Netgate Discussion Forum
    Ipsec mobile clients in 2.0 not working?

    • A
      alexandrnew
      last edited by

      Hi!
      I updated the router to version 2.0. I had mobile clients set up. After the update it does not work. I tried a clean 2.0 system as well - it does not work either. Packets go from the clients but do not go from pfSense.

      My working config on 1.2.3:
      <ipsec>
        <preferredoldsa>
          <mobileclients>
            <enable>
              <p1>
                <mode>aggressive</mode>
                <myident><ufqdn>mob@it.local</ufqdn></myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>3600</lifetime>
                <private-key><cert><authentication_method>pre_shared_key</authentication_method></cert></private-key>
              </p1>
              <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>3600</lifetime>
              </p2>
              <dpddelay></dpddelay>
            </enable>
          </mobileclients>
          <mobilekey><ident>client@1</ident><pre-shared-key>sThwd</pre-shared-key></mobilekey>
          <mobilekey><ident>client@2</ident><pre-shared-key>hgfYDa</pre-shared-key></mobilekey>
          <enable><preferoldsa></preferoldsa></enable>
        </preferredoldsa>
      </ipsec>

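As an added example (not part of the original post or of pfSense itself), the script below reads the <ipsec> fragment posted above and reports the settings a reviewer would want to look at before migrating it: IKEv1 aggressive mode with pre-shared keys, legacy algorithms (3DES, MD5), 1024-bit DH groups, and short per-client PSKs. The forum has mangled the nesting of the fragment, so tags are located by name with `iter()` rather than by path. The 20-character PSK minimum is an assumed local policy, not a pfSense default.

```python
import xml.etree.ElementTree as ET

# The <ipsec> fragment exactly as posted in the thread (pfSense 1.2.3 mobile clients).
CONFIG_XML = """<ipsec><preferredoldsa><mobileclients><enable><p1><mode>aggressive</mode>
<myident><ufqdn>mob@it.local</ufqdn></myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>3600</lifetime>
<private-key><cert><authentication_method>pre_shared_key</authentication_method></cert></private-key></p1>
<p2><protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>3600</lifetime></p2>
<dpddelay></dpddelay></enable></mobileclients>
<mobilekey><ident>client@1</ident><pre-shared-key>sThwd</pre-shared-key></mobilekey>
<mobilekey><ident>client@2</ident><pre-shared-key>hgfYDa</pre-shared-key></mobilekey>
<enable><preferoldsa></preferoldsa></enable></preferredoldsa></ipsec>"""

LEGACY_CIPHERS = {"des", "3des", "blowfish", "cast128"}
LEGACY_HASHES = {"md5", "hmac_md5"}
WEAK_DH_GROUPS = {"1": "768-bit", "2": "1024-bit", "5": "1536-bit"}
MIN_PSK_LEN = 20  # assumed local policy for this example, not a pfSense default


def child_text(elem, tag):
    """Text of the first direct child <tag>, or '' if absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def audit_ipsec(xml_text):
    """Return a list of (section, finding) tuples for the posted-style <ipsec> fragment."""
    root = ET.fromstring(xml_text)
    findings = []

    for p1 in root.iter("p1"):
        auth = ""
        for a in p1.iter("authentication_method"):  # nested under private-key/cert in this format
            auth = (a.text or "").strip()
        if child_text(p1, "mode") == "aggressive" and auth == "pre_shared_key":
            findings.append(("p1", "aggressive mode with PSK: the PSK-derived auth hash is exchanged "
                                   "before encryption starts, so PSK strength is the only protection; "
                                   "use long PSKs, or certificates where main mode is possible"))
        enc = child_text(p1, "encryption-algorithm")
        if enc in LEGACY_CIPHERS:
            findings.append(("p1", f"legacy cipher {enc}; prefer AES"))
        h = child_text(p1, "hash-algorithm")
        if h in LEGACY_HASHES:
            findings.append(("p1", f"legacy hash {h}; prefer SHA-2"))
        dh = child_text(p1, "dhgroup")
        if dh in WEAK_DH_GROUPS:
            findings.append(("p1", f"DH group {dh} ({WEAK_DH_GROUPS[dh]}); prefer 2048-bit or larger"))

    for p2 in root.iter("p2"):
        for e in p2.findall("encryption-algorithm-option"):
            v = (e.text or "").strip()
            if v in LEGACY_CIPHERS:
                findings.append(("p2", f"legacy cipher {v} offered; prefer AES"))
        for e in p2.findall("hash-algorithm-option"):
            v = (e.text or "").strip()
            if v in LEGACY_HASHES:
                findings.append(("p2", f"legacy hash {v} offered; prefer SHA-2"))
        pfs = child_text(p2, "pfsgroup")
        if pfs in WEAK_DH_GROUPS:
            findings.append(("p2", f"PFS group {pfs} ({WEAK_DH_GROUPS[pfs]}); prefer 2048-bit or larger"))

    for key in root.iter("mobilekey"):
        ident, psk = child_text(key, "ident"), child_text(key, "pre-shared-key")
        if len(psk) < MIN_PSK_LEN:
            findings.append(("mobilekey", f"{ident}: PSK is {len(psk)} characters, below {MIN_PSK_LEN}"))

    return findings


if __name__ == "__main__":
    for section, finding in audit_ipsec(CONFIG_XML):
        print(f"[{section}] {finding}")
```

Run against the posted fragment it prints eight findings: the aggressive-mode/PSK combination, 3DES in both phases, hmac_md5 offered in phase 2, DH/PFS group 2, and the two short client keys.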
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Try changing the proposal checking to "obey"

        Are the clients other routers, or software clients?

        2.0 Mobile IPsec works for me, but I've only been using it with Android and iOS clients lately.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • A
          alexandrnew
          last edited by

          @jimp:

          Try changing the proposal checking to "obey"
          Are the clients other routers, or software clients?
          2.0 Mobile IPsec works for me, but I've only been using it with Android and iOS clients lately.

          Tried it - not working.
          The clients are other routers.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Probably you're hitting this then:

            http://redmine.pfsense.org/issues/1351

            You can convert your "mobile" clients to real tunnels using dyndns hostnames as their peer addresses, rather than relying on mobile tunnels.

            It works fine that way.

            • A
              alexandrnew
              last edited by

              The clients do not have real IPs... and I have more than 400 clients.

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Not sure what to tell you then - that isn't a standard type of deployment, and anyone else hitting it moved on to real tunnels or OpenVPN. It's on the list to be fixed, but as far as I'm aware there aren't any real leads on a fix yet.

                • A
                  alexandrnew
                  last edited by

                  Any ideas?
                  My configuration, working on 1.2.3, and the client:

                  [attached screenshots: ipsec-mobileclients-1.2.3_2.jpg, psk.jpg, ipsec-mobileclients-1.2.3.jpg]

                  • A
                    alexandrnew
                    last edited by

                    Client: D-Link 804

                    [attached screenshots: client-dlink804-1.jpg, client-dlink804-2.jpg, client-dlink804-3.jpg]

                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      We have an idea - it's a known issue - but no leads on a fix.

                      We have all the info we need already from others, but the info we really need (if you want to provide more) is the contents of:

                      /var/etc/racoon.conf
                      /var/etc/spd.conf

                      And the output of:
                      setkey -D
                      setkey -DP

                      And the IPs involved at the connection at the time, plus the ipsec log details (it's probably just saying it can't locate an SA, even though it looks like one exists)

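The diagnosis jimp describes (the log says it cannot locate an SA although one appears to exist) comes down to comparing the policies in `setkey -DP` with the security associations in `setkey -D`. As an added example, not from the thread or from pfSense, the script below parses both outputs and reports every tunnel policy that has no mature SA on exactly its endpoints. The sample outputs are constructed: the inbound SA from the client (203.0.113.10) to pfSense (198.51.100.1) exists, but the only outbound SA points at a stale client address (203.0.113.77), which matches the symptom in the first post of traffic arriving from the clients but not leaving pfSense.

```python
import re
from dataclasses import dataclass

# Constructed `setkey -D` sample (SA database), not captured from the thread's router.
SETKEY_D = """\
203.0.113.10 198.51.100.1
\tesp mode=tunnel spi=189043522(0x0b448b42) reqid=16385(0x00004001)
\tE: 3des-cbc  0a1b2c3d 4e5f6071 8293a4b5 c6d7e8f9 0a1b2c3d 4e5f6071
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jun 10 12:00:00 2011\tcurrent: Jun 10 12:05:00 2011
\tsadb_seq=1 pid=1234 refcnt=1
198.51.100.1 203.0.113.77
\tesp mode=tunnel spi=2837659924(0xa9224114) reqid=16385(0x00004001)
\tE: 3des-cbc  f9e8d7c6 b5a49382 71605f4e 3d2c1b0a f9e8d7c6 b5a49382
\tA: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=0 pid=1234 refcnt=1
"""

# Constructed `setkey -DP` sample (security policy database).
SETKEY_DP = """\
192.168.10.0/24[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.10-198.51.100.1/unique#16385
\tspid=2 seq=1 pid=1234
\trefcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.10/unique#16385
\tspid=1 seq=0 pid=1234
\trefcnt=1
"""

SA_RULE = re.compile(r"^(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\S+)")
SA_STATE = re.compile(r"state=(\w+)")
SPD_DIR = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)\b")
SPD_RULE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^-/]+)-([^/]+))?/(\S+)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: str = ""
    state: str = ""


@dataclass
class Policy:
    selector: str
    direction: str = ""
    action: str = ""
    proto: str = ""
    mode: str = ""
    src: str = ""
    dst: str = ""
    level: str = ""


def parse_sad(text):
    """Parse `setkey -D`: an unindented 'src dst' line starts each SA, indented lines describe it."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            cur = SA(parts[0], parts[1])
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_RULE.match(line.strip())
        if m:
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), m.group(3)
        m = SA_STATE.search(line)
        if m:
            cur.state = m.group(1)
    return sas


def parse_spd(text):
    """Parse `setkey -DP`: an unindented selector line starts each policy."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            cur = Policy(selector=line.strip())
            policies.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = SPD_DIR.match(s)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = SPD_RULE.match(s)
        if m:
            cur.proto, cur.mode = m.group(1), m.group(2)
            cur.src, cur.dst = m.group(3) or "", m.group(4) or ""
            cur.level = m.group(5)
    return policies


def find_missing_sas(sas, policies):
    """Return (policy, problem) for each tunnel policy lacking a mature SA on its exact endpoints."""
    mature = {(sa.src, sa.dst, sa.proto, sa.mode) for sa in sas if sa.state == "mature"}
    findings = []
    for p in policies:
        if p.action != "ipsec" or p.mode != "tunnel":
            continue
        if (p.src, p.dst, p.proto, p.mode) in mature:
            continue
        same_pair = [sa for sa in sas if (sa.src, sa.dst) == (p.src, p.dst)]
        if same_pair:
            problem = f"SA {p.src}->{p.dst} exists but is in state {same_pair[0].state}"
        else:
            related = [f"{sa.src}->{sa.dst}" for sa in sas if {sa.src, sa.dst} & {p.src, p.dst}]
            problem = (f"no mature SA for {p.src}->{p.dst}; SAs involving these addresses: "
                       + (", ".join(related) or "none"))
        findings.append((p, problem))
    return findings


if __name__ == "__main__":
    for policy, problem in find_missing_sas(parse_sad(SETKEY_D), parse_spd(SETKEY_DP)):
        print(f"{policy.direction} {policy.selector}: {problem}")
```

On the sample data the inbound policy is satisfied and the outbound one is reported, with the stale 198.51.100.1->203.0.113.77 SA listed as the "looks like one exists" candidate; on a real box, feed it the two captured outputs and check that the reported endpoints agree with the peer addresses in the IPsec log.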
                      • A
                        alexandrnew
                        last edited by

                        From 1.2.3 or 2.0?

                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          2.0

                          • A
                            alexandrnew
                            last edited by

                            In the attached files: the IPsec log in debug mode, /var/etc/racoon.conf, /var/etc/spd.conf, setkey -D and setkey -DP.
                            Files: 1.2.3 - worked
                            pfSense - only updated
                            pfSense updated + NAT-T disabled

                            In all variants the client settings were not changed.

                            [1.2.3 -worked.txt](/public/imported_attachments/1/1.2.3 -worked.txt)
                            [pfsense - updated.txt](/public/imported_attachments/1/pfsense - updated.txt)
                            [disable nat-t on pfsense.txt](/public/imported_attachments/1/disable nat-t on pfsense.txt)

                            • A
                              alexandrnew
                              last edited by

                              jimp, I can send you the username / password for the client and pfSense in a PM.

                              • A
                                alexandrnew
                                last edited by

                                up

                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by

                                  It's already a known issue and the solution will not be fast. Just keep an eye on the ticket for any updates.

                                  • A
                                    alexandrnew
                                    last edited by

                                    @jimp:

                                    Just keep an eye on the ticket for any updates.

                                    Where should I watch for updates? Or will they be visible in pfSense?

                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by

                                      On the ticket. If any progress is made, someone will update that ticket.

                                      • L
                                        limecat
                                        last edited by

                                        jimp, can you clarify whether this is likely to be the same issue as this:
                                        http://forum.pfsense.org/index.php/topic,41631.0.html

                                        and if so, would the same information you asked for here be relevant? I would really like to help however possible to see this resolved.

                                        Thanks.

                                        • A
                                          alexandrnew
                                          last edited by

                                          In 2.0.1 it is not working, and NAT-T is not working either...

                                          • B
                                            boogieshafer
                                            last edited by

                                            I was having problems with 2.0 and 2.1 for Shrew IPsec clients where the initial connection would work fine, but later subsequent connections would seem to connect and then fail to pass data.

                                            I tried disabling NAT-T and DPD as suggested elsewhere in this forum, but the ultimate fix was to set up pfSense and the Shrew client per the typical "road warrior" configs,

                                            e.g. http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

                                            with the EXCEPTION of setting the P1 Proposal Generation to "Unique" instead of "Default".

                                            [That setting change is noted in the redmine link mentioned in this thread, but it's in a slightly different context of multiple clients coming from the same NAT network.]

                                            Anyway, since making that change, I haven't seen the problem where later reconnects fail, and there is no need to disable NAT-T and DPD.

                                            Maybe that setting will work for you.
