Problems with IPSec mobile clients authentication



  • I've got pfSense 2.1 set up for IPsec mobile clients, which use the ShrewSoft VPN Client. User authentication is via a RADIUS server (running on SBS 2011), and until a few days ago everything worked fine. I added 2 new users to the VPN group (which RADIUS uses), and while they could establish a connection, they weren't able to access network resources (with MS Network Monitor on one of the servers I could see them try to establish an RDP connection, but then nothing). At this point, other users didn't have any problems yet.

    While I was investigating why these two users couldn't access the LAN, I restarted racoon, and since I did that, no user can access the LAN. ShrewSoft authenticates without problems, but no traffic goes through the tunnel. The IPsec logs are filled with the following:

    Jan 14 14:32:34 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    Jan 14 14:32:34 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange

    I found a topic describing the same problem, but no resolution. I also tried authenticating with a local user (instead of RADIUS) that was in a group with the "User - VPN - IPsec xauth Dialin" privilege, but the same problem happened (if the user isn't a member of this group, the ShrewSoft client reports "user authentication error" and doesn't establish the connection).

    Any ideas what more I could try to get this to work again?

    OpenVPN isn't a solution, since it requires administrative privileges on Windows to set routes.
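The two racoon errors quoted above say the same thing from two angles: the peer negotiated hybrid authentication but never completed the Xauth exchange, so racoon refuses to start phase 2 and no traffic can flow even though the client reports a successful login. The following is an added example, not code from the original post or from pfSense, that parses pfSense 2.1 style racoon syslog lines (format assumed: "Mon DD HH:MM:SS racoon: LEVEL: message"), classifies the Xauth failure messages, and summarizes whether Xauth is what is blocking phase 2. The sample log lines are constructed for the example; the IP addresses and the INFO line are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two errors quoted in the post.
# Assumption: racoon syslog format "Mon DD HH:MM:SS racoon: LEVEL: message".
SAMPLE_LOG = """\
Jan 14 14:32:34 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Jan 14 14:32:34 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Jan 14 14:32:35 racoon: INFO: ISAKMP-SA established 203.0.113.1[4500]-198.51.100.7[4500]
Jan 14 14:32:40 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Message pattern -> category. Both messages mean the client entered
# phase 2 (quick mode) without a completed Xauth exchange.
XAUTH_PATTERNS = {
    "xauth_failed_before_phase2": re.compile(
        r"Attempt to start phase 2 whereas Xauth failed"),
    "hybrid_auth_no_xauth": re.compile(
        r"Hybrid auth negotiated but peer did not succeed Xauth exchange"),
}


def parse_line(line):
    """Parse one racoon syslog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    category = "other"
    for name, pat in XAUTH_PATTERNS.items():
        if pat.search(m["msg"]):
            category = name
            break
    return {"ts": m["ts"], "level": m["level"], "msg": m["msg"],
            "category": category}


def summarize(text):
    """Count events by category and flag whether Xauth failures block phase 2."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    xauth_errors = (counts["xauth_failed_before_phase2"]
                    + counts["hybrid_auth_no_xauth"])
    return {
        "parsed": len(events),
        "counts": dict(counts),
        "xauth_errors": xauth_errors,
        "xauth_blocking_phase2": xauth_errors > 0,
    }


if __name__ == "__main__":
    for ev in (parse_line(l) for l in SAMPLE_LOG.splitlines()):
        if ev:
            print(ev["ts"], ev["level"], ev["category"])
    print(summarize(SAMPLE_LOG))
```

A non-zero `xauth_errors` count points at the Xauth leg (RADIUS, the local xauth group privilege, or the client's Xauth handling) rather than at firewall rules or phase 2 proposals, which is a useful first split when the client itself claims authentication succeeded.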



  • Installing ShrewSoft VPN Client again seems to have solved the problem. No idea what happened.

