Netgate Discussion Forum
    Unable to use MutualPSK+xauth with Aggressive Mode PSK

      TomTheOne

      Hi all,

      I am trying to dial in to a network as described here:
      https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      I was using this how-to with version 2.1.5-RELEASE (i386) successfully.

      Now I have a new version on another box: 2.2.4-RELEASE (amd64).
      I tried the same setup, but I get the error message below in the logs:

      charon: 11[ENC] generating INFORMATIONAL_V1 request 1773405528 [ N(AUTH_FAILED) ]
      charon: 11[IKE] Aggressive Mode PSK disabled for security reasons

      I searched the web and found out that there were some modifications regarding the IPsec service.
      It seems the IPsec service is now called strongSwan.

      I found a hint regarding the old behavior:
      https://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html

      Alright, I would like to degrade my box to a weakswan box. I need this compatibility for several reasons.
      I searched the config file on the pfSense box at /var/etc/ipsec/strongswan.conf, and what do I see? The config entry is already there:

      i_dont_care_about_security_and_use_aggressive_mode_psk=yes

      (okay, there is no space before or after the equals sign, but I think this is not a big deal)

      What the hell is preventing the box from behaving like the old 2.1.5 release?

      If someone has already found a solution, I would very much appreciate it if you shared it.

      A good week and best regards
      Tom

        cmb

        That usually means you don't have aggressive configured on the phase 1. I have noticed at times strongSwan doesn't want to enable its i_dont_care_about_security_use_aggressive_mode_psk until it gets a stop/start, and we only reload it on config changes, so you might want to stop, then start, that under Status > Services.

          TomTheOne

          Hi cmb,

          Thanks for your feedback.

          That usually means you don't have aggressive configured on the phase 1

          I have aggressive configured on the phase 1; I cross-checked that.

          I have noticed at times strongswan doesn't want to enable its i_dont_care_about_security_use_aggressive_mode_psk until it gets a stop/start and we only reload it on config changes, so you might want to stop, then start, that under Status>Services.

          I have stopped/started the service about 200 times; I also rebooted the box. As additional information:
          in the system log I had this entry every time I tried to establish a connection:

          php-fpm[8492]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.

          The entry did not go away after a reboot of the box, but the IPsec log entry "Aggressive Mode PSK disabled for security reasons" remains.

          Regarding this post: https://forum.pfsense.org/index.php?topic=85367.0
          I expected a reboot would solve my problem, but it didn't :-(

          Best regards,
          Tom

            TomTheOne

            Update:

            I removed the whole mobile client configuration incl. phase1/2 configuration.

            Now the old friend came back in the system log:
              php-fpm[45547]: /status_services.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.

            And the other old friend in the ipsec log came back as well:
              charon: 13[IKE] Aggressive Mode PSK disabled for security reasons

            To me it looks like the i_dont_care_about_security_and_use_aggressive_mode_psk option does not work as expected.

              TomTheOne

              Final:

              If the box is restarted, I get these records in the system log:

              Sep 22 22:51:03 php-fpm[78405]: /vpn_ipsec_mobile.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
              Sep 22 22:51:03 check_reload_status: Reloading filter
              Sep 22 22:50:18 check_reload_status: Syncing firewall
              Sep 22 22:49:07 php-fpm[73737]: /status_services.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
              Sep 22 22:49:07 check_reload_status: Reloading filter
              Sep 22 22:49:07 php-fpm[73737]: /status_services.php: Forcefully reloading IPsec
              Sep 22 22:46:56 php-fpm[67267]: /diag_ipsec.php: Successful login for user 'admin' from: w.x.y.z
              Sep 22 22:46:56 php-fpm[67267]: /diag_ipsec.php: Successful login for user 'admin' from: w.x.y.z
              Sep 22 22:44:24 php-fpm[67267]: /rc.start_packages: Restarting/Starting all packages.
              Sep 22 22:44:23 check_reload_status: Starting packages
              Sep 22 22:44:23 php-fpm[245]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - w.x.y.z -> w.x.y.z  - Restarting packages.
              (…)

              If I try to establish an IPsec connection, I get this record logged in the IPsec log:

              Sep 22 21:45:35 charon: 13[NET] sending packet: from w.x.y.z [500] to w.x.y.z [41095] (56 bytes)
              Sep 22 21:45:35 charon: 13[ENC] generating INFORMATIONAL_V1 request 2643803158 [ N(AUTH_FAILED) ]
              Sep 22 21:45:35 charon: 13[IKE] Aggressive Mode PSK disabled for security reasons
              Sep 22 21:45:34 charon: 13[IKE] w.x.y.z is initiating a Aggressive Mode IKE_SA
              Sep 22 21:45:34 charon: 13[IKE] w.x.y.z is initiating a Aggressive Mode IKE_SA
              Sep 22 21:45:34 charon: 13[IKE] received DPD vendor ID
              Sep 22 21:45:34 charon: 13[IKE] received Cisco Unity vendor ID
              Sep 22 21:45:34 charon: 13[IKE] received XAuth vendor ID
              (…)

              This does not make sense to me, because:

              a) the system tells me that the insecure configuration will be activated, but then
              b) the insecure configuration is still not allowed.

              confused

                cmb

                @TomTheOne:

                To me: It looks like the i_dont_care_about_security_and_use_aggressive_mode_psk-option does not work as expected.

                It most definitely works as expected; there are many, many people using configs that require that option.

                Guessing maybe there is another reason for AUTH_FAILED and that log's misleading. Make sure identifiers match, PSK, etc.

                What's the client you're using?

                  TomTheOne

                  Hi cmb,

                  Guessing maybe there is another reason for AUTH_FAILED and that log's misleading. Make sure identifiers match, PSK, etc.

                  OK. I'm in the situation that I can use versions 2.1.5 and 2.2.4 in parallel on different static, public IPs. I did double-check every setting against the 2.1.5 version on both sides: firewall and client. I've spent ~6 hours cross-checking every setting again and again on both sides. I came to the conclusion that the settings are correct (or the same).

                  It most definitely works as expected, there are many, many people using configs that require that option.

                  I'm not sure if this statement is correct; here is another person with the same or a similar issue.
                  https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/
                  At the end of the article are some comments with suggested modifications; those suggestions do not work here.
                  Those suggestions are not part of the article yet, and the warning at the top of the page remains.

                  What's the client you're using?

                  I'm using/testing with the latest iOS 8.x & Shrew Soft VPN Client Standard 2.2.2.

                  What can I do? I can try to downgrade the 2.2.4 version to 2.1.5 and test again. Probably another try would be to downgrade to the i386 version of 2.2.4 and try again.

                  Update:

                  • I tried MutualPSK in main mode with the Shrew Soft client; this is working fine but does not work on iOS.
                  • There is no chance to use MutualPSK + XAuth in aggressive mode: I'll end up here: [IKE] Aggressive Mode PSK disabled for security reasons

                  If you have additional suggestions, please let me know.

                  Have a good week,
                  Tom

                    TomTheOne

                    I'm not sure, but is it possible that the } character is missing in the charon section of /var/etc/ipsec/strongswan.conf, so that (probably) the setting becomes invalid?

                    ![2015-09-23 09_07_51-Diagnostics_ Edit file.png](/public/imported_attachments/1/2015-09-23 09_07_51-Diagnostics_ Edit file.png)

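One way to check the suspicion raised in the last post, as an added illustration rather than pfSense's or strongSwan's own code: a small parser for the `section { key = value }` syntax of strongswan.conf that reports unbalanced braces and whether the option discussed in this thread actually sits inside the charon section. The sample configs are constructed, not copied from a real box.

```python
import re

# Option name from the thread (pfSense writes it into /var/etc/ipsec/strongswan.conf).
OPTION = "i_dont_care_about_security_and_use_aggressive_mode_psk"

_SECTION_RE = re.compile(r"^\s*([\w.-]+)\s*\{\s*$")   # e.g. "charon {"
_KV_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")  # "key = value" or "key=value"


def parse_strongswan_conf(text):
    """Return (settings, problems): settings maps dotted keys such as
    'charon.load' to their values; problems lists unbalanced braces and
    lines that could not be parsed (a key set after a stray '}' lands at top level)."""
    settings, problems, stack = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: '}}' without an open section")
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = _KV_RE.match(line)
        if m:
            settings[".".join(stack + [m.group(1)])] = m.group(2)
            continue
        problems.append(f"line {lineno}: unparsed: {line!r}")
    for name in stack:
        problems.append(f"section '{name}' is never closed (missing '}}')")
    return settings, problems


def aggressive_psk_enabled(text):
    """True only when the option is 'yes' inside the charon section and the
    braces balance, i.e. when charon would actually honour the setting."""
    settings, problems = parse_strongswan_conf(text)
    return settings.get(f"charon.{OPTION}") == "yes" and not problems


# Constructed samples (hypothetical, not from any real box).
GOOD = f"charon {{\n  load = aes sha1 sha2 hmac\n  {OPTION}=yes\n}}\n"
BAD_UNCLOSED = f"charon {{\n  load = aes sha1 sha2 hmac\n  {OPTION}=yes\n"    # closing '}' missing
BAD_OUTSIDE = f"charon {{\n  load = aes sha1 sha2 hmac\n}}\n{OPTION}=yes\n"  # option set at top level

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("unclosed", BAD_UNCLOSED), ("outside", BAD_OUTSIDE)):
        print(name, aggressive_psk_enabled(cfg), parse_strongswan_conf(cfg)[1])
```

Running it on the three samples shows that both a missing `}` and an option placed after the closing brace leave the setting ineffective, which matches the symptom of the warning being logged while charon still refuses aggressive-mode PSK.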