IPSec established, no Traffic passing.

eazydor

hey azzido, with which settings?!?

jimp

If you setup a site-to-site type tunnel, IPsec work. If you setup a mobile style tunnel, it does not work. I confirmed this again last week, but I was on the May 12th snapshot. I should update and try it again today.

I'm not sure what azzido did, but I'd also be interesting in knowing what method was used.

I know how to make it work by hand after the connection is established, but it is completely impractical and only useful for verifying tests. (See my post on the ipsec-tools-devel list here: http://sourceforge.net/mailarchive/message.php?msg_name=4BEDB60C.2080501%40pingle.org )

jimp

I just tried a mobile tunnel again on today's snapshot and I still can't pass traffic when it connects.

eazydor

after all, what was/is the problem with roadwarrior support?
wrong security policies (SPD's)?!?
I'm would love to know, how azzido got it working, with or without little snitches..

jimp

When the mobile client connects, it makes SPDs but doesn't properly tie them to the tunnel somehow.

Flushing the SPDs and adding them back by hand makes it work - though the output of setkey before and after appears identical.

azzido

I will post my setup once I get back home. It's basically the same setup that I posted in my previous thread that was not working before. Typing this while on the bus connected via VPN :)

eazydor

no way, man. congrats to the first benefits of your first class tunnel…

but you didn't had to flush & re-add the policies by hand? (i guess not, in a bus...)
i tried with the same config you've posted in another thread, iphone& ipsec i guess, on a 14May/22:45-i386-livecd-snapshot, but without luck..

would be great if you could help..

azzido

No, didn't have to do anything fancy this time. It just works. And SPDs are auto generated. The only problem is if iPhone disconnects from 3g it does not automatically re-establish VPN tunnel so you have to connect manually. I think there is a way to force iPhone to automatically establish tunnel when you try to access certain sites.

eazydor

i dont get it. how could this be possible.. you're sure that traffic is passing through the tunnel?
jimp couldn't get it to work too, at least without flushing spd's..

azzido

Yep, works like a charm actually. I just need Internet connection with faster uplink now

eazydor

you've separated the ipsec-net from the lan-net this time (ip range)?
386 or amd64?
nano or live?
tell us, make us wise, my friend..

what about your network setting's, did you add a new gateway?

azzido

This is IPsec setup on pfSense:

VPN -> IPsec -> Mobile clients

IKE Extensions
Enable IPsec Mobile Client Support yes
Extended Authentication (Xauth)
User Authentication system
Group Authentication system
Client Configuration (mode-cfg)
Virtual Address Pool
Provide a vitual IP address to clients yes
Network 192.168.103.0 / 24 !!! use subnet that is not currently used
Network List
Provide a list of accessible networks to clients no
DNS Default Domain
Provide a default domain name to clients yes
Domain domain.lan !!! can be same as pfSense domain
DNS Servers
Provide a DNS server list to clients yes
DNS Servers 208.67.222.222 !!! openDNS
WINS Servers
Provide a WINS server list to clients no
Phase2 PFS Group
Provide the Phase2 PFS group to clients no
Login Banner
Provide a login banner to clients no

VPN -> IPsec > Tunnels

Enable IPsec yes

VPN -> IPsec -> Tunnels -> Phase 1

General information
Interface WAN
Description iPhone
Phase 1 proposal (Authentication)
Authentication method Mutual PSK + Xauth
Negotiation mode aggressive !!! as per iPhone documentation
My identifier My IP address
Peer identifier Distinguished name !!! enter name of the group
Pre-Shared Key * !!! 63 random alpha-numeric characters (a-z, A-Z, 0-9) from https://www.grc.com/passwords.htm
Encryption algorithm AES / 256 bits !!! that's the first thing iPhone proposes so that's what we use
Hash algorithm SHA1 !!! that's the first thing iPhone proposes so that's what we use
DH key group 2 !!! as per iPhone documentation
Lifetime 28800 !!! leave default
Advanced Options
NAT Traversal Enable
Dead Peer Detection
Enable DPD yes
Delay between requesting peer acknowledgement. 10
No of consecutive failures allowed before disconnect 5

