Client to Site IPSec Almost Working…
-
I'm trying to shift my PSK Client to Site VPN to an RSA Client to Site. I've learned a few things along the way that others may find helpful, but I'm still stuck on one thing…
What I've Learned
-
Phase 1 Negotiation Mode needs to be main
-
My Identifier and Peer Identifier should be ASN.1 Distinguished Name, but the Distinguished Name field should be left blank.
-
The Common Name in My Certificate should be set to the external host name or external IP address of your VPN endpoint (e.g. the public IP of your pfSense)
-
NAT Traversal needs to be Force
-
The user cert used on the client should be a pem file, not a crt.
My tunnel seems to come up, but as soon as it does, it complains about a sub-net mismatch
-
racoon: ERROR: failed to get sainfo.
-
racoon: [...] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
So, what sub-nets are mismatching?
-
My virtual IP address pool provided to clients is a /24
-
My local network is also a /24
-
The two are non-overlapping.
-
It's either looking at one or more different sub-nets or it's erroneously seeing a mismatch. Well, I sure don't see a mis-match.
-
My client is an Android tablet, and I am using the default Android VPN client. Maybe there's a bug?
-
And here's the weird part…when I do this as a PSK, it all works fine. Same sub-nets. Makes me wonder if it's a bug.
-