Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    VPN functionality after upgrade from 1.2.3 to 2.1

    IPsec
    1
    2
    1299
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AceLine last edited by

      Hi everybody,
      Hi pfSense-Team,

      I have a problem on a Bull Server running pfSense 2.1. I upgraded it just two days ago from 1.2.3 for NAT-Reflection to work (it didn´t on 1.2.3), now NAT-Reflection works perfect but all my VPN functionality is gone.

      Before I used PPTP and openVPN - both of them worked great. Now I tried to get up and running with PPTP and also with openVPN again, but no chance… not from inside and not from outside of the network.

      So I decided to start over with ipSEC: First I configured it as in the documentation and tried to find a way to connect with Windows 7 board client. As I found out, this is not possible at all. So I went on with the steps in the documentation and tried to configure and connect with Shrew VPN Client software - and in deed this seemed to work at least from inside the network. Filled with power and entusiasm I left the office and in the afternoon I tried to connect to the VPN from outside - but no chance.

      Shrew Client says: negotiation timeout occurred

      Does anybody have a glue or at least a hint on how to go further?

      I made the How-To from the documentation step by step exactly point for point. The upgrade to 2.1 was made with the config.xml from the 1.2.3 version where VPN worked before.

      Best regards,

      Ingmar

      System Logs > IPsec:

      From inside the network:

      Nov 19 07:54:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <public-ip-pfsense>[500]<=>192.168.40.200[500]
      Nov 19 07:54:30 racoon: INFO: begin Aggressive mode.
      Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Nov 19 07:54:30 racoon: INFO: received Vendor ID: RFC 3947
      Nov 19 07:54:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Nov 19 07:54:30 racoon: INFO: received Vendor ID: CISCO-UNITY
      Nov 19 07:54:30 racoon: [192.168.40.200] INFO: Selected NAT-T version: RFC 3947
      Nov 19 07:54:31 racoon: INFO: Adding remote and local NAT-D payloads.
      Nov 19 07:54:31 racoon: [192.168.40.200] INFO: Hashing 192.168.40.200[500] with algo #2 (NAT-T forced)
      Nov 19 07:54:31 racoon: [Self]: [<public-ip-pfsense>] INFO: Hashing <public-ip-pfsense>[500] with algo #2 (NAT-T forced)
      Nov 19 07:54:31 racoon: [Self]: INFO: NAT-T: ports changed to: 192.168.40.200[4500]<-><public-ip-pfsense>[4500]
      Nov 19 07:54:31 racoon: INFO: NAT-D payload #0 doesn't match
      Nov 19 07:54:31 racoon: INFO: NAT-D payload #1 doesn't match
      Nov 19 07:54:31 racoon: INFO: NAT detected: ME PEER
      Nov 19 07:54:31 racoon: [Self]: INFO: ISAKMP-SA established <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
      Nov 19 07:54:31 racoon: [192.168.40.200] INFO: received INITIAL-CONTACT
      Nov 19 07:54:31 racoon: INFO: Using port 0
      Nov 19 07:54:31 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Nov 19 07:54:31 racoon: [Self]: INFO: respond new phase 2 negotiation: <public-ip-pfsense>[4500]<=>192.168.40.200[4500]
      Nov 19 07:54:31 racoon: INFO: no policy found, try to generate the policy : 10.0.2.1/32[0] 192.168.20.0/24[0] proto=any dir=in
      Nov 19 07:54:31 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Nov 19 07:54:31 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
      Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
      Nov 19 07:54:31 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
      Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=226294782(0xd7cfbfe)
      Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=845928547(0x326bd863)
      Nov 19 07:54:56 racoon: INFO: deleting a generated policy.
      Nov 19 07:54:56 racoon: INFO: purged IPsec-SA proto_id=ESP spi=845928547.
      Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA expired <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
      Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA deleted <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
      Nov 19 07:54:56 racoon: INFO: Released port 0

      From outside the network: I don´t get any sys log on this

      I also made a portscan with nmap from a linux machine and it says: 500 open/filtered and 4500 open/filtered</public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense>

      1 Reply Last reply Reply Quote 0
      • A
        AceLine last edited by

        OpenVPN not working… IPsec not working... PPTP not working... No help, no metter. I downgraded to 1.2.3 and it works perfectly...

        1 Reply Last reply Reply Quote 0
        • First post
          Last post