Netgate Discussion Forum

    Problem connecting with mobile client…

    IPsec
    ragtag

      I'm having trouble setting up mobile clients with IPsec.

      This is the error I get, and I don't know why. The server has a static IP and the client a dynamic one (the client is an old iBook running OS X Tiger using the built-in VPN client).

      Phase 1 seems to work, phase 2 seems to work too, as I read on the forum that I could ignore the "policy does not exist" error. It waits a while after those errors, and then disconnects.

      Anyone know what's wrong here? Or just how to set up a system where mobile clients can connect to IPsec (I'm new to VPN in general).

      Cheers,

      ragtag

      Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
      Feb 13 14:25:49 racoon: INFO: purged ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
      Feb 13 14:25:49 racoon: INFO: purged IPsec-SA spi=94008622.
      Feb 13 14:25:49 racoon: INFO: purging ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
      Feb 13 14:25:49 racoon: INFO: purged IPsec-SA proto_id=ESP spi=254906905.
      Feb 13 14:25:49 racoon: INFO: generated policy, deleting it.
      Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "217.118.x.z/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
      Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
      Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
      Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
      Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
      Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
      Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.118.x.z[0]<=>89.8.x.z[0]
      Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
      Feb 13 14:24:50 racoon: INFO: received Vendor ID: KAME/racoon
      Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 13 14:24:50 racoon: INFO: received Vendor ID: RFC 3947
      Feb 13 14:24:50 racoon: INFO: begin Identity Protection mode.
      Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.118.x.z[500]<=>89.8.x.z[500]

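The racoon excerpt above is easier to reason about once it is back in chronological order and reduced to a few facts. The script below is an added example, not something from the thread or from pfSense/racoon: it parses the posted lines (addresses masked by the poster as x.z; the year is absent from syslog, so 2008 is assumed), restores the order, and reports whether phase 1 and phase 2 completed, which of racoon's own transforms were rejected against the peer's AES proposal, how many policy errors were logged, and how many seconds the IKE SA lived before it was deleted.

```python
import re
from datetime import datetime

# Racoon excerpt as posted in the thread (addresses masked by the poster as x.z).
# The pfSense log viewer lists the newest line first, so the excerpt is in reverse order.
RACOON_LOG = """\
Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:25:49 racoon: INFO: purged ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA spi=94008622.
Feb 13 14:25:49 racoon: INFO: purging ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA proto_id=ESP spi=254906905.
Feb 13 14:25:49 racoon: INFO: generated policy, deleting it.
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "217.118.x.z/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.118.x.z[0]<=>89.8.x.z[0]
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:24:50 racoon: INFO: received Vendor ID: KAME/racoon
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: RFC 3947
Feb 13 14:24:50 racoon: INFO: begin Identity Protection mode.
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.118.x.z[500]<=>89.8.x.z[500]
"""

# syslog timestamp, "racoon:", optional "[peer tag]:", level, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\]: )?(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)


def parse_racoon_log(text, year=2008):
    """Parse racoon syslog lines into dicts and return them oldest first.

    Syslog carries no year; the default is an assumption (the thread's pfSense build is from Jan 2008).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a racoon line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "peer": m["peer"], "level": m["level"], "msg": m["msg"]})
    events.reverse()                      # viewer output is newest first
    events.sort(key=lambda e: e["ts"])    # stable sort keeps same-second order intact
    return events


def summarize_negotiation(events):
    """Reduce the event stream to the facts checked first when a tunnel drops."""
    summary = {
        "phase1_established": False,
        "endpoints": None,            # (responder, initiator) from the ISAKMP-SA line
        "phase2_sas": 0,              # one IPsec-SA per direction is expected
        "transform_mismatches": [],   # distinct (ours, peer's) pairs racoon rejected
        "policy_errors": 0,
        "ike_sa_deleted": False,
        "seconds_alive": None,        # ISAKMP-SA established -> ISAKMP-SA deleted
    }
    established_at = None
    for e in events:
        msg = e["msg"]
        if msg.startswith("ISAKMP-SA established"):
            summary["phase1_established"] = True
            established_at = e["ts"]
            ep = re.search(r"established ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\]", msg)
            summary["endpoints"] = (ep.group(1), ep.group(2))
        elif msg.startswith("IPsec-SA established"):
            summary["phase2_sas"] += 1
        elif msg.startswith("trns_id mismatched"):
            mm = re.search(r"my:(\S+) peer:(\S+)", msg)
            pair = (mm.group(1), mm.group(2))
            if pair not in summary["transform_mismatches"]:
                summary["transform_mismatches"].append(pair)
        elif "policy does not already exist" in msg:
            summary["policy_errors"] += 1
        elif msg.startswith("ISAKMP-SA deleted"):
            summary["ike_sa_deleted"] = True
            if established_at is not None:
                summary["seconds_alive"] = int((e["ts"] - established_at).total_seconds())
    return summary


if __name__ == "__main__":
    for key, value in summarize_negotiation(parse_racoon_log(RACOON_LOG)).items():
        print(f"{key}: {value}")
```

Run on this excerpt it reports phase 1 established between 217.118.x.z and 89.8.x.z, two IPsec SAs (one per direction), four distinct transform mismatches, two policy errors, and an IKE SA deleted 60 seconds after it was established. The trns_id warnings are racoon walking its own transform list (CAST, Blowfish, 3DES, DES) against the client's AES proposal until one matched, which the two IPsec-SA established lines that follow confirm; the policy errors are the ones the poster was told to ignore. What the summary makes visible is the fixed gap between establishment and teardown, which is the thing to investigate rather than the proposal lists.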
      databeestje

        This is just a hunch, since you didn't specify the release you are running on.

        Try disabling PFS on the server and/or the client side for this mobile connection.
        PFS == Perfect Forward Secrecy - Diffie-Hellman group 1, 2, 5, or none.

        Kind regards,

        Seth

        ragtag

          Sorry, forgot to mention the pfSense version: it's 1.2-RC4 built on Tue Jan 15 23:05:07 EST 2008.

          PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client; it's somewhat limited in options. Tried setting it to 1, 2 and 5 as well, but it seemed to have no effect.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.