Netgate Discussion Forum
    Mutual PSK + XAuth Help

    Category: IPsec
    7 Posts, 2 Posters, 7.1k Views
    Technyne wrote:

      Hi,

      We are running 2.0 and can successfully connect using Shrew Soft with Mutual PSK, however when we try to implement X-Auth we get user auth failed. We have created new groups, used admin groups, created individual PSKs under the PSK tabs etc., and can't seem to get it to connect.

      We have racoon running in debug mode and will post logs if needed.

      Any tips or tricks would be greatly appreciated.

      Thanks in advance!

    lint wrote:

        You actually do not need to apply the user to the admins group, just permissions of "User - VPN - IPsec xauth Dialin."

        You will not be using the PSK tab in IPsec; you will use the User Manager to set a login/password.  The PSK will be configured in phase 1.

        Please post the IPsec log.

        I'm sure you've reviewed this page, but just in case: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    Technyne wrote:

          @lint:

          You actually do not need to apply the user to the admins group, just permissions of "User - VPN - IPsec xauth Dialin."

          You will not be using the PSK tab in IPsec; you will use the User Manager to set a login/password.  The PSK will be configured in phase 1.

          Please post the IPsec log.

          I'm sure you've reviewed this page, but just in case: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

          Hi Lint,

          We have our system configured exactly as that link shows. We created a VPN users group and granted that user group the dial-in permission. We then created a new user in the user manager and use the credentials to connect, which is where we get the error of "User Authentication Failed" in the Shrew Soft client. Below is a log from the standard mode; we will reset to debug mode and repost if needed.

          Nov 21 12:18:36	racoon: [173.57.XXX.XXX] ERROR: unknown Informational exchange received.
          Nov 21 12:18:36	racoon: INFO: login failed for user "interlock"
          Nov 21 12:18:36	racoon: ERROR: Port pool depleted
          Nov 21 12:18:36	racoon: ERROR: isakmp_cfg_config.port_pool == NULL
          Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: received INITIAL-CONTACT
          Nov 21 12:18:36	racoon: [Self]: INFO: ISAKMP-SA established 71.252.XXX.XXX[4500]-173.57.XXX.XXX[42751] spi:fbe2c5d200fe6eea:17dc078efa2bfd79
          Nov 21 12:18:36	racoon: INFO: Sending Xauth request
          Nov 21 12:18:36	racoon: INFO: NAT detected: ME PEER
          Nov 21 12:18:36	racoon: INFO: NAT-D payload #1 doesn't match
          Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Hashing 173.57.XXX.XXX[42751] with algo #2
          Nov 21 12:18:36	racoon: INFO: NAT-D payload #0 doesn't match
          Nov 21 12:18:36	racoon: [Self]: [71.252.XXX.XXX] INFO: Hashing 71.252.XXX.XXX[4500] with algo #2
          Nov 21 12:18:36	racoon: [Self]: INFO: NAT-T: ports changed to: 173.57.72.XXX[42751]<->71.252.XXX.XXX[4500]
          Nov 21 12:18:36	racoon: INFO: Adding xauth VID payload.
          Nov 21 12:18:36	racoon: [Self]: [71.252.XXX.XXX] INFO: Hashing 71.252.XXX.XXX[500] with algo #2
          Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Hashing 173.57.XXX.XXX[500] with algo #2
          Nov 21 12:18:36	racoon: INFO: Adding remote and local NAT-D payloads.
          Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Selected NAT-T version: RFC 3947
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: CISCO-UNITY
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: DPD
          Nov 21 12:18:36	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: RFC 3947
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
          Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Nov 21 12:18:36	racoon: INFO: begin Aggressive mode.
          Nov 21 12:18:36	racoon: [Self]: INFO: respond new phase 1 negotiation: 71.252.XXX.XXX[500]<=>173.57.XXX.XXX[500]
          
    lint wrote:

            ERROR: Port pool depleted
            

            Based on this part of the error message, I would set a Virtual Address Pool in the Mobile Clients tab under IPsec.  Just set the IP subnet that you were planning on using for VPNs.

            Then, in Shrew, you can set it to obtain the IP automatically.

            I bet that will fix the problem.

    Technyne wrote:

              @lint:

              ERROR: Port pool depleted
              

              Based on this part of the error message, I would set a Virtual Address Pool in the Mobile Clients tab under IPsec.  Just set the IP subnet that you were planning on using for VPNs.

              Then, in Shrew, you can set it to obtain the IP automatically.

              I bet that will fix the problem.

              That was it!

              Excellent!

              Based on this information I will write a tutorial for XAuth+IPSec road warrior VPN.

    Technyne wrote:

                Well,

                Now that we have the connectivity, how do we go about getting the local DNS entries to get to remote clients?

    Technyne wrote:

                  I've been searching and reading as much as possible but seem to have come up empty. Is there a way to push the local DNS entries to VPN clients over Shrew or am I spinning my wheels?

                  I can ping the hosts via IP but not via hostname.

                  Thanks,
                  Technyne

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.