VPN functionality after upgrade from 1.2.3 to 2.1



  • Hi everybody,
    Hi pfSense-Team,

    I have a problem on a Bull Server running pfSense 2.1. I upgraded it just two days ago from 1.2.3 to get NAT reflection to work (it didn't on 1.2.3). Now NAT reflection works perfectly, but all my VPN functionality is gone.

    Before, I used PPTP and OpenVPN, and both of them worked great. Now I have tried to get up and running with PPTP and also with OpenVPN again, but no chance… not from inside and not from outside the network.

    So I decided to start over with IPsec. First I configured it as in the documentation and tried to find a way to connect with the Windows 7 on-board client. As I found out, this is not possible at all. So I went on with the steps in the documentation and tried to configure and connect with the Shrew VPN Client software, and indeed this seemed to work, at least from inside the network. Filled with power and enthusiasm I left the office, and in the afternoon I tried to connect to the VPN from outside, but no chance.

    Shrew Client says: negotiation timeout occurred

    Does anybody have a clue, or at least a hint, on how to go further?

    I followed the How-To from the documentation step by step, exactly point for point. The upgrade to 2.1 was made with the config.xml from the 1.2.3 version, where VPN worked before.

    Best regards,

    Ingmar

    System Logs > IPsec:

    From inside the network:

    Nov 19 07:54:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <public-ip-pfsense>[500]<=>192.168.40.200[500]
    Nov 19 07:54:30 racoon: INFO: begin Aggressive mode.
    Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Nov 19 07:54:30 racoon: INFO: received Vendor ID: RFC 3947
    Nov 19 07:54:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Nov 19 07:54:30 racoon: INFO: received Vendor ID: CISCO-UNITY
    Nov 19 07:54:30 racoon: [192.168.40.200] INFO: Selected NAT-T version: RFC 3947
    Nov 19 07:54:31 racoon: INFO: Adding remote and local NAT-D payloads.
    Nov 19 07:54:31 racoon: [192.168.40.200] INFO: Hashing 192.168.40.200[500] with algo #2 (NAT-T forced)
    Nov 19 07:54:31 racoon: [Self]: [<public-ip-pfsense>] INFO: Hashing <public-ip-pfsense>[500] with algo #2 (NAT-T forced)
    Nov 19 07:54:31 racoon: [Self]: INFO: NAT-T: ports changed to: 192.168.40.200[4500]<-><public-ip-pfsense>[4500]
    Nov 19 07:54:31 racoon: INFO: NAT-D payload #0 doesn't match
    Nov 19 07:54:31 racoon: INFO: NAT-D payload #1 doesn't match
    Nov 19 07:54:31 racoon: INFO: NAT detected: ME PEER
    Nov 19 07:54:31 racoon: [Self]: INFO: ISAKMP-SA established <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
    Nov 19 07:54:31 racoon: [192.168.40.200] INFO: received INITIAL-CONTACT
    Nov 19 07:54:31 racoon: INFO: Using port 0
    Nov 19 07:54:31 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Nov 19 07:54:31 racoon: [Self]: INFO: respond new phase 2 negotiation: <public-ip-pfsense>[4500]<=>192.168.40.200[4500]
    Nov 19 07:54:31 racoon: INFO: no policy found, try to generate the policy : 10.0.2.1/32[0] 192.168.20.0/24[0] proto=any dir=in
    Nov 19 07:54:31 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Nov 19 07:54:31 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
    Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
    Nov 19 07:54:31 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
    Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=226294782(0xd7cfbfe)
    Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=845928547(0x326bd863)
    Nov 19 07:54:56 racoon: INFO: deleting a generated policy.
    Nov 19 07:54:56 racoon: INFO: purged IPsec-SA proto_id=ESP spi=845928547.
    Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA expired <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
    Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA deleted <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
    Nov 19 07:54:56 racoon: INFO: Released port 0

    From outside the network: I don't get any syslog entries at all.

    I also did a port scan with nmap from a Linux machine, and it says: 500 open/filtered and 4500 open/filtered
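The racoon log pasted above is dense, so here is an added example (written for this page, not code from the post or from pfSense) of the kind of script a responder would run over it: it parses racoon lines, pulls out the Phase 1 mode, the NAT-T state, the Phase 2 proposal mismatches and the ISAKMP-SA lifetime, and lists the points worth checking. The log text inside it is a constructed copy of the lines above with the poster's public-address placeholder replaced by the documentation address 203.0.113.1; the regexes are written against racoon's message formats as they appear in that log.

```python
import re
from datetime import datetime

# Constructed sample: the shape of the racoon lines quoted in the post above, with
# "<public-ip-pfsense>" replaced by 203.0.113.1. Not a capture from the poster's box.
SAMPLE_LOG = """\
Nov 19 07:54:30 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>192.168.40.200[500]
Nov 19 07:54:30 racoon: INFO: begin Aggressive mode.
Nov 19 07:54:30 racoon: INFO: received Vendor ID: RFC 3947
Nov 19 07:54:30 racoon: [192.168.40.200] INFO: Selected NAT-T version: RFC 3947
Nov 19 07:54:31 racoon: [Self]: INFO: NAT-T: ports changed to: 192.168.40.200[4500]<->203.0.113.1[4500]
Nov 19 07:54:31 racoon: INFO: NAT-D payload #0 doesn't match
Nov 19 07:54:31 racoon: INFO: NAT-D payload #1 doesn't match
Nov 19 07:54:31 racoon: INFO: NAT detected: ME PEER
Nov 19 07:54:31 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
Nov 19 07:54:31 racoon: [Self]: INFO: respond new phase 2 negotiation: 203.0.113.1[4500]<=>192.168.40.200[4500]
Nov 19 07:54:31 racoon: INFO: no policy found, try to generate the policy : 10.0.2.1/32[0] 192.168.20.0/24[0] proto=any dir=in
Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Nov 19 07:54:31 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->192.168.40.200[500] spi=226294782(0xd7cfbfe)
Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->192.168.40.200[500] spi=845928547(0x326bd863)
Nov 19 07:54:56 racoon: INFO: deleting a generated policy.
Nov 19 07:54:56 racoon: INFO: purged IPsec-SA proto_id=ESP spi=845928547.
Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA expired 203.0.113.1[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
"""

# syslog-style prefix: "Nov 19 07:54:30 racoon: <message>"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: (.*)$")
EVENTS = {
    "phase1":      re.compile(r"phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]"),
    "aggressive":  re.compile(r"begin Aggressive mode"),
    "natd":        re.compile(r"NAT-D payload #\d+ doesn't match"),
    "nat":         re.compile(r"NAT detected: (.+)$"),
    "isakmp_up":   re.compile(r"ISAKMP-SA established .*spi:([0-9a-f]+:[0-9a-f]+)"),
    "isakmp_down": re.compile(r"ISAKMP-SA (?:expired|deleted) .*spi:([0-9a-f]+:[0-9a-f]+)"),
    "policy":      re.compile(r"generate the policy : (\S+)\[\d+\] (\S+)\[\d+\]"),
    "trns":        re.compile(r"trns_id mismatched: my:(\S+) peer:(\S+)"),
    "auth":        re.compile(r"authtype mismatched: my:(\S+) peer:(\S+)"),
    "esp_up":      re.compile(r"IPsec-SA established: ESP .*spi=(\d+)"),
}


def analyze(text):
    """Walk racoon log lines in order and summarise one IKE session."""
    s = {"peer": None, "aggressive": False, "natd_mismatches": 0, "nat_detected": None,
         "isakmp_lifetime": None, "generated_policy": None,
         "proposal_mismatches": [], "esp_spis": []}
    started = {}  # ISAKMP SPI pair -> timestamp at which the SA was established
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less, same-day deltas only
        msg = m.group(2)
        for kind, rx in EVENTS.items():
            hit = rx.search(msg)
            if not hit:
                continue
            if kind == "phase1":
                s["peer"] = hit.group(2)
            elif kind == "aggressive":
                s["aggressive"] = True
            elif kind == "natd":
                s["natd_mismatches"] += 1
            elif kind == "nat":
                s["nat_detected"] = hit.group(1)
            elif kind == "isakmp_up":
                started[hit.group(1)] = ts
            elif kind == "isakmp_down":
                if hit.group(1) in started and s["isakmp_lifetime"] is None:
                    s["isakmp_lifetime"] = (ts - started[hit.group(1)]).total_seconds()
            elif kind == "policy":
                s["generated_policy"] = (hit.group(1), hit.group(2))
            elif kind == "trns":
                s["proposal_mismatches"].append(("encryption", hit.group(1), hit.group(2)))
            elif kind == "auth":
                s["proposal_mismatches"].append(("auth", hit.group(1), hit.group(2)))
            elif kind == "esp_up":
                s["esp_spis"].append(int(hit.group(1)))
    return s


def findings(s):
    """Turn the summary into the points a reviewer would raise about this session."""
    out = []
    if s["aggressive"]:
        out.append("Phase 1 ran in Aggressive mode: with a pre-shared key the responder's PSK hash "
                   "is sent unencrypted and can be captured for offline guessing; use Main mode "
                   "(or IKEv2) where the client allows it.")
    if s["nat_detected"]:
        out.append(f"NAT-T engaged (NAT detected: {s['nat_detected']}, {s['natd_mismatches']} NAT-D "
                   "mismatches): IKE moved to UDP/4500, so UDP/500 and UDP/4500 must both reach "
                   "the firewall from the outside, not only from the LAN.")
    for kind, mine, theirs in dict.fromkeys(s["proposal_mismatches"]):  # dedupe, keep order
        out.append(f"Phase 2 {kind} proposal mismatch: local {mine}, peer {theirs}; an SA that still "
                   "comes up matched a different proposal, so align the client with the server.")
    if any(m == "hmac-md5" for k, m, _ in s["proposal_mismatches"] if k == "auth"):
        out.append("Local Phase 2 authentication is hmac-md5, a legacy choice; prefer an SHA-family HMAC.")
    if s["isakmp_lifetime"] is not None and s["isakmp_lifetime"] < 60:
        out.append(f"ISAKMP-SA expired after {s['isakmp_lifetime']:.0f} s, far below any usual "
                   "lifetime: the session was torn down almost immediately after it came up.")
    return out


if __name__ == "__main__":
    for point in findings(analyze(SAMPLE_LOG)):
        print("-", point)
```

On the port scan: nmap's UDP scan reports open|filtered whenever nothing answers, and racoon only replies to a well-formed IKE packet, so that result confirms nothing either way. A tool that sends a real IKE proposal (ike-scan, for instance) shows whether the daemon is reachable from outside, and an empty IPsec log for the outside attempt is exactly what you would see if UDP/500 never arrived at the firewall.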



  • OpenVPN not working… IPsec not working… PPTP not working… No help, no matter. I downgraded to 1.2.3 and it works perfectly…