IOS + RSA + xauth
-
Hi,
I've recently tried to set up VPN for our iOS devices on pfSense.
The IPsec + PSK works just fine, but I want to be able to use "VPN on-demand" in iOS. That means I need to use RSA (certificates) to be able to establish a VPN on-demand connection. I have attached my racoon.conf and the output of a failed connection attempt (running the command racoon -d -v -F -f /var/etc/racoon.conf in the shell).
If more files are needed for you to see the problem, please do not hesitate to ask for them. I'm in deep water here, since I've never tried certificate authentication before.
Thanks for all your help!
Regards
/Robin
racoon.conf.txt
racoon.log.txt -
Hi Robin, how did you get the IPsec to work on iOS? Any special steps to get it to work? I'm having major issues getting it to work (see my thread) and would love any help I can get.
/Björn -
Well, I don't know if this is what you're looking for, but this is my previous setup to get IPsec psk + xauth to work with iOS.
Phase 1:
Interface: WAN
Authentication method: Mutual PSK + Xauth
negotiation mode: aggressive
My identifier: My IP address
Peer identifier: User distinguished name (write something like vpn@site, this will be used as Group-name on iOS)
Pre-Shared Key: SomEthing0S3cret
I think I left the rest as default.
Phase 2:
Mode: Tunnel
Local Network: LAN subnet
The rest default, I think. Maybe Encryption, just AES 256, same on Phase 1 in that case.
Hash algorithms: SHA1
Mobile clients:
Virtual Address Pool: check "provide" and type in an unused subnet that the IPsec VPN users will use.
I also have provided DNS settings and checked "Network List" and "Save Xauth Password".
Also, FW rules provided for the IPsec interface. Allow everything.
I'm not sure if you need to forward any specific ports, as I haven't tried my pfsense behind a firewall, just directly connected to internet.
Good luck!
And hope anyone else may help me with my problem.. :)
Would be nice to have VPN On-Demand working on the iPhone/iPad. -
I'm working on the same problem - and (think) half way there…
What I've done until now:
Created one self-signed CA in System - Cert Manager
Created one self-signed User Certificate in System - User Manager - Users - Certificates
Now download .crt and .key for both certificates.
Install openssl on your windows machine.
Use openssl to convert .crt and .key to .p12 (command is: openssl pkcs12 -export -in pfSense.crt -inkey pfSense.key -out pfSense.p12)
Import .p12 certificates to Windows (CA into "Trusted Root Certificate Authorities" and user certificate to "Own Certificates") - make both exportable.
Install Apple iPhone Configuration Utility (http://support.apple.com/kb/DL1466?viewlocale=en_US)
Add a configuration profile:
1. section "common"
2. section "certificates" (Import CA and user certificate)
3. section "VPN"
Export the configuration profile and upload it to any webspace
Open the configuration file with iPhone (Safari).
Now the VPN profile is on your iPhone with certificate and VPN on demand.
BUT: I was not able to connect to pfSense with it, because I don't know the Phase1/Phase2 settings... >:(
But I think it's a good start for you. It would be great if you find the needed settings in pfSense and tell us. ;)
Best regards,
Thorsten
Edit: I also found something interesting (German only): http://manuals.info.apple.com/de_DE/Einsatz_in_Unternehmen.pdf
Starting on page 77 there is all the information on how to configure the server for IPsec/RSA. But I didn't get it to work -
I think i might had fucked it up with the certificates before. But now I've fixed that.
Still get the following in the log while trying to connect:
Feb 28 12:08:13 racoon: ERROR: phase1 negotiation failed due to time up. f4609f5ded51e7d0:42d4332ac6140f8c
Feb 28 12:07:45 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:45 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:41 racoon: ERROR: phase1 negotiation failed due to time up. add19f1658dea8ea:5a62dd906429b37c
Feb 28 12:07:34 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:34 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:23 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 28 12:07:23 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
Feb 28 12:07:23 racoon: [231.231.231.231] INFO: Hashing 231.231.231.231[500] with algo #2
Feb 28 12:07:23 racoon: INFO: NAT detected: PEER
Feb 28 12:07:23 racoon: INFO: NAT-D payload #1 doesn't match
Feb 28 12:07:23 racoon: [231.231.231.231] INFO: Hashing 231.231.231.231[500] with algo #2
Feb 28 12:07:23 racoon: INFO: NAT-D payload #0 verified
Feb 28 12:07:23 racoon: [Self]: [123.123.123.123] INFO: Hashing 123.123.123.123[500] with algo #2
Feb 28 12:07:22 racoon: INFO: Adding xauth VID payload.
Feb 28 12:07:22 racoon: [231.231.231.231] INFO: Selected NAT-T version: RFC 3947
Feb 28 12:07:22 racoon: INFO: received Vendor ID: DPD
Feb 28 12:07:22 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 28 12:07:22 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 28 12:07:22 racoon: INFO: received Vendor ID: RFC 3947
Feb 28 12:07:22 racoon: INFO: begin Identity Protection mode.
Feb 28 12:07:22 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>231.231.231.231[500]
Anyone know what's wrong? It's getting kind of annoying not having this working.. :(
As I said before, PSK works fine, but I want On Demand. -
Try to disable NAT-T.
What settings have you used in Phase 1 / Phase 2?!?!
-
Disable NAT-T ends up in this:
Feb 28 13:43:56 racoon: ERROR: phase1 negotiation failed due to time up. c25178ca6d2f7e34:496a9eb9de9daf91
Feb 28 13:43:37 racoon: INFO: Adding xauth VID payload.
Feb 28 13:43:37 racoon: INFO: received Vendor ID: DPD
Feb 28 13:43:37 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 28 13:43:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 28 13:43:37 racoon: INFO: received Vendor ID: RFC 3947
Feb 28 13:43:37 racoon: INFO: begin Identity Protection mode.
Feb 28 13:43:37 racoon: [Self]: INFO: respond new phase 1 negotiation: 193.33.218.3[500]<=>95.199.18.139[500]
I've tried a lot of different settings in Phase 1 & 2. I'm attaching screenshots of the latest configuration.
Thanks!
Edit:
Also, I do see some blocks in the System logs: Firewall for my client's IP to my remote VPN IP @ 4500/UDP. I've added a rule for this @ WAN interface, but they still show up as blocked in the firewall. Might this break something?
As I said, the PSK works.. Shouldn't it use the same ports?
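As an added example (not from any post in this thread), here is a Python script that parses racoon log lines like the two dumps above and maps the recurring messages to things to check: racoon logs "the length in the isakmp header is too big" when a datagram's declared ISAKMP length exceeds the bytes actually received, i.e. a truncated packet, which with certificate authentication usually means the large certificate-carrying IKE messages are being IP-fragmented and the fragments lost, and "NAT detected: PEER" means IKE continues on UDP/4500, the port the firewall log mentioned above shows being blocked. SAMPLE_LOG is constructed from the messages quoted above; the pfSense viewer prints newest first, so the parser re-sorts them.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: racoon messages quoted in this thread, in the
# newest-first order pfSense's log viewer shows them (not a live capture).
SAMPLE_LOG = """\
Feb 28 12:08:13 racoon: ERROR: phase1 negotiation failed due to time up. f4609f5ded51e7d0:42d4332ac6140f8c
Feb 28 12:07:45 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:45 racoon: ERROR: the length in the isakmp header is too big.
Feb 28 12:07:23 racoon: INFO: NAT detected: PEER
Feb 28 12:07:23 racoon: INFO: NAT-D payload #1 doesn't match
Feb 28 12:07:22 racoon: INFO: begin Identity Protection mode.
Feb 28 12:07:22 racoon: [Self]: INFO: respond new phase 1 negotiation: 123.123.123.123[500]<=>231.231.231.231[500]
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?:\[[^\]]+\]:? )*"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY): (?P<msg>.*)$"
)
SIGNATURES = {  # message fragments worth counting, tagged with their meaning
    "the length in the isakmp header is too big": "truncated ISAKMP datagram",
    "phase1 negotiation failed due to time up": "phase 1 timeout",
    "NAT detected: PEER": "client is behind NAT",
    "begin Identity Protection mode": "main mode negotiation",
}

def parse_racoon_log(text):
    events = []  # (timestamp, level, message) tuples, returned oldest first
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines from other daemons are skipped, not guessed at
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog: no year
            events.append((ts, m["level"], m["msg"]))
    return sorted(events, key=lambda e: e[0])

def diagnose(text):
    # count the known symptoms and turn them into concrete things to check
    events = parse_racoon_log(text)
    counts = Counter(tag for _, _, msg in events
                     for sig, tag in SIGNATURES.items() if sig in msg)
    findings = []
    if counts["truncated ISAKMP datagram"]:
        findings.append("IKE packets arrive shorter than their header claims: the "
                        "certificate exchange is being IP-fragmented and fragments dropped")
    if counts["client is behind NAT"]:
        findings.append("NAT-T in use: IKE and ESP move to UDP/4500, so a rule "
                        "for UDP/500 alone is not enough")
    if counts["phase 1 timeout"] and not counts["truncated ISAKMP datagram"]:
        findings.append("phase 1 timed out with no decode error: check proposal, "
                        "identifier and certificate settings")
    return {"events": len(events), "counts": dict(counts), "findings": findings}
```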
-
Did you finally get it to work? I really want this too. Please explain your way if you found out the settings! :)
-
I'm sorry, I haven't got it to work.
I reverted back to PSK for now. I might get into it sometime in the future, but right now I do not have the time.
Hope someone else might pick it up and write a nice tutorial, if it's even possible.
-
According to a comment here, it works using ipsec-tools 0.8 and IOS4 (his config is for Debian wheezy).
Note: Comment is in German.
Harry Comp says:
13. November 2011 at 14:06
Hello and thanks for the info.
Unfortunately, essential parts about racoon and network planning are missing here on the Internet.
The CA part is missing for me here too.
For info, just send an email.
I have a running instance and can only say that it was a long road to get there.
The Enterprise Guide already gives some hints regarding certificate handling.
So much for that.
Racoon:
CA and CRL handling is missing.
In the directory /etc/racoon/certs:
CA: ln -s ca.crt $(openssl x509 -noout -subject_hash -in ca.crt).0
CRL: ln -s crl.pem $(openssl crl -noout -hash -in crl.pem).r0
The host key must not contain a password. (xca asks for one on export)
Otherwise: openssl rsa -in host.key -out host.key.decr
Then mv host.key.decr host.key (in the directory /etc/racoon/certs)
What else has to be in the certs directory:
ca.crt
host.crt
host.key
crl.pem
client key+crt (all clients)
For cert handling I use xca (Debian package)
racoon version 0.8.x (Debian wheezy)
Regarding xca: for Issuer and CA, specify DNS:host.domain.com
The DNS RR should be resolvable. (See Enterprise integration guide)
iPhone with iOS 4+ now only does AES 256.
Working demo config:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;
listen {
  isakmp 192.168.200.1 [500]; #IP of gentoo box
  isakmp_natt 192.168.200.1 [4500];
  adminsock disabled;
}
remote anonymous {
  exchange_mode main,aggressive;
  my_identifier asn1dn;
  verify_identifier on;
  certificate_type x509 "host.crt" "host.key";
  ike_frag on; # use IKE fragmentation
  proposal_check claim;
  passive on;
  support_proxy on;
  generate_policy on; # automatically generate IPsec policies
  nat_traversal force; # always use NAT-T
  dpd_delay 20; # DPD poll every 20 seconds
  proposal {
    encryption_algorithm aes 256;
    hash_algorithm sha1;
    authentication_method xauth_rsa_server;
    dh_group 5;
  }
}
sainfo anonymous {
  lifetime time 1 hour;
  encryption_algorithm aes 256;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
mode_cfg {
  auth_source pam; # validate logins against PAM
  pool_size 20; # number of addresses in the VPN IP pool
  network4 192.168.1.100; # 1st address of VPN IPv4 pool
  netmask4 255.255.255.0;
  dns4 192.168.1.1; # IPv4 DNS server
  default_domain "domain.com";
  banner "/etc/racoon/motd";
  pfs_group 2;
}
Firewall arno-iptables-firewall:
/etc/arno-iptables-firewall/plugins/ipsec-vpn.conf
ENABLED=1
IPSEC_VPN_NETS="0/0"
IPSEC_ALLOWED_HOSTS="0/0"
IPSEC_NAT_TRAVERSAL=1
/etc/arno-iptables-firewall/debconf.cfg (excerpt)
DC_INT_IF="eth0" #(LAN)
DC_EXT_IF="eth2" #INTERNET INTERFACE (192.168.200.0/24)
DC_INTERNAL_NET="192.168.1.0/24"
DC_NAT_INTERNAL_NET="192.168.1.0/24"
IPHONE:
Configuration tool:
VPN (Cisco)
HOSTNAME: hostname as in the cert's DNS:
Account: fill in or not (as you like)
Device auth: cert
Import cert (export the client certificate from xca as p12 beforehand. Without cert chain !!!!)
Assign a password. (In the config tool -> cert, also store the password used for the export)
Activate on demand if needed. (See Enterprise Guide page 36 for options)
Hosts are matched from right to left.
So example.com also matches test.intern.example.com
Proxy: as you like.
ATTENTION !!!!! (CA part, before the profile is loaded onto the iPhone)
Provide the CA cert on a web server.
On the iPhone, browse to the site via Safari.
E.g. http://example.com/ca.crt
Then install it.
In the config tool a second profile then appears (under Devices)
After that the VPN profile can be loaded onto the iPhone.
This way the iPhone trusts your client cert.
Then browse to a page that matches in OnDemand.
Simply assign username/password on the host. (Via PAM; cp /etc/pam.d/sshd /etc/pam.d/racoon)
Then it just works.
Many thanks for your guide. It put me on the right track.
Ciao
Comp
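As an added example (my own code, not Harry Comp's or racoon's), here is a small parser for racoon.conf's statement-and-block syntax plus an audit of the settings that matter for RSA + xauth in the config above; SAMPLE_CONF is a constructed excerpt in that syntax with verify_identifier and ike_frag deliberately weakened so the audit has something to report. The required values and their reasons are taken from the posted config and the comment's note that iOS 4+ only does AES 256.

```python
import re

# Constructed excerpt in racoon.conf syntax, modelled on the config posted
# above but with two settings weakened so the audit has something to report.
SAMPLE_CONF = """\
remote anonymous {
    exchange_mode main,aggressive;
    verify_identifier off;   # weakened: peer ID is not checked against its cert
    ike_frag off;            # weakened: big cert payloads get IP-fragmented
    proposal {
        encryption_algorithm aes 256;
        authentication_method xauth_rsa_server;
    }
}
"""
def parse_racoon_conf(text):
    # racoon syntax: 'key value ...;' statements and 'name { ... }' blocks
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#.*", "", text))
    pos = 0
    def block():
        nonlocal pos
        node, stmt = {}, []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == ";":            # end of statement: first word is the key
                node[stmt[0]] = " ".join(stmt[1:]); stmt = []
            elif tok == "{":          # words so far name the nested block
                node[" ".join(stmt)] = block(); stmt = []
            elif tok == "}":
                return node
            else:
                stmt.append(tok.strip('"'))
        return node
    return block()
# (block path, key, required value, why it matters for RSA + xauth with iOS)
CHECKS = [
    (("remote anonymous",), "verify_identifier", "on", "peer ID must match its cert"),
    (("remote anonymous",), "ike_frag", "on", "avoid IP fragments of cert payloads"),
    (("remote anonymous", "proposal"), "authentication_method", "xauth_rsa_server", "RSA + xauth"),
    (("remote anonymous", "proposal"), "encryption_algorithm", "aes 256", "iOS 4+ wants AES-256"),
]
def audit(conf):
    # returns (key, found, required, reason) for every check that fails
    problems = []
    for path, key, want, why in CHECKS:
        node = conf
        for name in path:
            node = node.get(name, {})
        if node.get(key) != want:
            problems.append((key, node.get(key), want, why))
    return problems
```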