PFSense 2.0.1 L2TP over IPsec

JimmyJumbo

Hello,
I have installed PFSense 2.0.1 on a test system. I want to get a VPN connection (L2TP over IPsec) working with it. I have configured WAN and LAN, and from the PFSense interface I can ping the client, which is connected to the test system with a crossover cable. I have now set up the VPN as described in this guide: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. But I simply cannot connect =/ Windows 7 keeps saying "Error 789".

Here is everything again as bullet points:
- The goal is an L2TP over IPsec connection
- Mobile clients are supposed to connect (for testing, a netbook with a crossover cable; later, smartphones with Android and iOS)
- Set up according to the guide above
- Everything is allowed in the firewall (see screenshots below)
- Windows 7 as client (later also Mac OS and Linux)

Addendum:

May 2 14:57:52 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:52 racoon: INFO: begin Identity Protection mode.
May 2 14:57:52 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 2 14:57:52 racoon: INFO: received Vendor ID: RFC 3947
May 2 14:57:52 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 2 14:57:52 racoon: INFO: received Vendor ID: FRAGMENTATION
May 2 14:57:52 racoon: ERROR: invalid DH group 20.
May 2 14:57:52 racoon: ERROR: invalid DH group 19.
May 2 14:57:52 racoon: ERROR: no suitable proposal found.
May 2 14:57:52 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 2 14:57:52 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 2 14:57:52 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 2 14:57:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:53 racoon: INFO: begin Identity Protection mode.
May 2 14:57:53 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 2 14:57:53 racoon: INFO: received Vendor ID: RFC 3947
May 2 14:57:53 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 2 14:57:53 racoon: INFO: received Vendor ID: FRAGMENTATION
May 2 14:57:53 racoon: ERROR: invalid DH group 20.
May 2 14:57:53 racoon: ERROR: invalid DH group 19.
May 2 14:57:53 racoon: ERROR: no suitable proposal found.
May 2 14:57:53 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 2 14:57:53 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 2 14:57:53 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 2 14:57:55 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:55 racoon: INFO: begin Identity Protection mode.
May 2 14:57:55 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 2 14:57:55 racoon: INFO: received Vendor ID: RFC 3947
May 2 14:57:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 2 14:57:55 racoon: INFO: received Vendor ID: FRAGMENTATION
May 2 14:57:55 racoon: ERROR: invalid DH group 20.
May 2 14:57:55 racoon: ERROR: invalid DH group 19.
May 2 14:57:55 racoon: ERROR: no suitable proposal found.
May 2 14:57:55 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 2 14:57:55 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 2 14:57:55 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 2 14:57:59 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:59 racoon: INFO: begin Identity Protection mode.
May 2 14:57:59 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 2 14:57:59 racoon: INFO: received Vendor ID: RFC 3947
May 2 14:57:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 2 14:57:59 racoon: INFO: received Vendor ID: FRAGMENTATION
May 2 14:57:59 racoon: ERROR: invalid DH group 20.
May 2 14:57:59 racoon: ERROR: invalid DH group 19.
May 2 14:57:59 racoon: ERROR: no suitable proposal found.
May 2 14:57:59 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 2 14:57:59 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 2 14:57:59 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.

Here is the log as well. Maybe someone can make something of it.
 
I assumed that it would then also work for Windows 7 :freaky:

I'm a noob at PFsense =/
I'll try out the guide :) Thanks in advance

Addendum:

OK, I have now configured everything according to the guide. The firewall as well (although it says that this isn't needed). Now I get no logs at all in the "IPsec" section, and in the firewall logs ports 500 and 137 from 10.0.0.2 (my client) are being blocked o.0

The client still shows Error 789

Addendum:

New update:
I switched from "aggressive" to "main", turned off the firewall on the pfsense completely and set NAT-T to disabled. But under IPsec I get the following log:
May 3 16:02:18 racoon: INFO: unsupported PF_KEY message REGISTER
May 3 16:05:06 racoon: INFO: unsupported PF_KEY message REGISTER
May 3 16:05:20 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 3 16:05:20 racoon: INFO: begin Identity Protection mode.
May 3 16:05:20 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 3 16:05:20 racoon: INFO: received Vendor ID: RFC 3947
May 3 16:05:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 3 16:05:20 racoon: INFO: received Vendor ID: FRAGMENTATION
May 3 16:05:20 racoon: ERROR: invalid DH group 20.
May 3 16:05:20 racoon: ERROR: invalid DH group 19.
May 3 16:05:20 racoon: ERROR: no suitable proposal found.
May 3 16:05:20 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 3 16:05:20 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 3 16:05:20 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 3 16:05:21 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 3 16:05:21 racoon: INFO: begin Identity Protection mode.
May 3 16:05:21 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 3 16:05:21 racoon: INFO: received Vendor ID: RFC 3947
May 3 16:05:21 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 3 16:05:21 racoon: INFO: received Vendor ID: FRAGMENTATION
May 3 16:05:21 racoon: ERROR: invalid DH group 20.
May 3 16:05:21 racoon: ERROR: invalid DH group 19.
May 3 16:05:21 racoon: ERROR: no suitable proposal found.
May 3 16:05:21 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 3 16:05:21 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 3 16:05:21 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 3 16:05:23 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 3 16:05:23 racoon: INFO: begin Identity Protection mode.
May 3 16:05:23 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 3 16:05:23 racoon: INFO: received Vendor ID: RFC 3947
May 3 16:05:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 3 16:05:23 racoon: INFO: received Vendor ID: FRAGMENTATION
May 3 16:05:23 racoon: ERROR: invalid DH group 20.
May 3 16:05:23 racoon: ERROR: invalid DH group 19.
May 3 16:05:23 racoon: ERROR: no suitable proposal found.
May 3 16:05:23 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 3 16:05:23 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 3 16:05:23 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 3 16:05:27 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 3 16:05:27 racoon: INFO: begin Identity Protection mode.
May 3 16:05:27 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 3 16:05:27 racoon: INFO: received Vendor ID: RFC 3947
May 3 16:05:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 3 16:05:27 racoon: INFO: received Vendor ID: FRAGMENTATION
May 3 16:05:27 racoon: ERROR: invalid DH group 20.
May 3 16:05:27 racoon: ERROR: invalid DH group 19.
May 3 16:05:27 racoon: ERROR: no suitable proposal found.
May 3 16:05:27 racoon: [10.0.0.2] ERROR: failed to get valid proposal.
May 3 16:05:27 racoon: [10.0.0.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
May 3 16:05:27 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
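
Added example, not part of the original posts and not pfSense or racoon code: a small Python summarizer for racoon phase 1 log lines like the ones quoted above, which groups them per negotiation attempt and reports the rejected DH groups per peer. The sample log is constructed in the quoted format, the function names are assumptions of this example, and the group names follow the IANA IKE registry.

```python
import re

# Constructed sample in the format of the racoon lines quoted in the thread.
SAMPLE_LOG = """\
May 2 14:57:52 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:52 racoon: INFO: begin Identity Protection mode.
May 2 14:57:52 racoon: ERROR: invalid DH group 20.
May 2 14:57:52 racoon: ERROR: invalid DH group 19.
May 2 14:57:52 racoon: ERROR: no suitable proposal found.
May 2 14:57:52 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
May 2 14:57:53 racoon: [Self]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
May 2 14:57:53 racoon: ERROR: invalid DH group 20.
May 2 14:57:53 racoon: [10.0.0.2] ERROR: phase1 negotiation failed.
"""

# IKE Diffie-Hellman group numbers (IANA registry); subset for readability.
DH_NAMES = {2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
            19: "256-bit ECP", 20: "384-bit ECP"}

START = re.compile(r"respond new phase 1 negotiation: ([^\[\s]+)\[\d+\]<=>([^\[\s]+)\[\d+\]")
BAD_DH = re.compile(r"ERROR: invalid DH group (\d+)\.")

def summarize(log_text):
    """Split the log into negotiation attempts and record what racoon reported."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = START.search(line)
        if m:  # a new attempt starts; group 2 is the remote peer
            cur = {"peer": m.group(2), "rejected_dh": [],
                   "no_proposal": False, "failed": False}
            attempts.append(cur)
        elif cur is not None:
            m = BAD_DH.search(line)
            if m:
                cur["rejected_dh"].append(int(m.group(1)))
            elif "no suitable proposal found" in line:
                cur["no_proposal"] = True
            elif "phase1 negotiation failed" in line:
                cur["failed"] = True
    return attempts

def failures_by_peer(attempts):
    """Per peer: number of failed attempts and the sorted rejected DH groups."""
    report = {}
    for a in attempts:
        entry = report.setdefault(a["peer"], {"failed": 0, "rejected_dh": []})
        entry["failed"] += a["failed"]
        entry["rejected_dh"] = sorted(set(entry["rejected_dh"]) | set(a["rejected_dh"]))
    return report

if __name__ == "__main__":
    for peer, info in failures_by_peer(summarize(SAMPLE_LOG)).items():
        groups = ", ".join(f"{g} ({DH_NAMES.get(g, 'unknown')})" for g in info["rejected_dh"])
        print(f"{peer}: {info['failed']} failed phase 1 attempts; rejected DH groups: {groups}")
```

The summary only restates what racoon logged; which Phase 1 settings the two sides actually have in common still has to be checked in the configuration.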
 
Are you connecting with the built-in Windows client, or are you using ShrewVPN?
 
I have to set it up with the built-in Windows client.
 