Netgate Discussion Forum

StrongSwan IPsec and ShrewSoft VPN panic

13 Posts 5 Posters 6.7k Views

Clouseau

I must ask if this StrongSwan really works at all? I have never had this many huge problems with IPsec in my life as with StrongSwan IPsec in pfSense. This is so far below ALPHA release level that I just must wonder how on earth this was implemented in pfSense 2.2? Really. Racoon was not perfect and it had its known limitations. It just worked for years! I understand the nice idea and the need to move to StrongSwan, but this was a catastrophic move for mobile clients. Sorry about the bad language: StrongSwan is a piece of S H I T! It's wasting all my time on debugging stupid errors which lead to no solution. Documentation sucks etc… Are you really sure about this "StrongSwan"? Did you ever really test this?

Fully working ShrewSoft VPN connection stopped working totally after upgrading from 2.2 RELEASE to 2.2.1 RELEASE!

Now getting error:

      Mar 20 10:19:26 	charon: 11[ENC] generating INFORMATIONAL_V1 request 3506100324 [ HASH N(INVAL_ID) ]
      Mar 20 10:19:26 	charon: 11[IKE] no matching CHILD_SA config found
Mar 20 10:19:26 	charon: 11[IKE] <con5|161> no matching CHILD_SA config found
      

Now it's time to put out perfect samples of how to configure StrongSwan Mobile VPN in pfSense with the ShrewSoft VPN client.

Again - sorry about the total frustration with StrongSwan, but now the game is over with StrongSwan :-X

      Q: Does Key Identifier work or is it still broken?

--------------------------------------------------------------
Multiple Alix 2D13, APU1, APU2, APU3 - pfSense 2.4.x 64bit
Multiple VMware vSphere - pfSense 2.4.x 64bit

pfSense - FreeNAS - OwnCloud

eri--

Can you share your configuration instead of your rant!?

Clouseau

pfSense and ShrewSoft config:

Mobile clients:

IKE Extensions Enabled
Group Authentication System
Virtual Address Pool 10.0.222.0/24
Network List Checked
DNS Default Domain mydomain.local
DNS Servers 10.0.0.1,10….
WINS Servers 10.0.0.X
Phase2 PFS Group Checked group off

IPsec
Phase 1: Mobile Client
General information
Key Exchange version V1
Interface WAN
Description Mobile VPN
Phase 1 proposal (Authentication)
Authentication method Mutual PSK
Negotiation mode Aggressive
My identifier My IP Address
Phase 1 proposal (Algorithms)
Encryption algorithm AES 256 bits
Hash algorithm SHA1
DH key group 1 (1024 bit)
Lifetime 28400
Advanced Options
Disable Rekey unchecked
Responder Only unchecked
NAT Traversal Force
Dead Peer Detection unchecked

Phase 2: Mobile Client
Mode Tunnel IPv4
Local Network
Type Lan Subnet
Type: None
Description MobileAP

Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms AES 256 bits
Hash algorithms SHA1
PFS key group 2 (1024 bit)
Lifetime 3600
Automatically ping host unchecked

Pre-Shared Keys
Identifier: 1.1.1.1
Type: PSK
Pre-Shared Key looooongandcrypticpassword

ShrewSoft VPN
Host IP: WAN public ip
Auto Configuration disabled
MTU 1380
Address 10.0.222.x

Client
NAT Traversal force-rfc
4500
15
IKE Fragmentation enable
Max packet size 540 bytes
Enable ISAKMP Failure Notifications
Name Resolution
DNS Enable ip-of dns
Authentication Mutual PSK
Identification type IP Address 1.1.1.1
Remote Identity: IP Address
Credentials: looooongandcrypticpassword

Phase 1
Exchange Type: Aggressive
DH Exchange group 2
Cipher Algorithm aes
Cipher Key Length: 256
Hash Algorithm sha1
Key Life Time limit 28400
Key Life Data limit 0

Phase 2
Transform Algorithm: esp-aes
Key length 256
HMAC: sha1
PFS Exchange: auto
Compress: disabled

Policy
Policy Generation Level: Unique
Obtain Topology Automatically

eri--

            Identification type IP Address 1.1.1.1

That is your issue.

AndersG

              FWIW,I used the documentation below and can get as far as logged in:

              http://www.hacktheory.org/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn-updated-pfsense-21-release/

Clouseau

                @ermal:

                Identification type IP Address 1.1.1.1

That is your issue.

Yes?
I have now tried to use the following identifier methods in the client (ShrewSoft):
Key Identifier/Key ID: user1@domain.com (fails in 2.2.1-RELEASE) (worked on 2.1 RELEASE)
FQDN: userpc.domain.com (fails in 2.2.1-RELEASE) (worked on 2.2 RELEASE)
UFQDN: user1@domain.com (fails in 2.2.1-RELEASE) (worked on 2.1 RELEASE)
IP Address: 1.1.1.1 (fails in 2.2.1-RELEASE) (worked on 2.2 RELEASE)

IPs shown here are not real! All Mobile IPsec connections stopped working after the upgrade to version 2.2.1!
Site-to-site connections still work OK!

eri--

Can you show the generated ipsec.conf and ipsec.secrets under /var/etc/ipsec?

Clouseau

Here you have it:

ipsec.conf: con5 is for mobile clients. The site-to-site VPNs work fine.

                    # This file is automatically generated. Do not edit
                    config setup
                    	uniqueids = yes
                    	charondebug="dmn 1,mgr 1,ike 1,chd 1"
                    
                    conn con2
                    	fragmentation = yes
                    	keyexchange = ikev2
                    	reauth = yes
                    	forceencaps = no
                    	mobike = no
                    	rekey = yes
                    	installpolicy = yes
                    	type = tunnel
                    	dpdaction = restart
                    	dpddelay = 10s
                    	dpdtimeout = 60s
                    	auto = route
                    	left = 123.123.123.123
                    	right = 234.234.234.234
                    	leftid = 123.123.123.123
                    	ikelifetime = 28800s
                    	lifetime = 3600s
                    	ike = aes256-sha1-modp1024!
                    	esp = aes256-sha1-modp1024!
                    	leftauth = psk
                    	rightauth = psk
                    	rightid = 234.234.234.234
                    	rightsubnet = 10.0.1.0/24
                    	leftsubnet = 10.0.0.0/24
                    
                    conn con4000
                    	reqid = 2
                    	fragmentation = yes
                    	keyexchange = ikev1
                    	reauth = yes
                    	forceencaps = no
                    	mobike = no
                    	rekey = yes
                    	installpolicy = yes
                    	type = tunnel
                    	dpdaction = restart
                    	dpddelay = 10s
                    	dpdtimeout = 110s
                    	auto = route
                    	left = 123.123.123.123
                    	right = 223.223.223.223
                    	leftid = 123.123.123.123
                    	ikelifetime = 28800s
                    	lifetime = 3600s
                    	ike = aes256-sha1-modp1024!
                    	esp = aes256-sha1-modp1024!
                    	leftauth = psk
                    	rightauth = psk
                    	rightid = 223.223.223.223
                    	aggressive = no
                    	rightsubnet = 10.0.4.0/24
                    	leftsubnet = 10.0.0.0/24
                    
                    conn con5
                    	reqid = 3
                    	fragmentation = yes
                    	keyexchange = ikev1
                    	reauth = yes
                    	forceencaps = yes
                    	mobike = no
                    	rekey = yes
                    	installpolicy = yes
                    	type = tunnel
                    	dpdaction = none
                    	auto = add
                    	left = 123.123.123.123
                    	right = %any
                    	leftid = 123.123.123.123
                    	ikelifetime = 28800s
                    	lifetime = 3600s
                    	rightsourceip = 10.0.222.0/24
                    	ike = aes256-sha1-modp1024!
                    	esp = aes256-sha1!
                    	leftauth = psk
                    	rightauth = psk
                    	aggressive = yes
                    	leftsubnet = 10.0.0.0/24
                    
                    conn con1
                    	reqid = 4
                    	fragmentation = yes
                    	keyexchange = ikev2
                    	reauth = yes
                    	forceencaps = no
                    	mobike = no
                    	rekey = yes
                    	installpolicy = yes
                    	type = tunnel
                    	dpdaction = restart
                    	dpddelay = 10s
                    	dpdtimeout = 60s
                    	auto = route
                    	left = 123.123.123.123
                    	right = site1.company.net
                    	leftid = 123.123.123.123
                    	ikelifetime = 28800s
                    	lifetime = 3600s
                    	ike = aes256-sha1-modp1024!
                    	esp = aes256-sha1-modp1024!
                    	leftauth = psk
                    	rightauth = psk
                    	rightid = @site1.company.net
                    	rightsubnet = 10.0.3.0/24
                    	leftsubnet = 10.0.0.0/24
                    

ipsec.secrets (secrets and IDs edited)

                    %any 234.234.234.234 : PSK 4pO2FZZUlUMjACCFDGwMlZQTg==
                    %any 223.223.223.223 : PSK 5dD2RGZUlUMjAwDEDEMlZQTg==
                    %any site1.company.net : PSK 0sX2FmZHHFFUMk9PMlZQTjJPMTUh
                    %any 1.1.1.1 : PSK 0sRGVtTCFFVvM3FGRTYXNzV09yZA==
                    

I must ask, but what about reqid = 3 and reqid = 4 pointing to the wrong ID, or does this have any order-specific role?

Clouseau

I tested all possible identification methods and got the following results. Just in case: all I changed was the Identification type, and it has the same extremely simple PSK: 1111111111 (just for this test).
Identification Type login test:

                      Key Identifier
                      Clouseau

                      Mar 26 08:48:28 	charon: 04[IKE] <con3|15> no shared key found for '123.123.123.123'[123.123.123.123] - 'Clouseau'[184.230.716.10]
                      
                      IP Address
                      184.230.716.10
                      Mar 26 08:53:52 	charon: 15[IKE] INFORMATIONAL_V1 request with message ID 4222051488 processing failed
                      Mar 26 08:53:52 	charon: 15[IKE] <con3|19> INFORMATIONAL_V1 request with message ID 4222051488 processing failed
                      Mar 26 08:53:52 	charon: 15[IKE] ignore malformed INFORMATIONAL request
                      Mar 26 08:53:52 	charon: 15[IKE] <con3|19> ignore malformed INFORMATIONAL request
                      Mar 26 08:53:52 	charon: 15[IKE] message parsing failed
                      Mar 26 08:53:52 	charon: 15[IKE] <con3|19> message parsing failed
                      Mar 26 08:53:52 	charon: 15[ENC] could not decrypt payloads
                      Mar 26 08:53:52 	charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?
                      Mar 26 08:53:52 	charon: 15[NET] received packet: from 184.230.716.10[4500] to 123.123.123.123[4500] (92 bytes)
                      Mar 26 08:53:52 	charon: 11[IKE] AGGRESSIVE request with message ID 0 processing failed
                      Mar 26 08:53:52 	charon: 11[IKE] <con3|19> AGGRESSIVE request with message ID 0 processing failed
                      Mar 26 08:53:52 	charon: 11[NET] sending packet: from 123.123.123.123[500] to 184.230.716.10[500] (76 bytes)
                      Mar 26 08:53:52 	charon: 11[ENC] generating INFORMATIONAL_V1 request 3721960054 [ HASH N(PLD_MAL) ]
                      Mar 26 08:53:52 	charon: 11[IKE] message parsing failed
                      Mar 26 08:53:52 	charon: 11[IKE] <con3|19> message parsing failed
                      Mar 26 08:53:52 	charon: 11[ENC] could not decrypt payloads
                      Mar 26 08:53:52 	charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
                      Mar 26 08:53:52 	charon: 11[NET] received packet: from 184.230.716.10[4500] to 123.123.123.123[4500] (108 bytes)
                      Mar 26 08:53:52 	charon: 11[NET] sending packet: from 123.123.123.123[500] to 184.230.716.10[500] (432 bytes)
                      Mar 26 08:53:52 	charon: 11[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
                      Mar 26 08:53:52 	charon: 11[CFG] selected peer config "con3"
Mar 26 08:53:52 	charon: 11[CFG] looking for pre-shared key peer configs matching 123.123.123.123...184.230.716.10[184.230.716.10]
                      

                      UFQDN
                      testuser.domain.com

                      Mar 26 09:00:32 	charon: 11[CFG] loaded IKE secret for %any testuser.domain.com
                      
Mar 26 09:01:35 	charon: 02[IKE] <con3|21> no shared key found for '123.123.123.123'[123.123.123.123] - 'testuser.domain.com'[184.230.716.10]
                      

                      FQDN
                      userpc.domain.com

                      Mar 26 09:04:20 	charon: 10[CFG] loaded IKE secret for %any userpc.domain.com
                      
                      Mar 26 09:05:28 	charon: 13[NET] sending packet: from 123.123.123.123[4500] to 84.230.716.10[4500] (76 bytes)
                      Mar 26 09:05:28 	charon: 13[ENC] generating INFORMATIONAL_V1 request 481338346 [ HASH N(INVAL_HASH) ]
                      Mar 26 09:05:28 	charon: 13[IKE] integrity check failed
                      Mar 26 09:05:28 	charon: 13[IKE] <con3|28> integrity check failed
                      Mar 26 09:05:28 	charon: 13[ENC] received HASH payload does not match
                      Mar 26 09:05:28 	charon: 13[ENC] parsed QUICK_MODE request 605194061 [ HASH SA No ID ID ]
                      Mar 26 09:05:28 	charon: 13[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (172 bytes)
                      Mar 26 09:05:26 	charon: 13[IKE] received retransmit of request with ID 2829101117, but no response to retransmit
                      Mar 26 09:05:26 	charon: 13[IKE] <con3|28> received retransmit of request with ID 2829101117, but no response to retransmit
                      Mar 26 09:05:26 	charon: 13[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (172 bytes)
                      Mar 26 09:05:23 	charon: 13[IKE] QUICK_MODE request with message ID 605194061 processing failed
                      Mar 26 09:05:23 	charon: 13[IKE] <con3|28> QUICK_MODE request with message ID 605194061 processing failed
                      Mar 26 09:05:23 	charon: 13[NET] sending packet: from 123.123.123.123[4500] to 84.230.716.10[4500] (76 bytes)
                      Mar 26 09:05:23 	charon: 13[ENC] generating INFORMATIONAL_V1 request 3303993014 [ HASH N(INVAL_HASH) ]
                      Mar 26 09:05:23 	charon: 13[IKE] integrity check failed
                      Mar 26 09:05:23 	charon: 13[IKE] <con3|28> integrity check failed
                      Mar 26 09:05:23 	charon: 13[ENC] received HASH payload does not match
                      Mar 26 09:05:23 	charon: 13[ENC] parsed QUICK_MODE request 605194061 [ HASH SA No ID ID ]
                      Mar 26 09:05:23 	charon: 13[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (172 bytes)
                      Mar 26 09:05:21 	charon: 13[NET] sending packet: from 123.123.123.123[4500] to 84.230.716.10[4500] (76 bytes)
                      Mar 26 09:05:21 	charon: 13[ENC] generating INFORMATIONAL_V1 request 1830118519 [ HASH N(INVAL_ID) ]
                      Mar 26 09:05:21 	charon: 13[IKE] no matching CHILD_SA config found
                      Mar 26 09:05:21 	charon: 13[IKE] <con3|28> no matching CHILD_SA config found
                      Mar 26 09:05:21 	charon: 13[ENC] parsed QUICK_MODE request 2829101117 [ HASH SA No ID ID ]
                      Mar 26 09:05:21 	charon: 13[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (172 bytes)
                      Mar 26 09:05:19 	charon: 13[NET] sending packet: from 123.123.123.123[500] to 194.157.17.174[500] (92 bytes)
                      Mar 26 09:05:19 	charon: 13[ENC] generating INFORMATIONAL_V1 request 951485560 [ HASH N(DPD_ACK) ]
                      Mar 26 09:05:19 	charon: 13[ENC] parsed INFORMATIONAL_V1 request 3850305277 [ HASH N(DPD) ]
                      Mar 26 09:05:19 	charon: 13[NET] received packet: from 194.157.17.174[500] to 123.123.123.123[500] (92 bytes)
                      Mar 26 09:05:18 	charon: 13[NET] sending packet: from 123.123.123.123[4500] to 84.230.716.10[4500] (76 bytes)
                      Mar 26 09:05:18 	charon: 13[ENC] generating INFORMATIONAL_V1 request 3893754789 [ HASH N(INVAL_ID) ]
                      Mar 26 09:05:18 	charon: 13[IKE] no matching CHILD_SA config found
                      Mar 26 09:05:18 	charon: 13[IKE] <con3|28> no matching CHILD_SA config found
                      Mar 26 09:05:18 	charon: 13[ENC] parsed QUICK_MODE request 605194061 [ HASH SA No ID ID ]
                      Mar 26 09:05:18 	charon: 13[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (172 bytes)
                      Mar 26 09:05:15 	charon: 11[ENC] parsed INFORMATIONAL_V1 request 882939610 [ HASH N(INITIAL_CONTACT) ]
                      Mar 26 09:05:15 	charon: 11[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (92 bytes)
                      Mar 26 09:05:15 	charon: 07[IKE] remote host is behind NAT
                      Mar 26 09:05:15 	charon: 07[IKE] <con3|28> remote host is behind NAT
                      Mar 26 09:05:15 	charon: 07[IKE] maximum IKE_SA lifetime 28454s
                      Mar 26 09:05:15 	charon: 07[IKE] <con3|28> maximum IKE_SA lifetime 28454s
                      Mar 26 09:05:15 	charon: 07[IKE] scheduling reauthentication in 27914s
                      Mar 26 09:05:15 	charon: 07[IKE] <con3|28> scheduling reauthentication in 27914s
                      Mar 26 09:05:15 	charon: 07[IKE] IKE_SA con3[28] established between 123.123.123.123[123.123.123.123]...84.230.716.10[userpc.domain.com]
                      Mar 26 09:05:15 	charon: 07[IKE] <con3|28> IKE_SA con3[28] established between 123.123.123.123[123.123.123.123]...84.230.716.10[userpc.domain.com]
                      Mar 26 09:05:15 	charon: 07[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
                      Mar 26 09:05:15 	charon: 07[NET] received packet: from 84.230.716.10[4500] to 123.123.123.123[4500] (108 bytes)
                      Mar 26 09:05:15 	charon: 07[NET] sending packet: from 123.123.123.123[500] to 84.230.716.10[500] (432 bytes)
                      Mar 26 09:05:15 	charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
                      Mar 26 09:05:15 	charon: 07[CFG] selected peer config "con3"
Mar 26 09:05:15 	charon: 07[CFG] looking for pre-shared key peer configs matching 123.123.123.123...84.230.716.10[userpc.domain.com]
                      

Looks like FQDN passes Phase 1 but Phase 2 now has issues.
=> Changed every possible ShrewSoft Phase 2 setting to the Auto value - that did not help at all. Checked all values manually to match Phase 2 - same result. Tunnel is enabled but the Phase 2 SA fails.

Have no idea what's really going on - this has been working since version 1.x, but now has totally stopped working in the latest release.

Clouseau
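A small triage script for charon lines of the kind posted above, added here as an example (it is not code from the thread, from pfSense or from strongSwan). It groups lines per charon worker thread, picks up the IKE_SA tag (such as <con3|28>) when one appears, and reports the IKEv1 phase in which each negotiation failed and the notify that closed it; the sample log embedded in it is constructed from shortened lines of this thread, in the newest-first order pfSense displays.

```python
"""Triage of strongSwan (charon) IKEv1 log lines as shown in pfSense's IPsec log.

Added example (not from the thread, pfSense or strongSwan). Phrases quoted in this
thread are mapped to the IKEv1 phase they belong to and the notify charon sent.
"""
import re

# "charon: 13[ENC] <con3|28> ..." -> worker thread id, log group, message text.
THREAD_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
SA_TAG_RE = re.compile(r"<(?P<sa>[A-Za-z0-9_]+\|\d+)>")
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<type>[A-Z_]+)\) \]")
ESTABLISHED_RE = re.compile(
    r"IKE_SA (?P<sa>\S+)\[(?P<id>\d+)\] established between .*\.\.\.\S+\[(?P<peer_id>[^\]]+)\]")
NO_PSK_RE = re.compile(r"no shared key found for '[^']*'\[[^\]]*\] - '(?P<peer_id>[^']*)'")

# Phrases from the posted logs: the IKEv1 phase they belong to and a short reading.
REASONS = [
    (re.compile(r"could not decrypt payloads"), 1,
     "phase 1 payloads could not be decrypted; the keys derive from the PSK, so the PSK "
     "picked for this peer identity is not the one the client is using"),
    (re.compile(r"no matching CHILD_SA config found"), 2,
     "Quick Mode ID payloads (client address / remote network) match no phase 2 entry"),
    (re.compile(r"received HASH payload does not match"), 2,
     "Quick Mode message failed the HASH check; compare phase 2 proposal and PFS on both ends"),
]


def triage(log_text, newest_first=True):
    """Return one finding per failed or established negotiation, in time order.

    newest_first=True reverses the input, because the pfSense IPsec log page (and the
    posts in this thread) list the most recent line first.
    """
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()
    pending = {}   # worker thread id -> finding being assembled
    findings = []
    for line in lines:
        m = THREAD_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        f = pending.setdefault(thread, {"sa": None, "phase": None, "result": None,
                                        "reason": None, "notify": None})
        tag = SA_TAG_RE.search(msg)
        if tag:
            f["sa"] = tag.group("sa")
        est = ESTABLISHED_RE.search(msg)
        if est:    # phase 1 done; any phase 2 trouble shows up on a later thread
            findings.append({"sa": f"{est.group('sa')}|{est.group('id')}", "phase": 1,
                             "result": "established", "reason": None, "notify": None,
                             "peer_id": est.group("peer_id")})
            pending.pop(thread, None)
            continue
        nopsk = NO_PSK_RE.search(msg)
        if nopsk:  # charon gives up before sending a notify, so report right away
            f.update(phase=1, result="failed", reason="no ipsec.secrets entry matches "
                     f"peer identity '{nopsk.group('peer_id')}'")
            findings.append(f)
            pending.pop(thread, None)
            continue
        for rx, phase, reading in REASONS:
            if rx.search(msg):
                f.update(phase=phase, result="failed", reason=reading)
                break
        notify = NOTIFY_RE.search(msg)
        if notify:  # the error notify closes the exchange on this thread
            f["notify"] = notify.group("type")
            if f["reason"]:
                findings.append(f)   # DPD_ACK and similar carry no failure: dropped
            pending.pop(thread, None)
    return findings


# Constructed sample in pfSense's newest-first order, trimmed from the lines in this thread.
SAMPLE_LOG = """\
Mar 26 09:05:23 charon: 13[ENC] generating INFORMATIONAL_V1 request 3303993014 [ HASH N(INVAL_HASH) ]
Mar 26 09:05:23 charon: 13[IKE] <con3|28> integrity check failed
Mar 26 09:05:23 charon: 13[ENC] received HASH payload does not match
Mar 26 09:05:23 charon: 13[ENC] parsed QUICK_MODE request 605194061 [ HASH SA No ID ID ]
Mar 26 09:05:18 charon: 13[ENC] generating INFORMATIONAL_V1 request 3893754789 [ HASH N(INVAL_ID) ]
Mar 26 09:05:18 charon: 13[IKE] <con3|28> no matching CHILD_SA config found
Mar 26 09:05:18 charon: 13[ENC] parsed QUICK_MODE request 605194061 [ HASH SA No ID ID ]
Mar 26 09:05:15 charon: 07[IKE] <con3|28> IKE_SA con3[28] established between 123.123.123.123[123.123.123.123]...84.230.716.10[userpc.domain.com]
Mar 26 08:53:52 charon: 11[ENC] generating INFORMATIONAL_V1 request 3721960054 [ HASH N(PLD_MAL) ]
Mar 26 08:53:52 charon: 11[IKE] <con3|19> AGGRESSIVE request with message ID 0 processing failed
Mar 26 08:53:52 charon: 11[ENC] could not decrypt payloads
Mar 26 08:53:52 charon: 11[CFG] selected peer config "con3"
Mar 26 08:48:28 charon: 04[IKE] <con3|15> no shared key found for '123.123.123.123'[123.123.123.123] - 'Clouseau'[184.230.716.10]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['sa']}: phase {f['phase']} {f['result']}"
              + (f" N({f['notify']})" if f["notify"] else "")
              + (f" - {f['reason']}" if f["reason"] else f" (peer id {f['peer_id']})"))
```

Run against a saved copy of the pfSense IPsec log it separates the phase 1 identity/PSK failures (Key Identifier, IP Address) from the phase 2 Quick Mode failures (FQDN) that the posts above show.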

                        Mobile IPSec still dead…

petruha5

I confirm the problem.
After upgrading from 2.1.5 to 2.2.2 (racoon -> strongswan) I have a problem with authorization of mobile clients connecting from Windows platforms using the ShrewSoft VPN client, those with login and password stored in the Pre-Shared Keys. Normally the tunnel comes up only for clients whose ID and pre-shared key are described in the first phase.

                          My configuration:
                          Phase1 General Information:
                          Internet Protocol: IPv4
                          Interface: WAN
                          Description:

                          Phase1 proposal (Authentication):
                          Authentication method: “Mutual PSK + Xauth”
                          Negotiation mode: aggressive
                          My identifier: “My IP address”
                          Peer Identifier: “Distinguished name”: “user1”
                          Pre-Shared Key: “superpass”
                          Encryption algorithm: “AES-256”
                          Hash algorithm: “SHA1”
                          DH Group: “2(1024 bit)”
                          Lifetime: “28800”

                          Advanced Options:
                          NAT Traversal: “AUTO”
                          Dead Peer Detection: “Enabled”
--------------------------------------------------
                          ipsec.secrets:

                          x.x.x.x user1 : PSK 0sMjU0NTG2NzE=
                          %any Directorat : PSK 0sRnJjPKV0SDdCMiRh
                          %any Users : PSK 0sUJJVCZTgKcGhlcEBL

, where x.x.x.x is the "white" WAN IP of my pfSense router

bel574

                            @Clouseau:

I must ask if this StrongSwan really works at all? I have never had this many huge problems with IPsec in my life as with StrongSwan IPsec in pfSense.

Fully working ShrewSoft VPN connection stopped working totally after upgrading from 2.2 RELEASE to 2.2.1 RELEASE!

Now getting error:

                            Mar 20 10:19:26 	charon: 11[ENC] generating INFORMATIONAL_V1 request 3506100324 [ HASH N(INVAL_ID) ]
                            Mar 20 10:19:26 	charon: 11[IKE] no matching CHILD_SA config found
Mar 20 10:19:26 	charon: 11[IKE] <con5|161> no matching CHILD_SA config found
                            

Has it ever been solved? I decided to switch from a Zywall USG 50 to pfSense (2.3.2-RELEASE-p1) and so far was very impressed with it. There are some rough edges, but at the moment I am mostly concerned with the VPN not working. The Shrew client worked (and still works) great for 3 years with the USG 50 (a very reliable and decent device with only one drawback - 60/70 Mbps throughput). I quickly configured pfSense and have already spent several hours just banging my head on the table - I am getting the same error quoted above.

What is hurting the most is that at the same time, using the same set of settings (except for a different FQDN), the USG 50 continues to work with this particular remote PC running the Shrew client. At this point I begin to wonder if the implementation of IPsec in pfSense is mature enough to be used in a small business environment (unfortunately, that alone would be enough to stop using pfSense).

                            What would you say ?

                            Thanks!

bel574

For those who still have problems with the Shrew VPN client and pfSense Mobile Clients: to make it work, try the following settings in the Shrew client:

a) General -> Auto Configuration -> ike config pull

b) Phase 2 (this is what gives you the grief, or at least what is being discussed in this topic) -> esp-aes / 256 / md5 / pfs - group 2 (can be any if set properly on both ends)

and everything should work.

If it does not, run Shrew VPN Trace (a utility coming with the Shrew VPN), change the debug log verbosity, and you will get a log. Examine both logs (Shrew's one and pfSense's IPsec log) and things should be more or less clear; you will see what is wrong.

It's beyond me why, when I set up a site-to-site tunnel in Shrew, I can easily do that with manual configuration and the phase 2 settings mentioned in multiple pfSense tutorials: esp-aes / 256 / sha1. But for the mobile client pfSense requires esp-aes / 256 / md5 - that is utterly strange.

Over the last 2 days I read a lot of posts on this forum and other places regarding Shrew VPN related problems. I guess it speaks volumes. Anyway, I am glad that eventually I made it work.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.