Netgate Discussion Forum
    FortiClient VPN

    IPsec
    c.zaborowski

      Hello to all,

      I'm trying to connect to a client's VPN using FortiClient VPN 4.2.3.271, but I'm unable to get through phase 1.

      I used tcpdump on pfSense 2.2.3 to monitor IPsec traffic, and I can see that phase 1 packets are going out and that replies are coming back (bge2 is my LAN interface and pppoe0 is my WAN interface):

      tcpdump -n -vv -i bge2 host xx.xx.xx.xx

      tcpdump: listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
      capability mode sandbox enabled
      11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
          192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
          (sa: doi=ipsec situation=identity
              (p: #1 protoid=isakmp transform=1
                  (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
          (vid: len=16)
          (vid: len=16)
          (vid: len=16)
          (vid: len=16)
          (vid: len=8)
          (vid: len=16)

      tcpdump -n -i bge2 host yy.yy.yy.yy or host xx.xx.xx.xx

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
      capability mode sandbox enabled
      11:51:46.207595 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
      11:51:51.199541 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
      11:51:56.199731 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
      11:52:01.199822 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
      11:52:06.215499 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
      11:52:11.215851 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident

      tcpdump -n -vv -i pppoe0 host xx.xx.xx.xx

      tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 65535 bytes
      capability mode sandbox enabled
      11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
          xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
          (sa: doi=ipsec situation=identity
              (p: #1 protoid=isakmp transform=1
                  (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
          (vid: len=16)
          (vid: len=16)
          (vid: len=8)
          (vid: len=16)

      To me it looks like pfSense is not passing the reply from the peer to the LAN IP address: xx.xx.xx.xx.500 -> 192.168.1.52.500

      VPN client log error:

      The peer is not responding to phase 1 ISAKMP requests

      Up front I'd like to say that firewall rules have been added on the WAN interface:

      IPv4 TCP/UDP   *   4500 (IPsec NAT-T)   none   IPsec NAT-T
      IPv4 TCP/UDP   *   500 (ISAKMP)         none   ISAKMP

      Does anybody have an idea what is going on?

      Thanks in advance…

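The post above reads three tcpdump captures by eye to decide where the phase 1 reply gets lost. The following is an added example (not code from the post, from pfSense or from tcpdump) that does the same correlation programmatically: it parses the ISAKMP lines from the LAN and WAN captures, ties the peer's reply to the client's request by initiator cookie (only available with -vv), reports whether the reply's destination port differs from 500 (which shows that outbound NAT rewrote the client's source port on the way out, as the 13563 in the WAN capture does), and states whether a reply ever appears on the LAN side. The sample captures are copied from the post (xx.xx.xx.xx and yy.yy.yy.yy are the poster's placeholders); HEALTHY_LAN is a constructed variant with a reply that does reach the client, added to show the other outcome. Function and variable names are our own.

```python
"""Correlate IKEv1 phase 1 packets seen on a LAN and a WAN tcpdump capture.

Added example, not code from the original post or from pfSense/tcpdump.
Sample captures are copied from the post (xx.xx.xx.xx / yy.yy.yy.yy are the
poster's placeholders); HEALTHY_LAN is a constructed variant.
"""
import re

# One regex for both `tcpdump -n` and `tcpdump -n -vv` ISAKMP lines. Only the
# -vv form carries the initiator/responder cookies, which are the reliable way
# to tie a reply back to the request it answers.
ISAKMP_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?:\[udp sum ok\] )?isakmp"
    r"(?: 1\.0 msgid (?P<msgid>[0-9a-f]+) cookie "
    r"(?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}))?"
    r": phase (?P<phase>\d) (?P<dir>[IR?]) (?P<exch>\w+)"
)


def parse_capture(text):
    """Return one dict per ISAKMP packet line in a tcpdump capture."""
    records = []
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if not m:
            continue  # IP header lines, SA payload dump, vendor IDs, etc.
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def correlate(lan_text, wan_text, client_ip, peer_ip):
    """Follow one client's phase 1 attempt from LAN to WAN and back.

    Matches on initiator cookie when the captures were taken with -vv and
    falls back to matching on addresses only otherwise.
    """
    lan = parse_capture(lan_text)
    wan = parse_capture(wan_text)
    requests = [r for r in lan
                if r["src"] == client_ip and r["dst"] == peer_ip and r["dir"] == "I"]
    cookies = {r["icookie"] for r in requests if r["icookie"]}
    # tcpdump prints '?' as the direction when it cannot decide, so WAN-side
    # replies are selected by peer address and cookie, not by direction.
    wan_replies = [r for r in wan
                   if r["src"] == peer_ip and (not cookies or r["icookie"] in cookies)]
    lan_replies = [r for r in lan if r["src"] == peer_ip and r["dst"] == client_ip]
    result = {
        "lan_requests": len(requests),
        "wan_replies": len(wan_replies),
        "lan_replies": len(lan_replies),
        # A reply aimed at a port other than 500 means outbound NAT rewrote the
        # client's source port; the reverse translation must happen for the
        # reply to reach the client.
        "nat_ports": sorted({r["dport"] for r in wan_replies if r["dport"] != 500}),
        # Non-zero responder cookie: the peer accepted the proposal and answered.
        "peer_answered": any(r["rcookie"] is not None and int(r["rcookie"], 16) != 0
                             for r in wan_replies),
    }
    if not requests:
        result["verdict"] = "no phase 1 request from client seen on LAN"
    elif not wan_replies:
        result["verdict"] = "peer did not answer on WAN"
    elif not lan_replies:
        result["verdict"] = "peer reply reached WAN but was not forwarded to the LAN client"
    else:
        result["verdict"] = "phase 1 exchange flows both ways"
    return result


# Captures copied from the post (LAN with -vv, LAN without -vv, WAN with -vv).
LAN_VERBOSE = """\
11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
    192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
"""
LAN_BRIEF = """\
11:51:46.207595 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:51:51.199541 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:51:56.199731 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:01.199822 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:06.215499 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:11.215851 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
"""
WAN_VERBOSE = """\
11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
    xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
"""
# Constructed: what the LAN capture would show if the reply were forwarded.
HEALTHY_LAN = LAN_VERBOSE + """\
11:43:51.650000 IP (tos 0x0, ttl 59, id 35722, offset 0, flags [none], proto UDP (17), length 184)
    xx.xx.xx.xx.500 > 192.168.1.52.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 R ident:
"""

if __name__ == "__main__":
    for name, lan in (("post", LAN_VERBOSE), ("constructed healthy", HEALTHY_LAN)):
        print(name, correlate(lan, WAN_VERBOSE, "192.168.1.52", "xx.xx.xx.xx"))
```

Run with the two captures from the post and the correlator reports one request on the LAN, one cookie-matched reply on the WAN addressed to port 13563 rather than 500, a non-zero responder cookie, and no reply on the LAN; with the constructed healthy capture it reports the exchange flowing both ways. Take both captures with -vv when using this, since without the cookies the WAN-side match degrades to addresses only.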
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.