Ipsec Mobile clients with Mutual PSK + xauth
-
IIRC, with Mutual PSK+xauth, the PSK is more like the "group" key in Cisco terms. It's a PSK shared by all clients.
-
OK,
Mutual PSK works fine,
but if I configure a group using that PSK, I cannot complete phase 2. This is what I get:
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
Sep 1 14:41:03 last message repeated 3 times
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
Sep 1 14:41:03 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #1 verified
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT not detected
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Sending Xauth request
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Using port 0
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:05 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:09 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:13 racoon: [Mobile Clients]: ERROR: fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Sep 1 14:41:13 racoon: [Mobile Clients]: INFO: ISAKMP-SA expired 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: ISAKMP-SA deleted 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: Released port 0
-
I haven't tried it myself, but I'm guessing this is the real problem:
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
What do you have selected for encryption options in phase 2?
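As an added example (not code from the thread or from racoon/pfSense), here is a small Python triage script for racoon logs like the one posted above. It tracks which stage each remote peer completed (phase 1, xauth, phase 2) and attributes every ERROR line to the stage that was still pending when it was logged, so this log reports being stuck in phase 2 on "failed to get sainfo" rather than on the earlier, non-fatal phase 1 error. The sample log excerpt, the stage names and the function names are my own constructions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample: an excerpt of the racoon log quoted above, keeping the syslog
# "last message repeated" line to show how repeats are folded into the error count.
SAMPLE_LOG = """\
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
Sep 1 14:41:03 last message repeated 3 times
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
"""
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} racoon: \[[^\]]+\]: ([A-Z]+): (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times$")
PEER_RE = re.compile(r"\d+\.\d+\.\d+\.\d+\[\d+\](?:<=>|-)(\d+\.\d+\.\d+\.\d+)\[\d+\]")
# Log fragments that mark completion of each stage of an IKEv1 PSK+xauth negotiation.
MILESTONES = {"ISAKMP-SA established": "phase1", "login succeeded": "xauth",
              "IPsec-SA established": "phase2"}
STAGES = ("phase1", "xauth", "phase2")

def pending(done):
    return next((s for s in STAGES if s not in done), "complete")

def triage(log_text):
    peers = defaultdict(lambda: {"done": set(), "errors": Counter()})
    peer, last_key = "unknown", None
    for line in log_text.splitlines():
        if rep := REPEAT_RE.search(line):  # syslog folded N repeats of the previous line
            if last_key:
                peers[peer]["errors"][last_key] += int(rep.group(1))
            continue
        if not (m := LINE_RE.match(line)):
            continue
        level, msg = m.groups()
        if addr := PEER_RE.search(msg):  # lines naming no address belong to the last peer seen
            peer = addr.group(1)
        # errors are keyed by the stage that was still pending when they were logged
        last_key = (pending(peers[peer]["done"]), msg) if level == "ERROR" else None
        if last_key:
            peers[peer]["errors"][last_key] += 1
        for fragment, stage in MILESTONES.items():
            if fragment in msg:
                peers[peer]["done"].add(stage)
    return peers

def stuck_at(entry):
    stage = pending(entry["done"])
    top = [key[1] for key, _ in entry["errors"].most_common() if key[0] == stage]
    return stage, (top[0] if top else None)
```

Feed it the full log with `triage(open("/var/log/racoon.log").read())` and call `stuck_at` on each peer's entry to get the stage and the dominant error for that stage.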
-
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
but if that was the error then I don't see why it works with Mutual PSK; the only thing that changes is from Mutual PSK to Mutual PSK + xauth,
and they of course use the Peer identifier and Pre-Shared Key in Phase 1 instead of the ones under VPN: IPsec: Keys.
phase1 config under Mutual PSK:
remote anonymous
{
    ph1id 3;
    exchange_mode aggressive;
    my_identifier address 10.0.10.1;
    ike_frag on;
    generate_policy = on;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;
    passive on;
    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

phase2 mutual PSK:
sainfo anonymous
{
    remoteid 3;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}

phase1 with Mutual PSK + xauth:
remote anonymous
{
    ph1id 3;
    exchange_mode aggressive;
    my_identifier address 10.0.10.1;
    ike_frag on;
    generate_policy = unique;    # was "on" under Mutual PSK
    initial_contact = off;       # was "on" under Mutual PSK
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;        # was "obey" under Mutual PSK; no "passive on;" here
    proposal
    {
        authentication_method xauth_psk_server;    # was pre_shared_key
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

phase2 Mutual PSK + xauth:
sainfo subnet 10.0.80.0/24 any anonymous    # was "sainfo anonymous" under Mutual PSK
{
    remoteid 3;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
-
Try changing the Proposal Checking drop-down. In mutual PSK, the default is obey, in MPSK+xauth, the default is claim.
Try the different values there, see if any work for you.
-
I have now tried all 4 but none of them work;
claim and obey gave the same result,
but strict and exact gave "rejected authmethod".
-
You might try leaving that at the default then.
What VPN client are you using to connect, and how exactly is it configured?
-
For the VPN client I am using vpnc from a machine running Ubuntu 10.04.
Gateway is set to 10.0.10.1
Group: test
User: vpn
Encryption method: Secure (default)
NAT-T: enabled
IP setting: automatic (VPN)
-
Is there a way to see what configuration file it writes out, so we can see exactly what options it's trying to use?
-
If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?
-
If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?
The client config.
-
The only difference in my config between the 2 is Username=:
[main]
Description=ipsec
Host=10.0.10.1
AuthType=1
GroupName=test
GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=vpn
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
NTDomain=
EnableMSLogon=0
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=0
EnableLocalLAN=1
SendCertChain=0
VerifyCertDN=
EnableSplitDNS=1
SingleDES=0
SPPhonebook=
X-NM-Use-NAT-T=1
X-NM-Routes=10.0.70.0/24