Upgrade from 2.2.6 to 2.3 broke mobile IPSec [fixed]



  • I had IPsec set up and working great with 2.2.6 with the Cisco VPN client and Shrew Soft. Now the Cisco VPN client says error code 411: The remote peer does not support the VPN client protocol.

    Shrew Soft connects but will not pass traffic.

    Anybody had this issue?



  • Shrew Soft also fails the security association.



  • That isn't related to either of the two known issues, configs like that work in general. What do you have in your IPsec logs?



  • Apr 17 10:45:22 charon 14[KNL] creating rekey job for CHILD_SA ESP/0xcb0d144c/71.xx.xx.xx
    Apr 17 10:45:16 charon 14[IKE] <con5|19>deleting IKE_SA con5[19] between 71.xx.xx.xx[71.xx.xx.xx]…71.xx.xx.xx[admin]
    Apr 17 10:45:16 charon 14[IKE] <con5|19>received DELETE for IKE_SA con5[19]
    Apr 17 10:45:16 charon 14[ENC] <con5|19>parsed INFORMATIONAL_V1 request 2396139029 [ HASH D ]
    Apr 17 10:45:16 charon 14[NET] <con5|19>received packet: from 71.XX.XX.XX[49483] to 71.XX.XXX.XXX[4500] (92 bytes)
    Apr 17 10:45:16 charon 12[NET] <con5|19>sending packet: from 71.xx.xx.xx[4500] to 71.xx.xx.xx[49483] (76 bytes)
    Apr 17 10:45:16 charon 12[ENC] <con5|19>generating TRANSACTION request 576097578 [ HASH CPRQ(X_USER X_PWD) ]
    Apr 17 10:45:16 charon 12[IKE] <con5|19>remote host is behind NAT
    Apr 17 10:45:16 charon 12[IKE] <con5|19>local host is behind NAT, sending keep alives
    Apr 17 10:45:16 charon 12[IKE] <con5|19>received Cisco Unity vendor ID
    Apr 17 10:45:16 charon 12[ENC] <con5|19>received unknown vendor ID: bb:18:f6:5a:1e:16:2e:db:cf:1b:12:72:5f:94:0c:3e
    Apr 17 10:45:16 charon 12[ENC] <con5|19>parsed AGGRESSIVE request 0 [ HASH N(INITIAL_CONTACT) NAT-D NAT-D V V ]
    Apr 17 10:45:16 charon 12[NET] <con5|19>received packet: from 71.xx.xx.xx[49483] to 71.xx.xx.xx[4500] (172 bytes)
    Apr 17 10:45:16 charon 12[NET] <con5|19>sending packet: from 71.xx.xx.xx[500] to 71.xx.xx.xx[49482] (416 bytes)
    Apr 17 10:45:16 charon 12[ENC] <con5|19>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Apr 17 10:45:16 charon 12[CFG] <19> selected peer config "con5"
    Apr 17 10:45:16 charon 12[CFG] <19> looking for XAuthInitPSK peer configs matching 71.xx.xx.xx…71.xx.xx.xx[admin]
    Apr 17 10:45:16 charon 12[IKE] <19> 71.xx.xx.xx is initiating a Aggressive Mode IKE_SA
    Apr 17 10:45:16 charon 12[IKE] <19> received Cisco Unity vendor ID
    Apr 17 10:45:16 charon 12[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 17 10:45:16 charon 12[IKE] <19> received FRAGMENTATION vendor ID
    Apr 17 10:45:16 charon 12[IKE] <19> received DPD vendor ID
    Apr 17 10:45:16 charon 12[IKE] <19> received XAuth vendor ID
    Apr 17 10:45:16 charon 12[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    Apr 17 10:45:16 charon 12[NET] <19> received packet: from 71.xx.xx.xx[49482] to 71.xx.xx.xx[500] (865 bytes)



  • You probably need to enable Unity, VPN>IPsec, Advanced tab.



  • Unity is not checked.



  • @jswope:

    Unity is not checked.

    Yes, that's probably why; enable it. Then stop and start (not restart) strongswan under Status>Services to be sure it's definitely applied.



  • That was it. It was because in 2.2.6 it is disabled if it is checked. lol

    Thanks a lot
    8)



  • Good, glad to hear. We changed the default for the Unity plugin because it's better for most people if it's disabled, but the minority who need it have to enable it. I added a more clear note on that to the 2.3 section of the upgrade guide.

    That's not something you'll have to worry about again going forward as that default won't change again and your config has it enabled.
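    As an added diagnostic (not from this thread, pfSense or strongSwan), the script below parses charon lines in the format posted above, reorders them chronologically (pfSense shows newest first), groups them by IKE_SA and flags the pattern from this thread: a client advertising the Cisco Unity vendor ID reaches the XAuth prompt, then deletes the IKE_SA before any CHILD_SA is established. The sample log is constructed with documentation addresses.

```python
"""Triage strongSwan (charon) IKEv1 logs for the symptom in this thread.
Hypothetical helper; message strings follow strongSwan's log wording."""
import re
from collections import defaultdict

# Constructed sample modelled on the posted log; newest line first, as pfSense shows it.
SAMPLE_LOG = """\
Apr 17 10:45:16 charon 14[IKE] <con5|19> deleting IKE_SA con5[19] between 203.0.113.10[203.0.113.10]...198.51.100.7[admin]
Apr 17 10:45:16 charon 14[IKE] <con5|19> received DELETE for IKE_SA con5[19]
Apr 17 10:45:16 charon 12[ENC] <con5|19> generating TRANSACTION request 576097578 [ HASH CPRQ(X_USER X_PWD) ]
Apr 17 10:45:16 charon 12[IKE] <con5|19> received Cisco Unity vendor ID
Apr 17 10:45:16 charon 12[CFG] <19> selected peer config "con5"
Apr 17 10:45:16 charon 12[IKE] <19> received Cisco Unity vendor ID
Apr 17 10:45:16 charon 12[IKE] <19> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
"""

# "<conn|sa>" once a config is selected, "<sa>" before that; space after ">" is optional
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<group>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> ?(?P<msg>.*)$"
)

def parse(log_text, newest_first=True):
    """Return {ike_sa_id: [(conn, group, msg), ...]} in chronological order."""
    lines = log_text.splitlines()
    if newest_first:
        lines = list(reversed(lines))
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unrelated or truncated lines are skipped
            events[m["sa"]].append((m["conn"], m["group"], m["msg"].strip()))
    return events

def diagnose(log_text, newest_first=True):
    """Per IKE_SA: Unity client? reached XAuth? deleted by peer? CHILD_SA up?
    Adds a hint when the sequence matches the Unity-plugin-disabled case."""
    report = {}
    for sa, ev in parse(log_text, newest_first).items():
        msgs = [m for _, _, m in ev]
        unity = any("received Cisco Unity vendor ID" in m for m in msgs)
        xauth = any("CPRQ(X_USER X_PWD)" in m for m in msgs)
        deleted = any(m.startswith("received DELETE for IKE_SA") for m in msgs)
        child_up = any("CHILD_SA" in m and "established" in m for m in msgs)
        finding = {"unity_client": unity, "reached_xauth": xauth,
                   "peer_deleted": deleted, "child_sa_established": child_up}
        if unity and deleted and not child_up:
            finding["hint"] = ("Unity client tore down the IKE_SA before any CHILD_SA: "
                               "check that the Unity plugin is enabled under "
                               "VPN > IPsec > Advanced, then stop and start strongswan")
        report[sa] = finding
    return report

if __name__ == "__main__":
    for sa, finding in diagnose(SAMPLE_LOG).items():
        print(sa, finding)
```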



  • Thanks, makes total sense. Thanks for your help.

