PFsense 2.2.6 - Mobile IPSEC VPN No longer works

  • I have just upgraded my pfSense box to Version 2.2.6 from Version 2.1 and the mobile VPNs to my regular VPN clients no longer work

    Site-to-site VPNs still continue to work OK

    I have researched the problem and it seems a number of other users are having similar problems; however, I have yet to come across a solution which works for me

    I would be interested in hearing from users who have 2.2.6 installed and have successfully managed to get a Mobile VPN working

    I have, however, installed a trial version of Shrew Soft and, by chance, been able to get this to connect, but only with settings which seem incorrect; maybe this will help in tracing a possible pfSense problem in this release??

    pfSense config as follows
    –--------------------------------------------------------------------------
    Phase 1
    General information
    Key Exchange – V1
    Internet Protocol – Ipv4
    Interface – WAN
    Description –
    Phase 1 proposal (Authentication)
    Authentication method – Mutual PSK
    Negotiation mode – Aggressive
    My Identifier – My IP address  [Here is the possible problem]
    Phase 1 proposal (Algorithms)
    Encryption algorithm – 3DES
    Hash algorithm – SHA1
    DH Key group – 2 (1024)
    Lifetime – 86400
    Advanced Options
    –--------------------------------------------------------------------------
    Phase 2
    Mode – Tunnel IPv4
    Local Network - LAN Subnet
    Phase 2 proposal (SA/Key Exchange)
    Protocol – ESP
    Encryption algorithm – 3DES (only)
    Hash algorithms – SHA1 (only)
    PFS key group – 2 (1024)
    Lifetime – 3600

    Mobile clients
    Extended Authentication (Xauth)
    User Authentication  - Local Database
    Group Authentication – system
    Client Configuration (mode-cfg)
    Virtual Address Pool – 192.168.200.0/24

    Pre-Shared Keys
    Identifier – example@gmail.com
    Type – PSK
    Pre-Shared Key - 9YzKmjXDKcnBnVKvWR2m

    Shrew Soft - Exported VPN as follows

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1500
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-dns-used:1
    n:client-dns-auto:1
    n:client-dns-suffix-auto:1
    n:client-splitdns-used:1
    n:client-splitdns-auto:1
    n:client-wins-used:0
    n:client-wins-auto:0
    n:phase1-dhgroup:2
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:1
    s:network-host:[Public IP Address of Host]
    s:client-auto-mode:pull
    s:client-iface:virtual
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:auth-method:mutual-psk
    s:ident-client-type:ufqdn
    s:ident-server-type:address
    s:ident-client-data:example@outlook.com
    s:ident-server-data:172.16.0.10 [Here is the possible problem]
    b:auth-mutual-psk:[Encrypted PSK from above]
    s:phase1-exchange:aggressive
    s:phase1-cipher:3des
    s:phase1-hash:sha1
    s:phase2-transform:esp-3des
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:2
    s:policy-level:auto

    –----------------------
    The VPN only works if s:ident-server-data: is set to the INTERNAL IP address, rather than the "Public IP Address of Host", which is what I believe pfSense returns with the above config

    In Summary
    pfSense is set to [My Identifier – My IP address], i.e. return its PUBLIC IP address as the remote identifier
    Shrew Soft will only work if the remote identifier is set to the host's internal IP address.

    Comments / Suggestions please

    Thank you
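
    A small checker for the exported profile format shown above, written as an added example for this thread (it is not code from the thread, from pfSense or from Shrew Soft). It assumes a constructed export that reuses only the fields the post shows, with a placeholder public address 203.0.113.10 in place of "[Public IP Address of Host]", and flags the identifier mismatch the post describes plus the weak phase 1/phase 2 choices a reviewer would raise.

```python
import ipaddress

# Constructed sample of a Shrew Soft ".vpn" export (typed lines: n: integer, s: string,
# b: binary). Values mirror the post; 203.0.113.10 stands in for the real public address.
SAMPLE_EXPORT = """\
n:version:4
s:network-host:203.0.113.10
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-client-data:example@outlook.com
s:ident-server-type:address
s:ident-server-data:172.16.0.10
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-dhgroup:2
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
"""

def parse_export(text):
    """Parse 'type:key:value' lines into a dict; n: values become ints."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)
        cfg[key] = int(value) if kind == "n" else value
    return cfg

def audit(cfg):
    """Return the findings a reviewer would raise about this client profile."""
    findings = []
    # The thread's problem: the server identifier in the profile must equal the address
    # pfSense actually sends. With 'My IP address' on the WAN that is the public address,
    # so a profile pinned to a private address is not describing the peer it talks to.
    if cfg.get("ident-server-type") == "address":
        try:
            ident = ipaddress.ip_address(cfg.get("ident-server-data", ""))
        except ValueError:
            findings.append("ident-server-data is not an IP address")
        else:
            if ident.is_private:
                findings.append("server identifier is a private address; pfSense 'My IP address' sends its WAN address")
            if cfg.get("network-host") and cfg["network-host"] != str(ident):
                findings.append("ident-server-data does not match network-host")
    if cfg.get("phase1-exchange") == "aggressive" and cfg.get("auth-method") == "mutual-psk":
        findings.append("aggressive mode with PSK exposes the PSK hash to offline guessing; use main mode or certificates")
    if cfg.get("phase1-cipher") == "3des" or cfg.get("phase2-transform") == "esp-3des":
        findings.append("3DES is deprecated; prefer AES")
    if cfg.get("phase1-dhgroup", 0) <= 2 or cfg.get("phase2-pfsgroup", 0) <= 2:
        findings.append("DH group 2 (1024-bit) is weak; use group 14 or higher")
    return findings
```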

  • I deleted my 'Mobile Client' under Tunnels, then went to the 'Mobile Clients' tab and saw that the "Create Phase 1" option was available.
    I re-created Phase 1 and Phase 2 and the VPN worked again.

    Cheers

    VPN: IPsec: Edit Phase 1: Mobile Client

    Key Exchange version  V1
    Internet Protocol      Ipv4
    Interface  WAN
    Description Mobile Client

    Authentication method  Mutual PSK
    Negotiation mode  Aggressive
    My identifier  My IP Address

    Encryption algorithm  AES 256
    Hash algorithm    SHA1
    DH key group  2
    Lifetime  28800

    NAT Traversal  Force
    Dead Peer Detection  Enable  /  10  /  5

    VPN: IPsec: Edit Phase 2: Mobile Client

    Local Network  DMZ  (mine is DMZ but yours might be LAN)
    Protocol  ESP

    Encryption algorithms  AES 256 (only)
    Hash algorithms    SHA1
    PFS key group  2
    Lifetime  3600
