Problem connecting with mobile client…



  • I'm having trouble setting up mobile clients with IPsec.

    This is the error I get, and I don't know why. The server has a static IP and the client a dynamic one (the client is an old iBook running OS X Tiger using the built-in VPN client).

    Phase 1 seems to work, phase 2 seems to work too, as I read on the forum that I could ignore the "policy does not exist" error. It waits a while after those errors, and then disconnects.

    Anyone know what's wrong here? Or just how to set up a system where mobile clients can connect to IPsec (I'm new to VPN in general).

    Cheers,

    ragtag

    
    Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
    Feb 13 14:25:49 racoon: INFO: purged ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
    Feb 13 14:25:49 racoon: INFO: purged IPsec-SA spi=94008622.
    Feb 13 14:25:49 racoon: INFO: purging ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
    Feb 13 14:25:49 racoon: INFO: purged IPsec-SA proto_id=ESP spi=254906905.
    Feb 13 14:25:49 racoon: INFO: generated policy, deleting it.
    Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "217.118.x.z/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
    Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
    Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
    Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
    Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
    Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
    Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.118.x.z[0]<=>89.8.x.z[0]
    Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
    Feb 13 14:24:50 racoon: INFO: received Vendor ID: KAME/racoon
    Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 13 14:24:50 racoon: INFO: received Vendor ID: RFC 3947
    Feb 13 14:24:50 racoon: INFO: begin Identity Protection mode.
    Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.118.x.z[500]<=>89.8.x.z[500]
    
    

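As an added diagnostic example (not part of the thread, and not pfSense's or racoon's own code), a small Python script that reads racoon log lines like the ones in the post above and summarises the negotiation: whether phase 1 and phase 2 completed, which of the server's proposals the peer rejected, what policy racoon had to generate on the fly, and how long the ISAKMP SA lived. The addresses in the embedded sample are placeholders, and the script assumes the standard syslog timestamp prefix shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in racoon's log format, modelled on the post above
# (placeholder addresses; newest entry first, as the forum post shows it).
SAMPLE_LOG = """\
Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 203.0.113.1[500]-198.51.100.7[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "203.0.113.1/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 203.0.113.1[0]->198.51.100.7[0] spi=254906905(0xf319219)
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 10.253.47.92/32[49682] 203.0.113.1/32[1701] proto=udp dir=in
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:b202b433888c5e31:d91d307ec88ff8e0
"""
SELECTOR = re.compile(r"(\S+)/\d+\[(\d+)\] (\S+)/\d+\[(\d+)\] proto=(\w+) dir=(\w+)")
MISMATCH = re.compile(r"trns_id mismatched: my:(\w+) peer:(\w+)")


def summarize_racoon(log_text):
    """Reduce a racoon log to what matters for a mobile-client negotiation:
    phase 1/2 outcome, rejected proposals, generated policies, SA lifetime."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    lines.sort(key=lambda l: datetime.strptime(l[:15], "%b %d %H:%M:%S"))  # oldest first
    s = {"phase1": False, "phase2_mode": None, "rejected": [], "generated_policies": [],
         "policy_errors": 0, "sa_lifetime_s": None, "notes": []}
    established_at = None
    for line in lines:
        when = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        if "ISAKMP-SA established" in line:          # phase 1 done
            s["phase1"], established_at = True, when
        elif "ISAKMP-SA deleted" in line and established_at:
            s["sa_lifetime_s"] = int((when - established_at).total_seconds())
        elif "IPsec-SA established" in line:         # phase 2 done; ESP/Tunnel or ESP/Transport
            s["phase2_mode"] = re.search(r"ESP/(\w+)", line).group(1)
        elif "such policy does not already exist" in line:
            s["policy_errors"] += 1
        elif (m := MISMATCH.search(line)):           # one of our proposals the peer rejected
            pair = "my:%s peer:%s" % m.groups()
            if pair not in s["rejected"]:
                s["rejected"].append(pair)
        elif "try to generate the policy" in line and (m := SELECTOR.search(line)):
            _, sport, _, dport, proto, direction = m.groups()
            s["generated_policies"].append((proto, sport, dport, direction))
            if proto == "udp" and "1701" in (sport, dport):
                s["notes"].append("peer asked for UDP/1701: this is L2TP over IPsec, "
                                  "not a plain IPsec tunnel")
    if s["phase2_mode"] == "Transport" and s["generated_policies"]:
        s["notes"].append("transport-mode SA with a racoon-generated policy: "
                          "no configured SPD entry matched this client")
    return s
```

Feed it the real log (with the masked addresses restored) and the notes show at a glance whether the client is doing L2TP/IPsec rather than the plain IPsec mobile-client setup the server side is configured for.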

  • This is just a hunch, since you didn't specify the release you are running on.

    Try disabling PFS on the server and/or the client side for this mobile connection.
    PFS == Perfect Forward Secrecy - Diffie-Hellman group 1, 2, 5, or none.

    Kind regards,

    Seth



  • Sorry, I forgot to mention the pfSense version: it's 1.2-RC4, built on Tue Jan 15 23:05:07 EST 2008.

    PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client; it's somewhat limited in options. I tried setting it to 1, 2 and 5 as well, but it seemed to have no effect.

