[Vpn-help] VPN help with pfsense (freeBSD).

Matthew Grooms mgrooms at shrew.net
Wed Sep 27 18:34:14 CDT 2006


Chris Rees wrote:
> Hi, 
>  
> I am trying your VPN client with pfsense (m0n0wall remake).  It's a 
> freebsd based firewall setup.  I think I am close to getting it to work 
> but during or after the PSK negotiation and Phase 1 it fails with this 
> in the message log.
> 
...
> Sep 27 13:24:57 racoon: ERROR: Invalid exchange type 6 from 
> 216.160.xxx.xxx[500].
>  

	Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It 
appears that pfsense either doesn't have an interface for isakmp modecfg 
setup or the version you are using has it disabled. Modecfg is what 
allows for all the dynamic configuration of the client. Support for this 
feature can be enabled by compiling ipsec-tools with the hybrid option.

	But please note, not all versions of ipsec-tools support all the 
options that the client does. The ipsec-tools project is about to branch 
0.7 which will support all the features the client does in a stable 
release branch ( see the notes in the client documentation features list ).

	You should still be able to use the client with pfsense but you will 
need to make sure that ...

1) the pfsense ipsec-tools version supports the generate policy option
2) you disable all the dynamic client configuration features
3) it uses the hook scripts to punch holes in pf for vpn client traffic

Hope this helps,

-Matthew
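
An added example, not part of the original message and not code from racoon or the client: a small Python decoder for the fixed 28-byte ISAKMP header, which shows where the "exchange type 6" in the racoon error comes from when you inspect a captured UDP/500 payload. The function names and the sample datagram are constructed for illustration; the sketch assumes plain port-500 traffic with no NAT-T non-ESP marker in front of the header.

```python
import struct

# Exchange types 0-5 come from RFC 2408, 6 from the ISAKMP Configuration
# Method (modecfg) draft, 32-33 from RFC 2409 (IKE phase 2 / new group).
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (main mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (modecfg)", 32: "Quick Mode", 33: "New Group Mode",
}
# cookies (8+8), next payload, version, exchange type, flags, msg id, length
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    fields = HEADER.unpack_from(datagram)
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = fields
    if length < HEADER.size or length > len(datagram):
        raise ValueError("declared length inconsistent with datagram size")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unassigned/private"),
        "encrypted": bool(flags & 0x01),  # E bit: payloads are encrypted
        "message_id": msg_id,
        "length": length,
    }


def explain(datagram: bytes) -> str:
    """One-line summary suitable for annotating a capture."""
    hdr = parse_isakmp_header(datagram)
    text = f"exchange type {hdr['exchange_type']} ({hdr['exchange_name']})"
    if hdr["exchange_type"] == 6:
        text += ": peer is attempting modecfg after phase 1"
    return text


# Constructed sample: header of an encrypted Transaction exchange message
# followed by 8 placeholder body bytes (not a real capture).
SAMPLE = HEADER.pack(
    bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00"),
    8, 0x10, 6, 0x01, 0x2A, HEADER.size + 8,
) + bytes(8)

if __name__ == "__main__":
    print(explain(SAMPLE))
```
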


