Netgate Discussion Forum

IPSec established, no Traffic passing.

2.0-RC Snapshot Feedback and Problems - RETIRED
40 Posts 6 Posters 49.0k Views
    eazydor
    last edited by May 17, 2010, 4:45 AM

    hey azzido, with which settings?!?

      jimp Rebel Alliance Developer Netgate
      last edited by May 17, 2010, 2:08 PM

      If you set up a site-to-site type tunnel, IPsec works. If you set up a mobile style tunnel, it does not work. I confirmed this again last week, but I was on the May 12th snapshot. I should update and try it again today.

      I'm not sure what azzido did, but I'd also be interested in knowing what method was used.

      I know how to make it work by hand after the connection is established, but it is completely impractical and only useful for verifying tests. (See my post on the ipsec-tools-devel list here: http://sourceforge.net/mailarchive/message.php?msg_name=4BEDB60C.2080501%40pingle.org )

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        jimp Rebel Alliance Developer Netgate
        last edited by May 17, 2010, 3:00 PM

        I just tried a mobile tunnel again on today's snapshot and I still can't pass traffic when it connects.


          eazydor
          last edited by May 17, 2010, 5:58 PM

          after all, what was/is the problem with roadwarrior support?
          wrong security policies (SPDs)?!?
          I would love to know how azzido got it working, with or without little snitches..

            jimp Rebel Alliance Developer Netgate
            last edited by May 17, 2010, 6:11 PM

            When the mobile client connects, it makes SPDs but doesn't properly tie them to the tunnel somehow.

            Flushing the SPDs and adding them back by hand makes it work - though the output of setkey before and after appears identical.


              azzido
              last edited by May 17, 2010, 10:27 PM

              I will post my setup once I get back home. It's basically the same setup that I posted in my previous thread that was not working before. Typing this while on the bus connected via VPN :)

                eazydor
                last edited by May 17, 2010, 10:38 PM

                no way, man. congrats to the first benefits of your first class tunnel…

                but you didn't have to flush & re-add the policies by hand? (i guess not, in a bus...)
                i tried with the same config you've posted in another thread, iPhone & IPsec i guess, on a 14May/22:45-i386-livecd-snapshot, but without luck..

                would be great if you could help..

                  azzido
                  last edited by May 17, 2010, 10:47 PM

                  No, didn't have to do anything fancy this time. It just works. And SPDs are auto generated. The only problem is if iPhone disconnects from 3g it does not automatically re-establish VPN tunnel so you have to connect manually. I think there is a way to force iPhone to automatically establish tunnel when you try to access certain sites.

                    eazydor
                    last edited by May 17, 2010, 11:00 PM

                    i don't get it. how could this be possible.. you're sure that traffic is passing through the tunnel?
                    jimp couldn't get it to work either, at least not without flushing SPDs..

                      azzido
                      last edited by May 17, 2010, 11:11 PM

                      Yep, works like a charm actually. I just need Internet connection with faster uplink now

                        eazydor
                        last edited by May 17, 2010, 11:48 PM May 17, 2010, 11:22 PM

                        you've separated the ipsec-net from the lan-net this time (ip range)?
                        386 or amd64?
                        nano or live?
                        tell us, make us wise, my friend..

                        what about your network settings, did you add a new gateway?

                          azzido
                          last edited by May 18, 2010, 12:02 AM

                          This is IPsec setup on pfSense:

                          VPN -> IPsec -> Mobile clients

                          IKE Extensions
                                  Enable IPsec Mobile Client Support                      yes
                              Extended Authentication (Xauth)
                                  User Authentication                                      system
                                  Group Authentication                                    system
                              Client Configuration (mode-cfg)
                                  Virtual Address Pool
                                      Provide a virtual IP address to clients             yes
                                      Network                                              192.168.103.0 / 24              !!! use subnet that is not currently used
                                  Network List
                                      Provide a list of accessible networks to clients    no
                                  DNS Default Domain
                                      Provide a default domain name to clients            yes
                                      Domain                                              domain.lan                      !!! can be same as pfSense domain
                                  DNS Servers
                                      Provide a DNS server list to clients                yes
                                      DNS Servers                                          208.67.222.222                  !!! openDNS
                                  WINS Servers
                                      Provide a WINS server list to clients                no
                                  Phase2 PFS Group
                                      Provide the Phase2 PFS group to clients              no
                                  Login Banner
                                      Provide a login banner to clients                    no

                          VPN -> IPsec > Tunnels

                          Enable IPsec                                                yes

                          VPN -> IPsec -> Tunnels -> Phase 1

                          General information
                                  Interface                                                WAN
                                  Description                                              iPhone
                              Phase 1 proposal (Authentication)
                                  Authentication method                                    Mutual PSK + Xauth
                                  Negotiation mode                                        aggressive                      !!! as per iPhone documentation
                                  My identifier                                            My IP address
                                  Peer identifier                                          Distinguished name              !!! enter name of the group
                                  Pre-Shared Key                                          *                                !!! 63 random alpha-numeric characters (a-z, A-Z, 0-9) from https://www.grc.com/passwords.htm
                                  Encryption algorithm                                    AES / 256 bits                   !!! that's the first thing iPhone proposes so that's what we use
                                  Hash algorithm                                          SHA1                            !!! that's the first thing iPhone proposes so that's what we use
                                  DH key group                                            2                                !!! as per iPhone documentation
                                  Lifetime                                                28800                            !!! leave default
                              Advanced Options
                                  NAT Traversal                                            Enable
                                  Dead Peer Detection
                                      Enable DPD                                          yes
                                      Delay between requesting peer acknowledgement.      10
                                      No of consecutive failures allowed before disconnect 5

                          VPN -> IPsec -> Tunnels -> Phase 2

                          Mode                                                        Tunnel
                              Local Network
                                  Type                                                    none
                                  Address                                                  leave blank
                              Phase 2 proposal (SA/Key Exchange)
                                  Protocol                                                ESP
                                  Encryption algorithms                                    AES / 256 bits
                                  Hash algorithms                                          SHA1
                                  PFS key group                                            off
                                  Lifetime                                                3600
                              Advanced Options
                                  Automatically ping host                                  -

                          and here is iPhone setup:

                          Settings -> General -> Network -> VPN -> Add VPN Configuration -> IPSec

                          Description                              descriptive name
                          Server                                    domain name or IP address of pfSense WAN interface
                          Account                                  user name (on pfSense box)
                          Password                                  user password
                          Use Certificate                          off
                          Group Name                                Peer identifier from pfSense setup
                          Secret                                    Pre-Shared Key from pfSense setup

                          • The user that you specify in iPhone needs to be created on pfSense under System -> User Manager

                          • If you use an Alix board, disable glxsb under System -> Advanced -> Miscellaneous

                          • Firewall needs to allow incoming UDP connections from WAN on ports 500 and 4500

                          • Firewall needs to allow IPSec traffic; create an allow-all rule with logging while testing

                          Try this and post your /var/etc/racoon.conf in case it does not work.

                          Good luck

                            eazydor
                            last edited by May 18, 2010, 12:03 AM

                            awesome, thanks..
                            i give it a try right now..

                              jimp Rebel Alliance Developer Netgate
                              last edited by May 18, 2010, 12:04 AM

                              Are you using that script mentioned in the other thread that flushes the keys? If so, it's just doing what I did by hand, automatically. And it's not a long-term solution for anyone using IPsec for other uses as well as mobile clients.


                                azzido
                                last edited by May 18, 2010, 12:09 AM

                                No, I am not doing anything this time. It's all configured thru web interface. SPDs are automatically created by Racoon and they work just fine.

                                pfSense is running on Alix board, iPhone OS is v3.1.3

                                Version  2.0-BETA1 built on Fri May 14 23:44:07 EDT 2010 FreeBSD 8.0-STABLE
                                Platform  nanobsd

                                  eazydor
                                  last edited by May 18, 2010, 12:23 AM

                                  tried latest snapshot (386-live) and still no traffic.
                                  same config as azzido.

                                    azzido
                                    last edited by May 18, 2010, 12:34 AM

                                    Post your /var/etc/racoon.conf file and I will compare it with mine.

                                    Execute this:

                                    /usr/bin/killall racoon && /usr/local/sbin/setkey -FP && /usr/local/sbin/setkey -F && rm /var/log/ipsec.log && touch /var/log/ipsec.log && /usr/sbin/clog -i -s 511488 /var/log/ipsec.log && /etc/rc.d/syslogd restart && /usr/local/sbin/racoon -dd -f /var/etc/racoon.conf
                                    

                                    and try to establish tunnel. Then post /var/log/ipsec.log maybe we can find something in the log.

                                      azzido
                                      last edited by May 18, 2010, 12:37 AM

                                      Also, are you trying to reach host on the internal network or internet? I had to configure outbound NAT for 192.168.103.0/24 before I could reach internet from iPhone.

                                        eazydor
                                        last edited by May 18, 2010, 12:57 AM

                                        i was trying to reach pfsense's internal lan ip.

                                        racoon.conf:

                                        # This file is automatically generated. Do not edit

                                        path pre_shared_key "/var/etc/psk.txt";

                                        path certificate  "/var/etc";

                                        listen
                                        {
                                        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                                        isakmp 192.168.1.17 [500];
                                        isakmp_natt 192.168.1.17 [4500];
                                        }

                                        mode_cfg
                                        {
                                        auth_source system;
                                        group_source system;
                                        pool_size 253;
                                        network4 192.168.3.1;
                                        netmask4 255.255.255.0;
                                        dns4 192.168.2.1;
                                        default_domain "workgroup";
                                        }

                                        remote anonymous
                                        {
                                        ph1id 1;
                                        exchange_mode aggressive;
                                        my_identifier address 192.168.1.17;
                                        peers_identifier fqdn "iphone";
                                        ike_frag on;
                                        generate_policy = unique;
                                        initial_contact = off;
                                        nat_traversal = on;

                                        dpd_delay = 10;
                                        dpd_maxfail = 5;
                                        support_proxy on;
                                        proposal_check claim;

                                        proposal
                                        {
                                        authentication_method xauth_psk_server;
                                        encryption_algorithm aes 256;
                                        hash_algorithm sha1;
                                        dh_group 2;
                                        lifetime time 28800 secs;
                                        }
                                        }

                                        sainfo   anonymous
                                        {
                                        remoteid 1;
                                        encryption_algorithm aes 256;
                                        authentication_algorithm hmac_sha1;

                                        lifetime time 3600 secs;
                                        compression_algorithm deflate;
                                        }

                                        ipsec_log:
                                        May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                                        May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: RFC 3947
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
                                        May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: DPD
                                        May 18 00:56:09 pfSense racoon: INFO: Selected NAT-T version: RFC 3947
                                        May 18 00:56:09 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
                                        May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
                                        May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
                                        May 18 00:56:09 pfSense racoon: INFO: Adding xauth VID payload.
                                        May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
                                        May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #0 verified
                                        May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
                                        May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #1 verified
                                        May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
                                        May 18 00:56:09 pfSense racoon: INFO: NAT not detected
                                        May 18 00:56:09 pfSense racoon: INFO: Sending Xauth request
                                        May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
                                        May 18 00:56:13 pfSense racoon: INFO: Using port 0
                                        May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
                                        May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
                                        May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute 28683
                                        May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                                        May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                                        May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
                                        May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
                                        May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
                                        May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
                                        May 18 00:56:14 pfSense racoon: INFO: initiate new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                                        May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=193249986(0xb84c2c2)
                                        May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=108727917(0x67b0e6d)
                                        May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
                                        May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.
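To make the comparison azzido asks for ("post your /var/etc/racoon.conf and I will compare it with mine") repeatable, here is an added example that is not code from the thread or from pfSense. It parses the racoon.conf format posted above into nested dictionaries and checks the mobile-client settings against the values in azzido's walkthrough (aggressive mode, Mutual PSK + Xauth, AES 256 / SHA1 / DH group 2, NAT traversal on, `generate_policy unique`), and also checks that the mode_cfg client pool does not contain the address racoon listens on, which is the "use a subnet that is not currently used" note in that post. The embedded config is a constructed sample modelled on eazydor's posted file, and `parse_racoon_conf` / `check_mobile_config` are names chosen for this example.

```python
import ipaddress

# Constructed sample modelled on the racoon.conf posted in the thread (abridged).
SAMPLE_RACOON_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
listen
{
    isakmp 192.168.1.17 [500];
    isakmp_natt 192.168.1.17 [4500];
}
mode_cfg
{
    pool_size 253;
    network4 192.168.3.1;
    netmask4 255.255.255.0;
    default_domain "workgroup";
}
remote anonymous
{
    exchange_mode aggressive;
    peers_identifier fqdn "iphone";
    generate_policy = unique;
    nat_traversal = on;
    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}
sainfo anonymous
{
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
}
"""


def parse_racoon_conf(text):
    """Parse `key value;` / `key = value;` statements and `name { ... }` blocks
    into nested dicts. '#' comments are stripped; blocks may nest."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    root, stack, buf = {}, [], ""
    stack.append(root)
    for ch in src:
        if ch == "{":                       # open a block named by the pending words
            block = {}
            stack[-1][" ".join(buf.split())] = block
            stack.append(block)
            buf = ""
        elif ch == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            buf = ""
        elif ch == ";":                     # one statement is complete
            stmt, buf = " ".join(buf.split()), ""
            if not stmt:
                continue
            key, _, value = stmt.partition(" ")
            if key == "path":               # 'path pre_shared_key "..."' -> key 'path pre_shared_key'
                sub, _, value = value.partition(" ")
                key = f"{key} {sub}"
            value = value.lstrip("= ")      # accept both 'k v' and 'k = v'
            if value.startswith('"') and value.endswith('"') and value.count('"') == 2:
                value = value[1:-1]
            stack[-1][key] = value
        else:
            buf += ch
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


# Values azzido reports as the working setup (what the iPhone proposes first).
EXPECTED = {
    "remote anonymous": {"exchange_mode": "aggressive", "generate_policy": "unique",
                         "nat_traversal": "on"},
    "remote anonymous/proposal": {"authentication_method": "xauth_psk_server",
                                  "encryption_algorithm": "aes 256",
                                  "hash_algorithm": "sha1", "dh_group": "2"},
    "sainfo anonymous": {"encryption_algorithm": "aes 256",
                         "authentication_algorithm": "hmac_sha1"},
}


def _lookup(conf, path):
    node = conf
    for part in path.split("/"):
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def check_mobile_config(conf):
    """Return a list of findings; an empty list means the file matches the thread's setup."""
    findings = []
    for section, wants in EXPECTED.items():
        node = _lookup(conf, section)
        if node is None:
            findings.append(f"missing section '{section}'")
            continue
        for key, want in wants.items():
            got = node.get(key)
            if got != want:
                findings.append(f"{section}: {key} is {got!r}, expected {want!r}")
    # The client pool must be a subnet not otherwise in use; at minimum it must
    # not contain the address racoon itself listens on.
    try:
        cfg, listen = conf["mode_cfg"], conf["listen"]
        pool = ipaddress.ip_network(f"{cfg['network4']}/{cfg['netmask4']}", strict=False)
        if ipaddress.ip_address(listen["isakmp"].split()[0]) in pool:
            findings.append(f"mode_cfg pool {pool} contains the isakmp listen address")
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot evaluate mode_cfg pool: {exc}")
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RACOON_CONF
    for finding in check_mobile_config(parse_racoon_conf(text)) or ["no findings"]:
        print(finding)
```

Run it with no input to check the embedded sample, or pipe a real file in (`python3 check_racoon.py < /var/etc/racoon.conf`); each finding names the section and key that differ from the settings in the walkthrough, so two posters can spot the difference without eyeballing whole files.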

                                          azzido
                                          last edited by May 18, 2010, 2:00 AM

                                          eazydor, start racoon in debug mode with the command I posted earlier and post log with more info. In your case racoon deletes policies right after they are created so there is something else going on there.
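As an added example that is not from the thread, the following script applies azzido's reading of the log (racoon creates the policies and then removes them) to ipsec.log lines in the format posted above. It tracks phase 1 completion, the Xauth login, the policies racoon generates, the IPsec-SA SPIs, and the "such policy does not already exist" / "generated policy, deleting it" / "purged IPsec-SA" messages, and returns a verdict that separates "phase 1 failed", "phase 2 failed", "tunnel up but the SPD entries were removed" and "healthy". The regular expressions are written only against the message strings visible in the thread; the embedded log is a constructed sample modelled on eazydor's, and `analyze_racoon_log` and the verdict strings are this example's own names.

```python
import re

# Constructed sample modelled on the ipsec.log posted in the thread (abridged, same formats).
SAMPLE_IPSEC_LOG = """\
May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.
"""

# syslog-style prefix as written by racoon on pfSense: "Mon DD HH:MM:SS host racoon: LEVEL: msg"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
SPI_RE = re.compile(r"spi=(\d+)")
USER_RE = re.compile(r'login succeeded for user "([^"]+)"')
GEN_RE = re.compile(r"try to generate the policy : (.+)$")

VERDICT_NO_PHASE1 = "phase 1 never completed"
VERDICT_NO_SA = "phase 1 up but no IPsec-SA established (phase 2 failed)"
VERDICT_SPD_REMOVED = "IPsec-SAs established but the generated policies were removed: tunnel up, no traffic"
VERDICT_OK = "IPsec-SAs established with policies in place"


def analyze_racoon_log(text):
    """Summarise one mobile-client connection attempt from racoon log lines."""
    st = {"phase1_established": False, "xauth_user": None, "generated_policies": [],
          "sa_established": [], "sa_purged": [], "policy_errors": [],
          "policies_deleted": 0, "other_errors": [], "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                st["unparsed"] += 1
            continue
        level, msg = m.group("level"), m.group("msg")
        user, gen, spi = USER_RE.search(msg), GEN_RE.search(msg), SPI_RE.search(msg)
        if msg.startswith("ISAKMP-SA established"):
            st["phase1_established"] = True
        elif user:
            st["xauth_user"] = user.group(1)
        elif gen:                                   # racoon had to synthesise an SPD entry
            st["generated_policies"].append(gen.group(1))
        elif msg.startswith("IPsec-SA established") and spi:
            st["sa_established"].append(int(spi.group(1)))
        elif msg.startswith("such policy does not already exist"):
            st["policy_errors"].append(msg)
        elif msg.startswith("generated policy, deleting it"):
            st["policies_deleted"] += 1
        elif msg.startswith("purged IPsec-SA") and spi:
            st["sa_purged"].append(int(spi.group(1)))
        elif level == "ERROR":
            st["other_errors"].append(msg)
    st["verdict"] = _verdict(st)
    return st


def _verdict(st):
    if not st["phase1_established"]:
        return VERDICT_NO_PHASE1
    if not st["sa_established"]:
        return VERDICT_NO_SA
    # SAs came up, but racoon removed the policies it generated (or never had them):
    # this is the "established, no traffic" symptom discussed in the thread.
    if st["policies_deleted"] or st["policy_errors"] or st["sa_purged"]:
        return VERDICT_SPD_REMOVED
    return VERDICT_OK


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPSEC_LOG
    result = analyze_racoon_log(text)
    for key in ("phase1_established", "xauth_user", "generated_policies", "sa_established",
                "sa_purged", "policies_deleted", "policy_errors", "other_errors", "verdict"):
        print(f"{key}: {result[key]}")
```

On these snapshots /var/log/ipsec.log is a circular clog file (azzido's restart command creates it with `clog -i`), so feed the script the decoded text, `clog /var/log/ipsec.log | python3 ipsec_log_check.py`, rather than the raw file. Any line the prefix regex does not recognise is counted in `unparsed` instead of being silently dropped, so a format change is visible in the output.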
