    Jul 28 20:46:19 racoon: [Self]: [74.47.185.227] INFO: Hashing 74.47.185.227[4500] with algo #2
    Jul 28 20:46:19 racoon: INFO: NAT-D payload #0 verified
    Jul 28 20:46:19 racoon: [61.148.255.138] INFO: Hashing 61.148.255.138[4500] with algo #2
    Jul 28 20:46:19 racoon: INFO: NAT-D payload #1 doesn't match
    Jul 28 20:46:19 racoon: [61.148.255.138] ERROR: notification INITIAL-CONTACT received in aggressive exchange.B
    Jul 28 20:46:19 racoon: INFO: NAT detected: PEER
    Jul 28 20:46:19 racoon: INFO: Sending Xauth request
    Jul 28 20:46:19 racoon: [Self]: INFO: ISAKMP-SA established 74.47.185.227[4500]-61.148.255.138[4500] spi:5ae68325adff41e3:aada1db07c03b37c
    Jul 28 20:46:20 racoon: INFO: Using port 0
    Jul 28 20:46:20 racoon: INFO: login succeeded for user "remote"

    That last line seems to me like it should work? Not sure what else to do. My PPTP VPN works (although I can't tunnel outside the home network) and OpenVPN works too.

    Ideas? Not sure how to post the conf file as all I have is an iPod to work on.



  • 88 views and not 1 suggestion?

    I did some more testing and I've found that each time I try and connect the VPN service crashes!

    I VPN in through PPTP and restart the service
    Disconnect my PPTP connection
    Try and connect using IPsec
    On my iPod I get "authentication failed" message
    I reconnect using PPTP
    And view the system log below

    Last 50 system log entries
    Aug 4 20:29:42 syslogd: kernel boot file is /boot/kernel/kernel
    Aug 4 20:32:01 php: /status_services.php: Forcefully reloading IPsec racoon daemon
    Aug 4 20:32:11 php: /status_services.php: Forcefully reloading IPsec racoon daemon
    Aug 4 20:35:25 kernel: pid 33182 (racoon), uid 0: exited on signal 11 (core dumped)

    This is an AMD64 2.0 release build.

    Does anybody have any questions, suggestions, requests for other data/logs?
    Just tell me what/where and I'll post it
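Reading the two logs above together (phase 1 and the XAuth login succeed, then racoon exits on signal 11), here is an added triage script, not from the thread or from pfSense, that parses racoon and kernel syslog lines of this shape and reports where to look first; the sample lines are constructed and the field names are my own.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon/kernel lines in this thread (RFC 5737 addresses, one attempt).
SAMPLE_LOG = """\
Jul 28 20:46:19 racoon: INFO: begin Aggressive mode.
Jul 28 20:46:19 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[4500] spi:0011223344556677:8899aabbccddeeff
Jul 28 20:46:20 racoon: INFO: login succeeded for user "remote"
Jul 28 20:46:23 kernel: pid 33182 (racoon), uid 0: exited on signal 11 (core dumped)
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?): (.*)$")
EVENTS = {  # first pattern that matches names the event for a line
    "aggressive": re.compile(r"begin Aggressive mode"),
    "isakmp_sa": re.compile(r"ISAKMP-SA established"),
    "xauth_ok": re.compile(r'login succeeded for user "([^"]+)"'),
    "crash": re.compile(r"pid (\d+) \(racoon\), uid \d+: exited on signal (\d+)"),
}

def parse(log):  # yields (timestamp, event name, regex match) for each recognised line
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog omits the year
        for name, rx in EVENTS.items():
            hit = rx.search(m.group(3))
            if hit:
                yield ts, name, hit
                break

def triage(log):  # summarise one connection attempt and say where to look first
    first = {}
    for ts, name, hit in parse(log):
        first.setdefault(name, (ts, hit))  # keep the earliest occurrence of each event
    s = {
        "phase1_established": "isakmp_sa" in first,
        "aggressive_mode": "aggressive" in first,  # identity is sent unencrypted in aggressive mode
        "xauth_user": first["xauth_ok"][1].group(1) if "xauth_ok" in first else None,
        "crash_signal": int(first["crash"][1].group(2)) if "crash" in first else None,
        "diagnosis": "negotiation and login look healthy",
    }
    if not s["phase1_established"]:
        s["diagnosis"] = "phase 1 never established: check pre-shared key, identifier and proposals"
    elif s["xauth_user"] is None:
        s["diagnosis"] = "phase 1 is up but XAuth never succeeded: check user name and password"
    elif s["crash_signal"] is not None:
        s["seconds_login_to_crash"] = (first["crash"][0] - first["xauth_ok"][0]).total_seconds()
        s["diagnosis"] = "racoon died after a successful XAuth login: suspect a daemon bug, not credentials"
    return s
```

A client-side "authentication failed" with a successful server-side login followed by a crash points at the daemon, which is what the poster observed.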



  • Could you try testing this with pfSense 2.1-BETA?

    There have been a number of patches applied to ipsec-tools 0.8.0 (although several more patches have been committed to the ipsec-tools tree http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/crypto/dist/ipsec-tools/src/ that haven't made it into pfSense yet)

    PS: You could also run racoon in high verbosity mode and check the discussions in
    http://sourceforge.net/mailarchive/forum.php?forum_name=ipsec-tools-commits

