Netgate Discussion Forum
    Mobile client issue

    Category: IPsec
    20 Posts, 3 Posters, 7.3k Views
    clxinfo:

    I've configured my pfSense 1.2 server as a mobile client server, and another pfSense 1.2 box with an IPsec tunnel to the mobile client server, and I'm unable to establish a connection to the server. I've opened the ports for ESP and UDP 500, but nothing in my log tells me that phase 1 starts to negotiate. Does someone have a how-to or an answer to that issue?

      PLEASE

    heiko:

    If you have enabled the "Mobile Client" option in 1.2, all needed rules are opened behind the scenes. You don't need extra rules for ESP and UDP 500. 1.2 with mobile IPsec runs fine, so please double-check your config or post it here so we can take a deeper look…

    hoba:

    Correct, you don't need firewall rules for this. pfSense does that behind the scenes when the services are enabled. Please show us the logs of both systems and the IPsec settings of both endpoints. Also, if some kind of NAT or whatever is involved, the network topology would be interesting too (static, dynamic IPs, and so on).

    clxinfo:

    Thanks guys for the fast reply. Here is my config.

    On the mobile client:

    Interface: WAN
    Local subnet:
    Remote subnet: 192.168.16.0/24
    Remote gateway: 70.50.XX.XX

    Phase 1:
      Negotiation mode: aggressive
      My identifier: FQDN pflachute.XXX.XXX
      Encryption: 3DES
      Hash: SHA1
      DH key group: 2
      Lifetime: 28800
      Authentication: Pre-shared key

    Phase 2:
      Protocol: ESP
      Encryption: Rijndael (AES)
      Hash: SHA1
      PFS key group: off
      Lifetime: 86400

    Keep alive: 70.50.XX.XX

    On the server:

    Phase 1 proposal (Authentication):
      Negotiation mode: aggressive
      My identifier: My IP address
      Encryption: 3DES
      Hash: SHA1
      DH key group: 1, 2
      Lifetime: 28800

    Phase 2:
      Protocol: ESP
      Encryption algorithms: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
      Hash algorithms: SHA1, MD5
      PFS key group: off
      Lifetime: 86400

    Thanks

    hoba:

    Did you create an identifier at the server end (the one with the static IP and the mobile client setting)?

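The two configurations posted above, together with hoba's question about the identifier entry, come down to one check: does each phase have at least one proposal that both ends list, do the traffic selectors line up, and does the server hold a pre-shared key for the identity the client sends in aggressive mode? The script below is an added example, not pfSense or racoon code. Its dictionary layout and field names are hypothetical; CLIENT and SERVER are constructed from the settings posted in the thread, with three assumptions: the client's local subnet is taken from the 10.128.0.0/24 selectors that appear in the later log lines, the server's local subnet from the client's remote subnet, and client.example.net stands in for the masked FQDN.

```python
"""Proposal-compatibility check for a pair of IPsec endpoints (added example,
not pfSense or racoon code; field names are hypothetical)."""
import copy

# Constructed from the thread's posted settings (see assumptions in the lead-in).
CLIENT = {
    "name": "mobile client",
    "local_subnet": "10.128.0.0/24",         # assumed from the later log selectors
    "remote_subnet": "192.168.16.0/24",
    "identifier": "client.example.net",      # placeholder for the masked FQDN
    "psk_identifiers": set(),                # the client keys the server by address
    "phase1": {"mode": "aggressive", "encryption": {"3DES"}, "hash": {"SHA1"},
               "dh": {2}, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": {"AES"}, "hash": {"SHA1"},
               "pfs": None, "lifetime": 86400},
}

SERVER = {
    "name": "mobile client server",
    "local_subnet": "192.168.16.0/24",       # assumed from the client's remote subnet
    "remote_subnet": None,                   # None: learned from whichever client connects
    "identifier": None,                      # identifies itself by IP address
    "psk_identifiers": {"client.example.net"},  # the identifier entry hoba asked about
    "phase1": {"mode": "aggressive", "encryption": {"3DES"}, "hash": {"SHA1"},
               "dh": {1, 2}, "lifetime": 28800},
    "phase2": {"protocol": "ESP",
               "encryption": {"3DES", "Blowfish", "CAST128", "AES", "AES256"},
               "hash": {"SHA1", "MD5"}, "pfs": None, "lifetime": 86400},
}


def negotiate(a, b):
    """Return (agreed, problems).

    agreed maps each phase to the attribute values both sides offer.  Only that
    intersection matters: racoon picks a transform both peers listed and merely
    warns ("trns_id mismatched") about the ones it offered that the peer did not.
    problems lists everything that would keep the tunnel from coming up or from
    carrying traffic once it is up; entries prefixed "warning:" are not fatal.
    """
    agreed, problems = {}, []
    for ph in ("phase1", "phase2"):
        agreed[ph] = {}
        for attr in ("encryption", "hash", "dh"):
            if attr not in a[ph]:
                continue
            common = a[ph][attr] & b[ph][attr]
            agreed[ph][attr] = common
            if not common:
                problems.append(f"{ph} {attr}: nothing in common "
                                f"({a['name']} offers {sorted(a[ph][attr])}, "
                                f"{b['name']} offers {sorted(b[ph][attr])})")
        for attr in ("mode", "protocol", "pfs"):
            if attr in a[ph] and a[ph][attr] != b[ph][attr]:
                problems.append(f"{ph} {attr}: {a[ph][attr]!r} vs {b[ph][attr]!r}")
        if a[ph]["lifetime"] != b[ph]["lifetime"]:
            problems.append(f"warning: {ph} lifetime differs ({a[ph]['lifetime']}s vs "
                            f"{b[ph]['lifetime']}s); rekeys may not line up")
    for x, y in ((a, b), (b, a)):
        # Each side needs a local subnet to build its SPD entry, and a fixed remote
        # subnet on one side must equal the other side's local subnet.
        if not x["local_subnet"]:
            problems.append(f"{x['name']}: local subnet is empty, no SPD entry for it")
        elif y["remote_subnet"] and y["remote_subnet"] != x["local_subnet"]:
            problems.append(f"{y['name']} remote subnet {y['remote_subnet']} != "
                            f"{x['name']} local subnet {x['local_subnet']}")
        # An FQDN identity sent in aggressive mode needs a pre-shared key entry on
        # the peer; otherwise racoon falls back to looking the key up by address.
        if x["identifier"] and x["identifier"] not in y["psk_identifiers"]:
            problems.append(f"{y['name']}: no pre-shared key entry for identifier "
                            f"{x['identifier']}")
    return agreed, problems


def variant(cfg, phase_name, **overrides):
    """Deep copy of cfg with some attributes of one phase replaced (what-if checks)."""
    new = copy.deepcopy(cfg)
    new[phase_name].update(overrides)
    return new


if __name__ == "__main__":
    agreed, problems = negotiate(CLIENT, SERVER)
    print("agreed:", agreed)
    print("problems:", problems or "none")
    # A disjoint phase 2 proposal set: the intersection is empty and phase 2 fails.
    _, problems = negotiate(variant(CLIENT, "phase2", encryption={"DES"}), SERVER)
    print("problems:", problems or "none")
```

For the posted pair negotiate() returns no problems (3DES/SHA1/DH 2 in phase 1, AES/SHA1 in phase 2), and variant() lets you try a change on one end before touching the real boxes. One caveat the check does not express: aggressive mode with a pre-shared key sends the identity in the clear and exposes the authentication hash to a passive listener, which allows offline guessing of the PSK, so use a long random key and prefer main mode wherever the peer has a static address.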
    clxinfo:

    Yes, the identifier was created (pflachute.xx.xx with the shared key), but it still doesn't work.

    heiko:

    Keep alive: public address?

    clxinfo:

    Yes, this is the public address.

    heiko:

    No, please choose the local gateway of the other endpoint; WAN would make DPD in the future.

    clxinfo:

    I changed the IP, but I'm still not able to make a connection between those two. I get this error message on the server side:

    racoon: INFO: unsupported PF_KEY message REGISTER

    clxinfo:

    Guys, it's working. Thanks a lot for your help. The pfSense distribution is one of the best. Thanks to all of you.

    clxinfo:

    Still an issue: I'm not able to ping the other network. Do I need to add a rule?

    clxinfo:

    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.16.0/24[0] 10.128.0.0/24[0] proto=any dir=out"
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.128.0.0/24[0] 192.168.16.0/24[0] proto=any dir=in"
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 70.XX.XX.XX[0]->70.55.XX.XX[0] spi=56305369(0x35b26d9)
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 70.55.x.x[0]->70.50.x.x[0] spi=72385284(0x4508304)
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES

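The lines in the post above are three different conditions mixed together: "such policy does not already exist" is racoon finding no kernel SPD policy for the selectors it just negotiated (on pfSense those policies are generated from the local/remote subnet fields), "trns_id mismatched" is a warning about each phase 2 transform the local side offered that the peer did not propose (harmless when an IPsec-SA is still established), and the later posts add the pre-shared key lookup fallback and phase 2 SAs expiring a minute apart. The script below, an added example that is not pfSense or racoon code, pulls these out of racoon log lines and turns them into the next checks to make. SAMPLE_LOG is constructed after the lines posted in this thread, with the masked endpoint addresses replaced by the documentation addresses 198.51.100.1 (server) and 203.0.113.2 (client).

```python
"""Triage of racoon (ipsec-tools) log lines as shown by pfSense 1.2 under
Status > System logs > IPsec.  Added example, not pfSense or racoon code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's posted lines (addresses replaced).
SAMPLE_LOG = """\
Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.16.0/24[0] 10.128.0.0/24[0] proto=any dir=out"
Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.128.0.0/24[0] 192.168.16.0/24[0] proto=any dir=in"
Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[0]->203.0.113.2[0] spi=56305369(0x35b26d9)
Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.2[0]->198.51.100.1[0] spi=72385284(0x4508304)
Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Apr 28 17:45:00 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 28 20:06:32 racoon: INFO: phase2 sa expired 198.51.100.1-203.0.113.2
Apr 28 20:06:33 racoon: INFO: phase2 sa deleted 198.51.100.1-203.0.113.2
Apr 28 20:07:31 racoon: INFO: phase2 sa expired 198.51.100.1-203.0.113.2
Apr 28 20:07:32 racoon: INFO: phase2 sa deleted 198.51.100.1-203.0.113.2
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (.*)$")
POLICY_RE = re.compile(r'such policy does not already exist: "(\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)"')
MISMATCH_RE = re.compile(r"trns_id mismatched: my:(\S+) peer:(\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
EXPIRED_RE = re.compile(r"phase2 sa expired (\S+)-(\S+)")
PSK_FALLBACK = "couldn't find the proper pskey"


def triage(log_text):
    """Extract the conditions worth acting on from racoon log text."""
    findings = {
        "missing_policies": [],          # (src, dst, direction) with no SPD entry
        "local_only_transforms": set(),  # phase 2 transforms we offered, peer did not
        "peer_transforms": set(),        # what the peer proposed instead
        "sa_established": [],            # (src, dst, spi)
        "psk_fallbacks": 0,              # PSK not found by identifier
        "phase2_min_expiry_interval": None,  # shortest gap (s) between expiries of one SA pair
    }
    expiries = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        msg = m.group(2)
        if (p := POLICY_RE.search(msg)):
            findings["missing_policies"].append(p.groups())
        elif (p := MISMATCH_RE.search(msg)):
            findings["local_only_transforms"].add(p.group(1))
            findings["peer_transforms"].add(p.group(2))
        elif (p := SA_RE.search(msg)):
            findings["sa_established"].append((p.group(1), p.group(2), int(p.group(3))))
        elif (p := EXPIRED_RE.search(msg)):
            expiries[p.groups()].append(stamp)
        elif PSK_FALLBACK in msg:
            findings["psk_fallbacks"] += 1
    gaps = [int((later - earlier).total_seconds())
            for times in expiries.values()
            for earlier, later in zip(times, times[1:])]
    if gaps:
        findings["phase2_min_expiry_interval"] = min(gaps)
    return findings


def summarize(findings, configured_phase2_lifetime):
    """Turn findings into the checks an admin would make next."""
    notes = []
    for src, dst, direction in findings["missing_policies"]:
        notes.append(f"no SPD policy for {src} -> {dst} ({direction}): check that the "
                     "local/remote subnets on both ends describe these networks")
    if findings["local_only_transforms"]:
        notes.append(f"phase 2 offered {sorted(findings['local_only_transforms'])} that the "
                     f"peer did not; peer proposed {sorted(findings['peer_transforms'])} "
                     "(harmless if an IPsec-SA was established, otherwise align the proposals)")
    if findings["psk_fallbacks"]:
        notes.append("pre-shared key not found by identifier, racoon fell back to the peer "
                     "address: check the identifier/PSK entry on the server")
    gap = findings["phase2_min_expiry_interval"]
    if gap is not None and gap < configured_phase2_lifetime // 10:
        notes.append(f"phase 2 SAs expiring every {gap}s against a configured lifetime of "
                     f"{configured_phase2_lifetime}s: check clock sync and lifetimes on both ends")
    return notes


if __name__ == "__main__":
    for note in summarize(triage(SAMPLE_LOG), configured_phase2_lifetime=86400):
        print("-", note)
```

Feed it the pfSense IPsec log (or a syslog export) instead of SAMPLE_LOG; with the thread's 86400 s phase 2 lifetime, the 59 s gap between the two expiries is what triggers the clock/lifetime note.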
    heiko:

    What should I say? You have mismatched settings in your config; please check your settings.

    clxinfo:

    Thanks, it's working now, but only in one direction: from the mobile client to the server, not the other way.

    Thanks

    clxinfo:

    If I look in the overview tab on the server, I don't see any route, but I do see it in the SAD, so the tunnel seems to work.

    hoba:

    Firewall > Rules, IPsec tab. Allow incoming traffic through the tunnel on both ends.

    clxinfo:

    Thanks. Now I get this message on the server side:

    Apr 28 20:07:32 racoon: INFO: phase2 sa deleted 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:07:31 racoon: INFO: phase2 sa expired 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:06:33 racoon: INFO: phase2 sa deleted 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:06:32 racoon: INFO: phase2 sa expired 70.50.xx.xx-70.55.xx.xx

    and this one on the client:

    Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 70.55.xx.xx[0]->70.50.xx.xx[0] spi=48887461(0x2e9f6a5)
    Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 70.50.xx.xx[0]->70.55.xx.xx[0] spi=83266683(0x4f68c7b)
    Apr 28 17:45:01 racoon: [st-eu]: INFO: initiate new phase 2 negotiation: 70.55.xx.xx[500]<=>70.50.xx.xx[500]
    Apr 28 17:45:00 racoon: [st-eu]: INFO: ISAKMP-SA established 70.55.xx.xx[500]-70.50.xx.xx[500] spi:9af974fdb63f4873:9334dc4883323fb3
    Apr 28 17:45:00 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.

    That's pretty weird, since 10 minutes ago it was working.

    hoba:

    Why is the time on both of the systems that far out of sync? Try to use shorter lifetimes for both phases. In fact, try something like 3600 for both and see if that works better.

    clxinfo:

    Thanks, now everything is working well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.