I've been banging my head on the wall trying to get remote IPSEC to work with mobile clients and have had very little luck so far. From what I can tell, I've configured things properly on both ends but I receive a strange error message in the IPSEC logs when I try to connect. It states "racoon: ERROR: reject the packet, received unexpecting payload type 0." I have searched the racoon/ipsec-tools mailing list as well as the mailing list for the IPSEC client (Shrewsoft) but have had no luck. All keys are the same on both client and server as well as negotiation modes, encryption/hash algorithms, protocols, and key groups. I am running a fairly uncomplicated pfsense setup. PPPoE ADSL connection on WAN and a LAN with all clients. The error log is as follows:

---BEGIN---
May 8 01:35:35 racoon: ERROR: phase1 negotiation failed due to time up. 620a588cdc6aa64a:3310ab8375e30b1c
May 8 01:34:35 racoon: ERROR: reject the packet, received unexpecting payload type 0.
May 8 01:34:33 racoon: INFO: received Vendor ID: DPD
May 8 01:34:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 8 01:34:33 racoon: INFO: received Vendor ID: CISCO-UNITY
May 8 01:34:33 racoon: INFO: begin Aggressive mode.
May 8 01:34:33 racoon: INFO: respond new phase 1 negotiation: <pfSense IP>[500]<=><Remote Client IP>[13620]
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%xl0[500] used as isakmp port (fd=22)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=21)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2d:a338%xl1[500] used as isakmp port (fd=20)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
May 8 01:34:29 racoon: INFO: ::1[500] used as isakmp port (fd=18)
May 8 01:34:29 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=17)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: <pfSense IP>[500] used as isakmp port (fd=16)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng0[500] used as isakmp port (fd=15)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng1[500] used as isakmp port (fd=14)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.15[500] used as isakmp port (fd=13)
May 8 01:34:29 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
May 8 01:34:29 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
---END---

Here is my IPSEC excerpt from my config file:
---BEGIN---
<ipsec>
   <preferredoldsa/>
   <mobilekey>
               <ident>[EMAIL PROTECTED]</ident>
               <pre-shared-key>this-is-a-fake-shared-key</pre-shared-key>
   </mobilekey>
   <mobileclients>
       <enable/>
       <p1>
           <mode>aggressive</mode>
           <myident>
               <myaddress/>
           </myident>
           <encryption-algorithm>3des</encryption-algorithm>
           <hash-algorithm>sha1</hash-algorithm>
           <dhgroup>5</dhgroup>
           <lifetime>3600</lifetime>
           <private-key/>
           <cert/>
           <authentication_method>pre_shared_key</authentication_method>
       </p1>
       <p2>
           <protocol>esp</protocol>
           <encryption-algorithm-option>des</encryption-algorithm-option>
           <encryption-algorithm-option>3des</encryption-algorithm-option>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <encryption-algorithm-option>cast128</encryption-algorithm-option>
           <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
           <hash-algorithm-option>hmac_md5</hash-algorithm-option>
           <pfsgroup>2</pfsgroup>
           <lifetime>3600</lifetime>
       </p2>
   </mobileclients>
   <enable/>
</ipsec>
---END---

Any ideas? Help!

--
Tim Nelson
Technical Consultant
Rockbochs Inc.
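Not part of the original post: an added Python check that reads the `<ipsec>` excerpt above and flags the settings a reviewer of this configuration would question (IKEv1 aggressive mode with a pre-shared key, DES, MD5, 1024-bit DH/PFS groups). The `<ident>` value is a constructed placeholder; the pre-shared key is the poster's own fake value.

```python
import xml.etree.ElementTree as ET

# The poster's <ipsec> excerpt, trimmed to the tags the audit reads; the <ident>
# value is a constructed placeholder and the PSK is the poster's own fake value.
PFSENSE_IPSEC_XML = """<ipsec>
  <mobilekey>
    <ident>user@example.invalid</ident>
    <pre-shared-key>this-is-a-fake-shared-key</pre-shared-key>
  </mobilekey>
  <mobileclients>
    <p1>
      <mode>aggressive</mode>
      <dhgroup>5</dhgroup>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <encryption-algorithm-option>des</encryption-algorithm-option>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
    </p2>
  </mobileclients>
</ipsec>"""

WEAK_CIPHERS = {"des"}             # 56-bit key
WEAK_HASHES = {"hmac_md5", "md5"}
WEAK_DH_GROUPS = {"1", "2"}        # 768-bit and 1024-bit MODP


def audit_mobile_ipsec(xml_text):
    """Return findings (strings) for the mobile-client phase 1 and phase 2 settings."""
    root = ET.fromstring(xml_text)
    p1 = root.find("./mobileclients/p1")
    p2 = root.find("./mobileclients/p2")
    findings = []
    # IKEv1 aggressive mode sends the identity and the PSK-derived hash before the
    # channel is encrypted, so a captured exchange can be guessed against offline.
    if p1.findtext("mode") == "aggressive" and p1.findtext("authentication_method") == "pre_shared_key":
        findings.append("p1: aggressive mode with a pre-shared key exposes the PSK hash on the wire")
    if p1.findtext("dhgroup") in WEAK_DH_GROUPS:
        findings.append(f"p1: weak DH group {p1.findtext('dhgroup')}")
    for opt in p2.findall("encryption-algorithm-option"):
        if opt.text in WEAK_CIPHERS:
            findings.append(f"p2: weak cipher offered: {opt.text}")
    for opt in p2.findall("hash-algorithm-option"):
        if opt.text in WEAK_HASHES:
            findings.append(f"p2: weak integrity algorithm offered: {opt.text}")
    if p2.findtext("pfsgroup") in WEAK_DH_GROUPS:
        findings.append(f"p2: weak PFS group {p2.findtext('pfsgroup')}")
    return findings
```

Run against the excerpt it reports four findings; DH group 5 in phase 1 and the 3DES/HMAC-SHA1 phase 2 options pass.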
