Netgate Discussion Forum

Ipsec Mobile clients with Mutual PSK + xauth

2.0-RC Snapshot Feedback and Problems - RETIRED
13 Posts 3 Posters 14.1k Views
    jimp Rebel Alliance Developer Netgate
    last edited by Sep 1, 2010, 12:51 PM

    I haven't tried it myself, but I'm guessing this is the real problem:

    Sep 1 14:41:03    racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
    

    What do you have selected for encryption options in phase 2?

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

      armsby
      last edited by Sep 1, 2010, 1:05 PM Sep 1, 2010, 1:01 PM

      encryption_algorithm aes 256;
      authentication_algorithm hmac_sha1;

      but if that was the error then I don't see why it works with Mutual PSK, the only thing that changes is from Mutual PSK to Mutual PSK + xauth

      and they of course use the Peer identifier and Pre-Shared Key in Phase 1 instead of the ones under VPN: IPsec: Keys

      phase1 config under Mutual PSK:
      remote anonymous
      {
              ph1id 3;
              exchange_mode aggressive;
              my_identifier address 10.0.10.1;
              ike_frag on;
              generate_policy = on;
              initial_contact = on;
              nat_traversal = on;
              dpd_delay = 10;
              dpd_maxfail = 5;
              support_proxy on;
              proposal_check obey;
              passive on;
              proposal
              {
                      authentication_method pre_shared_key;
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      dh_group 2;
                      lifetime time 28800 secs;
              }
      }

      phase2 mutual PSK
      sainfo anonymous
      {
              remoteid 3;
              encryption_algorithm aes 256;
              authentication_algorithm hmac_sha1;
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }

      phase1 with Mutual PSK + xauth
      remote anonymous
      {
              ph1id 3;
              exchange_mode aggressive;
              my_identifier address 10.0.10.1;
              ike_frag on;
              generate_policy = unique;
              initial_contact = off;
              nat_traversal = on;
              dpd_delay = 10;
              dpd_maxfail = 5;
              support_proxy on;
              proposal_check claim;
              proposal
              {
                      authentication_method xauth_psk_server;
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      dh_group 2;
                      lifetime time 28800 secs;
              }
      }

      phase2 Mutual PSK + xauth
      sainfo subnet 10.0.80.0/24 any anonymous
      {
              remoteid 3;
              encryption_algorithm aes 256;
              authentication_algorithm hmac_sha1;
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }

        jimp Rebel Alliance Developer Netgate
        last edited by Sep 1, 2010, 2:32 PM

        Try changing the Proposal Checking drop-down. In mutual PSK, the default is obey, in MPSK+xauth, the default is claim.

        Try the different values there, see if any work for you.

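To make the side-by-side comparison armsby posted above mechanical, and to sanity-check the proposal_check setting jimp points at, here is an added example that is not part of the thread and not pfSense or racoon code: a small Python script that flattens racoon.conf-style `{ }` blocks into key paths, diffs the Mutual PSK and Mutual PSK + xauth fragments, and warns on a proposal_check value outside the four values racoon accepts (obey, strict, claim, exact, the four armsby reports trying) or on a phase 2 block that names no algorithms. The parser, the path naming scheme and the warning text are my own; the configuration text is condensed from what armsby posted. It assumes one `remote` and one `sainfo` block per fragment, which is all the thread shows.

```python
import re

# Constructed sample input (not output of any tool): the two racoon.conf
# fragments armsby quoted in the thread, condensed to a few lines each.
# Phase 1 'remote' block plus phase 2 'sainfo' block, Mutual PSK first.
PSK_CONF = """
remote anonymous {
    ph1id 3; exchange_mode aggressive; my_identifier address 10.0.10.1;
    ike_frag on; generate_policy = on; initial_contact = on; nat_traversal = on;
    dpd_delay = 10; dpd_maxfail = 5; support_proxy on; proposal_check obey;
    passive on;
    proposal { authentication_method pre_shared_key; encryption_algorithm 3des;
               hash_algorithm sha1; dh_group 2; lifetime time 28800 secs; }
}
sainfo anonymous {
    remoteid 3; encryption_algorithm aes 256; authentication_algorithm hmac_sha1;
    lifetime time 3600 secs; compression_algorithm deflate;
}
"""

XAUTH_CONF = """
remote anonymous {
    ph1id 3; exchange_mode aggressive; my_identifier address 10.0.10.1;
    ike_frag on; generate_policy = unique; initial_contact = off; nat_traversal = on;
    dpd_delay = 10; dpd_maxfail = 5; support_proxy on; proposal_check claim;
    proposal { authentication_method xauth_psk_server; encryption_algorithm 3des;
               hash_algorithm sha1; dh_group 2; lifetime time 28800 secs; }
}
sainfo subnet 10.0.80.0/24 any anonymous {
    remoteid 3; encryption_algorithm aes 256; authentication_algorithm hmac_sha1;
    lifetime time 3600 secs; compression_algorithm deflate;
}
"""

# The four proposal_check values armsby reports trying in the thread.
VALID_PROPOSAL_CHECK = ("obey", "strict", "claim", "exact")


def parse_racoon(text):
    """Flatten racoon.conf-style '{ }' blocks into {path: value}.

    Keys look like 'remote/proposal/authentication_method'.  The block header
    itself (e.g. 'sainfo subnet 10.0.80.0/24 any anonymous') is stored under
    '<block>/_header' so that a changed selector shows up in a diff.  Blocks
    are keyed by their first word, so this assumes one block of each kind
    per fragment (my simplification; the thread's fragments fit it).
    """
    text = re.sub(r"#.*", "", text)          # drop comments
    settings, stack, buf = {}, [], ""
    for ch in text:
        if ch == "{":
            header = buf.strip()
            stack.append(header.split()[0] if header else "block")
            settings["/".join(stack + ["_header"])] = header
            buf = ""
        elif ch == "}":
            stack.pop()
            buf = ""
        elif ch == ";":
            stmt, buf = buf.strip(), ""
            if stmt:
                # 'key value', 'key = value' and 'lifetime time 3600 secs'
                # all split into the first word and the rest.
                m = re.match(r"(\w+)\s*=?\s*(.*)", stmt, re.S)
                settings["/".join(stack + [m.group(1)])] = m.group(2).strip()
        else:
            buf += ch
    return settings


def diff_settings(a, b):
    """Sorted (path, value_in_a, value_in_b) for every setting that differs."""
    return [(k, a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def check_config(settings):
    """Sanity checks on one parsed fragment; returns a list of warning strings."""
    warnings = []
    pc = settings.get("remote/proposal_check")
    if pc is not None and pc not in VALID_PROPOSAL_CHECK:
        warnings.append(f"remote: unknown proposal_check '{pc}'")
    # jimp's first suspect was the phase 2 encryption selection, so flag a
    # sainfo block that names no algorithms at all.
    if "sainfo/_header" in settings:
        for alg in ("encryption_algorithm", "authentication_algorithm"):
            if not settings.get(f"sainfo/{alg}"):
                warnings.append(f"sainfo: no {alg} set")
    return warnings


if __name__ == "__main__":
    psk, xauth = parse_racoon(PSK_CONF), parse_racoon(XAUTH_CONF)
    for path, old, new in diff_settings(psk, xauth):
        print(f"{path}: {old!r} -> {new!r}")
    for w in check_config(psk) + check_config(xauth):
        print("warning:", w)
```

Run as-is, the diff lists the six things that change between the two modes in armsby's fragments: `generate_policy`, `initial_contact`, `passive` (present only in the PSK block), the proposal `authentication_method`, `proposal_check`, and the `sainfo` selector; neither fragment triggers a warning, which matches armsby's point that the phase 2 algorithms are set in both. Pointing `PSK_CONF` and `XAUTH_CONF` at two real racoon.conf files is a quick way to confirm a GUI change produced only the setting you intended.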
          armsby
          last edited by Sep 1, 2010, 5:00 PM

          I have now tried all 4 but none of them work,

          claim and obey gave the same result

          but strict and exact gave rejected authmethod

            jimp Rebel Alliance Developer Netgate
            last edited by Sep 2, 2010, 12:35 PM

            You might try leaving that at the default then.

            What VPN client are you using to connect, and how exactly is it configured?

              armsby
              last edited by Sep 2, 2010, 1:03 PM

              For the VPN client I am using vpnc from a machine running Ubuntu 10.04

              gateway is set to 10.0.10.1
              group: test
              user: vpn
              Encryption method: Secure (default)
              NAT-T enable

              IP setting automatic (VPN)

                jimp Rebel Alliance Developer Netgate
                last edited by Sep 2, 2010, 1:05 PM

                Is there a way to see what configuration file it writes out, so we can see exactly what options it's trying to use?

                  armsby
                  last edited by Sep 7, 2010, 5:47 AM

                  If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?

                    cmb
                    last edited by Sep 7, 2010, 7:37 PM

                    @armsby:

                        If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?

                    The client config

                      armsby
                      last edited by Sep 8, 2010, 5:59 AM

                      The only difference in my config between the 2 is Username=

                      [main]
                      Description=ipsec
                      Host=10.0.10.1
                      AuthType=1
                      GroupName=test
                      GroupPwd=
                      EnableISPConnect=0
                      ISPConnectType=0
                      ISPConnect=
                      ISPCommand=
                      Username=vpn
                      SaveUserPassword=0
                      EnableBackup=0
                      BackupServer=
                      EnableNat=1
                      CertStore=0
                      CertName=
                      CertPath=
                      CertSubjectName=
                      CertSerialHash=
                      DHGroup=2
                      ForceKeepAlives=0
                      enc_GroupPwd=
                      UserPassword=
                      enc_UserPassword=
                      NTDomain=
                      EnableMSLogon=0
                      MSLogonType=0
                      TunnelingMode=0
                      TcpTunnelingPort=10000
                      PeerTimeout=0
                      EnableLocalLAN=1
                      SendCertChain=0
                      VerifyCertDN=
                      EnableSplitDNS=1
                      SingleDES=0
                      SPPhonebook=
                      X-NM-Use-NAT-T=1
                      X-NM-Routes=10.0.70.0/24
