Matthew Grooms wrote:

I assure you, the client works fine. I use FreeBSD 6.2, NetBSD 3.1 and
several versions of Linux to test with on a regular basis. The 2.0
version also works with Cisco, Juniper, ZyWALL and a bunch of other
devices.

What version of pfsense do you have installed? I will build a
pfsense gateway tonight and see what I can do to track down the problem.


I installed the pfsense beta2 in a test environment and am able to connect using the shrew soft beta2 client. Below is a quick overview of the configuration.

I enabled the IPSEC and Mobile client options with the following settings ...

--- phase1 ---

exchange - aggressive
my identifier - fqdn "vpngw.shrew.net"
encryption algo - 3des
DH key group - 5
Lifetime - 28800 seconds
Authentication method - pre-shared key
protocol - esp

--- phase2 ---

encryption algos - 3des, blowfish, cast128, AES
hash algos - sha1, md5
pfs group - off
lifetime - 3600

Next I added a pre-shared key ...

Identifier - "client.shrew.net"
PSK value - "supersecret"

Then I created a site configuration in the client for the pfsense gateway that had a WAN interface of 10.1.1.14/24 and a LAN interface of 10.1.2.14/24. I have attached the exported .vpn file which can be imported by the 2.0 Client. The only parameters that would need to be modified for someone else's pfsense setup would be the ip address of the gateway and the policy configuration which specifies the distant networks.

At this point I could connect to the pfsense gateway and attempt to ping a node in the 10.1.2.0/24 network. Phase1 completed successfully and Phase2 was negotiated with a policy generated to support the ipsec tunnel. Unfortunately, no firewall rules were added automatically for the remote peer as I had hoped, so the inbound traffic was being blocked when passing from the enc0 device to the private network.

I added a quick and dirty rule in the firewall ipsec section to pass all traffic in from the enc0 interface to the private network and the packets started to pass without any problem. This is ugly, but I'm not sure what the official party line is at pfsense on how inbound rules should be handled for mobile ipsec clients. Racoon has support for up/down scripts that could probably be modified to manage rules in a pf anchor. Maybe someone else can chime in on the currently preferred methodology.

-Matthew

n:network-ike-port:500
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:0
s:network-host:10.1.1.14
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:disable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:client.shrew.net
s:ident-server-data:vpngw.shrew.net
s:auth-mutual-psk:supersecret
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-list-include:10.1.2.0 / 255.255.255.0

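An added example, not part of the post nor of the Shrew Soft or pfSense projects: it parses the exported .vpn profile format shown above (the "n:" numeric and "s:" string key lines) and compares the client profile against the gateway settings listed in the message, reporting any value that differs. The sample profile and the gateway table are constructed from the values in the post; run against them it reports the phase1 lifetime, which is 28800 seconds on the gateway and 86400 in the client profile.

```python
import re

# Constructed excerpt of the exported Shrew Soft .vpn profile (same keys and
# values as the attachment in the post; "s:" keys are strings, "n:" keys numbers).
SAMPLE_VPN = """\
n:phase1-dhgroup:5
n:phase1-life-secs:86400
n:phase2-life-secs:3600
s:network-host:10.1.1.14
s:auth-method:mutual-psk
s:ident-client-data:client.shrew.net
s:ident-server-data:vpngw.shrew.net
s:phase1-exchange:aggressive
s:policy-list-include:10.1.2.0 / 255.255.255.0
"""

# Gateway-side values as the post lists them for pfSense, keyed by the
# .vpn profile key they correspond to (constructed mapping).
GATEWAY = {
    "phase1-exchange": "aggressive",          # exchange - aggressive
    "ident-server-data": "vpngw.shrew.net",   # my identifier
    "ident-client-data": "client.shrew.net",  # pre-shared key identifier
    "phase1-dhgroup": 5,                      # DH key group - 5
    "phase1-life-secs": 28800,                # phase1 lifetime - 28800 seconds
    "phase2-life-secs": 3600,                 # phase2 lifetime - 3600
}

def parse_vpn(text):
    """Return {key: value}: 'n:' entries become int, 's:' entries stay str."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"([ns]):([^:]+):(.*)", line.strip())
        if m:
            kind, key, val = m.groups()
            conf[key] = int(val) if kind == "n" else val
    return conf

def check_profile(conf, gateway=GATEWAY):
    """Return a list of mismatches between the client profile and the gateway."""
    findings = []
    for key, expected in gateway.items():
        actual = conf.get(key)
        if actual != expected:
            findings.append("%s: client=%r gateway=%r" % (key, actual, expected))
    return findings

if __name__ == "__main__":
    for finding in check_profile(parse_vpn(SAMPLE_VPN)):
        print("mismatch", finding)
```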