PfSense 2.2.4 IPSec RoadWarrior VPN Setup HELP!



  • Hello everyone!  I am excited to be a part of the community and look forward to contributing.  Right now I am in need of some help. I am trying to set up a Road Warrior IPSec VPN. No matter what setup I try I always come back to the same problem.  I connect and attempt to bring up a tunnel and get an invalid message error in the Shrewsoft Client and then get disconnected.  I have tried internally and externally.  I have a Firewall rule for IPSec allowing any/any/any.

    I have been banging my head against a wall trying to figure this out, reading forum posts here and at strongswan.  I just can't seem to find a solution.  Something that does strike me as interesting is that the PSK for the user I created is listed differently in the GUI vs the ipsec.secrets file.

    Here are some logs and my config with IPs changed to protect the guilty.  Hopefully someone can help.

    config loaded for site 'Test-VPN'
    attached to key daemon …
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    invalid message from gateway
    tunnel disabled
    detached from key daemon

    Sep 5 17:01:19 charon: 06[NET] <13> received packet: from 192.168.8.240[500] to My External IP[500] (442 bytes)
    Sep 5 17:01:19 charon: 06[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
    Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received NAT-T (RFC 3947) vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received NAT-T (RFC 3947) vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received FRAGMENTATION vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received FRAGMENTATION vendor ID
    Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Sep 5 17:01:19 charon: 06[ENC] <13> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Sep 5 17:01:19 charon: 06[IKE] <13> received Cisco Unity vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> received Cisco Unity vendor ID
    Sep 5 17:01:19 charon: 06[IKE] <13> 10.254.8.240 is initiating a Aggressive Mode IKE_SA
    Sep 5 17:01:19 charon: 06[IKE] <13> 10.254.8.240 is initiating a Aggressive Mode IKE_SA
    Sep 5 17:01:19 charon: 06[CFG] <13> looking for pre-shared key peer configs matching My External IP…192.168.8.240[vpnuser@pfsense.local]
    Sep 5 17:01:19 charon: 06[CFG] <13> selected peer config "con1"
    Sep 5 17:01:19 charon: 06[ENC] <con1|13>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Sep 5 17:01:19 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
    Sep 5 17:01:23 charon: 06[IKE] <con1|13>sending retransmit 1 of response message ID 0, seq 1
    Sep 5 17:01:23 charon: 06[IKE] <con1|13>sending retransmit 1 of response message ID 0, seq 1
    Sep 5 17:01:23 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
    Sep 5 17:01:30 charon: 06[IKE] <con1|13>sending retransmit 2 of response message ID 0, seq 1
    Sep 5 17:01:30 charon: 06[IKE] <con1|13>sending retransmit 2 of response message ID 0, seq 1
    Sep 5 17:01:30 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
    Sep 5 17:01:43 charon: 09[IKE] <con1|13>sending retransmit 3 of response message ID 0, seq 1
    Sep 5 17:01:43 charon: 09[IKE] <con1|13>sending retransmit 3 of response message ID 0, seq 1
    Sep 5 17:01:43 charon: 09[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
    Sep 5 17:01:49 charon: 11[JOB] <con1|13>deleting half open IKE_SA after timeout

    This file is automatically generated. Do not edit

    config setup
    uniqueids = yes
    charondebug="dmn 4,mgr 4,ike 4,chd 4,job 4,cfg 4,knl 4,net 4,asn 4,enc 4,imc 4,imv 4,pts 4,tls 4,esp 4,lib 4"

    conn bypasslan
    leftsubnet = 192.168.0.0/30
    rightsubnet = 192.168.0.0/30
    authby = never
    type = passthrough
    auto = route

    conn con1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = yes
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = none
    auto = add
    left = My External IP
    right = %any
    leftid = userfqdn:vpnuser@pfsense.local
    ikelifetime = 86400s
    lifetime = 28800s
    rightsourceip = 192.168.10.0/24
    ike = aes256-sha1-modp1024!
    esp = 3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    aggressive = yes
    leftsubnet = 192.168.0.0/30
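    An added example, not from the original post or from pfSense/strongSwan: it groups the charon lines above by IKE_SA id and summarizes what the exchange shows (one inbound packet, one response, three retransmits, then a half-open timeout). The sample is a constructed subset of the quoted log; the poster's "My External IP" placeholder is kept as-is.

```python
import re
from collections import defaultdict

# Constructed subset of the charon log lines quoted in the post above.
SAMPLE_LOG = """\
Sep 5 17:01:19 charon: 06[NET] <13> received packet: from 192.168.8.240[500] to My External IP[500] (442 bytes)
Sep 5 17:01:19 charon: 06[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Sep 5 17:01:19 charon: 06[CFG] <13> selected peer config "con1"
Sep 5 17:01:19 charon: 06[NET] <con1|13>sending packet: from My External IP[500] to 192.168.8.240[500] (454 bytes)
Sep 5 17:01:23 charon: 06[IKE] <con1|13>sending retransmit 1 of response message ID 0, seq 1
Sep 5 17:01:30 charon: 06[IKE] <con1|13>sending retransmit 2 of response message ID 0, seq 1
Sep 5 17:01:43 charon: 09[IKE] <con1|13>sending retransmit 3 of response message ID 0, seq 1
Sep 5 17:01:49 charon: 11[JOB] <con1|13>deleting half open IKE_SA after timeout
"""

# charon tags each line with <id> or <conn|id>; the trailing number is the IKE_SA id.
SA_RE = re.compile(r"<(?:[^|>]+\|)?(\d+)>\s*(.*)$")

def analyze(log_text):
    """Return per-IKE_SA counters: packets in/out, retransmits, mode, final state."""
    sas = defaultdict(lambda: {"received": 0, "sent": 0, "retransmits": 0,
                               "aggressive": False, "half_open_timeout": False})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa, msg = sas[m.group(1)], m.group(2)
        if msg.startswith("received packet"):
            sa["received"] += 1
        elif msg.startswith("sending packet"):
            sa["sent"] += 1
        elif msg.startswith("sending retransmit"):
            sa["retransmits"] += 1
        elif "parsed AGGRESSIVE request" in msg:
            sa["aggressive"] = True
        elif "deleting half open IKE_SA" in msg:
            sa["half_open_timeout"] = True
    return dict(sas)

def diagnose(sa):
    """Turn one IKE_SA's counters into a plain-language finding."""
    if sa["half_open_timeout"] and sa["received"] == 1 and sa["retransmits"] > 0:
        return ("responder replied but peer never answered: reply lost on the path "
                "(NAT/firewall/routing) or rejected by the client")
    if sa["half_open_timeout"]:
        return "negotiation timed out mid-exchange"
    return "completed or still in progress"
```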



  • Well, either I have made a glaringly obvious error or everyone else is just as puzzled as me.  Either way, a little feedback would be at least encouraging.



  • I had the exact same problem, and it turned out there was a problem with my automatic NAT rules. I use dual WAN and the traffic was routed out on the wrong interface.

    I also missed the firewall rules to allow NAT-T and ISAKMP.



  • Try setting Negotiation mode to main, peer identifier to any and removing any 'identifier' fields from the shrewsoft client. Had an identical issue recently but with a different client.



  • Are you using a fixed IP? Because I updated to 2.2.4 and roadwarrior stopped working.
    I use dynamic DNS and changed the name in the conf to the IP address. E.g. (my identifier): dynamic dns: myfirewall.anydns.org - change to: my identifier: ipaddress: (no need for anything here). In the client, put the dynamic DNS name.
    Works for me!

