Different 3G APN: one works, other doesn't



  • Hello,

    I'm having issues with an ipsec VPN over 3G with TIM Italy mobile carrier.

    Log when using working APN wap.tim.it

    
    Oct 5 17:22:43 	racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>217.200.185.88[500]
    Oct 5 17:22:43 	racoon: INFO: begin Aggressive mode.
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: RFC 3947
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 5 17:22:43 	racoon: INFO: received Vendor ID: DPD
    Oct 5 17:22:43 	racoon: [217.200.185.88] INFO: Selected NAT-T version: RFC 3947
    Oct 5 17:22:43 	racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 5 17:22:43 	racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[500] with algo #2
    Oct 5 17:22:43 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
    Oct 5 17:22:43 	racoon: INFO: Adding xauth VID payload.
    Oct 5 17:22:44 	racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
    Oct 5 17:22:44 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[4500] with algo #2
    Oct 5 17:22:44 	racoon: INFO: NAT-D payload #0 verified
    Oct 5 17:22:44 	racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[4500] with algo #2
    Oct 5 17:22:44 	racoon: INFO: NAT-D payload #1 doesn't match
    Oct 5 17:22:44 	racoon: [217.200.185.88] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Oct 5 17:22:44 	racoon: INFO: NAT detected: PEER
    Oct 5 17:22:44 	racoon: INFO: Sending Xauth request
    Oct 5 17:22:44 	racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
    Oct 5 17:22:44 	racoon: INFO: Using port 0
    Oct 5 17:22:44 	racoon: INFO: login succeeded for user "bruno"
    Oct 5 17:22:45 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Oct 5 17:22:45 	racoon: ERROR: Cannot open "/etc/motd"
    Oct 5 17:22:45 	racoon: WARNING: Ignored attribute 28683
    Oct 5 17:22:45 	racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[4500]<=>217.200.185.88[4500]
    Oct 5 17:22:45 	racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Oct 5 17:22:45 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Oct 5 17:22:45 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Oct 5 17:22:46 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
    Oct 5 17:22:46 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=40106304(0x263f940)
    
    

    Log when using NON working APN ibox.tim.it

    
    Oct 5 17:26:18 	racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
    Oct 5 17:26:18 	racoon: INFO: begin Aggressive mode.
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: RFC 3947
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 5 17:26:18 	racoon: INFO: received Vendor ID: DPD
    Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Selected NAT-T version: RFC 3947
    Oct 5 17:26:18 	racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
    Oct 5 17:26:18 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
    Oct 5 17:26:18 	racoon: INFO: Adding xauth VID payload.
    Oct 5 17:26:18 	racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
    Oct 5 17:26:18 	racoon: INFO: NAT-D payload #0 verified
    Oct 5 17:26:18 	racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
    Oct 5 17:26:18 	racoon: INFO: NAT-D payload #1 verified
    Oct 5 17:26:18 	racoon: [2.193.139.251] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Oct 5 17:26:18 	racoon: INFO: NAT not detected
    Oct 5 17:26:18 	racoon: INFO: Sending Xauth request
    Oct 5 17:26:18 	racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
    Oct 5 17:26:18 	racoon: INFO: Using port 0
    Oct 5 17:26:18 	racoon: INFO: login succeeded for user "bruno"
    Oct 5 17:26:18 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Oct 5 17:26:18 	racoon: ERROR: Cannot open "/etc/motd"
    Oct 5 17:26:18 	racoon: WARNING: Ignored attribute 28683
    Oct 5 17:26:18 	racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
    Oct 5 17:26:18 	racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Oct 5 17:26:19 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
    Oct 5 17:26:19 	racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=21759015(0x14c0427)
    Oct 5 17:26:19 	racoon: ERROR: no configuration found for 2.193.139.251.
    Oct 5 17:26:19 	racoon: ERROR: failed to begin ipsec sa negotication.
    Oct 5 17:26:27 	racoon: ERROR: no configuration found for 2.193.139.251.
    Oct 5 17:26:27 	racoon: ERROR: failed to begin ipsec sa negotication.
    Oct 5 17:26:39 	racoon: ERROR: no configuration found for 2.193.139.251.
    Oct 5 17:26:39 	racoon: ERROR: failed to begin ipsec sa negotication.
    Oct 5 17:26:40 	racoon: ERROR: no configuration found for 2.193.139.251.
    Oct 5 17:26:40 	racoon: ERROR: failed to begin ipsec sa negotication.
    
    

    The only difference I notice is about NAT, "Oct 5 17:22:44 racoon: INFO: NAT detected: PEER" vs "Oct 5 17:26:18 racoon: INFO: NAT not detected", and the IP ranges being completely different.

    Could it be something wrong on the pfSense box? I can't find anything on Google related to the carrier and IPsec limitations on that APN. All devices tested were Apple, BTW (iPad 3 with iOS 6, iPhone 4S with iOS 5.1.1).

    Thanks
    B
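A small log triage script, added here as an example and not part of the original thread, that reduces the two racoon logs quoted above to the fields worth comparing side by side: the NAT detection result, the port the ISAKMP-SA ended up on (4500 means NAT-T encapsulation is in use), the number of IPsec-SAs, and any phase-2 errors. The embedded excerpts are trimmed from the post's own logs, and the "consider forcing NAT-T" heuristic is my reading of this thread, not a rule from racoon or pfSense.

```python
import re

# Constructed excerpts, trimmed from the two racoon logs quoted in the post above.
WORKING_LOG = """\
Oct 5 17:22:44 racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
Oct 5 17:22:44 racoon: INFO: NAT detected: PEER
Oct 5 17:22:44 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
Oct 5 17:22:46 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
"""
BROKEN_LOG = """\
Oct 5 17:26:18 racoon: INFO: NAT not detected
Oct 5 17:26:18 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
Oct 5 17:26:19 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
Oct 5 17:26:19 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:19 racoon: ERROR: failed to begin ipsec sa negotication.
"""

NAT_RE = re.compile(r"INFO: NAT (detected: (\w+)|not detected)")
ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+?)\[(\d+)\]-(\S+?)\[(\d+)\]")
ERROR_RE = re.compile(r"racoon: ERROR: (.*)")


def summarize(log: str) -> dict:
    """Reduce one racoon log to the handful of fields worth diffing between runs."""
    summary = {"nat": None, "isakmp_port": None, "ipsec_sa": 0, "errors": []}
    for line in log.splitlines():
        m = NAT_RE.search(line)
        if m:
            summary["nat"] = m.group(2) or "none"   # "PEER", "ME", "BOTH" or "none"
        m = ISAKMP_RE.search(line)
        if m:
            summary["isakmp_port"] = int(m.group(4))  # peer port: 4500 => NAT-T encapsulation
        if "IPsec-SA established" in line:
            summary["ipsec_sa"] += 1
        m = ERROR_RE.search(line)
        if m:
            summary["errors"].append(m.group(1).strip())
    return summary


def needs_forced_natt(summary: dict) -> bool:
    """Heuristic from this thread (an assumption, not a racoon rule): phase 2 failing
    with 'no configuration found' right after 'NAT not detected' on plain UDP/500."""
    return (summary["nat"] == "none" and summary["isakmp_port"] == 500
            and any("no configuration found" in e for e in summary["errors"]))


if __name__ == "__main__":
    for apn, log in (("wap.tim.it", WORKING_LOG), ("ibox.tim.it", BROKEN_LOG)):
        s = summarize(log)
        print(apn, s, "-> consider NAT Traversal: Force" if needs_forced_natt(s) else "-> ok")
```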



  • Setting NAT Traversal to Force in Phase 1 seems to have fixed the issue for now.
