Netgate Discussion Forum
    IPsec

    2.2 Snapshot Feedback and Problems - RETIRED
jimp (Rebel Alliance Developer, Netgate):

      There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

jimp (Rebel Alliance Developer, Netgate):

        In short:

        • Snap from this morning can't have more than one concurrent user connected, fixed now
        • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
        • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
        • If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)

charliem:

[2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime
Mon May 19 13:13:23 CDT 2014
[2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki
exec: /usr/local/bin/pki: not found
[2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki
[2.2-ALPHA][root@pfsense.localdomain]/root(7):

Is this intentional? Any valid reason not to include it?

eri--:

Added; it was mostly an oversight.

Though why one would need it in a GUI environment is beyond me.

jimp (Rebel Alliance Developer, Netgate):

              @jimp:

              • Snap from this morning can't have more than one concurrent user connected, fixed now

              Fixed on current snaps.

              @jimp:

              • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).

              Should be fixed on the next new snaps.

              @jimp:

              • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local

              That appears to be a difference in how strongswan and racoon operate mobile connections. It's going to be required to add that manually unless we add an option to automatically add it.

              Also L2TP+IPsec is almost working. More on that later.

charliem:

                @ermal:

Though why one would need it in a GUI environment is beyond me.

So newbies like me can follow how-tos on the 'net, trying to learn :)

charliem:

Thanks for working on this. I'm seeing the following (ask for more details if needed):

                  • banner doesn't appear (shrewsoft client, banner appeared with racoon)
                  • re-auth fails, client is oblivious (psk road warrior config)
                  • No SAs or SPs appear on the web gui when connected
                  • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

Let me know if there is any particular testing or other info you need! I'm pretty new to IPsec, just trying to get my 2.1 config working under 2.2.

BTW, the change to weakswan under psk aggressive is a strong motivator to learn a proper config...

jimp (Rebel Alliance Developer, Netgate):

                    @charliem:

                    • banner doesn't appear (shrewsoft client, banner appeared with racoon)

                    It shows up for me. Are you sure you're on a current snapshot?
                    Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

                    @charliem:

                    • re-auth fails, client is oblivious (psk road warrior config)

                    re-auth when? When the P1 expires? Or when the server restarts?

                    @charliem:

                    • No SAs or SPs appear on the web gui when connected

That's expected at the moment; there's a ticket open. Those tabs may go away, since all the info is on the first tab, where there's a button under each connection to view the child SAs.

                    @charliem:

                    • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

                    What does that mean? Using the key id or IP address where on the client/server?

charliem:

                      @jimp:

                      @charliem:

                      • banner doesn't appear (shrewsoft client, banner appeared with racoon)

                      It shows up for me. Are you sure you're on a current snapshot?
                      Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

                      Current as of last night

                      @jimp:

                      @charliem:

                      • re-auth fails, client is oblivious (psk road warrior config)

                      re-auth when? When the P1 expires? Or when the server restarts?

                      When P1 expires:

                      May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]…173.15.aa.bb[10.5.60.58]
                      May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s
                      May 21 10:33:46 pfsense charon: 01[IKE] maximum IKE_SA lifetime 3368s
                      .
                      .
                      .
                      May 21 11:20:06 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:20:26 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:20:26 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:20:46 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:20:46 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested  <== 2828 sec expires here
                      May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
                      May 21 11:20:54 pfsense charon: 16[IKE] IKE_SA con1-1[4] will timeout in 9 minutes
                      May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
                      May 21 11:20:54 pfsense charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c3d88eca and reqid {1}
                      May 21 11:20:54 pfsense charon: 11[ENC] generating QUICK_MODE request 2100136337 [ HASH SA No ID ID ]
                      May 21 11:20:54 pfsense charon: 11[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:20:58 pfsense charon: 16[IKE] sending retransmit 1 of request message ID 2100136337, seq 1
                      May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
                      May 21 11:20:58 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:21:06 pfsense charon: 16[IKE] sending retransmit 2 of request message ID 2100136337, seq 1
                      May 21 11:21:06 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 2 of request message ID 2100136337, seq 1
                      May 21 11:21:06 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:21:19 pfsense charon: 16[IKE] sending retransmit 3 of request message ID 2100136337, seq 1
                      May 21 11:21:19 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 3 of request message ID 2100136337, seq 1
                      May 21 11:21:19 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:21:38 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:21:38 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:21:42 pfsense charon: 16[IKE] sending retransmit 4 of request message ID 2100136337, seq 1
                      May 21 11:21:42 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 4 of request message ID 2100136337, seq 1
                      May 21 11:21:42 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:21:42 pfsense charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI c71c158f and reqid {1}
                      May 21 11:22:01 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:22:01 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:22:21 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:22:21 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:22:24 pfsense charon: 01[IKE] sending retransmit 5 of request message ID 2100136337, seq 1
                      May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
                      May 21 11:22:24 pfsense charon: 01[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                      May 21 11:22:43 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:22:43 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:23:03 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:23:03 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:23:23 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:23:23 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                      May 21 11:23:39 pfsense charon: 16[IKE] giving up after 5 retransmits
                      May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
                      May 21 11:23:39 pfsense charon: 16[IKE] unable to reestablish IKE_SA due to asymmetric setup
                      May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
                      May 21 11:23:39 pfsense charon: 16[KNL] unable to delete SAD entry with SPI ca40ad92: No such file or directory (2)
May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline

                      @charliem:

                      • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

                      What does that mean? Using the key id or IP address where on the client/server?

On pfSense I have to configure PSK entries for the IP addresses, and configure the Shrew Soft client to use 'ip address (discovered remote host address)'. Can't get 'key id' to work. I'll pay more attention and give better details, or set up proper certs.

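The charon excerpt above is the kind of log an operator has to read by hand to tell a client that quietly stopped reauthenticating from a server-side fault. The following is an added example, not code from this thread, from pfSense or from strongSwan: a small triage helper that parses charon syslog lines of the shape quoted above, keys them by their `<conn|sa>` tag, and turns the reauth deadline, retransmit exhaustion and "went offline" messages into per-SA findings. The sample log is a constructed, trimmed copy of the post's own lines (same masked addresses); the handling of untagged duplicates assumes pfSense's double logging (plain line plus tagged line) visible in the excerpt.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed from the charon lines quoted in the post above.
# pfSense logs most charon messages twice, plain and tagged with <conn|sa>;
# the parser keys on the tagged form and ignores untagged duplicates.
SAMPLE_LOG = """\
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]...173.15.aa.bb[10.5.60.58]
May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s
May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>)?(?P<msg>.*)$"
)
# strongSwan writes "local[id]...remote[id]"; the forum rendered the three
# dots as an ellipsis character, so accept either spelling.
ESTABLISHED_RE = re.compile(
    r"established between (?P<local>\S+?)\[[^\]]*\](?:\.\.\.|\u2026)"
    r"(?P<remote>\S+?)\[(?P<remote_id>[^\]]*)\]"
)
LEASE_RE = re.compile(r"lease (?P<ip>\S+) by '(?P<id>[^']+)' went offline")


def parse_ts(raw: str) -> datetime:
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # harmless because we only subtract timestamps from the same capture.
    return datetime.strptime(raw, "%b %d %H:%M:%S")


@dataclass
class IkeSaState:
    conn: str
    sa: int
    peer_addr: Optional[str] = None
    peer_id: Optional[str] = None
    reauth_due: Optional[datetime] = None        # when charon expected reauth
    reauth_failed_at: Optional[datetime] = None  # "did not reauthenticate"
    hard_timeout: Optional[datetime] = None      # "will timeout in N minutes"
    retransmits: int = 0
    gave_up_at: Optional[datetime] = None
    reestablish_error: Optional[str] = None
    lease_released: Optional[Tuple[str, datetime]] = None

    def verdict(self) -> str:
        if self.gave_up_at is not None:
            return "peer-silent"    # no reauth and no rekey reply: SA is dead
        if self.reauth_failed_at is not None:
            return "reauth-missed"  # deadline passed, charon still waiting
        return "ok"

    def findings(self) -> List[str]:
        out = []
        if self.reauth_due and self.reauth_failed_at:
            slip = (self.reauth_failed_at - self.reauth_due).total_seconds()
            out.append(f"reauth deadline {self.reauth_due:%H:%M:%S} missed "
                       f"(logged {slip:+.0f}s from schedule)")
        if self.gave_up_at:
            out.append(f"gave up at {self.gave_up_at:%H:%M:%S} after "
                       f"{self.retransmits} retransmits: {self.reestablish_error}")
        if self.lease_released:
            ip, ts = self.lease_released
            out.append(f"virtual IP {ip} released at {ts:%H:%M:%S}")
        return out


def analyze(log_text: str) -> Dict[str, IkeSaState]:
    sas: Dict[str, IkeSaState] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if m["conn"] is None:
            # Untagged lines duplicate tagged ones, except the CFG lease
            # message, which is tied back to the SA through the peer's ID.
            lease = LEASE_RE.match(msg)
            if lease:
                for st in sas.values():
                    if st.peer_id == lease["id"]:
                        st.lease_released = (lease["ip"], ts)
            continue
        key = f"{m['conn']}[{m['sa']}]"
        st = sas.setdefault(key, IkeSaState(m["conn"], int(m["sa"])))
        if (e := ESTABLISHED_RE.search(msg)):
            st.peer_addr, st.peer_id = e["remote"], e["remote_id"]
        elif (r := re.search(r"scheduling reauthentication in (\d+)s", msg)):
            st.reauth_due = ts + timedelta(seconds=int(r[1]))
        elif "initiator did not reauthenticate" in msg:
            st.reauth_failed_at = ts
        elif (r := re.search(r"will timeout in (\d+) minutes", msg)):
            st.hard_timeout = ts + timedelta(minutes=int(r[1]))
        elif (r := re.search(r"sending retransmit (\d+) of", msg)):
            st.retransmits = max(st.retransmits, int(r[1]))
        elif re.search(r"giving up after \d+ retransmits", msg):
            st.gave_up_at = ts
        elif msg.startswith("unable to reestablish IKE_SA"):
            st.reestablish_error = msg
    return sas


if __name__ == "__main__":
    for key, st in analyze(SAMPLE_LOG).items():
        print(f"{key} peer={st.peer_addr} id={st.peer_id}: {st.verdict()}")
        for finding in st.findings():
            print("  -", finding)
```

Run against the sample, the helper confirms the annotation in the post: 10:33:46 plus 2828 s is exactly 11:20:54, the timestamp of "initiator did not reauthenticate", and the SA is given up 165 s later with the virtual IP lease released in the same second. A "peer-silent" verdict with the reauth deadline met on the second points at the client side, which matches jimp's reading; a "reauth-missed" verdict with no retransmits would instead suggest the server never tried to rekey.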
jimp (Rebel Alliance Developer, Netgate):

                        It works for me using an ID, though I use "User FQDN" as the type. My "mobile" config is the same as what we have documented on the doc wiki for mobile IPsec on 2.x, since we are trying to ensure a smooth transition using the same settings as before.

                        The reauth bit looks like the client didn't do what it should. I'm not sure what the server can do there to help, if anything.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.