
Lion vs SL - IPSec RA-VPN

Hello All,


Currently I am running a PFSense Firewall at my house. I have two remote computers that I am working with, one with SL and one with Lion. SL has always worked with IPSec Remote Access VPN, never had a problem. However, Lion hasn't worked from the get go. All I get is connecting, connecting, connecting, no response.


I have also compared the Racoon Config files (/private/etc/racoon/racoon.conf) on both systems. They appear to be identical.


The following are the logs from Lion when trying to connect:

=============================================
10/16/11 10:36:30.710 AM configd: IPSec connecting to server *****.dyndns-at-home.com
10/16/11 10:36:30.712 AM configd: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
10/16/11 10:36:30.776 AM configd: IPSec Phase1 starting.
10/16/11 10:36:30.790 AM racoon: IPSec connecting to server x.x.x.x
10/16/11 10:36:30.790 AM racoon: Connecting.
10/16/11 10:36:30.790 AM racoon: IPSec Phase1 started (Initiated by me).
10/16/11 10:36:30.797 AM racoon: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:36:33.798 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:36.799 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:39.801 AM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
10/16/11 10:36:40.777 AM configd: IPSec disconnecting from server x.x.x.x
10/16/11 10:36:40.781 AM racoon: IPSec disconnecting from server x.x.x.x
=============================================


The following are the logs from PFSense during the same connection:

=============================================
Oct 16 10:21:13 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[495]
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: INFO: received Vendor ID: RFC 3947
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 16 10:21:13 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:21:13 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:21:13 racoon: INFO: received Vendor ID: DPD
Oct 16 10:21:13 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:21:13 racoon: [x.x.x.x] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: failed to process ph1 packet (side: 1, status: 2).
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
=============================================


For reference, the successful logs on OSX 10.6.7:

=============================================
10/16/11 10:02:04 AM racoon[3293] Connecting.
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
10/16/11 10:02:04 AM racoon[3293] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
10/16/11 10:02:04 AM racoon[3293] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 XAUTH: success. (XAUTH Status is OK).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Mode-Config message).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Config: retransmited. (Mode-Config retransmit).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (MODE-Config).
10/16/11 10:02:07 AM configd[14] event_callback: Address added. previous interface setting (name: en0, address: x.x.x.x), current interface setting (name: utun0, family: 1001, address: x.x.x.x, subnet: 255.255.255.0, destination: x.x.x.x).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
10/16/11 10:02:07 AM kernel utun_ctl_connect: creating interface utun0
10/16/11 10:02:07 AM configd[14] network configuration changed.
10/16/11 10:02:07 AM racoon[3293] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
10/16/11 10:02:07 AM racoon[3293] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
10/16/11 10:02:07 AM racoon[3293] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
=============================================


For reference, the successful logs on PFSense:

=============================================
Oct 16 10:25:15 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 16 10:25:15 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 16 10:25:15 racoon: INFO: received Vendor ID: DPD
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Oct 16 10:25:15 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[294] with algo #1
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #1
Oct 16 10:25:15 racoon: INFO: Adding xauth VID payload.
Oct 16 10:25:15 racoon: [Self]: INFO: NAT-T: ports changed to: x.x.x.x[31656]<->x.x.x.x[4500]
Oct 16 10:25:15 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[4500] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #0 verified
Oct 16 10:25:15 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[31656] with algo #1
Oct 16 10:25:15 racoon: INFO: NAT-D payload #1 doesn't match
Oct 16 10:25:15 racoon: [x.x.x.x] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 16 10:25:15 racoon: INFO: NAT detected: PEER
Oct 16 10:25:15 racoon: INFO: Sending Xauth request
Oct 16 10:25:15 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:9e7a28932fdcaf3d:5916dbd4d0a7ad1e
Oct 16 10:25:21 racoon: INFO: Using port 0
Oct 16 10:25:21 racoon: INFO: login succeeded for user "*****"
Oct 16 10:25:21 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 16 10:25:21 racoon: WARNING: Ignored attribute 28683
Oct 16 10:25:21 racoon: [Self]: INFO: respond new phase 2 negotiation: x.x.x.x[4500]<=>x.x.x.x[31656]
Oct 16 10:25:21 racoon: INFO: no policy found, try to generate the policy : x.x.x.x[0] x.x.x.x[0] proto=any dir=in
Oct 16 10:25:21 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 16 10:25:21 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=33546230(0x1ffdff6)
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=135418854(0x81253e6)
=============================================


Thank you to anyone that can shed light on this... I'm pulling my hair out.


James

Macbook Pro Core Duo, Mac OS X (10.5.1)

Posted on Oct 16, 2011 9:08 AM

Question marked as Best reply

Posted on Oct 16, 2011 10:47 AM

So after fiddling with this on and off for 2 weeks... The moment I post this I see a typo in my PresharedKey... This is now solved **facepalm**
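The two pfSense log excerpts above tell the whole story from the responder side: the failed attempt ends in "couldn't find the pskey", while the working one negotiates Phase 1 after a run of DES/3DES proposals that the peer rejects in favour of AES. The following triage script is an added example (not code from the thread or from pfSense/racoon) that classifies racoon log lines into those findings; the sample log is constructed from lines on this page.

```python
import re
from collections import Counter

# Constructed sample: lines condensed from the pfSense racoon logs in the post
SAMPLE_LOG = """\
Oct 16 10:21:13 racoon: INFO: begin Aggressive mode.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: couldn't find the pskey for x.x.x.x.
Oct 16 10:21:13 racoon: [x.x.x.x] ERROR: phase1 negotiation failed.
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Oct 16 10:25:21 racoon: WARNING: trns_id mismatched: my:DES peer:AES
Oct 16 10:25:21 racoon: [Self]: INFO: ISAKMP-SA established x.x.x.x[4500]-x.x.x.x[31656] spi:0:0
Oct 16 10:25:21 racoon: [Self]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=1(0x1)
"""

# Pattern -> event name. The pskey lookup failure is the decisive line: the responder
# must find a PSK for the initiator before it can answer, so the client only sees retransmits.
RULES = [
    (re.compile(r"begin Aggressive mode"), "aggressive_mode"),
    (re.compile(r"couldn't find the pskey for"), "psk_lookup_failed"),
    (re.compile(r"phase1 negotiation failed"), "phase1_failed"),
    (re.compile(r"trns_id mismatched: my:(\w+) peer:(\w+)"), "transform_mismatch"),
    (re.compile(r"ISAKMP-SA established"), "phase1_ok"),
    (re.compile(r"IPsec-SA established"), "phase2_ok"),
]
WEAK_CIPHERS = {"DES", "3DES"}

def triage(log_text):
    # Count matched events and collect the ciphers the responder offered unsuccessfully
    events, offered = Counter(), set()
    for line in log_text.splitlines():
        for rx, name in RULES:
            m = rx.search(line)
            if m:
                events[name] += 1
                if name == "transform_mismatch":
                    offered.add(m.group(1))
    return events, offered

def diagnose(log_text):
    # Turn the event counts into short finding codes an operator can act on
    events, offered = triage(log_text)
    findings = []
    if events["psk_lookup_failed"] and events["phase1_failed"]:
        findings.append("PSK_OR_IDENTIFIER_MISMATCH")  # check the PSK entry for this peer for typos
    if events["aggressive_mode"]:
        findings.append("AGGRESSIVE_MODE_PSK")  # initiator identity is sent unprotected in Phase 1
    if offered & WEAK_CIPHERS:
        findings.append("WEAK_PROPOSALS_OFFERED")  # DES/3DES still in the responder's proposal list
    if events["phase1_ok"] and events["phase2_ok"]:
        findings.append("TUNNEL_ESTABLISHED")
    return findings
```

Running `diagnose(SAMPLE_LOG)` flags the PSK mismatch and the stale DES/3DES proposals on the pfSense side alongside the successful tunnel.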
