Mobile IPSEC issue



  • First, I'm using the 1.2 release and IPSecuritas 3.1 on OS X.
    I have not needed to make any mobile connections since updating to 1.2. Prior to the upgrade, all worked well. Now whenever I connect, on the client side all appears well, but no traffic flows. On the server side I get this.

    
    Jun 27 12:04:48 firewall racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[17230]
    Jun 27 12:04:48 firewall racoon: INFO: begin Aggressive mode.
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: RFC 3947
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jun 27 12:04:48 firewall racoon: INFO: received Vendor ID: DPD
    Jun 27 12:04:48 firewall racoon: INFO: ISAKMP-SA established x.x.x.x[500]-y.y.y.y[17230] spi:f2825f2e81234567:123456725af91f57
    Jun 27 12:04:48 firewall racoon: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
    Jun 27 12:04:48 firewall racoon: INFO: no policy found, try to generate the policy : 10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in
    Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=221284951(0xd8f2127)
    Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=24812470(0x17bc126)
    Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in"
    Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "172.31.0.0/24[0] 10.173.190.198/32[0] proto=any dir=out"
    
    

    I'm using the same policy that previously worked on the client and had not made any changes on pfSense other than the upgrade. I've been searching the forum and came across this post indicating a problem with 1.2 and mobile IPSEC:
    http://forum.pfsense.org/index.php/topic,9332.msg54258.html#msg54258

    Then I came across this post saying it works fine. Since this one is older, I'd assume that perhaps the issue was unknown at that time?
    http://forum.pfsense.org/index.php/topic,9164.msg51804.html#msg51804

    If anyone could shed some light as to whether there truly is an issue with 1.2 and mobile IPSEC, or if there is something fubar with my config, I'd appreciate it. I should add that I have 8 other IPSEC rules as a client to several NetScreen firewalls that work flawlessly.

    Thanks
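    The log above shows the pattern worth recognising: phase 1 and phase 2 both complete (ISAKMP-SA and both ESP IPsec-SAs are established), yet racoon then reports that the SPD policy it tried to generate does not exist, which is why the tunnel looks up but carries no traffic. The following is an added example (not code from the poster or from pfSense) that parses racoon log lines of this shape, tracks per-peer state, and flags peers whose SAs were installed without a matching policy; the log lines are constructed from the excerpt above with placeholder addresses, and the extra `z.z.z.z` peer is an assumed second case to show a phase 2 that never completed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the racoon excerpt in the post above.
# x.x.x.x / y.y.y.y are the poster's placeholders; z.z.z.z is an assumed
# second peer whose phase 2 never completes.
SAMPLE_LOG = """\
Jun 27 12:04:48 firewall racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[17230]
Jun 27 12:04:48 firewall racoon: INFO: begin Aggressive mode.
Jun 27 12:04:48 firewall racoon: INFO: ISAKMP-SA established x.x.x.x[500]-y.y.y.y[17230] spi:f2825f2e81234567:123456725af91f57
Jun 27 12:04:48 firewall racoon: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
Jun 27 12:04:48 firewall racoon: INFO: no policy found, try to generate the policy : 10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in
Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=221284951(0xd8f2127)
Jun 27 12:04:49 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=24812470(0x17bc126)
Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "10.173.190.198/32[0] 172.31.0.0/24[0] proto=any dir=in"
Jun 27 12:04:49 firewall racoon: ERROR: such policy does not already exist: "172.31.0.0/24[0] 10.173.190.198/32[0] proto=any dir=out"
Jun 27 12:10:00 firewall racoon: INFO: ISAKMP-SA established x.x.x.x[500]-z.z.z.z[500] spi:0000000000000001:0000000000000002
"""

# syslog prefix that racoon lines share
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)
ISAKMP_RE = re.compile(r"ISAKMP-SA established (?P<local>\S+?)\[\d+\]-(?P<remote>\S+?)\[\d+\]")
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: (?P<local>\S+?)\[\d+\]<=>(?P<remote>\S+?)\[\d+\]")
IPSEC_SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (?P<src>\S+?)\[\d+\]->(?P<dst>\S+?)\[\d+\] spi=(?P<spi>\d+)")
# selector "src/len[port] dst/len[port] proto=... dir=..."; the character class
# excludes the quote racoon puts around the selector in the ERROR line
POLICY_RE = re.compile(
    r"(?P<src>[0-9a-fA-F.:/]+)\[\d+\] (?P<dst>[0-9a-fA-F.:/]+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out|fwd)"
)


@dataclass
class PeerState:
    isakmp_established: bool = False
    ipsec_sas: list = field(default_factory=list)        # (src, dst, spi)
    generated_policies: list = field(default_factory=list)  # (src, dst, proto, dir)
    policy_errors: list = field(default_factory=list)       # (src, dst, proto, dir)


def parse_racoon_log(text):
    """Return {remote_peer: PeerState} built from racoon syslog lines."""
    peers = {}
    current = None  # peer named by the most recent phase 1/2 line; policy
                    # lines carry no address, so they are attributed to it
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (k := ISAKMP_RE.search(msg)):
            current = k.group("remote")
            peers.setdefault(current, PeerState()).isakmp_established = True
        elif (k := PHASE2_RE.search(msg)):
            current = k.group("remote")
            peers.setdefault(current, PeerState())
        elif (k := IPSEC_SA_RE.search(msg)) and current:
            peers[current].ipsec_sas.append((k.group("src"), k.group("dst"), int(k.group("spi"))))
        elif msg.startswith("no policy found") and current:
            if (k := POLICY_RE.search(msg)):
                peers[current].generated_policies.append(k.groups())
        elif msg.startswith("such policy does not already exist") and current:
            if (k := POLICY_RE.search(msg)):
                peers[current].policy_errors.append(k.groups())
    return peers


def diagnose(peers):
    """Classify each peer: SAs installed but SPD entry missing, or phase 2 never done."""
    findings = []
    for peer, st in peers.items():
        if st.ipsec_sas and st.policy_errors:
            # the situation in the post: both ESP SAs exist, but the kernel has
            # no policy to steer traffic into them, so nothing flows
            findings.append((peer, "sa_without_spd"))
        elif st.isakmp_established and not st.ipsec_sas:
            findings.append((peer, "phase2_incomplete"))
    return findings


if __name__ == "__main__":
    for peer, code in diagnose(parse_racoon_log(SAMPLE_LOG)):
        print(f"{peer}: {code}")
```

    Run on the excerpt, the `y.y.y.y` peer is reported as `sa_without_spd`, which separates this failure from an ordinary phase 2 proposal mismatch (no IPsec-SA lines at all) and points at the policy/SPD side rather than at the client's IKE settings.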



  • You have upgraded to the 1.2 release from what?

    And here is one of the IPsec check-ins for 1.21,
    e.g. http://cvstrac.pfsense.com/chngview?cn=21860

    Here you can take a look at the timeline:
    http://cvstrac.pfsense.com/timeline

    Regards
    heiko



  • I've been a user of pfSense for a few years now. The current version was updated from one of the 1.2 RCs. I've just kinda upgraded as the new releases come out. I'll take a look at the 1.21 CVS and let you know how it goes.



  • 1.21 isn't available at the moment

