Tim Nelson wrote:
Unfortunately, I am not having the same success as you with this! I've configured my pfSense box and my Shrewsoft VPN client exactly as you have presented, changing only the required items (IPs..) and still no luck. Although, now I have different entries in my logs! They are:

May 22 02:31:17 last message repeated 2 times
May 22 02:30:57 racoon: ERROR: Invalid exchange type 6 from xx.xxx.xxx.45[13620].
May 22 02:30:57 racoon: INFO: ISAKMP-SA established xx.xxx.xxx.41[500]-xx.xxx.xxx.45[13620] spi:414a323fc562af9b:a0f2118df4c4c50a
May 22 02:30:57 racoon: INFO: received Vendor ID: DPD
May 22 02:30:57 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 22 02:30:57 racoon: INFO: received Vendor ID: CISCO-UNITY
May 22 02:30:57 racoon: INFO: begin Aggressive mode.
May 22 02:30:57 racoon: INFO: respond new phase 1 negotiation: xx.xxx.xxx.41[500]<=>xx.xxx.xxx.45[13620]



Did you import the file I attached into the VPN Access Manager as a starting point for your site configuration, or did you create one from scratch? It would appear that the Client is trying to use mode config (exchange type 6) to auto-configure one or more parameters. The file I had attached disabled all the mode config functionality to prevent this from happening.

Here is a message that I posted on the Shrew Soft mailing list that describes what options need to be disabled to prevent mode config from being used. It basically says to disable the login banner and any setting that says automatic ;)

http://lists.shrew.net/pipermail/vpn-help/2006-October/000610.html

The Shrew Soft Client tracks ipsec tools development so it works best with later versions. As the client is flexible, it tends to be a bit of a chore to get it working with a fully manual configuration. The idea is to have all possible settings centrally administered by the VPN Gateway. If you are curious about how things would normally work, you can check out the Client Documentation section titled "Using the VPN Client".

http://www.shrew.net/vpn/help-2.0.0/vpnhelp.htm

The pfSense web interface doesn't support all the whiz-bang features that are made possible by the mode config and extended / hybrid authentication protocol extensions. After I get 2.0 out the door, I may have time to look at the pfSense code and see what I can do to help out in this regard.

If you still have problems, let me know.

-Matthew
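
Added example, not part of the original messages and not code from pfSense, racoon or Shrew Soft: a small triage script for racoon logs like the one quoted above. It maps the rejected ISAKMP exchange type number to its name (6 is the Transaction exchange that carries mode config) and reports whether the rejection came after phase 1 was established. The sample log is constructed with documentation-range addresses and a made-up SPI, and the script assumes lines are in oldest-first order (reverse a newest-first view before feeding it in).

```python
import re
from collections import defaultdict

# ISAKMP exchange type numbers: RFC 2408 base set, the mode-config
# Transaction exchange (6), and the IKE phase 2 types from RFC 2409.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 6: "Transaction (mode config)",
                  32: "Quick mode", 33: "New Group mode"}

# Constructed sample modelled on the quoted log; addresses and SPI are placeholders.
SAMPLE_LOG = """\
May 22 02:30:57 racoon: INFO: respond new phase 1 negotiation: 192.0.2.41[500]<=>192.0.2.45[13620]
May 22 02:30:57 racoon: INFO: begin Aggressive mode.
May 22 02:30:57 racoon: INFO: ISAKMP-SA established 192.0.2.41[500]-192.0.2.45[13620] spi:0011223344556677:8899aabbccddeeff
May 22 02:30:57 racoon: ERROR: Invalid exchange type 6 from 192.0.2.45[13620].
May 22 02:31:17 last message repeated 2 times
"""

SA_RE = re.compile(r"ISAKMP-SA established \S+-(\S+?)\[\d+\] spi:")
BAD_RE = re.compile(r"ERROR: Invalid exchange type (\d+) from (\S+?)\[\d+\]")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def diagnose(log_text):
    """Return {peer: {"phase1": bool, "rejected": {exchange_name: count}}}."""
    peers = defaultdict(lambda: {"phase1": False, "rejected": defaultdict(int)})
    last = None  # (peer, exchange name) when the previous line was a rejection
    for line in log_text.splitlines():
        if m := SA_RE.search(line):
            peers[m.group(1)]["phase1"] = True
            last = None
        elif m := BAD_RE.search(line):
            name = EXCHANGE_TYPES.get(int(m.group(1)), f"unknown ({m.group(1)})")
            last = (m.group(2), name)
            peers[last[0]]["rejected"][name] += 1
        elif (m := REPEAT_RE.search(line)) and last:
            # syslog collapses identical lines; credit them to the last rejection
            peers[last[0]]["rejected"][last[1]] += int(m.group(1))
        else:
            last = None
    return {p: {"phase1": d["phase1"], "rejected": dict(d["rejected"])}
            for p, d in peers.items()}

if __name__ == "__main__":
    for peer, d in diagnose(SAMPLE_LOG).items():
        when = "after" if d["phase1"] else "before"
        for name, n in d["rejected"].items():
            print(f"{peer}: {n}x rejected {name} exchange {when} phase 1 completed")
```

A peer that shows `phase1` as true together with rejected Transaction exchanges matches the situation described in the reply: authentication succeeded, and the client then asked for configuration the gateway does not serve.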
