Ipsec Mobile clients with Mutual PSK + xauth
-
I haven't tried it myself, but I'm guessing this is the real problem:
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
What do you have selected for encryption options in phase 2?
-
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;

but if that was the error then I don't see why it works with Mutual PSK, the only thing that changes is from Mutual PSK to Mutual PSK + xauth
and they of course use the Peer identifier and Pre-Shared Key in Phase1 instead of the ones under VPN: IPsec: Keys
phase1 config under Mutual PSK:

remote anonymous
{
    ph1id 3;
    exchange_mode aggressive;
    my_identifier address 10.0.10.1;
    ike_frag on;
    generate_policy = on;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;
    passive on;
    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

phase2 mutual PSK:

sainfo anonymous
{
    remoteid 3;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}

phase1 with Mutual PSK + xauth:

remote anonymous
{
    ph1id 3;
    exchange_mode aggressive;
    my_identifier address 10.0.10.1;
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

phase2 Mutual PSK + xauth:

sainfo subnet 10.0.80.0/24 any anonymous
{
    remoteid 3;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
-
Try changing the Proposal Checking drop-down. In mutual PSK, the default is obey, in MPSK+xauth, the default is claim.
Try the different values there, see if any work for you.
-
I have now tried all 4 but none of them works,
claim and obey gave the same result
but strict and exact gave rejected authmethod
-
You might try leaving that at the default then.
What VPN client are you using to connect, and how exactly is it configured?
-
For the VPN client I am using vpnc from a machine running Ubuntu 10.04
gateway is set to 10.0.10.1
group: test
user: vpn
Encryption method: Secure (default)
NAT-T: enabled
IP setting: automatic (VPN)
-
Is there a way to see what configuration file it writes out, so we can see exactly what options it's trying to use?
-
If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?
-
The client config
-
The only difference in my config between the 2 is Username=
[main]
Description=ipsec
Host=10.0.10.1
AuthType=1
GroupName=test
GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=vpn
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
NTDomain=
EnableMSLogon=0
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=0
EnableLocalLAN=1
SendCertChain=0
VerifyCertDN=
EnableSplitDNS=1
SingleDES=0
SPPhonebook=
X-NM-Use-NAT-T=1
X-NM-Routes=10.0.70.0/24
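An added example, not code from pfSense, racoon, vpnc or any poster in this thread: a small Python parser for the racoon.conf block syntax posted earlier, which diffs the two phase-1 "remote anonymous" blocks (Mutual PSK vs Mutual PSK + xauth) so the exact settings that change are listed, and then cross-checks the DH group and NAT-T settings from the vpnc .pcf profile posted above against the server's phase-1 proposal. The config text is reproduced from the posts (statements joined onto fewer lines, which racoon allows); the function names and the trimmed .pcf excerpt are my own.

```python
import configparser
import re

# Phase-1 block as posted for Mutual PSK (statements joined onto fewer lines).
PSK_PHASE1 = """
remote anonymous {
    ph1id 3; exchange_mode aggressive; my_identifier address 10.0.10.1; ike_frag on;
    generate_policy = on; initial_contact = on; nat_traversal = on;
    dpd_delay = 10; dpd_maxfail = 5; support_proxy on; proposal_check obey; passive on;
    proposal {
        authentication_method pre_shared_key; encryption_algorithm 3des;
        hash_algorithm sha1; dh_group 2; lifetime time 28800 secs;
    }
}
"""

# Phase-1 block as posted for Mutual PSK + xauth.
XAUTH_PHASE1 = """
remote anonymous {
    ph1id 3; exchange_mode aggressive; my_identifier address 10.0.10.1; ike_frag on;
    generate_policy = unique; initial_contact = off; nat_traversal = on;
    dpd_delay = 10; dpd_maxfail = 5; support_proxy on; proposal_check claim;
    proposal {
        authentication_method xauth_psk_server; encryption_algorithm 3des;
        hash_algorithm sha1; dh_group 2; lifetime time 28800 secs;
    }
}
"""

# Constructed excerpt of the posted vpnc .pcf profile (only the keys checked below).
CLIENT_PCF = """
[main]
Host=10.0.10.1
GroupName=test
Username=vpn
EnableNat=1
DHGroup=2
"""


def tokenize(text):
    """Split racoon.conf text into words plus the structural tokens '{', '}' and ';'."""
    text = re.sub(r"#.*", "", text)  # racoon uses '#' line comments
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens):
    """Build nested dicts: 'key [=] value...;' -> result[key] = 'value...',
    and 'name args { ... }' -> result['name args'] = parse(inner tokens)."""
    result, words, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                result[words[0]] = " ".join(w for w in words[1:] if w != "=")
            words = []
        elif tok == "{":
            depth, j = 1, i + 1
            while depth:  # scan forward to the matching closing brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            result[" ".join(words)] = parse(tokens[i + 1:j - 1])
            words, i = [], j
            continue
        elif tok == "}":
            raise ValueError("unbalanced '}' in racoon config")
        else:
            words.append(tok)
        i += 1
    return result


def parse_racoon(text):
    return parse(tokenize(text))


def diff_config(a, b, path=""):
    """List (path, value_in_a, value_in_b) for every statement that differs."""
    changes = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if isinstance(va, dict) and isinstance(vb, dict):
            changes.extend(diff_config(va, vb, path + key + "/"))
        elif va != vb:
            changes.append((path + key, va, vb))
    return changes


def client_server_mismatches(pcf_text, phase1_text):
    """Compare what the .pcf client will propose with what the phase-1 block accepts."""
    pcf = configparser.ConfigParser()
    pcf.read_string(pcf_text)
    main = pcf["main"]
    remote = parse_racoon(phase1_text)["remote anonymous"]
    proposal = remote["proposal"]
    problems = []
    if main["DHGroup"] != proposal["dh_group"]:
        problems.append(f"DH group: client {main['DHGroup']} vs server {proposal['dh_group']}")
    server_natt = remote.get("nat_traversal", "off")  # racoon accepts on, off or force
    if (main["EnableNat"] == "1") != (server_natt in ("on", "force")):
        problems.append(f"NAT-T: client EnableNat={main['EnableNat']} vs server nat_traversal {server_natt}")
    return problems


if __name__ == "__main__":
    for path, old, new in diff_config(parse_racoon(PSK_PHASE1), parse_racoon(XAUTH_PHASE1)):
        print(f"{path}: {old!r} -> {new!r}")
    print("client/server mismatches:", client_server_mismatches(CLIENT_PCF, XAUTH_PHASE1) or "none")
```

Run as-is it prints the five settings that differ between the two phase-1 blocks (generate_policy, initial_contact, the dropped passive, the proposal's authentication_method, and proposal_check) and reports no DH group or NAT-T mismatch for the posted client profile, which narrows the problem to the server-side differences rather than to anything the client is proposing.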