VPN -> IPsec -> Tunnels -> Phase 2

Mode Tunnel
Local Network
Type none
Address leave blank
Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms AES / 256 bits
Hash algorithms SHA1
PFS key group off
Lifetime 3600
Advanced Options
Automatically ping host -

and here is iPhone setup:

Settings -> General -> Network -> VPN -> Add VPN Configuration -> IPSec

Description descriptive name
Server domain name or IP address of pfSense WAN interface
Account user name (on pfSense box)
Password user password
Use Certificate off
Group Name Peer identifier from pfSense setup
Secret Pre-Shared Key from pfSense setup

User that you specify in iPhone needs to be created on pfSense under System -> User Manager
If you use Alix board disable glxsb under System -> Advanced -> Miscellaneous
Firewall needs to allow incoming UDP connections from WAN on ports 500 and 4500
Firewall needs to allow IPSec traffic; create allow all rule with loggin while testing

Try this and post your /var/etc/racoon.conf in case it does not work.

Good luck

eazydor

awesome, thanks..
i give it a try right now..

jimp

Are you using that script mentioned in the other thread that flushes the keys? If so, it's just doing what I did by hand, automatically. And it's not a long-term solution for anyone using IPsec for other uses as well as mobile clients.

azzido

No, I am not doing anything this time. It's all configured thru web interface. SPDs are automatically created by Racoon and they work just fine.

pfSense is running on Alix board, iPhone OS is v3.1.3

Version 2.0-BETA1 built on Fri May 14 23:44:07 EDT 2010 FreeBSD 8.0-STABLE
Platform nanobsd

eazydor

tried latest snapshot (386-live) and still no traffic.
same config as azzido.

azzido

Post your /var/etc/racoon.conf file and I will compare it with mine.

Execute this:

/usr/bin/killall racoon && /usr/local/sbin/setkey -FP && /usr/local/sbin/setkey -F && rm /var/log/ipsec.log && touch /var/log/ipsec.log && /usr/sbin/clog -i -s 511488 /var/log/ipsec.log && /etc/rc.d/syslogd restart && /usr/local/sbin/racoon -dd -f /var/etc/racoon.conf

and try to establish tunnel. Then post /var/log/ipsec.log maybe we can find something in the log.

azzido

Also, are you trying to reach host on the internal network or internet? I had to configure outbound NAT for 192.168.103.0/24 before I could reach internet from iPhone.

eazydor

i was trying to reach pfsense's internal lan ip.

racoon.conf:

This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";

path certificate "/var/etc";

listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp 192.168.1.17 [500];
isakmp_natt 192.168.1.17 [4500];
}

mode_cfg
{
auth_source system;
group_source system;
pool_size 253;
network4 192.168.3.1;
netmask4 255.255.255.0;
dns4 192.168.2.1;
default_domain "workgroup";
}

remote anonymous
{
ph1id 1;
exchange_mode aggressive;
my_identifier address 192.168.1.17;
peers_identifier fqdn "iphone";
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;

dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;

proposal
{
authentication_method xauth_psk_server;
encryption_algorithm aes 256;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}

sainfo anonymous
{
remoteid 1;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;

lifetime time 3600 secs;
compression_algorithm deflate;
}

ipsec_log:
May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: RFC 3947
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: DPD
May 18 00:56:09 pfSense racoon: INFO: Selected NAT-T version: RFC 3947
May 18 00:56:09 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
May 18 00:56:09 pfSense racoon: INFO: Adding xauth VID payload.
May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #0 verified
May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #1 verified
May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 18 00:56:09 pfSense racoon: INFO: NAT not detected
May 18 00:56:09 pfSense racoon: INFO: Sending Xauth request
May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
May 18 00:56:13 pfSense racoon: INFO: Using port 0
May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute 28683
May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
May 18 00:56:14 pfSense racoon: INFO: initiate new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=193249986(0xb84c2c2)
May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=108727917(0x67b0e6d)
May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.

azzido

eazydor, start racoon in debug mode with the command I posted earlier and post log with more info. In your case racoon deletes policies right after they are created so there is something else going on there.