Mobile client issue



  • I've configured my server, pfSense 1.2, as a mobile client server, and another pfSense 1.2 box with an IPsec tunnel to the mobile client server, and I'm unable to establish a connection to the server. I've opened the ports for ESP and UDP 500, but nothing in my log tells me that phase 1 starts to negotiate. Does someone have a how-to or an answer to that issue?

    PLEASE



  • If you have enabled the "Mobile Client" option in 1.2, all needed rules are opened behind the scenes. You don't need extra rules for ESP and UDP 500. 1.2 with mobile IPsec runs fine, so please double-check your config or post it here so we can take a deeper look…



  • Correct, you don't need firewall rules for this. pfSense does that behind the scenes when the services are enabled. Please show us the logs of both systems and the IPsec settings of both endpoints. Also, if some kind of NAT or whatever is involved, the network topology would be interesting too (static, dynamic IPs, and so on).



  • Thanks guys for the fast reply. Here is my config:

    On the mobile client:

    Interface: WAN (select the interface for the local endpoint of this tunnel)
    Local subnet: LAN
    Remote subnet: 192.168.16.0/24
    Remote gateway: 70.50.XX.XX

    Phase 1
    Negotiation mode: aggressive
    My identifier: FQDN pflachute.XXX.XXX
    Encryption: 3DES
    Hash: SHA1
    DH key group: 2
    Lifetime: 28800
    Authentication: Pre-shared key

    Phase 2
    Protocol: ESP
    Encryption: Rijndael (AES)
    Hash: SHA1
    PFS key group: off
    Lifetime: 86400

    Keep alive: 70.50.XX.XX

    On the server:

    Phase 1 proposal (Authentication)
    Negotiation mode: aggressive
    My identifier: My IP address
    Encryption: 3DES
    Hash: SHA1
    DH key group: 1 2
    Lifetime: 28800

    Phase 2
    Protocol: ESP
    Encryption algorithms: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
    Hash algorithms: SHA1, MD5
    PFS key group: off
    Lifetime: 86400

    Thanks



  • Did you create an identifier at the server end (the one with the static IP and the mobile client setting)?



  • Yes, the identifier was created:
    pflachute.xx.xx with the shared key, but it still doesn't work.



  • Keep alive: public address?



  • Yes, this is the public address.



  • No, please choose the local gateway of the other endpoint; WAN would make DPD in the future.



  • I changed the IP, but I'm still not able to make a connection between those two, and I get this error message:

    racoon: INFO: unsupported PF_KEY message REGISTER on the server side



  • Guys, it's working. Thanks a lot for your help; the pfSense distribution is one of the best. Thanks to all of you.



  • Still an issue: I'm not able to ping the other network. Do I need to add a rule?



  • racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.16.0/24[0] 10.128.0.0/24[0] proto=any dir=out"
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10.128.0.0/24[0] 192.168.16.0/24[0] proto=any dir=in"
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 70.XX.XX.XX[0]->70.55.XX.XX[0] spi=56305369(0x35b26d9)
    Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 70.55.x.x[0]->70.50.x.x[0] spi=72385284(0x4508304)
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES



  • What should I say? You have mismatched settings in your config; please check your settings.



  • Thanks, it's working now, but only in one direction: from the mobile client to the server, not the other way.

    Thanks



  • If I look in the overview tab on the server, I don't see any route, but I do see it in the SAD, so the tunnel seems to work.



  • Firewall > Rules, IPsec tab. Allow incoming traffic through the tunnel on both ends.



  • Thanks. Now I get this message on the server side:
    Apr 28 20:07:32 racoon: INFO: phase2 sa deleted 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:07:31 racoon: INFO: phase2 sa expired 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:06:33 racoon: INFO: phase2 sa deleted 70.50.xx.xx-70.55.xx.xx
    Apr 28 20:06:32 racoon: INFO: phase2 sa expired 70.50.xx.xx-70.55.xx.xx

    and this one on the client:

    Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 70.55.xx.xx[0]->70.50.xx.xx[0] spi=48887461(0x2e9f6a5)
    Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 70.50.xx.xx[0]->70.55.xx.xx[0] spi=83266683(0x4f68c7b)
    Apr 28 17:45:01 racoon: [st-eu]: INFO: initiate new phase 2 negotiation: 70.55.xx.xx[500]<=>70.50.xx.xx[500]
    Apr 28 17:45:00 racoon: [st-eu]: INFO: ISAKMP-SA established 70.55.xx.xx[500]-70.50.xx.xx[500] spi:9af974fdb63f4873:9334dc4883323fb3
    Apr 28 17:45:00 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.

    That's pretty weird, since 10 min ago it was working.



  • Why is the time on both of the systems that far out of sync? Try to use shorter lifetimes for both phases. In fact, try something like 3600 for both and see if that works better.
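The diagnosis in the last few posts (proposal mismatch warnings, the missing SPD policy, the PSK lookup falling back to the peer address, phase 2 SAs expiring a minute apart, and the two boxes' timestamps hours apart) can be pulled out of the racoon log mechanically. The script below is an added example, not from the original thread and not part of pfSense: it parses the syslog-style lines pfSense 1.2 shows for racoon and summarises each side. The embedded log lines are constructed to match the shape of the posted ones, with RFC 5737 documentation addresses in place of the masked public IPs; the "premature expiry" threshold (a tenth of the configured lifetime) and the clock-skew comparison of the latest timestamp on each side are heuristics of this example.

```python
"""Triage helper for racoon (ipsec-tools) log excerpts. Added example, not
from the thread or from pfSense; sample lines below are constructed."""
import re
from datetime import datetime

# "Apr 28 17:04:56 racoon: [tag]: LEVEL: message" (tag is optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?"
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY): (?P<msg>.*)$"
)
# Responder compared its phase 2 transform list with the initiator's proposal.
MISMATCH_RE = re.compile(r"trns_id mismatched: my:(\w+) peer:(\w+)")
# No SPD entry for the negotiated local/remote subnet pair.
POLICY_RE = re.compile(r'such policy does not already exist: "([^"]+)"')
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)\[0\]->(\S+)\[0\] spi=(\d+)")


def parse_ts(ts, year=2008):
    """Syslog timestamps carry no year; a fixed one makes them comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = parse_ts(rec["ts"])
    return rec


def analyze(lines, phase2_lifetime):
    """Summarise one side's excerpt; phase2_lifetime is the configured seconds."""
    out = {
        "phase1_established": 0,
        "phase2_established": [],   # (src, dst, spi)
        "mismatches": set(),        # (my_alg, peer_alg)
        "missing_policies": [],     # SPD selectors racoon could not find
        "psk_by_address": False,    # identifier lookup failed, fell back to address
        "expiry_intervals": [],     # seconds between consecutive phase 2 expiries
    }
    expiries = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("ISAKMP-SA established"):
            out["phase1_established"] += 1
        elif (m := SA_RE.search(msg)):
            out["phase2_established"].append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := MISMATCH_RE.search(msg)):
            out["mismatches"].add((m.group(1), m.group(2)))
        elif (m := POLICY_RE.search(msg)):
            out["missing_policies"].append(m.group(1))
        elif "couldn't find the proper pskey" in msg:
            out["psk_by_address"] = True
        elif msg.startswith("phase2 sa expired"):
            expiries.append(rec["time"])
    expiries.sort()
    out["expiry_intervals"] = [int((b - a).total_seconds())
                               for a, b in zip(expiries, expiries[1:])]
    # Heuristic: an SA dying well inside its lifetime points at rekey trouble.
    out["premature_expiry"] = any(i < phase2_lifetime / 10 for i in out["expiry_intervals"])
    return out


def clock_skew_seconds(side_a, side_b):
    """Heuristic: the newest timestamp on each side of the same exchange should
    agree to within seconds; hours apart means the clocks (or excerpts) differ."""
    def latest(lines):
        times = [r["time"] for r in map(parse_line, lines) if r]
        return max(times) if times else None
    a, b = latest(side_a), latest(side_b)
    if a is None or b is None:
        return None
    return int(abs((a - b).total_seconds()))


# Constructed excerpts shaped like the posted ones (server = 203.0.113.10).
SERVER_LOG = [
    "Apr 28 20:07:32 racoon: INFO: phase2 sa deleted 203.0.113.10-198.51.100.20",
    "Apr 28 20:07:31 racoon: INFO: phase2 sa expired 203.0.113.10-198.51.100.20",
    "Apr 28 20:06:33 racoon: INFO: phase2 sa deleted 203.0.113.10-198.51.100.20",
    "Apr 28 20:06:32 racoon: INFO: phase2 sa expired 203.0.113.10-198.51.100.20",
    "Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:CAST peer:AES",
    "Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES",
    "Apr 28 17:04:56 racoon: WARNING: trns_id mismatched: my:3DES peer:AES",
    'Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.16.0/24[0] 10.128.0.0/24[0] proto=any dir=out"',
    "Apr 28 17:04:56 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->198.51.100.20[0] spi=56305369(0x35b26d9)",
]
CLIENT_LOG = [
    "Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.20[0]->203.0.113.10[0] spi=48887461(0x2e9f6a5)",
    "Apr 28 17:45:01 racoon: [st-eu]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->198.51.100.20[0] spi=83266683(0x4f68c7b)",
    "Apr 28 17:45:01 racoon: [st-eu]: INFO: initiate new phase 2 negotiation: 198.51.100.20[500]<=>203.0.113.10[500]",
    "Apr 28 17:45:00 racoon: [st-eu]: INFO: ISAKMP-SA established 198.51.100.20[500]-203.0.113.10[500] spi:9af974fdb63f4873:9334dc4883323fb3",
    "Apr 28 17:45:00 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.",
]

if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        print(name, analyze(log, phase2_lifetime=86400))
    print("clock skew (s):", clock_skew_seconds(SERVER_LOG, CLIENT_LOG))
```

On the constructed data the server side reports three proposal mismatches (its CAST/Blowfish/3DES proposals against the client's AES), one missing policy for the 192.168.16.0/24 to 10.128.0.0/24 pair, and phase 2 expiries 59 seconds apart against an 86400-second lifetime; the client side shows the PSK being found by address rather than by identifier; and the two excerpts' newest timestamps differ by 8551 seconds, which is the "out of sync" the reply above is pointing at.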



  • Thanks, now everything is working well.

