Different 3G APN: one works, other doesn't
-
Hello,
I'm having issues with an IPsec VPN over 3G with the TIM Italy mobile carrier.
Log when using working APN wap.tim.it
Oct 5 17:22:43 racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>217.200.185.88[500]
Oct 5 17:22:43 racoon: INFO: begin Aggressive mode.
Oct 5 17:22:43 racoon: INFO: received Vendor ID: RFC 3947
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 5 17:22:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 5 17:22:43 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 5 17:22:43 racoon: INFO: received Vendor ID: DPD
Oct 5 17:22:43 racoon: [217.200.185.88] INFO: Selected NAT-T version: RFC 3947
Oct 5 17:22:43 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 5 17:22:43 racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[500] with algo #2
Oct 5 17:22:43 racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
Oct 5 17:22:43 racoon: INFO: Adding xauth VID payload.
Oct 5 17:22:44 racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
Oct 5 17:22:44 racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[4500] with algo #2
Oct 5 17:22:44 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:22:44 racoon: [217.200.185.88] INFO: Hashing 217.200.185.88[4500] with algo #2
Oct 5 17:22:44 racoon: INFO: NAT-D payload #1 doesn't match
Oct 5 17:22:44 racoon: [217.200.185.88] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 5 17:22:44 racoon: INFO: NAT detected: PEER
Oct 5 17:22:44 racoon: INFO: Sending Xauth request
Oct 5 17:22:44 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
Oct 5 17:22:44 racoon: INFO: Using port 0
Oct 5 17:22:44 racoon: INFO: login succeeded for user "bruno"
Oct 5 17:22:45 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 5 17:22:45 racoon: ERROR: Cannot open "/etc/motd"
Oct 5 17:22:45 racoon: WARNING: Ignored attribute 28683
Oct 5 17:22:45 racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[4500]<=>217.200.185.88[4500]
Oct 5 17:22:45 racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Oct 5 17:22:45 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 5 17:22:45 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 5 17:22:46 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
Oct 5 17:22:46 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=40106304(0x263f940)
Log when using the NON-working APN ibox.tim.it
Oct 5 17:26:18 racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
Oct 5 17:26:18 racoon: INFO: begin Aggressive mode.
Oct 5 17:26:18 racoon: INFO: received Vendor ID: RFC 3947
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 5 17:26:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 5 17:26:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 5 17:26:18 racoon: INFO: received Vendor ID: DPD
Oct 5 17:26:18 racoon: [2.193.139.251] INFO: Selected NAT-T version: RFC 3947
Oct 5 17:26:18 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 5 17:26:18 racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
Oct 5 17:26:18 racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
Oct 5 17:26:18 racoon: INFO: Adding xauth VID payload.
Oct 5 17:26:18 racoon: [Self]: [78.x.x.x] INFO: Hashing 78.x.x.x[500] with algo #2
Oct 5 17:26:18 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:26:18 racoon: [2.193.139.251] INFO: Hashing 2.193.139.251[500] with algo #2
Oct 5 17:26:18 racoon: INFO: NAT-D payload #1 verified
Oct 5 17:26:18 racoon: [2.193.139.251] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 5 17:26:18 racoon: INFO: NAT not detected
Oct 5 17:26:18 racoon: INFO: Sending Xauth request
Oct 5 17:26:18 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
Oct 5 17:26:18 racoon: INFO: Using port 0
Oct 5 17:26:18 racoon: INFO: login succeeded for user "bruno"
Oct 5 17:26:18 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 5 17:26:18 racoon: ERROR: Cannot open "/etc/motd"
Oct 5 17:26:18 racoon: WARNING: Ignored attribute 28683
Oct 5 17:26:18 racoon: [Self]: INFO: respond new phase 2 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
Oct 5 17:26:18 racoon: INFO: no policy found, try to generate the policy : 192.168.4.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Oct 5 17:26:19 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
Oct 5 17:26:19 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=21759015(0x14c0427)
Oct 5 17:26:19 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:19 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 5 17:26:27 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:27 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 5 17:26:39 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:39 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 5 17:26:40 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:40 racoon: ERROR: failed to begin ipsec sa negotication.
The only difference I notice is about NAT, "Oct 5 17:22:44 racoon: INFO: NAT detected: PEER" vs "Oct 5 17:26:18 racoon: INFO: NAT not detected", and the IP ranges being completely different.
Could it be something wrong on the pfSense box? I can't find anything on Google related to the carrier and IPsec limitations on that APN. All devices tested were Apple, BTW (iPad 3 iOS 6, iPhone 4S iOS 5.1.1).
Thanks,
B
-
Setting NAT Traversal to Force in Phase 1 seems to have fixed the issue for now.
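As an added example that is not part of the original thread, here is a small Python triage script that parses the two racoon excerpts above (one entry per line) and pulls out the fields that matter for a NAT-T problem: the NAT-D verification results, whether racoon concluded "NAT detected" or "NAT not detected", which UDP ports the ISAKMP-SA ended up on (500 vs 4500), and whether any "no configuration found for <peer>" errors followed the IPsec-SA. The sample log text is trimmed from the excerpts posted above; the function names (`diagnose`, `compare`) and the regular expressions are my own and are not part of racoon or pfSense.

```python
import re
from typing import Dict, List

# Constructed sample: trimmed copies of the two racoon excerpts from the post, one entry per line.
WORKING_APN_LOG = """\
Oct 5 17:22:43 racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>217.200.185.88[500]
Oct 5 17:22:43 racoon: [217.200.185.88] INFO: Selected NAT-T version: RFC 3947
Oct 5 17:22:44 racoon: [Self]: INFO: NAT-T: ports changed to: 217.200.185.88[4500]<->78.x.x.x[4500]
Oct 5 17:22:44 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:22:44 racoon: INFO: NAT-D payload #1 doesn't match
Oct 5 17:22:44 racoon: INFO: NAT detected: PEER
Oct 5 17:22:44 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[4500]-217.200.185.88[4500] spi:dbc7d12874709ade:220e093d69d2ec6a
Oct 5 17:22:45 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 5 17:22:46 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->217.200.185.88[500] spi=86628296(0x529d7c8)
"""

BROKEN_APN_LOG = """\
Oct 5 17:26:18 racoon: [Self]: INFO: respond new phase 1 negotiation: 78.x.x.x[500]<=>2.193.139.251[500]
Oct 5 17:26:18 racoon: [2.193.139.251] INFO: Selected NAT-T version: RFC 3947
Oct 5 17:26:18 racoon: INFO: NAT-D payload #0 verified
Oct 5 17:26:18 racoon: INFO: NAT-D payload #1 verified
Oct 5 17:26:18 racoon: INFO: NAT not detected
Oct 5 17:26:18 racoon: [Self]: INFO: ISAKMP-SA established 78.x.x.x[500]-2.193.139.251[500] spi:737f70dbffde31f9:5175dd43cc5ce5d4
Oct 5 17:26:19 racoon: [Self]: INFO: IPsec-SA established: ESP 78.x.x.x[500]->2.193.139.251[500] spi=236400927(0xe17311f)
Oct 5 17:26:19 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:19 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 5 17:26:27 racoon: ERROR: no configuration found for 2.193.139.251.
Oct 5 17:26:27 racoon: ERROR: failed to begin ipsec sa negotication.
"""

# Skip the syslog timestamp and any bracketed context tags ("[Self]:", "[1.2.3.4]") that
# racoon prints before the level; keep the level and the message.
LINE_RE = re.compile(r"racoon: (?:\[[^\]]*\]:? )*(INFO|WARNING|ERROR): (.*)$")
ISAKMP_RE = re.compile(r"ISAKMP-SA established \S+\[(\d+)\]-(\S+)\[(\d+)\]")
NOCONF_RE = re.compile(r"no configuration found for (\S+?)\.?$")


def diagnose(log_text: str) -> Dict[str, object]:
    """Summarise one racoon negotiation from the NAT-T point of view."""
    result: Dict[str, object] = {
        "nat_detected": None,        # "PEER", "ME", "BOTH" or "none" once racoon decides
        "natd_verified": 0,          # NAT-D hashes that matched (no NAT on that side)
        "natd_mismatch": 0,          # NAT-D hashes that did not match (NAT on that side)
        "isakmp_local_port": None,   # 500 = plain IKE, 4500 = NAT-T encapsulation
        "isakmp_peer": None,
        "isakmp_peer_port": None,
        "phase1_ok": False,
        "phase2_ok": False,
        "phase2_noconf_peers": [],   # peers racoon later had "no configuration" for
    }
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        level, msg = m.groups()
        if msg.startswith("NAT-D payload"):
            if msg.endswith("verified"):
                result["natd_verified"] += 1
            elif msg.endswith("doesn't match"):
                result["natd_mismatch"] += 1
        elif msg == "NAT not detected":
            result["nat_detected"] = "none"
        elif msg.startswith("NAT detected: "):
            result["nat_detected"] = msg[len("NAT detected: "):]
        elif msg.startswith("ISAKMP-SA established"):
            im = ISAKMP_RE.search(msg)
            if im:
                result["phase1_ok"] = True
                result["isakmp_local_port"] = int(im.group(1))
                result["isakmp_peer"] = im.group(2)
                result["isakmp_peer_port"] = int(im.group(3))
        elif msg.startswith("IPsec-SA established"):
            result["phase2_ok"] = True
        elif level == "ERROR":
            nm = NOCONF_RE.search(msg)
            if nm and nm.group(1) not in result["phase2_noconf_peers"]:
                result["phase2_noconf_peers"].append(nm.group(1))
    return result


def compare(working: Dict[str, object], broken: Dict[str, object]) -> List[str]:
    """Return the NAT-T-relevant differences between a good and a bad negotiation."""
    findings = []
    for key in ("nat_detected", "isakmp_local_port", "isakmp_peer_port", "natd_mismatch"):
        if working[key] != broken[key]:
            findings.append(f"{key}: working={working[key]!r} broken={broken[key]!r}")
    if broken["phase2_ok"] and broken["phase2_noconf_peers"]:
        findings.append("broken: IPsec-SA was installed, but racoon then reports no configuration for "
                        + ", ".join(broken["phase2_noconf_peers"]))
    return findings


if __name__ == "__main__":
    for finding in compare(diagnose(WORKING_APN_LOG), diagnose(BROKEN_APN_LOG)):
        print(finding)
```

Run against the two excerpts, the script reports that on the working APN one NAT-D hash mismatched, racoon concluded "NAT detected: PEER" and moved the ISAKMP-SA to UDP/4500, while on ibox.tim.it both NAT-D hashes verified, racoon concluded "NAT not detected", stayed on UDP/500, and then logged "no configuration found for 2.193.139.251" after the IPsec-SA. That matches the follow-up: in racoon.conf terms the pfSense Phase 1 "NAT Traversal: Force" setting is `nat_traversal force;` in the remote block, which makes racoon use UDP/4500 encapsulation even when the NAT-D exchange detects no NAT.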