[Vpn-help] VPN help with pfsense (freeBSD).
Matthew Grooms
mgrooms at shrew.net
Wed Sep 27 18:34:14 CDT 2006
Chris Rees wrote:
> Hi,
>
> I am trying your VPN client with pfsense (m0n0wall remake). It's a
> freebsd based firewall setup. I think I am close to getting it to work
> but during or after the PSK negotiation and Phase 1 it fails with this
> in the message log.
>
...
> Sep 27 13:24:57 racoon: ERROR: Invalid exchange type 6 from
> 216.160.xxx.xxx[500].
>
Exchange type 6 is ISAKMP Transactional Config ( or modecfg ). It
appears that pfsense either doesn't have an interface for isakmp modecfg
setup or the version you are using has it disabled. Modecfg is what
allows for all the dynamic configuration of the client. Support for this
feature can be enabled by compiling ipsec-tools with the hybrid option.
But please note, not all versions of ipsec-tools support all the
options that the client does. The ipsec-tools project is about to branch
0.7 which will support all the features the client does in a stable
release branch ( see the notes in the client documentation features list ).
You should still be able to use the client with pfsense but you will
need to make sure that ...

1) the pfsense ipsec-tools version supports the generate policy option
2) you disable all the dynamic client configuration features
3) it uses the hook scripts to punch holes in pf for vpn client traffic

Hope this helps,
-Matthew
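
Added example, not part of the original message and not ipsec-tools code: a Python decoder for the fixed ISAKMP header, showing how the "exchange type 6" in the racoon error maps to the Transaction (Mode Config) exchange. The function and constant names, and the sample packet, are constructed for illustration.

```python
import struct

# IKEv1 exchange types: RFC 2408 base set, type 6 from the ISAKMP
# Configuration Method (modecfg) draft, 32/33 from RFC 2409.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    6: "Transaction (Mode Config)", 32: "Quick Mode", 33: "New Group Mode",
}
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(datagram, udp_port=500):
    """Decode the fixed 28-byte ISAKMP header from a UDP payload."""
    if udp_port == 4500:
        # NAT-T: IKE on port 4500 is prefixed with a 4-byte zero non-ESP marker.
        if datagram[:4] != b"\x00" * 4:
            raise ValueError("ESP-in-UDP packet, not IKE")
        datagram = datagram[4:]
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(datagram)
    if not ISAKMP_HDR.size <= length <= len(datagram):
        raise ValueError("length field does not match the datagram")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unknown"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "length": length,
    }


# Constructed sample: an encrypted Transaction exchange message of the kind a
# client sends after phase 1. Cookies, message ID and body are made up.
SAMPLE = ISAKMP_HDR.pack(bytes.fromhex("1122334455667788"),
                         bytes.fromhex("99aabbccddeeff00"),
                         8, 0x10, 6, 0x01, 0x5A17C0DE, 28 + 48) + bytes(48)

if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE)
    print(f"exchange type {hdr['exchange_type']}: {hdr['exchange_name']}, "
          f"encrypted={hdr['encrypted']}, msgid={hdr['message_id']:#010x}")
```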