Problem connecting with mobile client…
-
I'm having trouble setting up mobile clients with IPsec.

This is the error I get, and I don't know why. The server has a static IP and the client a dynamic one (the client is an old iBook running OS X Tiger using the built-in VPN client). Phase 1 seems to work, and phase 2 seems to work too, as I read on the forum that I could ignore the "policy does not exist" error. It waits a while after those errors, and then disconnects.

Anyone know what's wrong here? Or just how to set up a system where mobile clients can connect to IPsec (I'm new to VPN in general).

Cheers,
ragtag
Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:25:49 racoon: INFO: purged ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA spi=94008622.
Feb 13 14:25:49 racoon: INFO: purging ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA proto_id=ESP spi=254906905.
Feb 13 14:25:49 racoon: INFO: generated policy, deleting it.
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "217.118.x.z/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.118.x.z[0]<=>89.8.x.z[0]
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:24:50 racoon: INFO: received Vendor ID: KAME/racoon
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: RFC 3947
Feb 13 14:24:50 racoon: INFO: begin Identity Protection mode.
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.118.x.z[500]<=>89.8.x.z[500]
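Added example (editor's code, not from this thread): a small Python triage script for a racoon log like the one above. It takes a constructed subset of the post's own entries (oldest first, masked addresses kept) and pulls out what a reader needs to judge the failure: how long the ISAKMP SA lived, how many phase-2 SAs came up, which local transforms were compared against the peer's AES proposal, and whether the auto-generated policy is for UDP/1701, the L2TP port, which tells you the client is negotiating L2TP over IPsec transport mode rather than a plain IPsec tunnel.

```python
import re
from collections import Counter

# Constructed sample: a subset of the racoon entries from the post above,
# reordered oldest first (the post lists them newest first).
SAMPLE_LOG = """\
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
"""

TS = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) racoon: (.*)$")
POLICY = re.compile(r"(\S+)/32\[(\d+)\] (\S+)/32\[(\d+)\] proto=(\w+) dir=(\w+)")

def summarize(log):
    """Reduce a racoon log to the facts that matter for triage."""
    s = {"p1_up": None, "p1_down": None, "p2_sas": 0, "mismatch": Counter(),
         "policies": [], "policy_errors": 0}
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue
        secs = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])  # seconds since midnight
        msg = m[4]
        if "ISAKMP-SA established" in msg:
            s["p1_up"] = secs
        elif "ISAKMP-SA deleted" in msg:
            s["p1_down"] = secs
        elif "IPsec-SA established" in msg:
            s["p2_sas"] += 1
        elif "trns_id mismatched" in msg:  # proposal comparison, one warning per local transform
            mine, peer = re.search(r"my:(\w+) peer:(\w+)", msg).groups()
            s["mismatch"][(mine, peer)] += 1
        elif "try to generate the policy" in msg:
            p = POLICY.search(msg)
            s["policies"].append({"src": p[1], "sport": int(p[2]), "dst": p[3],
                                  "dport": int(p[4]), "proto": p[5], "dir": p[6]})
        elif "such policy does not already exist" in msg:
            s["policy_errors"] += 1
    s["lifetime_s"] = s["p1_down"] - s["p1_up"] if None not in (s["p1_up"], s["p1_down"]) else None
    # UDP/1701 is L2TP: a generated transport-mode policy on it means L2TP/IPsec, not a plain tunnel
    s["l2tp"] = any(p["proto"] == "udp" and 1701 in (p["sport"], p["dport"]) for p in s["policies"])
    return s
```

On the sample above `summarize` reports the ISAKMP SA living 60 seconds, two phase-2 SAs, one policy error and an L2TP policy, which matches the "waits a while, then disconnects" description.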
-
This is just a hunch, since you didn't specify the release you are running on.

Try disabling PFS on the server and/or the client side for this mobile connection.

PFS == Perfect Forward Secrecy - Diffie-Hellman group 1, 2, 5, or none.

Kind regards,
Seth
-
Sorry, forgot to mention the pfSense version: it's 1.2-RC4 built on Tue Jan 15 23:05:07 EST 2008.

PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client; it's somewhat limited in options. Tried setting it to 1, 2 and 5 as well, but it seemed to have no effect.