--Tim
Holger Bauer wrote:
http://pfsense.org/mirror.php?section=tutorials/mobile_ipsec/

-----Original Message-----
From: Tim Nelson [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2007 11:20 PM
To: [email protected]
Subject: [pfSense Support] IPSEC Mobile Client

I've been banging my head on the wall trying to get remote IPSEC to work with mobile clients and have had very little luck so far. From what I can tell, I've configured things properly on both ends but I receive a strange error message in the IPSEC logs when I try to connect. It states "racoon: ERROR: reject the packet, received unexpecting payload type 0." I have searched the racoon/ipsec-tools mailing list as well as the mailing list for the IPSEC client (Shrewsoft) but have had no luck. All keys are the same on both client and server as well as negotiation modes, encryption/hash algorithms, protocols, and key groups.

I am running a fairly uncomplicated pfsense setup. PPPoE ADSL connection on WAN and a LAN with all clients.

The error log is as follows:

---BEGIN---
May 8 01:35:35 racoon: ERROR: phase1 negotiation failed due to time up. 620a588cdc6aa64a:3310ab8375e30b1c
May 8 01:34:35 racoon: ERROR: reject the packet, received unexpecting payload type 0.
May 8 01:34:33 racoon: INFO: received Vendor ID: DPD
May 8 01:34:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 8 01:34:33 racoon: INFO: received Vendor ID: CISCO-UNITY
May 8 01:34:33 racoon: INFO: begin Aggressive mode.
May 8 01:34:33 racoon: INFO: respond new phase 1 negotiation: <pfSense IP>[500]<=><Remote Client IP>[13620]
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%xl0[500] used as isakmp port (fd=22)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=21)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2d:a338%xl1[500] used as isakmp port (fd=20)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=19)
May 8 01:34:29 racoon: INFO: ::1[500] used as isakmp port (fd=18)
May 8 01:34:29 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=17)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: <pfSense IP>[500] used as isakmp port (fd=16)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng0[500] used as isakmp port (fd=15)
May 8 01:34:29 racoon: INFO: fe80::210:4bff:fe2e:38c2%ng1[500] used as isakmp port (fd=14)
May 8 01:34:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
May 8 01:34:29 racoon: INFO: 192.168.2.15[500] used as isakmp port (fd=13)
May 8 01:34:29 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
May 8 01:34:29 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
---END---

Here is my IPSEC excerpt from my config file:

---BEGIN---
<ipsec>
  <preferredoldsa/>
  <mobilekey>
    <ident>[EMAIL PROTECTED]</ident>
    <pre-shared-key>this-is-a-fake-shared-key</pre-shared-key>
  </mobilekey>
  <mobileclients>
    <enable/>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>5</dhgroup>
      <lifetime>3600</lifetime>
      <private-key/>
      <cert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>des</encryption-algorithm-option>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>3600</lifetime>
    </p2>
  </mobileclients>
  <enable/>
</ipsec>
---END---

Any ideas? Help!

--
Tim Nelson
Technical Consultant
Rockbochs Inc.
