Problem connecting with mobile client…

ragtag

I'm having trouble setting up mobile clients with IPsec.

This is the error I get, and I don't know why. The server has a static ip and the client a dynamic o
ne (the client is an old iBook running OS X tiger using the built in VPN client).

Phase 1 seems to work, phase 2 seems to work too, as I read on the forum that I could ignore the pol
icy does not exist error. It waits a while after those errors, and then disconnects.

Anyone know what's wrong here? Or just how to set up a system where mobile clients can connect to IP
sec (I'm new to VPN in general).

Cheers,

ragtag

Feb 13 14:25:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 217.118.x.z[500]-89.8.x.z\
[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:25:49 racoon: INFO: purged ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA spi=94008622.
Feb 13 14:25:49 racoon: INFO: purging ISAKMP-SA spi=b202b433888c5e31:d91d307ec88ff8e0.
Feb 13 14:25:49 racoon: INFO: purged IPsec-SA proto_id=ESP spi=254906905.
Feb 13 14:25:49 racoon: INFO: generated policy, deleting it.
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "217.1\
18.x.z/32[1701] 10.253.47.92/32[49682] proto=udp dir=out"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.25\
3.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in"
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 217.118\
.x.z[0]->89.8.x.z[0] spi=254906905(0xf319219)
Feb 13 14:24:52 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Transport 89.8.x.\
z[0]->217.118.x.z[0] spi=94008622(0x59a752e)
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy\
 : 10.253.47.92/32[49682] 217.118.x.z/32[1701] proto=udp dir=in
Feb 13 14:24:51 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.118.x.\
z[0]<=>89.8.x.z[0]
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.118.x.z[500]-89.8\
.x.z[500] spi:b202b433888c5e31:d91d307ec88ff8e0
Feb 13 14:24:50 racoon: INFO: received Vendor ID: KAME/racoon
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 13 14:24:50 racoon: INFO: received Vendor ID: RFC 3947
Feb 13 14:24:50 racoon: INFO: begin Identity Protection mode.
Feb 13 14:24:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.118.x.\
z[500]<=>89.8.x.z[500]

databeestje

This is just a hunch. Since you didn't specify the release you are running on.

Try disabling PFS on the server and/or the client side for this mobile connection.
PFS == Perfect forward secrecy - Diffie Hellman group 1,2,5, or none.

Kind regards,

Seth

ragtag

Sorry, forgot to mention the pfsense version, it's 1.2-RC4 built on Tue Jan 15 23:05:07 EST 2008

PFS key group, if that's what you mean, has been set to off on the server. I'm not sure how you set PFS on the OS X client, it's somewhat limited in options. Tried setting it to 1,2 and 5 as well, but it seemed to have no effect.