Lion vs SL - IPSec RA-VPN
Hello All,
Currently I am running a PFSense firewall at my house. I have two remote computers that I am working with, one with SL and one with Lion. SL has always worked with IPSec Remote Access VPN; I have never had a problem. However, Lion hasn't worked from the get-go. All I get is connecting, connecting, connecting, no response.
I have also compared the racoon config files (/private/etc/racoon/racoon.conf) on both systems. They appear to be identical.
The following are the logs from Lion when trying to connect:
=============================================
10/16/11 10:36:30.710 AM configd: IPSec connecting to server *****.dyndns-at-home.com
10/16/11 10:36:30.712 AM configd: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
10/16/11 10:36:30.776 AM configd: IPSec Phase1 starting.
10/16/11 10:36:30.790 AM racoon: IPSec connecting to server x.x.x.x
10/16/11 10:36:30.790 AM racoon: Connecting.
10/16/11 10:36:30.790 AM racoon: IPSec Phase1 started (Initiated by me).
10/16/11 10:36:30.797 AM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:36:33.798 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:36.799 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:39.801 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:40.777 AM configd: IPSec disconnecting from server x.x.x.x
10/16/11 10:36:40.781 AM racoon: IPSec disconnecting from server x.x.x.x
=============================================
The following are the logs from PFSense during the same connection:
=============================================
Oct 16 10:21:13 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[495]
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: INFO: received Vendor ID: RFC 3947
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:21:13 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:21:13 racoon: INFO: received Vendor ID: DPD
Oct 16 10:21:13 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:21:13 racoon: [x.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: failed to process ph1 packet (side: 1, status: 2).
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
=============================================
For reference, the successful logs on OS X 10.6.7:
=============================================
10/16/11 10:02:04 AM racoon[3293] Connecting.
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 XAUTH: success. (XAUTH Status is OK).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Config: retransmited. (Mode-Config retransmit).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (MODE-Config).
10/16/11 10:02:07 AM configd[14] event_callback: Address added. previous interface setting (name: en0, address: x.x.x.x), current interface setting (name: utun0, family: 1001, address: x.x.x.x, subnet: 255.255.255.0, destination: x.x.x.x).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
10/16/11 10:02:07 AM kernel utun_ctl_connect: creating interface utun0
10/16/11 10:02:07 AM configd[14] network configuration changed.
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
=============================================
For reference, the successful logs on PFSense:
=============================================
Oct 16 10:25:15 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:25:15 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:25:15 racoon: INFO: received Vendor ID: DPD
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:25:15 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[294] with algo #1
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #1
Oct 16 10:25:15 racoon: INFO: Adding xauth VID payload.
Oct 16 10:25:15 racoon: [Self]: INFO: NAT-T: ports changed to: x.x.x.x[31656]<->x.x.x.x[4500]
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[4500] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #0 verified
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[31656] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #1 doesn't match
Oct 16 10:25:15 racoon: [x.x.x.x] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 16 10:25:15 racoon: INFO: NAT detected: PEER
Oct 16 10:25:15 racoon: INFO: Sending Xauth request
Oct 16 10:25:15 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:9e7a28932fdcaf3d:5916dbd4d0a7ad1e
Oct 16 10:25:21 racoon: INFO: Using port 0
Oct 16 10:25:21 racoon: INFO: login succeeded for user "*****"
Oct 16 10:25:21 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 16 10:25:21 racoon: WARNING: Ignored attribute 28683
Oct 16 10:25:21 racoon: [Self]: INFO: respond new phase 2 negotiation: x.x.x.x[4500]<=>x.x.x.x[31656]
Oct 16 10:25:21 racoon: INFO: no policy found, try to generate the policy : x.x.x.x[0] x.x.x.x[0] proto=any dir=in
Oct 16 10:25:21 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 16 10:25:21 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=33546230(0x1ffdff6)
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=135418854(0x81253e6)
=============================================
Thank you to anyone that can shed light on this... I'm pulling my hair out.
James
Macbook Pro Core Duo, Mac OS X (10.5.1)
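A small triage script for the situation described in this post, added here as an example; it is not part of the original post and not pfSense or Apple code. It parses racoon lines from both ends of an IKEv1 aggressive-mode phase 1 and correlates them: on the client side it counts how often Aggressive-Mode message 1 was sent and whether message 2 ever arrived, and on the responder side it looks for the PSK lookup failure (first by the initiator's ID payload, then by peer address) that ends with "phase1 negotiation failed". The sample logs are excerpts of the ones quoted above, embedded so the script runs offline; the verdict codes ("psk-lookup-failed" and so on) are labels chosen for this example, not racoon terminology.

```python
"""Correlate IKEv1 phase-1 racoon logs from an OS X client and a pfSense responder.

Added example for this thread. Sample input below is excerpted from the logs in
the post; the verdict codes are this script's own labels.
"""
import re
from dataclasses import dataclass

# --- sample input (excerpts of the post's logs, embedded so this runs offline) ---
LION_CLIENT = """\
10/16/11 10:36:30.790 AM racoon: IPSec Phase1 started (Initiated by me).
10/16/11 10:36:30.797 AM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:36:33.798 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:36.799 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:39.801 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:40.781 AM racoon: IPSec disconnecting from server x.x.x.x
"""
PFSENSE_FAIL = """\
Oct 16 10:21:13 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[495]
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:21:13 racoon: [x.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: failed to process ph1 packet (side: 1, status: 2).
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
"""
SL_CLIENT = """\
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
"""
PFSENSE_OK = """\
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:25:15 racoon: INFO: NAT detected: PEER
Oct 16 10:25:15 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:9e7a28932fdcaf3d:5916dbd4d0a7ad1e
Oct 16 10:25:21 racoon: INFO: login succeeded for user "*****"
"""

@dataclass
class ClientPhase1:
    msg1_sent: int = 0           # first transmission of Aggressive-Mode message 1
    retransmits: int = 0         # "Phase1 Retransmit": message 1 re-sent, no reply yet
    msg2_received: bool = False  # responder answered with Aggressive-Mode message 2
    phase1_ok: bool = False
    disconnected: bool = False

@dataclass
class ServerPhase1:
    aggressive: bool = False
    nat_t: str = ""
    psk_by_id_failed: bool = False    # lookup by the initiator's ID payload failed
    psk_by_addr_failed: bool = False  # fallback lookup by peer address failed too
    phase1_failed: bool = False
    sa_established: bool = False
    xauth_ok: bool = False

def parse_client(log: str) -> ClientPhase1:
    c = ClientPhase1()
    for line in log.splitlines():
        if "transmit success" in line and "Aggressive-Mode message 1)" in line:
            c.msg1_sent += 1
        elif "Phase1 Retransmit" in line:
            c.retransmits += 1
        elif "receive success" in line and "Aggressive-Mode message 2" in line:
            c.msg2_received = True
        elif "Phase1 Initiator: success" in line:
            c.phase1_ok = True
        elif "IPSec disconnecting" in line:
            c.disconnected = True
    return c

def parse_server(log: str) -> ServerPhase1:
    s = ServerPhase1()
    for line in log.splitlines():
        m = re.search(r"Selected NAT-T version: (.+)$", line)
        if "begin Aggressive mode" in line:
            s.aggressive = True
        elif m:
            s.nat_t = m.group(1).strip()
        elif "couldn't find the proper pskey" in line:
            s.psk_by_id_failed = True
        elif "couldn't find the pskey for" in line:
            s.psk_by_addr_failed = True
        elif "phase1 negotiation failed" in line:
            s.phase1_failed = True
        elif "ISAKMP-SA established" in line:
            s.sa_established = True
        elif "login succeeded" in line:
            s.xauth_ok = True
    return s

_TS = re.compile(r"^\S+\s+(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d{1,3}))?\s+([AP]M)")

def _seconds(line: str):
    """Seconds since midnight for an OS X console timestamp, or None."""
    m = _TS.match(line)
    if not m:
        return None
    h, mi, s, ms, ampm = m.groups()
    hour = int(h) % 12 + (12 if ampm == "PM" else 0)
    frac = int(ms.ljust(3, "0")) / 1000 if ms else 0.0
    return hour * 3600 + int(mi) * 60 + int(s) + frac

def retransmit_gaps(log: str) -> list:
    """Seconds between successive sends of message 1 (first send plus retransmits)."""
    times = []
    for line in log.splitlines():
        if "Aggressive-Mode message 1)" in line or "Phase1 Retransmit" in line:
            t = _seconds(line)
            if t is not None:
                times.append(t)
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

def diagnose(c: ClientPhase1, s: ServerPhase1) -> str:
    """Verdict for one attempt, from both sides' phase-1 lines."""
    if s.sa_established and (c.phase1_ok or c.msg2_received):
        return "phase1-established"
    if s.psk_by_addr_failed and not c.msg2_received:
        # Responder could not match a PSK to the ID payload or the peer address,
        # dropped message 1 without replying, so the initiator only retransmits.
        return "psk-lookup-failed"
    if c.retransmits and not c.msg2_received and not s.aggressive:
        return "no-responder-activity"  # message 1 never reached racoon on the responder
    return "inconclusive"

if __name__ == "__main__":
    for name, cl, sv in (("Lion", LION_CLIENT, PFSENSE_FAIL), ("SL", SL_CLIENT, PFSENSE_OK)):
        c, s = parse_client(cl), parse_server(sv)
        print(f"{name}: {diagnose(c, s)}  retransmits={c.retransmits} "
              f"gaps={retransmit_gaps(cl)} nat_t={s.nat_t!r}")
```

The point of correlating both sides is that the client log alone looks like a dead network path (message 1 sent, three retransmits about 3 s apart, then a disconnect after 10 s), while the pfSense log shows the packet did arrive and was discarded at PSK lookup. That narrows the search to the identifier the Lion client puts in its aggressive-mode ID payload versus the identifier the pfSense mobile PSK is keyed to; the script does not tell you what that identifier is, only that this is where phase 1 died.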