    IPSEC ShrewSoft VPN Woes

    IPsec | 10 Posts | 4 Posters | 9.5k Views
    Sacrilegious

      Hello Chaps,

      Firstly I would like to thank you for making an ace product and those that contribute with the awesome guides.

      I am in the process of replacing my Cisco 1841 with a pfSense'd Watchguard x750e, due to the Cisco not being able to NAT and do packet inspection beyond 40Mb.

      I have become a bit stuck in my efforts to get an IPsec VPN set up. From the logs it is evident that the Shrew Soft VPN configuration is incorrect; my iPad can VPN with no problems, being able to ping all of the remote LAN and browse the internet through the VPN.

      I can connect with my Shrew Soft VPN connection, but I am unable to ping the pfSense box, or any machines on the LAN. Would anyone be kind enough to offer some advice as to why this may be?

      Successful VPN connect and disconnect with IPAD:

      Oct 24 10:40:54 racoon: INFO: Released port 0
      Oct 24 10:40:54 racoon: [Self]: INFO: ISAKMP-SA deleted PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
      Oct 24 10:40:54 racoon: INFO: purged ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
      Oct 24 10:40:54 racoon: INFO: purged IPsec-SA spi=147830056.
      Oct 24 10:40:54 racoon: INFO: purging ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
      Oct 24 10:40:54 racoon: INFO: purged IPsec-SA proto_id=ESP spi=199313569.
      Oct 24 10:40:54 racoon: INFO: deleting a generated policy.
      Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=199313569(0xbe148a1)
      Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=147830056(0x8cfb528)
      Oct 24 10:40:36 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Oct 24 10:40:36 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Oct 24 10:40:36 racoon: INFO: no policy found, try to generate the policy : 10.173.201.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      Oct 24 10:40:36 racoon: [Self]: INFO: respond new phase 2 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[4500]
      Oct 24 10:40:36 racoon: WARNING: Ignored attribute 28683
      Oct 24 10:40:36 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Oct 24 10:40:35 racoon: INFO: login succeeded for user "VPN_NG"
      Oct 24 10:40:35 racoon: INFO: Using port 0
      Oct 24 10:40:31 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
      Oct 24 10:40:31 racoon: INFO: Sending Xauth request
      Oct 24 10:40:31 racoon: INFO: NAT detected: ME PEER
      Oct 24 10:40:31 racoon: [CLIENT_ADD] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Oct 24 10:40:31 racoon: INFO: NAT-D payload #1 doesn't match
      Oct 24 10:40:31 racoon: INFO: NAT-D payload #0 doesn't match
      Oct 24 10:40:31 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[4500]<->PFSENSE_PUBLIC_ADD[4500]
      Oct 24 10:40:31 racoon: INFO: Adding xauth VID payload.
      Oct 24 10:40:31 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
      Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
      Oct 24 10:40:31 racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: DPD
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Oct 24 10:40:31 racoon: INFO: received Vendor ID: RFC 3947
      Oct 24 10:40:31 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Oct 24 10:40:31 racoon: INFO: begin Aggressive mode.
      Oct 24 10:40:31 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

      ShrewSoft:

      Oct 24 10:46:51 racoon: WARNING: Short payload
      Oct 24 10:46:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
      Oct 24 10:46:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
      Oct 24 10:46:46 racoon: WARNING: Short payload
      Oct 24 10:46:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
      Oct 24 10:46:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
      Oct 24 10:46:46 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:cda024940f8fa319:b5bac1a5968617ca
      Oct 24 10:46:46 racoon: INFO: Sending Xauth request
      Oct 24 10:46:46 racoon: INFO: NAT detected: ME PEER
      Oct 24 10:46:46 racoon: INFO: NAT-D payload #1 doesn't match
      Oct 24 10:46:46 racoon: INFO: NAT-D payload #0 doesn't match
      Oct 24 10:46:46 racoon: INFO: Adding xauth VID payload.
      Oct 24 10:46:46 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[4500] with algo #2 (NAT-T forced)
      Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[1147] with algo #2 (NAT-T forced)
      Oct 24 10:46:46 racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: DPD
      Oct 24 10:46:46 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: RFC 3947
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 24 10:46:46 racoon: INFO: begin Aggressive mode.
      Oct 24 10:46:46 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[1147]
      Oct 24 10:46:43 racoon: INFO: login succeeded for user "VPN_NG"
      Oct 24 10:46:43 racoon: INFO: Using port 0
      Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: received INITIAL-CONTACT
      Oct 24 10:46:43 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:5d41d4152c5f4ce1:a3c3bb8aa2dac3de
      Oct 24 10:46:43 racoon: INFO: Sending Xauth request
      Oct 24 10:46:43 racoon: INFO: NAT detected: ME PEER
      Oct 24 10:46:43 racoon: INFO: NAT-D payload #1 doesn't match
      Oct 24 10:46:43 racoon: INFO: NAT-D payload #0 doesn't match
      Oct 24 10:46:43 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[1147]<->PFSENSE_PUBLIC_ADD[4500]
      Oct 24 10:46:43 racoon: INFO: Adding xauth VID payload.
      Oct 24 10:46:43 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
      Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
      Oct 24 10:46:43 racoon: INFO: Adding remote and local NAT-D payloads.
      Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
      Oct 24 10:46:43 racoon: INFO: received Vendor ID: CISCO-UNITY
      Oct 24 10:46:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Oct 24 10:46:43 racoon: INFO: received Vendor ID: RFC 3947
      Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Oct 24 10:46:43 racoon: INFO: begin Aggressive mode.
      Oct 24 10:46:43 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

      Any help would be appreciated

      Many Thanks Neil

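The two racoon logs above differ at one point: the iPad session reaches "IPsec-SA established", while the Shrew Soft session reaches "ISAKMP-SA established" and then stops at "Hybrid auth negotiated but peer did not succeed Xauth exchange". The following Python script is an added example (not part of the thread or of pfSense) that parses racoon lines and reduces a pasted excerpt to a per-stage count and a verdict, so the failing stage (phase 1, Xauth or phase 2) can be read off directly. The two embedded excerpts are constructed subsets of the logs posted above, with the poster's placeholder addresses kept as they are; the stage-name strings are my own labels.

```python
"""Triage pfSense/racoon IPsec logs: did phase 1, Xauth and phase 2 complete?"""
import re
from collections import Counter

# One racoon log line: timestamp, optional "[Self]:" / "[peer]" tags, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[[^\]]*\]:? )*(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)
USER_RE = re.compile(r'login succeeded for user "([^"]+)"')

# Message fragments that mark each stage of a mobile IPsec (IKEv1 + Xauth) login.
# The stage names on the left are labels chosen for this example.
MARKERS = [
    ("phase1_started", "respond new phase 1 negotiation"),
    ("isakmp_established", "ISAKMP-SA established"),
    ("xauth_requested", "Sending Xauth request"),
    ("xauth_fail", "Xauth failed"),
    ("xauth_fail", "did not succeed Xauth exchange"),
    ("phase2_started", "respond new phase 2 negotiation"),
    ("ipsec_sa_established", "IPsec-SA established"),
]


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a racoon line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _verdict(s):
    if s["ipsec_sa_established"]:
        return "phase2-ok"          # tunnel came up (the iPad case above)
    if s["xauth_fail"]:
        return "xauth-failed"       # phase 1 done, extended auth not (the Shrew Soft case)
    if s["isakmp_established"]:
        return "phase1-only"
    if s["phase1_started"]:
        return "phase1-incomplete"
    return "no-negotiation"


def triage(log_text):
    """Count stage markers in a racoon log excerpt. Line order does not matter,
    so pfSense's newest-first log display can be pasted as-is."""
    counts = Counter()
    users, errors = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        for key, fragment in MARKERS:
            if fragment in msg:
                counts[key] += 1
        m = USER_RE.search(msg)
        if m and m.group(1) not in users:
            users.append(m.group(1))
        if rec["level"] == "ERROR":
            errors.append(msg)
    summary = {key: counts[key] for key, _ in MARKERS}
    summary["xauth_users"] = users
    summary["errors"] = errors
    summary["verdict"] = _verdict(summary)
    return summary


# Constructed excerpts of the two logs posted above (subset of lines, same placeholders).
IPAD_LOG = """\
Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=199313569(0xbe148a1)
Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=147830056(0x8cfb528)
Oct 24 10:40:36 racoon: [Self]: INFO: respond new phase 2 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[4500]
Oct 24 10:40:35 racoon: INFO: login succeeded for user "VPN_NG"
Oct 24 10:40:31 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
Oct 24 10:40:31 racoon: INFO: Sending Xauth request
Oct 24 10:40:31 racoon: [CLIENT_ADD] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 24 10:40:31 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]
"""

SHREW_LOG = """\
Oct 24 10:46:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:cda024940f8fa319:b5bac1a5968617ca
Oct 24 10:46:46 racoon: INFO: Sending Xauth request
Oct 24 10:46:46 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[1147]
Oct 24 10:46:43 racoon: INFO: login succeeded for user "VPN_NG"
Oct 24 10:46:43 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:5d41d4152c5f4ce1:a3c3bb8aa2dac3de
Oct 24 10:46:43 racoon: INFO: Sending Xauth request
Oct 24 10:46:43 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]
"""

if __name__ == "__main__":
    for name, log in (("iPad", IPAD_LOG), ("Shrew Soft", SHREW_LOG)):
        s = triage(log)
        print(f"{name}: {s['verdict']} (ISAKMP-SA {s['isakmp_established']}, "
              f"Xauth failures {s['xauth_fail']}, IPsec-SA {s['ipsec_sa_established']})")
```

Run against the two excerpts it reports `phase2-ok` for the iPad and `xauth-failed` for Shrew Soft; the Shrew Soft excerpt also shows two phase 1 negotiations within three seconds, which is the pattern a reader should look for when a client re-negotiates instead of finishing Xauth.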
      jimp (Rebel Alliance Developer, Netgate)

        In Shrew Soft, don't specify "auto" for all of the cipher and related values. Specify exactly what you have on the server config.

        (Or ditch IPsec for windows clients, OpenVPN is much better all around for that)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        dhatz

          Also ensure that the Phase-2 lifetimes match.

          Sacrilegious

            Hello Guys.

            Thank you, I will ensure all values match, and report back.

            Sacrilegious

              Hi Guys,

              All values match, but I am still getting the same:

              Oct 26 13:52:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
              Oct 26 13:52:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
              Oct 26 13:52:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
              Oct 26 13:52:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange

              Is there any way to get any more detailed logs?

              jimp (Rebel Alliance Developer, Netgate)

                If it says that xauth failed, my first guess would be the username/password used for auth, or perhaps the account you're trying to use doesn't have the IPsec xauth privilege.

                Sacrilegious

                  I thought that too, but my iPad works fine with the same credentials.

                  Effective Privileges
                    Inherited From: Remote Workers
                    Name: User - VPN - IPsec xauth Dialin
                    Description: Indicates whether the user is allowed to dial in via IPsec xauth (Note: Does not allow shell access, but may allow the user to create ssh tunnels)

                  It is definitely a Shrew Soft issue rather than a pfSense issue; I'm actually surprised how much I can muck about with the IPsec config on the pfSense box and the iPad still connects and works every time.

                  I would rather use IPsec than OpenVPN, but that's just because I understand it a little more.

                  I'm currently using the nano version installed on a CF card, which (I believe) is causing me other issues, so as soon as I get around to getting a PATA SSD I will be doing another install; starting with a clean slate may help.

                  Neil

                  jimp (Rebel Alliance Developer, Netgate)

                    When I was updating the IPsec chapter in the book the other day I had Shrew Soft talking to the server fine using Xauth so I know it works. If it's an issue in Shrew Soft, it's in your settings.

                    OpenVPN is much, much, much better for mobile clients. There really is no contest there.

                    Sacrilegious

                      Hello Jimp,

                      As you suggested I used OpenVPN: very easy to use, and scalable. Doesn't like Windows 8 much though, but I can live with it.

                      Regards, Neil

                      ksun6868

                        Well, it is probably too late for you, but I thought I should share my experience with pfSense and the Shrew Soft VPN Client.

                        On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0.

                        On Windows7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe.

                        Here are the configurations on the Shrew Soft side:

                        General
                          Hostname: <the server's IP address>
                          Port: 500
                          Auto Configuration: ike config pull
                          Address Method: Use a virtual adapter and assigned address
                          MTU: Obtain automatically
                        Client
                          NAT Traversal: force-rfc
                          NAT Traversal Port: 4500
                          Keep-alive packet rate: 15/Secs
                          IKE Fragmentation: enable
                          Maximum packet size: 540 Bytes
                          Enable Dead Peer Detection
                          Enable Client Login Banner
                        Name Resolution
                          No WINS/DNS server
                        Authentication
                          Local Identity
                            Identification Type: Key Identifier
                            Key ID String: vpnusers@example.com (or whatever you filled in for Peer identifier: User Distinguished Name when you set up the pfSense server Phase 1)
                          Remote Identity
                            Identification Type: IP Address
                          Credentials
                            Pre Shared Key: aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
                        Phase 1
                          Exchange Type: aggressive
                          DH Exchange: group 2
                          Cipher Algorithm: aes
                          Cipher Key Length: 128 Bits
                          Hash Algorithm: sha1
                          Key Life Time Limit: 86400 Secs
                          Key Life Data Limit: 0 KBytes
                        Phase 2
                          Transform Algorithm: esp-aes
                          Transform Key Length: 128 Bits
                          HMAC Algorithm: sha1
                          PFS Exchange: disabled
                          Compression Algorithm: disabled
                          Key Life Time Limit: 3600 Secs
                          Key Life Data Limit: 0 KBytes
                        Policy
                          Policy Generation Level: unique
                          Remote Network Resource
                            0.0.0.0/0.0.0.0

                        If you can verify this also works for you, it would be nice if someone could expand the Device Setup section of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include the Shrew Soft client.

                        Hope this helps.

                        Kang Sun

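Two pieces of advice in this thread, jimp's "specify exactly what you have on the server config" instead of "auto" and dhatz's "ensure that the Phase-2 lifetimes match", both come down to comparing the client profile against the server's phase 1 and phase 2 settings field by field. The Python below is an added example (not from the thread, Shrew Soft or pfSense) that encodes Kang Sun's profile above as data and diffs it against a server-side settings dictionary. The pfSense values are constructed to mirror the posted profile, since the thread never shows the server page; the field names and the normalisation rules (Shrew Soft's `esp-aes` against pfSense's `AES`, `disabled` against `off` for PFS) are mine.

```python
"""Check a Shrew Soft profile against pfSense mobile IPsec phase 1/2 settings field by field."""
import copy

# Client profile exactly as posted above (Shrew Soft 2.1.7 values).
SHREW_PROFILE = {
    "phase1": {"exchange": "aggressive", "dh_group": 2, "cipher": "aes",
               "key_bits": 128, "hash": "sha1", "lifetime_s": 86400},
    "phase2": {"transform": "esp-aes", "key_bits": 128, "hmac": "sha1",
               "pfs": "disabled", "lifetime_s": 3600},
}

# Server side: constructed to mirror the client, because the thread never shows the pfSense
# page. Read the real values off Phase 1 / Phase 2 of the mobile tunnel before using this.
PFSENSE_MOBILE = {
    "phase1": {"exchange": "aggressive", "dh_group": 2, "cipher": "AES",
               "key_bits": 128, "hash": "SHA1", "lifetime_s": 86400},
    "phase2": {"transform": "AES", "key_bits": 128, "hmac": "SHA1",
               "pfs": "off", "lifetime_s": 3600},
}

OFF = {"disabled", "off", "none", "no"}


def normalize(field, value):
    """Map the two UIs' spellings onto one form so only real mismatches are reported."""
    if not isinstance(value, str):
        return value
    v = value.strip().lower()
    if field == "transform" and v.startswith("esp-"):   # Shrew Soft: esp-aes, pfSense: AES
        v = v[4:]
    if field == "pfs" and v in OFF:                      # "disabled" and "off" both mean no PFS
        return None
    return v


def compare(client, server):
    """Return one finding per field whose client value is 'auto' or differs from the server."""
    findings = []
    for phase in ("phase1", "phase2"):
        for field, s_val in server[phase].items():
            c_val = client[phase].get(field)
            label = f"{phase}.{field}"
            if isinstance(c_val, str) and c_val.strip().lower() == "auto":
                findings.append(f"{label}: client is 'auto'; pin it to the server value {s_val!r}")
            elif normalize(field, c_val) != normalize(field, s_val):
                findings.append(f"{label}: client {c_val!r} != server {s_val!r}")
    return findings


def with_override(cfg, phase, **changes):
    """Deep-copy a config and change some fields; used to show how mismatches surface."""
    out = copy.deepcopy(cfg)
    out[phase].update(changes)
    return out


if __name__ == "__main__":
    print("as posted:", compare(SHREW_PROFILE, PFSENSE_MOBILE) or "no mismatches")
    # dhatz's case: server phase 2 lifetime (and PFS) drifted away from the client.
    drifted = with_override(PFSENSE_MOBILE, "phase2", lifetime_s=28800, pfs="group 2")
    for f in compare(SHREW_PROFILE, drifted):
        print("mismatch:", f)
    # jimp's case: client left on "auto" rather than the server's exact values.
    lazy = with_override(SHREW_PROFILE, "phase1", cipher="auto", hash="auto")
    for f in compare(lazy, PFSENSE_MOBILE):
        print("unpinned:", f)
```

The check is deliberately strict: racoon will happily accept a client proposal that merely overlaps the server's, but a client on "auto" can pick a proposal the server's logs then reject with little explanation, so pinning every field to the server value (as the posted profile does) removes that class of failure from the diagnosis.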
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.