Bug #3047

closed

IPSEC remote access broken in 2.03

Added by Robert Holmes almost 11 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/03/2013
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0.x
Affected Architecture:
All

Description

In pfSense 2.0 through 2.02, my configuration for remote IPSEC access (like my iPhone) worked fine. IPSEC with Mobile client setup and firewall rule allowing all traffic to pass-through worked fine. The same config in 2.03 does not work. There is authentication and the VPN is established, but no traffic works. Going back to 2.02 with the same config works fine.


Files

config-pfsense1.home.local-20130616122815.xml (56.2 KB) config-pfsense1.home.local-20130616122815.xml pfSense 2.02 config Robert Holmes, 06/16/2013 11:33 AM
IPSEC_log.txt (3.02 KB) IPSEC_log.txt Robert Holmes, 06/16/2013 05:14 PM
config-pfsense.kom.he-20130624160607.xml (23.1 KB) config-pfsense.kom.he-20130624160607.xml Micha Ch, 06/25/2013 03:55 AM
Actions #1

Updated by Jim Pingle almost 11 years ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

There is not nearly enough information here for a valid bug report. Include details about your exact config (every option you have set), how the clients are configured, a copy of your /var/etc/racoon.conf and so on. It's better to review/discuss all of that on a forum post before opening a ticket. If you have already done so, include a link to the forum post here.

Actions #2

Updated by Robert Holmes almost 11 years ago

Forum link is here: http://forum.pfsense.org/index.php/topic,62209.msg341320.html
I didn't get any feedback so I opened a ticket.

I used best practices and followed the WIKI to setup the VPN, so it should be easy to duplicate, but I've uploaded a sanitized config as well. Config is a working version on 2.02. A simple update to 2.03 will make that portion fail. (Since the VPN technically does work, it might be a firewall bug.)

Actions #3

Updated by Jim Pingle almost 11 years ago

Still not enough information. Most importantly we need the IPsec log entries (I forgot to mention that previously) from when it was broken.

Actions #4

Updated by Robert Holmes almost 11 years ago

You should have enough to re-create it on a pfSense box, but attached is the info you requested. Also, when the VPN connects the SAD tab shows data in the iPhone-to-pfSense direction, but not the return direction.

Actions #5

Updated by Jim Pingle almost 11 years ago

I used your exact IPsec config (aside from fixing the lifetimes to match the documented suggested values), and I am able to connect and reach items on the LAN behind my test VM running 2.0.3 (amd64) from an Android client.

Actions #6

Updated by Robert Holmes almost 11 years ago

I don't understand why it doesn't work for me in 2.03 - no config changes whatsoever between 2.02 and 2.03. I also just set up a Cisco VPN client (classic IPSEC) on a Windows XP virtual and have the same issue. Bytes sent from the Windows client, none received back. Both the VPN client stats and the pfSense stats mirror the same problem.

Actions #7

Updated by Jim Pingle almost 11 years ago

The Cisco VPN client is known to be broken when connecting to pfSense (and it's a violation of their license to do so using the Windows Cisco client). Use a known-good client such as Shrew Soft, or the Android/iOS client, for testing.

Actions #8

Updated by Robert Holmes almost 11 years ago

As before, same with iOS.

Actions #9

Updated by Micha Ch almost 11 years ago

Same problem since pfSense 2.0.2 with Android 4.1.2, 4.2, iOS 4/5.
Downgrade back to 2.0.1 and everything is fine with the same configuration.
I'll upload the config after making a fresh instance with IPSEC only.

Actions #10

Updated by Micha Ch almost 11 years ago

Jun 24 16:00:18 racoon: ERROR: failed to begin ipsec sa negotication.
Jun 24 16:00:18 racoon: ERROR: no configuration found for xx.xx.xx.xx.
Jun 24 16:00:06 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->xx.xx.xx.xx[500] spi=713412756(0x2a85d094)
Jun 24 16:00:06 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->xx.xx.xx.xx[500] spi=222768405(0xd472d15)
Jun 24 16:00:05 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jun 24 16:00:05 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 24 16:00:05 racoon: INFO: Update the generated policy : 192.168.xx.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jun 24 16:00:05 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>xx.xx.xx.77xx3270]
Jun 24 16:00:04 racoon: ERROR: Cannot open "/etc/motd"
Jun 24 16:00:04 racoon: INFO: login succeeded for user "xx"
Jun 24 16:00:04 racoon: INFO: Using port 0
Jun 24 16:00:03 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-xx.xx.xx.xx[3270] spi:786bc0xxd6ae4e0b:29c6e89xx800bcd9
Jun 24 16:00:03 racoon: INFO: Sending Xauth request
Jun 24 16:00:03 racoon: INFO: NAT detected: ME PEER
Jun 24 16:00:03 racoon: INFO: NAT-D payload #1 doesn't match
Jun 24 16:00:03 racoon: INFO: NAT-D payload #0 doesn't match
Jun 24 16:00:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 24 16:00:03 racoon: [xx.xx.xx.xx] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jun 24 16:00:03 racoon: [Self]: INFO: NAT-T: ports changed to: xx.xx.xx.xx[3270]<->xx.xx.xx.xx[4500]
Jun 24 16:00:03 racoon: INFO: Adding xauth VID payload.
Jun 24 16:00:03 racoon: [Self]: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[500] with algo #2 (NAT-T forced)
Jun 24 16:00:03 racoon: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[13575] with algo #2 (NAT-T forced)
Jun 24 16:00:03 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 24 16:00:03 racoon: ERROR: invalied encryption algorithm=0.
Jun 24 16:00:03 racoon: ERROR: invalied encryption algorithm=0.
Jun 24 16:00:03 racoon: ERROR: invalied encryption algorithm=0.
Jun 24 16:00:03 racoon: ERROR: invalied encryption algorithm=0.
Jun 24 16:00:03 racoon: [xx.xx.xx.xx] INFO: Selected NAT-T version: RFC 3947
Jun 24 16:00:03 racoon: INFO: received Vendor ID: DPD
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 24 16:00:03 racoon: INFO: received Vendor ID: RFC 3947
Jun 24 16:00:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 24 16:00:03 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 24 16:00:03 racoon: INFO: begin Aggressive mode.
Jun 24 16:00:03 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[13575]

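An added triage helper for racoon logs like the one quoted above (example code written for this page, not part of the thread or of pfSense): it walks the log in time order, records how far the client got (phase 1, Xauth, phase 2), pairs each installed ESP SA with its reverse-direction partner (the one-way SAD observation from comment #4), and notes at which stage every ERROR was logged. The sample log is constructed to mirror the quoted one; addresses, user and SPIs are made-up placeholders.

```python
import re

# Constructed sample, modelled on the racoon log quoted in this thread but not
# copied from it; addresses, user and SPIs are made-up placeholders. Like the
# thread's log it is newest-first, as the pfSense GUI shows it.
SAMPLE_LOG = """\
Jun 24 16:00:18 racoon: ERROR: failed to begin ipsec sa negotication.
Jun 24 16:00:18 racoon: ERROR: no configuration found for 198.51.100.7.
Jun 24 16:00:06 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.1[500]->198.51.100.7[500] spi=713412756(0x2a85d094)
Jun 24 16:00:06 racoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.7[500]->203.0.113.1[500] spi=222768405(0xd472d15)
Jun 24 16:00:05 racoon: [Self]: INFO: respond new phase 2 negotiation: 203.0.113.1[4500]<=>198.51.100.7[3270]
Jun 24 16:00:04 racoon: INFO: login succeeded for user "alice"
Jun 24 16:00:03 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[4500]-198.51.100.7[3270] spi:0123456789abcdef:fedcba9876543210
Jun 24 16:00:03 racoon: ERROR: invalied encryption algorithm=0.
Jun 24 16:00:03 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[13575]
"""

# "IPsec-SA established: ESP <src>[port]-><dst>[port] spi=<dec>(<hex>)"
SA_RE = re.compile(r"IPsec-SA established: ESP ([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=(\d+)")
ERR_RE = re.compile(r"ERROR: (.+?)\.?$")   # message text, trailing period dropped

def triage(log_text, newest_first=False):
    """Report the stage reached, the ESP SAs installed, and each ERROR with the stage it hit."""
    lines = log_text.splitlines()
    if newest_first:          # GUI logs are newest-first; walk them oldest-first
        lines.reverse()
    stage = "none"            # none -> phase1 -> xauth -> phase2
    sas = set()               # (src, dst) of every ESP SA racoon installed
    errors = []               # (stage at the time, message)
    for line in lines:
        if "ISAKMP-SA established" in line:
            stage = "phase1"
        elif "login succeeded for user" in line:
            stage = "xauth"
        m = SA_RE.search(line)
        if m:
            stage = "phase2"
            sas.add((m.group(1), m.group(2)))
        e = ERR_RE.search(line)
        if e:
            errors.append((stage, e.group(1)))
    # Return traffic needs an SA in the reverse direction for every SA seen
    bidirectional = bool(sas) and all((d, s) in sas for s, d in sas)
    return {"stage": stage, "esp_sas": len(sas),
            "bidirectional": bidirectional, "errors": errors}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG, newest_first=True)
    print(f"reached {r['stage']}, {r['esp_sas']} ESP SA(s), bidirectional={r['bidirectional']}")
    for stage, msg in r["errors"]:
        print(f"  [{stage}] {msg}")
```

On the sample it reports phase 2 reached with a paired SA set, and shows that the "no configuration found" error fired after the SAs were already up, which separates a failed later renegotiation from a negotiation that never completed.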
Actions #11

Updated by Robert Holmes almost 11 years ago

Not sure if it matters, but I am on an ALIX device. I have since moved back to 2.02 because I cannot afford the downtime. I will see how 2.1 works when I move to it. Thanks.

Actions #12

Updated by Micha Ch almost 11 years ago

We're using VMware pfSense. Upgraded to 2.1 but still no luck with mobile VPN.

Actions #13

Updated by Chris Buechler almost 10 years ago

  • Status changed from Feedback to Closed

Mobile IPsec works fine in general in 2.1x versions. 2.2 changes out ipsec-tools which will change everything any edge cases in this thread might see, so no point in keeping this.
