Identifier problem - pfSense 1.2RC3 (dynIP) <-> pfSense 1.2RC2 (Static IP)

ssheikh

I'm trying to setup an IPSec VPN between home and work.

Home FW = pfSense 1.2 RC3. Dynamic IP.
Work FW = pfSense 1.2 RC2. Static IP.

Have followed this guide: http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec

I can get everything to work if:

Home side / VPN / IPSec / Tunnel / Phase 1 / My Identifier = My IP Address
Work side / IPSec / Pre-shared keys / Identifier = A.B.C.D

where A.B.C.D = DHCP assigned WAN IP on the home FW.

If I change this to:

Home FW / VPN / IPSec / Tunnel / Phase 1 / My Identifier = User FQDN / Home@boo.foo
Work FW / IPSec / Pre-shared keys / Identifier = Home@boo.foo

then I get this error in the IPSec logs of the work firewall:

racoon: ERROR: couldn't find the pskey for A.B.C.D

It seems that in spite of the identifier being set to User FQDN, the identifier that is being sent by the home FW is still the WAN IP address.

At this point if I change the pre-shared key at the work FW to A.B.C.D then I get this error code:

racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.

I'm assuming this is because the Work firewall is expecting the identity to be in the form of IP address but instead what came is USER_FQDN.

So it seems like my home FW is telling the work FW that its sending User_FQDN but instead of sending the correct string it winds up sending the WAN IP address as at string.

What am I doing wrong?

Thanks,

Shahid

ssheikh

Bump to see if anyone has any comments.

My IP changes frequently (even when the firewall is never shutdown) on the dyn IP side which breaks the VPN.

heiko

set the work side to my identifier = my ip adress at the mobile clients page and the home "dyn" side to User FQDN

ssheikh

Sorry I don't follow.

Where on the work/static IP side would you like me to set "my identifier"?

If you want me to set it under the "Mobile Clients" tab then it is already set to "My IP address"

Otherwise, I do not have any tunnels defined on the work/static side to have the option of setting "my identifier" anywhere.

With this scenario if I set the identifier at the home/dynamic IP side to User FQDN and make sure that on the work side the pre-shared key identifier matches that User FQDN then the IPSec connection does not get established and I get this logged:

racoon: ERROR: couldn't find the pskey for A.B.C.D

where A.B.C.D is the IP address of the home/dynamic IP firewall.

With the configuration that you suggested (which is the same as the mobile_ipsec document) what should the identifier for the pre-shared key at the work/static IP side be defined as?

heiko

I think you have anything misconfigured!

Here are some screenshots with an up and running szenario between static and dynamic addresses.

Have fun

ssheikh

Can you show me how your pre-shared key on the static side is configured.

Thanks.

ssheikh

Ok. Got it to work. This configuration does not work in Main Mode. It only works in Agressive mode.

heiko

OK, sorry, yes, mobile clients are working  not in main mode…..