Netgate Discussion Forum
    PFsense 2.2.6 - Mobile IPSEC VPN No longer works

    apu2015

      I have just upgraded my pfSense box to version 2.2.6 from version 2.1 and the mobile VPNs to my regular VPN clients no longer work

      Site to Site VPNs still continue to work OK

      I have researched the problem and it seems a number of other users are having similar problems, however I have yet to come across a solution which works for me

      I would be interested in hearing from users who have 2.2.6 installed and have successfully managed to get a Mobile VPN working

      I have however installed a trial version of Shrew Soft, and by chance, been able to get this to connect, however, only with settings which seem incorrect, maybe this will help in tracing a possible pfSense problem in this release?

      pfSense config as follows
      ---------------------------------------------------------------------------
      Phase 1
      General information
      Key Exchange – V1
      Internet Protocol – Ipv4
      Interface – WAN
      Description –
      Phase 1 proposal (Authentication)
      Authentication method – Mutual PSK
      Negotiation mode – Aggressive
      My Identifier – My IP address  [Here is the possible problem]
      Phase 1 proposal (Algorithms)
      Encryption algorithm – 3DES
      Hash algorithm – SHA1
      DH Key group – 2 (1024)
      Lifetime – 86400
      Advanced Options
      ---------------------------------------------------------------------------
      Phase 2
      Mode – Tunnel IPv4
      Local Network - LAN Subnet
      Phase 2 proposal (SA/Key Exchange)
      Protocol – ESP
      Encryption algorithm – 3DES (only)
      Hash algorithms – SHA1 (only)
      PFS key group – 2 (1024)
      Lifetime – 3600

      Mobile clients
      Extended Authentication (Xauth)
      User Authentication  - Local Database
      Group Authentication – system
      Client Configuration (mode-cfg)
      Virtual Address Pool – 192.168.200.0/24

      Pre-Shared Keys
      Identifier – example@gmail.com
      Type – PSK
      Pre-Shared Key - 9YzKmjXDKcnBnVKvWR2m

      Shrew Soft - Exported VPN as follows

      n:version:4
      n:network-ike-port:500
      n:network-mtu-size:1500
      n:client-addr-auto:1
      n:network-natt-port:4500
      n:network-natt-rate:15
      n:network-frag-size:540
      n:network-dpd-enable:1
      n:client-banner-enable:1
      n:network-notify-enable:1
      n:client-dns-used:1
      n:client-dns-auto:1
      n:client-dns-suffix-auto:1
      n:client-splitdns-used:1
      n:client-splitdns-auto:1
      n:client-wins-used:0
      n:client-wins-auto:0
      n:phase1-dhgroup:2
      n:phase1-life-secs:86400
      n:phase1-life-kbytes:0
      n:vendor-chkpt-enable:0
      n:phase2-life-secs:3600
      n:phase2-life-kbytes:0
      n:policy-nailed:0
      n:policy-list-auto:1
      s:network-host:[Public IP Address of Host]
      s:client-auto-mode:pull
      s:client-iface:virtual
      s:network-natt-mode:enable
      s:network-frag-mode:enable
      s:auth-method:mutual-psk
      s:ident-client-type:ufqdn
      s:ident-server-type:address
      s:ident-client-data:example@outlook.com
      s:ident-server-data:172.16.0.10 [Here is the possible problem]
      b:auth-mutual-psk:[Encrypted PSK from above]
      s:phase1-exchange:aggressive
      s:phase1-cipher:3des
      s:phase1-hash:sha1
      s:phase2-transform:esp-3des
      s:phase2-hmac:sha1
      s:ipcomp-transform:disabled
      n:phase2-pfsgroup:2
      s:policy-level:auto

      -----------------------
      The VPN only works if s:ident-server-data: is set to the INTERNAL IP Address, rather than the "Public IP Address of Host" which is what I believe pfSense returns with the above config

      In Summary
      pfSense is set to [My Identifier – My IP address] - i.e. return its PUBLIC IP Address as the remote identifier
      Shrew Soft will only work if the remote identifier is set to the host's internal IP Address.

      Comments / Suggestions please

      Thank you

      newmember
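      The failure described in this post is an IKE identity mismatch: the Shrew Soft profile says the responder's ID is an address (s:ident-server-type:address) and names that address in s:ident-server-data, so the IKE_SA only completes when the ID pfSense actually sends matches that string. The following script is an added example (not code from the thread, from pfSense or from Shrew Soft) that parses the n:/s:/b: export format quoted above, cross-checks it against the pfSense phase 1 settings from the same post, and flags the identity mismatch plus the weak choices in this proposal (3DES, DH group 2, aggressive mode with PSK). The function names, the PFSENSE_PHASE1 table and the sample export are assumptions made for the example; 203.0.113.10 is a documentation address standing in for the real public IP and the PSK blob is a placeholder.

```python
"""Parse a Shrew Soft VPN export (<type>:<key>:<value> lines) and sanity-check it
against a pfSense phase 1 proposal. Added example; names and sample data are assumed."""

from dataclasses import dataclass, field

# Algorithms and DH groups a reviewer would flag today (deprecated, or MODP below 2048-bit).
WEAK_CIPHERS = {"3des", "des", "esp-3des", "esp-des"}
WEAK_DH_GROUPS = {1, 2, 5}

# pfSense phase 1 field -> (Shrew Soft key type, Shrew Soft key). Assumed mapping.
PROPOSAL_MAP = [
    ("auth", "s", "auth-method"),
    ("exchange", "s", "phase1-exchange"),
    ("cipher", "s", "phase1-cipher"),
    ("hash", "s", "phase1-hash"),
    ("dhgroup", "n", "phase1-dhgroup"),
    ("life_secs", "n", "phase1-life-secs"),
]

# pfSense phase 1 as listed in the first post (assumed representation).
PFSENSE_PHASE1 = {
    "auth": "mutual-psk", "exchange": "aggressive", "cipher": "3des",
    "hash": "sha1", "dhgroup": 2, "life_secs": 86400,
}

# Constructed sample export: values taken from the post, with a documentation address
# (203.0.113.10) in place of the public IP and a placeholder (not a real) PSK blob.
SAMPLE_EXPORT = """\
n:version:4
n:network-ike-port:500
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase2-life-secs:3600
n:phase2-pfsgroup:2
s:network-host:203.0.113.10
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:example@outlook.com
s:ident-server-data:172.16.0.10
b:auth-mutual-psk:UExBQ0VIT0xERVI=
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
"""


@dataclass
class ShrewProfile:
    numbers: dict = field(default_factory=dict)  # n: keys, parsed as int
    strings: dict = field(default_factory=dict)  # s: keys
    blobs: dict = field(default_factory=dict)    # b: keys, kept encoded and never printed


def parse_shrew_export(text):
    """Split each line on its first two ':' so values may themselves contain colons."""
    prof = ShrewProfile()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected <type>:<key>:<value>, got {raw!r}")
        kind, key, value = parts
        if kind == "n":
            prof.numbers[key] = int(value)
        elif kind == "s":
            prof.strings[key] = value
        elif kind == "b":
            prof.blobs[key] = value
        else:
            raise ValueError(f"line {lineno}: unknown value type {kind!r}")
    return prof


def check_profile(prof, pfsense_phase1):
    """Return a list of (code, severity, message) findings; empty list means no issue."""
    findings = []
    s, n = prof.strings, prof.numbers
    host = s.get("network-host")
    # 1. The client will only accept an IDir equal to ident-server-data; when that differs
    #    from the address it connects to, the responder's "My identifier" must still match it.
    if s.get("ident-server-type") == "address" and s.get("ident-server-data") != host:
        findings.append(("id-mismatch", "warn",
                         f"client expects responder ID {s.get('ident-server-data')!r} but connects to "
                         f"{host!r}; pfSense 'My identifier' must send exactly the expected ID"))
    # 2. Every phase 1 parameter must agree with what the responder proposes.
    for pf_key, kind, shrew_key in PROPOSAL_MAP:
        have = (n if kind == "n" else s).get(shrew_key)
        want = pfsense_phase1.get(pf_key)
        if have != want:
            findings.append(("proposal-mismatch", "error",
                             f"{shrew_key}={have!r} but pfSense phase 1 has {pf_key}={want!r}"))
    # 3. Hygiene: deprecated cipher, small DH group, aggressive mode with a PSK.
    if s.get("phase1-cipher") in WEAK_CIPHERS or s.get("phase2-transform") in WEAK_CIPHERS:
        findings.append(("weak-cipher", "info", "3DES/DES in use; prefer AES on both phases"))
    if n.get("phase1-dhgroup") in WEAK_DH_GROUPS or n.get("phase2-pfsgroup") in WEAK_DH_GROUPS:
        findings.append(("weak-dh", "info", "DH group 1/2/5 is below 2048-bit; prefer group 14 or higher"))
    if s.get("phase1-exchange") == "aggressive" and s.get("auth-method") == "mutual-psk":
        findings.append(("aggressive-psk", "info",
                         "aggressive mode with PSK sends the identity unencrypted and exposes a "
                         "PSK-derived hash; prefer main mode or IKEv2 where clients allow"))
    return findings


if __name__ == "__main__":
    profile = parse_shrew_export(SAMPLE_EXPORT)
    for code, severity, message in check_profile(profile, PFSENSE_PHASE1):
        print(f"[{severity}] {code}: {message}")
```

      Run against the sample, the first finding is the id-mismatch that the post describes (172.16.0.10 expected, 203.0.113.10 dialled); changing s:ident-server-data to the same value pfSense sends, or changing pfSense's "My identifier" to the value the client expects, makes that finding disappear while the three hygiene findings remain.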

        I deleted my 'Mobile Client'  under Tunnels, then went to 'Mobile Clients' tab and saw that "Create Phase 1" option was available.
        I re-created Phase 1 and Phase 2 and the VPN worked again.

        Cheers

        VPN: IPsec: Edit Phase 1: Mobile Client

        Key Exchange version  V1
        Internet Protocol      Ipv4
        Interface  WAN
        Description Mobile Client

        Authentication method  Mutual PSK
        Negotiation mode  Aggressive
        My identifier  My IP Address

        Encryption algorithm  AES 256
        Hash algorithm    SHA1
        DH key group  2
        Lifetime  28800

        NAT Traversal  Force
        Dead Peer Detection  Enable  /  10  /  5

        VPN: IPsec: Edit Phase 2: Mobile Client

        Local Network  DMZ  (mine is DMZ but yours might be LAN)
        Protocol  ESP

        Encryption algorithms  AES 256 (only)
        Hash algorithms    SHA1
        PFS key group  2
        Lifetime  3600
