Netgate Discussion Forum
    Mobile IPSEC issue

    • coreyva

      First, I'm using 1.2 release and IPSecuritas 3.1 on OS X.
      I have not needed to make any mobile connections since updating to 1.2. Previous to the upgrade, all worked well. Now whenever I connect, on the client side all appears well, but no traffic flows. On the server side I get this.

      
      Jun 27 12:04:48 firewall racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[17230]
      Jun 27 12:04:48 firewall racoon: INFO: begin Aggressive mode.
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: RFC 3947
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: DPD
      Jun 27 12:04:48 firewall racoon: INFO: ISAKMP-SA established x.x.x.x[500]-y.y.y.y[17230] spi:f2825f2e81234567:123456725af91f57
      Jun 27 12:04:48 firewall racoon: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
      Jun 27 12:04:48 firewall racoon: INFO: no policy found, try to generate the policy : 10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in
      Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=221284951(0xd8f2127)
      Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=24812470(0x17bc126)
      Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in"
      Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "172.31.0.0/24[0] 10.173.190.198/32[0] proto=any dir=out"
      
      

      I'm using the same policy that previously worked on the client and had not made any changes on pfsense, other than the upgrade. I've been searching the forum and came across this post indicating a problem with 1.2 and mobile IPSEC.
      http://forum.pfsense.org/index.php/topic,9332.msg54258.html#msg54258

      Then I came across this post saying it works fine. Since this one is older I'd assume that perhaps the issue was unknown at that time?
      http://forum.pfsense.org/index.php/topic,9164.msg51804.html#msg51804

      If anyone could shed some light as to whether there truly is an issue with 1.2 and mobile IPSEC, or if there is something fubar with my config, I'd appreciate it. I should add that I have 8 other IPSEC rules as a client to several netscreen firewalls that work flawlessly.

      Thanks

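      As an added example (not code from the original post or from pfSense), the following Python script scans racoon log lines like the ones quoted above and flags the symptom shown: a phase 2 selector that racoon first tries to auto-generate and then reports as missing from the SPD. The sample log is constructed from the quoted lines; the `in` policy and its mirrored `out` policy are normalised to one key so both errors are tied back to the same client/network pair.

```python
import re

# Constructed sample, modelled on the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Jun 27 12:04:48 firewall racoon: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
Jun 27 12:04:48 firewall racoon: INFO: no policy found, try to generate the policy : 10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in
Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=221284951(0xd8f2127)
Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=24812470(0x17bc126)
Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in"
Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "172.31.0.0/24[0] 10.173.190.198/32[0] proto=any dir=out"
"""

# racoon message patterns (as they appear in the quoted log); the selector text follows each.
GENERATE_RE = re.compile(r"no policy found, try to generate the policy : (?P<sel>.+)$")
MISSING_RE = re.compile(r'such policy does not already exist: "(?P<sel>[^"]+)"')
# Selector layout: "<src> <dst> proto=<proto> dir=<in|out>"
SEL_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) proto=(?P<proto>\S+) dir=(?P<dir>in|out)$")


def selector_key(sel):
    """Normalise a selector so an 'in' policy and its mirrored 'out' policy share one key."""
    m = SEL_RE.match(sel.strip())
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    if m.group("dir") == "out":
        src, dst = dst, src  # mirror so both directions map to the same (client, network) pair
    return (src, dst, m.group("proto"))


def find_spd_failures(log_text):
    """Return the selectors racoon tried to auto-generate and then reported missing from the SPD."""
    generated = set()
    failures = []
    for line in log_text.splitlines():
        g = GENERATE_RE.search(line)
        if g:
            key = selector_key(g.group("sel"))
            if key is not None:
                generated.add(key)
            continue
        m = MISSING_RE.search(line)
        if m and selector_key(m.group("sel")) in generated:
            failures.append(m.group("sel"))
    return failures


if __name__ == "__main__":
    for sel in find_spd_failures(SAMPLE_LOG):
        print("phase 2 selector negotiated but absent from SPD:", sel)
```

      Feed it the racoon lines from the system log (for example via `clog /var/log/ipsec.log` on pfSense) to see which mobile client selectors are affected.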
      • heiko

        You have upgraded to 1.2 release from what?

        And one of the IPsec check-ins for 1.21,
        e.g. http://cvstrac.pfsense.com/chngview?cn=21860

        Here you can take a look at the timeline:
        http://cvstrac.pfsense.com/timeline

        Regards
        heiko

        • coreyva

          I've been a user of pfsense for a few years now. The current version was updated from one of the 1.2 RCs. I've just kinda upgraded as the new releases come out. I'll take a look at the 1.21 cvs and let you know how it goes.

          • heiko

            1.21 isn't available at the moment.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.