VPN functionality after upgrade from 1.2.3 to 2.1
-
Hi everybody,
Hi pfSense-Team,I have a problem on a Bull Server running pfSense 2.1. I upgraded it just two days ago from 1.2.3 for NAT-Reflection to work (it didn´t on 1.2.3), now NAT-Reflection works perfect but all my VPN functionality is gone.
Before I used PPTP and openVPN - both of them worked great. Now I tried to get up and running with PPTP and also with openVPN again, but no chance… not from inside and not from outside of the network.
So I decided to start over with ipSEC: First I configured it as in the documentation and tried to find a way to connect with Windows 7 board client. As I found out, this is not possible at all. So I went on with the steps in the documentation and tried to configure and connect with Shrew VPN Client software - and in deed this seemed to work at least from inside the network. Filled with power and entusiasm I left the office and in the afternoon I tried to connect to the VPN from outside - but no chance.
Shrew Client says: negotiation timeout occurred
Does anybody have a glue or at least a hint on how to go further?
I made the How-To from the documentation step by step exactly point for point. The upgrade to 2.1 was made with the config.xml from the 1.2.3 version where VPN worked before.
Best regards,
Ingmar
System Logs > IPsec:
From inside the network:
Nov 19 07:54:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <public-ip-pfsense>[500]<=>192.168.40.200[500]
Nov 19 07:54:30 racoon: INFO: begin Aggressive mode.
Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 19 07:54:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Nov 19 07:54:30 racoon: INFO: received Vendor ID: RFC 3947
Nov 19 07:54:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Nov 19 07:54:30 racoon: INFO: received Vendor ID: CISCO-UNITY
Nov 19 07:54:30 racoon: [192.168.40.200] INFO: Selected NAT-T version: RFC 3947
Nov 19 07:54:31 racoon: INFO: Adding remote and local NAT-D payloads.
Nov 19 07:54:31 racoon: [192.168.40.200] INFO: Hashing 192.168.40.200[500] with algo #2 (NAT-T forced)
Nov 19 07:54:31 racoon: [Self]: [<public-ip-pfsense>] INFO: Hashing <public-ip-pfsense>[500] with algo #2 (NAT-T forced)
Nov 19 07:54:31 racoon: [Self]: INFO: NAT-T: ports changed to: 192.168.40.200[4500]<-><public-ip-pfsense>[4500]
Nov 19 07:54:31 racoon: INFO: NAT-D payload #0 doesn't match
Nov 19 07:54:31 racoon: INFO: NAT-D payload #1 doesn't match
Nov 19 07:54:31 racoon: INFO: NAT detected: ME PEER
Nov 19 07:54:31 racoon: [Self]: INFO: ISAKMP-SA established <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
Nov 19 07:54:31 racoon: [192.168.40.200] INFO: received INITIAL-CONTACT
Nov 19 07:54:31 racoon: INFO: Using port 0
Nov 19 07:54:31 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Nov 19 07:54:31 racoon: [Self]: INFO: respond new phase 2 negotiation: <public-ip-pfsense>[4500]<=>192.168.40.200[4500]
Nov 19 07:54:31 racoon: INFO: no policy found, try to generate the policy : 10.0.2.1/32[0] 192.168.20.0/24[0] proto=any dir=in
Nov 19 07:54:31 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Nov 19 07:54:31 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Nov 19 07:54:31 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Nov 19 07:54:31 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=226294782(0xd7cfbfe)
Nov 19 07:54:31 racoon: [Self]: INFO: IPsec-SA established: ESP <public-ip-pfsense>[500]->192.168.40.200[500] spi=845928547(0x326bd863)
Nov 19 07:54:56 racoon: INFO: deleting a generated policy.
Nov 19 07:54:56 racoon: INFO: purged IPsec-SA proto_id=ESP spi=845928547.
Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA expired <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
Nov 19 07:54:56 racoon: [Self]: INFO: ISAKMP-SA deleted <public-ip-pfsense>[4500]-192.168.40.200[4500] spi:fc487bf6ac1d1128:c7e9f86830bcf993
Nov 19 07:54:56 racoon: INFO: Released port 0From outside the network: I don´t get any sys log on this
I also made a portscan with nmap from a linux machine and it says: 500 open/filtered and 4500 open/filtered</public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense></public-ip-pfsense>
-
OpenVPN not working… IPsec not working... PPTP not working... No help, no metter. I downgraded to 1.2.3 and it works perfectly...