FortiClient VPN



    Hello to all,

    I'm trying to connect to a client's VPN using FortiClient VPN 4.2.3.271, but I'm unable to get through phase 1.

    I used tcpdump on pfSense 2.2.3 to monitor IPsec traffic, and I can see that the phase 1 packets are going out and replies are coming back (bge2 is my LAN interface and pppoe0 is my WAN interface):

    tcpdump -n -vv -i bge2 host xx.xx.xx.xx

    tcpdump: listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
        192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
        (sa: doi=ipsec situation=identity
            (p: #1 protoid=isakmp transform=1
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
        (vid: len=16)
        (vid: len=16)
        (vid: len=16)
        (vid: len=16)
        (vid: len=8)
        (vid: len=16)

    tcpdump -n -i bge2 host yy.yy.yy.yy or host xx.xx.xx.xx

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    11:51:46.207595 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:51:51.199541 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:51:56.199731 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:01.199822 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:06.215499 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:11.215851 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident

    tcpdump -n -vv -i pppoe0 host xx.xx.xx.xx

    tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 65535 bytes
    capability mode sandbox enabled
    11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
        xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
        (sa: doi=ipsec situation=identity
            (p: #1 protoid=isakmp transform=1
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
        (vid: len=16)
        (vid: len=16)
        (vid: len=8)
        (vid: len=16)

    To me it looks like pfSense is not passing the reply from the peer to the LAN IP address: xx.xx.xx.xx.500 -> 192.168.1.52.500

    VPN client log error:

    "The peer is not responding to phase 1 ISAKMP requests"

    Up front I'd like to say that firewall rules have been added on the WAN interface:

    IPv4 TCP/UDP   *   4500 (IPsec NAT-T)   none   IPsec NAT-T
    IPv4 TCP/UDP       500 (ISAKMP)     *   none   ISAKMP

    Does anybody have an idea what is going on?

    Thanks in advance…
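As an added example (not part of the post), a small Python script that does what the two tcpdump runs above invite you to do by eye: correlate the LAN-side and WAN-side views of the same IKE phase 1 exchange by initiator cookie and name the hop where the exchange stops. The sample lines are constructed, collapsed to one packet per line, and use documentation addresses in place of xx.xx.xx.xx (peer) and yy.yy.yy.yy (pfSense WAN).

```python
import re

# Constructed sample captures modelled on the post's tcpdump output.
# tcpdump -vv prints these fields over several lines; here each packet is
# collapsed to one line. 203.0.113.10 = VPN peer, 198.51.100.7 = pfSense WAN.
LAN_CAPTURE = """\
11:43:36.556167 IP 192.168.1.52.500 > 203.0.113.10.500: isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident
11:43:41.556200 IP 192.168.1.52.500 > 203.0.113.10.500: isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident
"""
WAN_CAPTURE = """\
11:43:36.556900 IP 198.51.100.7.13563 > 203.0.113.10.500: isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident
11:43:51.643970 IP 203.0.113.10.500 > 198.51.100.7.13563: isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident
"""

# Source/destination, ports and the initiator cookie are enough to pair packets.
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"isakmp .*?cookie (?P<icookie>[0-9a-f]{16})->[0-9a-f]{16}: phase 1"
)

def tally(capture, peer):
    """Count phase 1 packets per initiator cookie as seen on one interface.
    Returns {cookie: {"to_peer": n, "from_peer": n, "nat_sport": port}}."""
    stats = {}
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        s = stats.setdefault(m["icookie"], {"to_peer": 0, "from_peer": 0, "nat_sport": None})
        if m["dst"] == peer:
            s["to_peer"] += 1
            s["nat_sport"] = int(m["sport"])  # the port the peer will answer to
        elif m["src"] == peer:
            s["from_peer"] += 1
    return stats

def diagnose(lan_capture, wan_capture, peer):
    """Compare the LAN and WAN views of each exchange and report where it breaks."""
    lan, wan = tally(lan_capture, peer), tally(wan_capture, peer)
    verdicts = {}
    for cookie, l in lan.items():
        w = wan.get(cookie, {"to_peer": 0, "from_peer": 0, "nat_sport": None})
        if w["to_peer"] == 0:
            verdicts[cookie] = "request never left WAN: check outbound rules/NAT"
        elif w["from_peer"] == 0:
            verdicts[cookie] = "peer did not answer on WAN: check peer/ISP"
        elif l["from_peer"] == 0:
            verdicts[cookie] = (f"peer replied on WAN to NAT port {w['nat_sport']} but reply "
                                f"was not forwarded to LAN: check state/NAT for UDP 500")
        else:
            verdicts[cookie] = "phase 1 exchange visible end to end"
    return verdicts
```

On the constructed captures the verdict is the one the post arrives at: the peer's answer reaches the WAN side (to the translated source port) but never appears on the LAN side.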