http://pfsense.org/mirror.php?section=tutorials/mobile_ipsec/ 

-----Original Message-----
From: Tim Nelson [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 07, 2007 11:20 PM
To: [email protected]
Subject: [pfSense Support] IPSEC Mobile Client

I've been banging my head on the wall trying to get remote IPSEC to work
with mobile clients and have had very little luck so far. From what I
can tell, I've configured things properly on both ends but I receive a
strange error message in the IPSEC logs when I try to connect. It states
"racoon: ERROR: reject the packet, received unexpecting payload type 0."

I have searched the racoon/ipsec-tools mailing list as well as the
mailing list for the IPSEC client (Shrewsoft) but have had no luck. All
keys are the same on both client and server as well as negotiation
modes, encryption/hash algorithms, protocols, and key groups. I am
running a fairly uncomplicated pfSense setup. PPPoE ADSL connection on
WAN and a LAN with all clients. The error log is as follows:

---BEGIN---
May 8 01:35:35     racoon: ERROR: phase1 negotiation failed due to time 
up. 620a588cdc6aa64a:3310ab8375e30b1c
May 8 01:34:35     racoon: ERROR: reject the packet, received 
unexpecting payload type 0.
May 8 01:34:33     racoon: INFO: received Vendor ID: DPD
May 8 01:34:33     racoon: INFO: received broken Microsoft ID:
FRAGMENTATION
May 8 01:34:33     racoon: INFO: received Vendor ID: CISCO-UNITY
May 8 01:34:33     racoon: INFO: begin Aggressive mode.
May 8 01:34:33     racoon: INFO: respond new phase 1 negotiation: 
<pfSense IP>[500]<=><Remote Client IP>[13620]
May 8 01:34:29     racoon: INFO: fe80::210:4bff:fe2e:38c2%xl0[500] used 
as isakmp port (fd=22)
May 8 01:34:29     racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29     racoon: INFO: 192.168.2.1[500] used as isakmp port 
(fd=21)
May 8 01:34:29     racoon: INFO: fe80::210:4bff:fe2d:a338%xl1[500] used 
as isakmp port (fd=20)
May 8 01:34:29     racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29     racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=19)
May 8 01:34:29     racoon: INFO: ::1[500] used as isakmp port (fd=18)
May 8 01:34:29     racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=17)
May 8 01:34:29     racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29     racoon: INFO: <pfSense IP>[500] used as isakmp port 
(fd=16)
May 8 01:34:29     racoon: INFO: fe80::210:4bff:fe2e:38c2%ng0[500] used 
as isakmp port (fd=15)
May 8 01:34:29     racoon: INFO: fe80::210:4bff:fe2e:38c2%ng1[500] used 
as isakmp port (fd=14)
May 8 01:34:29     racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29     racoon: INFO: 192.168.2.15[500] used as isakmp port 
(fd=13)
May 8 01:34:29     racoon: INFO: @(#)This product linked OpenSSL 
0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
May 8 01:34:29     racoon: INFO: @(#)ipsec-tools 0.6.6 
(http://ipsec-tools.sourceforge.net)
---END---

Here is my IPSEC excerpt from my config file:
---BEGIN---
<ipsec>
    <preferredoldsa/>
    <mobilekey>
        <ident>[EMAIL PROTECTED]</ident>
        <pre-shared-key>this-is-a-fake-shared-key</pre-shared-key>
    </mobilekey>
    <mobileclients>
        <enable/>
        <p1>
            <mode>aggressive</mode>
            <myident>
                <myaddress/>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>5</dhgroup>
            <lifetime>3600</lifetime>
            <private-key/>
            <cert/>
            <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>des</encryption-algorithm-option>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <encryption-algorithm-option>cast128</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>3600</lifetime>
        </p2>
    </mobileclients>
    <enable/>
</ipsec>
---END---

Any ideas? Help!

--
Tim Nelson
Technical Consultant
Rockbochs Inc.
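An added example, not from the post and not pfSense or ipsec-tools code: a small triage routine for racoon log lines like the ones quoted above. It walks the lines oldest-first (the pfSense log viewer shows newest-first, hence the `newest_first` switch), records the peer that started the phase 1 exchange, the exchange mode, the vendor IDs the peer announced, and the errors that ended the attempt, so that a log can be compared against the client's settings at a glance. The sample lines are constructed from the post's log, with RFC 5737 example addresses in place of the redacted ones.

```python
import re

# Line shape as shown in the post: "<Mon> <D> <HH:MM:SS>   racoon: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+racoon:\s+(?P<level>\w+):\s+(?P<msg>.*)$")
PHASE1_RE = re.compile(r"respond new phase 1 negotiation: (?P<local>[^\[]+)\[\d+\]<=>(?P<peer>[^\[]+)\[(?P<pport>\d+)\]")
VENDOR_RE = re.compile(r"received (?:broken Microsoft ID|Vendor ID): (?P<vid>.+)")
MODE_RE = re.compile(r"begin (?P<mode>\w+) mode")
COOKIES_RE = re.compile(r"\b([0-9a-f]{16}:[0-9a-f]{16})\b")  # ISAKMP initiator:responder cookies

# Constructed sample (oldest first), modelled on the post's log; addresses are RFC 5737 examples.
SAMPLE_LOG = [
    "May 8 01:34:29     racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument",
    "May 8 01:34:33     racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.7[13620]",
    "May 8 01:34:33     racoon: INFO: begin Aggressive mode.",
    "May 8 01:34:33     racoon: INFO: received Vendor ID: CISCO-UNITY",
    "May 8 01:34:33     racoon: INFO: received broken Microsoft ID: FRAGMENTATION",
    "May 8 01:34:33     racoon: INFO: received Vendor ID: DPD",
    "May 8 01:34:35     racoon: ERROR: reject the packet, received unexpecting payload type 0.",
    "May 8 01:35:35     racoon: ERROR: phase1 negotiation failed due to time up. 620a588cdc6aa64a:3310ab8375e30b1c",
]

def triage(lines, newest_first=False):
    """Summarise one responder-side phase 1 attempt from racoon log lines."""
    if newest_first:
        lines = list(reversed(lines))
    s = {"peer": None, "peer_port": None, "mode": None, "vendor_ids": [],
         "warnings": [], "errors": [], "rejected": False, "cookies": None}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a racoon line (or a wrapped fragment of one)
        level, msg = m.group("level"), m.group("msg")
        if level == "WARNING":
            s["warnings"].append(msg)
        elif level == "ERROR":
            s["errors"].append(msg)
            s["rejected"] = s["rejected"] or msg.startswith("reject the packet")
            c = COOKIES_RE.search(msg)
            s["cookies"] = c.group(1) if c else s["cookies"]
        p1 = PHASE1_RE.search(msg)
        if p1:
            s["peer"], s["peer_port"] = p1.group("peer"), int(p1.group("pport"))
        mm = MODE_RE.search(msg)
        if mm:
            s["mode"] = mm.group("mode")
        vm = VENDOR_RE.search(msg)
        if vm:
            s["vendor_ids"].append(vm.group("vid"))
    # "negotiation failed" is racoon giving up on the exchange; a rejected packet before it
    # means the responder discarded the peer's message and never received a usable retry.
    s["outcome"] = ("phase1_failed" if any("negotiation failed" in e for e in s["errors"])
                    else "errors" if s["errors"] else "no_errors")
    return s
```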


____________
Virus checked by G DATA AntiVirusKit
Version: AVK 17.4497 from 07.05.2007
Virus news: www.antiviruslab.com



