FortiClient VPN
Hello to all,
I'm trying to connect to a client's VPN using FortiClient VPN 4.2.3.271, but I'm unable to get through phase 1.
I used tcpdump on pfSense 2.2.3 to monitor IPsec traffic and I can see that phase 1 packets are going out and they are getting back (bge2 is my LAN interface and pppoe0 is my WAN interface):
tcpdump -n -vv -i bge2 host xx.xx.xx.xx
tcpdump: listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=8)
(vid: len=16)

tcpdump -n -i bge2 host yy.yy.yy.yy or host xx.xx.xx.xx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
11:51:46.207595 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:51:51.199541 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:51:56.199731 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:01.199822 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:06.215499 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
11:52:11.215851 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident

tcpdump -n -vv -i pppoe0 host xx.xx.xx.xx
tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
(vid: len=16)
(vid: len=16)
(vid: len=8)
(vid: len=16)

For me it looks like pfSense is not passing the reply from the peer to the LAN IP address: xx.xx.xx.xx.500 -> 192.168.1.52.500
VPN client log error: _The peer is not responding to phase 1 ISAKMP requests_
Up front I'd like to say that firewall rules are added on the WAN interface:
IPv4 TCP/UDP    *               4500 (IPsec NAT-T)    none    IPsec NAT-T
IPv4 TCP/UDP    500 (ISAKMP)    *                     none    ISAKMP

Does anybody have an idea what is going on?
Thanks in advance…
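The captures in the post show the initiator cookie (b0cfbf2c736d43a2) leaving the LAN host with a zero responder cookie, and the peer's reply arriving on the WAN with both cookies filled in but addressed to a NAT-translated port (13563) and never appearing on the LAN side. The script below is an added example (not the poster's code, and not part of pfSense or FortiClient): it parses tcpdump -vv lines from a LAN and a WAN capture, correlates them by initiator cookie, and states for each exchange whether the reply reached the WAN and whether it was forwarded to the LAN client. The sample lines are constructed from the post's own output (placeholder addresses xx.xx.xx.xx and yy.yy.yy.yy kept as-is); the function names and the default client and WAN addresses are assumptions.

```python
"""Correlate ISAKMP phase 1 packets seen on a LAN and a WAN capture.

Added example, not from the original forum post: reads tcpdump -vv lines,
keys them by the ISAKMP initiator cookie, and reports whether the peer's
reply reached the WAN interface and whether it was forwarded to the LAN
client. Hypothetical helper names; addresses below are placeholders.
"""
import re
from collections import defaultdict

ZERO_COOKIE = "0" * 16

# tcdump -vv prints "src.port > dst.port:" and the cookie pair on one line.
ISAKMP_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): .*?"
    r"cookie (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16}): phase 1"
)

VERDICT_NO_REPLY = "no phase 1 reply reached the WAN interface"
VERDICT_NOT_FORWARDED = "reply reached WAN but was not forwarded to the LAN client"
VERDICT_OK = "phase 1 reply delivered to the LAN client"

# Constructed sample captures modelled on the tcpdump output in the post.
LAN_CAPTURE = """\
11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
    192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
"""
WAN_CAPTURE = """\
11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
    xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
"""


def parse_isakmp(text):
    """Return one dict per ISAKMP phase 1 packet found in tcpdump -vv output."""
    packets = []
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            packets.append(pkt)
    return packets


def analyze(lan_text, wan_text, lan_client="192.168.1.52", wan_ip="yy.yy.yy.yy"):
    """Correlate initiator requests with responder replies by initiator cookie."""
    findings = defaultdict(lambda: {
        "sent_from_lan": 0, "reply_on_wan": False, "nat_port": None,
        "reply_on_lan": False, "verdict": None})
    for pkt in parse_isakmp(lan_text):
        f = findings[pkt["icookie"]]
        if pkt["src"] == lan_client and pkt["rcookie"] == ZERO_COOKIE:
            f["sent_from_lan"] += 1          # initiator request or retransmit
        elif pkt["dst"] == lan_client and pkt["rcookie"] != ZERO_COOKIE:
            f["reply_on_lan"] = True         # reply translated back to the client
    for pkt in parse_isakmp(wan_text):
        f = findings[pkt["icookie"]]
        if pkt["dst"] == wan_ip and pkt["rcookie"] != ZERO_COOKIE:
            f["reply_on_wan"] = True
            f["nat_port"] = pkt["dport"]     # source port chosen by outbound NAT
    for f in findings.values():
        if f["reply_on_lan"]:
            f["verdict"] = VERDICT_OK
        elif f["reply_on_wan"]:
            f["verdict"] = VERDICT_NOT_FORWARDED
        else:
            f["verdict"] = VERDICT_NO_REPLY
    return dict(findings)


if __name__ == "__main__":
    for cookie, f in analyze(LAN_CAPTURE, WAN_CAPTURE).items():
        print(f"initiator cookie {cookie}: {f['sent_from_lan']} request(s) from LAN, "
              f"reply on WAN={f['reply_on_wan']} (NAT port {f['nat_port']}), "
              f"reply on LAN={f['reply_on_lan']} -> {f['verdict']}")
```

Run against the post's captures it reports "reply reached WAN but was not forwarded to the LAN client", which separates a non-responding peer from a translation or filtering problem on the firewall; the NAT port it extracts shows whether outbound NAT rewrote the UDP 500 source port, which is the state the return packet has to match.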