4. FrotiClient VPN

FrotiClient VPN

  • C

    Hello to all,

    I'm trying to connect to client's vpn using FrotiClient VPN 4.2.3.271, but I'm unable to go through phase 1.

    I used tcpdump on pfSense 2.2.3 to monitor IPSEC traffic and I can see that phase 1 packets are going out and they are getting back (bge2 is my LAN interface and pppoe0 is my WAN interface):

    tcpdump -n -vv -i bge2 host xx.xx.xx.xx

    tcpdump: listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    11:43:36.556167 IP (tos 0x0, ttl 128, id 13038, offset 0, flags [none], proto UDP (17), length 224)
        192.168.1.52.500 > xx.xx.xx.xx.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->0000000000000000: phase 1 I ident:
        (sa: doi=ipsec situation=identity
            (p: #1 protoid=isakmp transform=1
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
        (vid: len=16)
        (vid: len=16)
        (vid: len=16)
        (vid: len=16)
        (vid: len=8)
        (vid: len=16)

    tcpdump -n -i bge2 host yy.yy.yy.yy or host xx.xx.xx.xx

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge2, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    11:51:46.207595 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:51:51.199541 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:51:56.199731 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:01.199822 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:06.215499 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
    11:52:11.215851 IP 192.168.1.52.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident

    tcpdump -n -vv -i pppoe0 host xx.xx.xx.xx

    tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 65535 bytes
    capability mode sandbox enabled
    11:43:51.643970 IP (tos 0x0, ttl 60, id 35722, offset 0, flags [none], proto UDP (17), length 184)
        xx.xx.xx.xx.500 > yy.yy.yy.yy.13563: [udp sum ok] isakmp 1.0 msgid 00000000 cookie b0cfbf2c736d43a2->b5c075837d496260: phase 1 ? ident:
        (sa: doi=ipsec situation=identity
            (p: #1 protoid=isakmp transform=1
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=00c0)(type=auth value=preshared)(type=hash value=sha2-256)(type=group desc value=modp1536))))
        (vid: len=16)
        (vid: len=16)
        (vid: len=8)
        (vid: len=16)

    For me it looks like pfSense not passing reply from peer to lan ip address: xx.xx.xx.xx.500 -> 192.168.1.52.500
    _VPN Client log error:

    The peer is not responding to phase 1 ISAKMP requests_

    At front I'd like to say that firewall rules are added on wan interface:

    IPv4 TCP/UDP*4500 (IPsec NAT-T)none IPsec NAT-T
    IPv4 TCP/UDP    500 (ISAKMP)*none ISAKMP

    Does anybody have an idea what is going on?

    Thanks in advance…

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy