Topic: Almost got Cisco VPN client working, but...pfsense SA failure???

limecat
Almost got Cisco VPN client working, but...pfsense SA failure???
« on: September 30, 2011, 10:17:15 pm »
I'm trying to get Cisco VPN client working against pfSense 2.0, and I'm nearly there-- got password prompt, cisco lock icon clicks, and pfsense sees traffic coming through.  I'm even seeing traffic flow to pfsense.

The problem is that no return traffic ever goes.  Under IPsec status, the icon is yellow, and under SAD, the return traffic entry shows no data.  In the IPsec log, I get this:
Code:
Sep 30 23:10:50 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Sep 30 23:10:50 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Sep 30 23:10:50 racoon: ERROR: not matched
........
Sep 30 23:10:50 racoon: ERROR: not matched
Sep 30 23:10:50 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 30 23:10:50 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Sep 30 23:10:50 racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=32432442(0x1eee13a)
Sep 30 23:10:50 racoon: [Self]: INFO: IPsec-SA established: ESP 98.175.##.###[500]->98.218.###.##[500] spi=1172355998(0x45e0bb9e)
Sep 30 23:10:54 racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:54 racoon: ERROR: failed to begin ipsec sa negotication.
Sep 30 23:10:58 racoon: ERROR: no configuration found for 98.218.###.##.
Sep 30 23:10:58 racoon: ERROR: failed to begin ipsec sa negotication.
Those last two entries repeat, seemingly for every piece of traffic that goes through.

My settings:

Using Mobile IPsec--
Providing a virtual IP and DNS

Phase 1 settings:
Interface:  WAN
Auth Method:  Mutual PSK + Xauth
Negotiation:  Aggressive
My identifier:  My IP address
Peer identifier: UDN (user@domain.com)
preshared key: mypks
Policy Generation: on
Proposal checking: obey
Encryption: AES128, with MD5
DH key group 2
Nat Traversal enabled
DPD on, 5 seconds, 5 retries

Phase 2:
Mode: tunnel
Local network: 0.0.0.0/0
Protocol: ESP
Encryption: AES(auto), 3des
Hash: md5
PFS off

I'm using the UDN and PKS as the group usernames and passwords.  As I said, I can connect, I just don't get any return traffic.  I have verified that (except for SSH traffic), all ports and protocols on all interfaces and all VPN interfaces are set to "allow".  There are no NAT rules in place, all other settings should be at default.  Additionally, the ShrewSoft VPN client does connect.

Anyone have any thoughts?
« Last Edit: October 02, 2011, 04:49:27 pm by limecat »
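An added example (not from the original post) to triage a racoon log like the one above: it parses the proposal-mismatch warnings, the established SAs and the repeated "no configuration found" errors and turns them into the pfSense-side checks worth making. The sample lines are constructed to match the post's format with documentation addresses standing in for the masked ones, and the regexes are my assumptions about racoon's wording beyond the lines quoted here.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in the post;
# 198.51.100.1 / 203.0.113.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Sep 30 23:10:50 racoon: WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
Sep 30 23:10:50 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Sep 30 23:10:50 racoon: ERROR: not matched
Sep 30 23:10:50 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 30 23:10:50 racoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=32432442(0x1eee13a)
Sep 30 23:10:54 racoon: ERROR: no configuration found for 203.0.113.7.
Sep 30 23:10:54 racoon: ERROR: failed to begin ipsec sa negotication.
Sep 30 23:10:58 racoon: ERROR: no configuration found for 203.0.113.7.
"""

MISMATCH_RE = re.compile(r"WARNING: (\w+) mismatched: my:(\S+) peer:(\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)")
NOCONF_RE = re.compile(r"ERROR: no configuration found for (\S+?)\.?$")

def analyse(log_text):
    """Collect proposal mismatches, established SAs and 'no configuration
    found' peers from racoon log text."""
    mismatches = {}          # attribute -> (our value, peer's value), first seen
    sas = []                 # (src, dst, spi) per established IPsec-SA
    no_config = Counter()    # peer address -> occurrences
    for line in log_text.splitlines():
        if m := MISMATCH_RE.search(line):
            mismatches.setdefault(m.group(1), (m.group(2), m.group(3)))
        elif m := SA_RE.search(line):
            sas.append((m.group(1), m.group(2), int(m.group(3))))
        elif m := NOCONF_RE.search(line):
            no_config[m.group(1)] += 1
    return {"mismatches": mismatches, "sas": sas, "no_config": dict(no_config)}

def diagnose(summary):
    """Map the summary to what to check on the pfSense side."""
    hints = []
    sa_up = bool(summary["sas"])   # a mismatch is harmless if an SA still came up
    for attr, (mine, peer) in summary["mismatches"].items():
        note = "benign, a later proposal matched" if sa_up else "add the client's value to the proposal"
        hints.append(f"{attr}: ours {mine}, peer {peer} ({note})")
    sa_peers = {dst for _, dst, _ in summary["sas"]}
    for peer, count in summary["no_config"].items():
        where = "after its SA came up" if peer in sa_peers else "with no SA"
        hints.append(f"{peer}: 'no configuration found' x{count} {where}; "
                     "racoon has no remote entry to negotiate with, check Policy Generation")
    return hints
```

Run `diagnose(analyse(SAMPLE_LOG))` on the sample, or feed it the contents of the IPsec log to get the same three hints for a live box.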

limecat
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #1 on: September 30, 2011, 10:36:27 pm »
I got it!!!
Looks like I just needed to reboot my Laptop and / or the pfsense box, it now works wonderfully.

Settings are as posted.  Only other thing I changed was to turn off Dead Peer Detection.

I will keep tinkering and see if I can narrow down which settings are required, and which are tweakable.  It does appear that Phase1 proposal checking must be set to Obey (possibly other settings will work, default will not).  I think policy generation also had to either be on "on", or "unique".

Probably won't finish testing till Monday, but in case anyone has been dying to get cisco clients working with pfSense, here you go :)
« Last Edit: September 30, 2011, 10:47:23 pm by limecat »

limecat
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #2 on: October 02, 2011, 04:50:58 pm »
Looks like I spoke too soon.  The key, it seems, was rebooting pfsense-- once the first Cisco VPN client has authed, it works.  But after disconnecting from the VPN, no further connection attempts work.  I'm not sure if it only applies to the client that connected, or if all further connection attempts would fail.

Is there anyone who has access to the Cisco client who is up for some testing with me?  Please let me know, thanks.

marcelloc
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #3 on: October 17, 2011, 08:40:55 pm »
Did you try the vpnc client package from FreeBSD instead of the IPsec GUI config?

limecat
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #4 on: October 19, 2011, 10:19:07 pm »
I can get shrewsoft vpn client to connect just fine, disconnect, reconnect, etc.

The cisco client will ONLY connect if it is the first connection since the previous reboot, however.

It might be a bug with Cisco, except that the Cisco client should not be able to tell whether someone has connected or not on the server end-- something is happening on the server after the first connection that causes Cisco to not work.  It connects, goes through the whole process, claims the tunnel is up, but will refuse to route any traffic.

I am opening a bug on this.

tubular031
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #5 on: November 16, 2011, 07:00:08 pm »
I am interested in how you fix this. I am on 2.0 with mobile client ipsec setup. I can connect with shrew soft no prob. Now I am trying to get the cisco client to work. It will connect but I can not ping or pass traffic.

carril
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #6 on: December 20, 2011, 11:54:50 am »
(quote of limecat's original post and settings, above)
I followed your steps, and it works fine.
Sorry, could you please let me know how to set a new user and pass.

carril
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #7 on: December 20, 2011, 11:56:29 am »
I followed your steps and works perfectly.
Could you please let me know where to set up a user and pass ?
thanks

limecat
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #8 on: December 26, 2011, 10:01:06 pm »
For the user, or the group?

For the user, create a new user account, and give them IPsec login permissions.

For the group, I think it's the peer identifier.

arthurbrownleeiv
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #9 on: December 29, 2011, 05:02:11 pm »
(quote of limecat's Reply #2, above)

I'm game, as I'm facing the same issue now. This is going to be a big problem for most of our clients, as they all are using the CiscoVPN client.

jarlel
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #10 on: February 01, 2012, 04:16:13 am »
Hi, did anyone figure out how to set up pfSense so that connecting with a Cisco VPN client works?

Thanks in advance.

boogieshafer
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #11 on: February 08, 2012, 02:26:27 am »

This issue sounds similar to the problems I was seeing with the Shrew client, where after resets to the pfsense ipsec process I could get the client to connect once and pass traffic, but subsequent connections would connect but fail to pass traffic.

For me the fix for that was, on the pfsense side, to try setting the P1 Policy Generation to "unique".

bdwyer
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #12 on: February 10, 2012, 09:49:28 pm »
I used the "unique" change as well as forcing NAT traversal to overcome similar issues.  On the policy tab on the Shrewsoft VPN client I also adjusted it to unique.  After making these two changes, I can consistently connect from my laptop and iPhone.  I don't know what the downside of forcing NAT traversal is other than ditching the delivery characteristics of TCP, however I think for high latency links, NAT-T might actually be necessary.
CCNP, MCITP

Intel Atom N550 - 2gb DDR3
Jetway NC9C-550-LF
Antec ISK 300-150
HP ProCurve 1810-24
Cisco 1841 & 2821, Cisco 3550 x3
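As an added illustration (not from any poster and not pfSense's generated file), this is how the phase 1 and phase 2 settings posted in this thread map onto a hand-written racoon.conf, with the Policy Generation change boogieshafer and bdwyer describe. The option names are racoon's own; the values are the thread's, and the remote anonymous / sainfo anonymous layout is my assumption.

```conf
# Hand-written racoon.conf fragment for the mobile-client setup (assumed layout).
remote anonymous {
    exchange_mode aggressive;                  # Negotiation: Aggressive
    my_identifier address;                     # My identifier: My IP address
    peers_identifier user_fqdn "user@domain.com";  # Peer identifier (group name)
    proposal_check obey;                       # Proposal checking: obey
    # was: generate_policy on;  (first client works, later ones get no policy)
    generate_policy unique;                    # Policy Generation: unique, one policy per client SA
    nat_traversal on;                          # NAT Traversal enabled
    mode_cfg on;                               # hand out virtual IP and DNS
    dpd_delay 5;                               # DPD 5 seconds, 5 retries
    dpd_retry 5;
    dpd_maxfail 5;
    proposal {
        encryption_algorithm aes 128;          # AES128
        hash_algorithm md5;                    # with MD5
        authentication_method xauth_psk_server;  # Mutual PSK + Xauth
        dh_group 2;                            # DH key group 2
    }
}

# Phase 2 for any client: ESP with AES or 3DES, HMAC-MD5, no PFS (no pfs_group line).
sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
```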

vrayanchu
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #13 on: April 06, 2012, 07:09:02 am »
Hi,

I am getting the same issue with cisco client, I am able to authenticate the pfsense box but not able to access local lan. I am using client version 5.0.06... ,

Please any one can suggest to me.

Thanks,
vrayanchu

valnar
Re: Almost got Cisco VPN client working, but...pfsense SA failure???
« Reply #14 on: August 01, 2012, 07:32:32 am »
Anybody figure this out?  Running the latest pfSense 2.01 and I login with my Cisco VPN client, but get the "can't access or ping anything on the Local LAN" issue.

Was this patch rolled into 2.01 or something later?
http://redmine.pfsense.org/issues/1970
« Last Edit: August 01, 2012, 07:44:23 am by valnar »