Security Settings Problems.
I've been playing around with IPSec the past couple of weeks. I've managed to find settings that will work with both the Windows Shrew Soft client and my Android device. However, the security of these settings is lower than I would like. When I try to increase the level of security my Android device fails to connect, and my laptop client connects with some settings and not with others. I have also been testing Mutual RSA + Xauth and can't seem to get it to work at all.
When connecting through my laptop it is always through a remote network with Shrew Soft VPN Client version 2.2.2.
My Android phone is currently running version 4.4. Here are the settings that work fine:
pfSense

Phase 1
  Internet Protocol: IPv4
  Interface: WAN
  Authentication Method: Mutual PSK + Xauth
  My Identifier: My IP address
  Peer Identifier: User distinguished name
  Pre-Shared Key: ***
  Policy Generation: Unique
  Proposal Checking: Obey
  Encryption Algorithm: AES 256
  Hash Algorithm: SHA1
  DH Key Group: 2 (1024)
  Lifetime: 3600
  NAT Traversal: Force
  Dead Peer Detection: disabled

Phase 2
  Mode: Tunnel IPv4
  Local Network: LAN Subnet
  NAT/BINAT: None
  Protocol: ESP
  Encryption Algorithms: AES 256
  Hash Algorithms: SHA 1
  PFS key group: 2 (1024 bit)
  Lifetime: 3600

Mobile Clients
  IKE Extensions: Enabled
  User Authentication: Local Database
  Group Authentication: none
  Virtual Address Pool: 192.168.200.1/24
  DNS: 192.168.1.1

Shrew Soft

General
  Host Name: vpnhostname.info
  Port: 500
  Adapter Mode: Use a virtual adapter and assigned address
  MTU: 1380
  Address & Netmask: Obtain Automatically

Client
  NAT Traversal: Force-rfc
  NAT Traversal Port: 4500
  Keep-alive packet rate: 15
  IKE Fragmentation: enable
  Maximum packet size: 540
  Dead Peer Detection: disabled
  ISAKMP Failure Notifications: enabled
  Client Login Banner: enabled

Name Resolution
  Everything is set to default here

Authentication
  Authentication Method: Mutual PSK + Xauth
  Local Identity: User Fully Qualified Domain Name
  Remote Identity: IP Address
  Use a discovered remote host address: enabled
  Pre Shared Key: ***

Phase 1
  Exchange Type: aggressive
  DH Exchange: group 2
  Cipher Algorithm: aes
  Cipher Key Length: 256
  Hash Algorithm: sha1
  Key Life Time Limit: 3600
  Key Life Data Limit: 0
  Check Point Compatible Vendor ID: disabled

Phase 2
  Transform Algorithm: esp-aes
  Transform Key Length: 254
  HMAC Algorithm: sha1
  PFS Exchange: group 2
  Compress Algorithm: disabled
  Key Life Time Limit: 3600
  Key Life Data Limit: 0

Policy
  Policy Generation Level: unique
  Maintain Persistent Security Associations: disabled
  Obtain Topology Automatically or Tunnel All: enabled

Phone Settings
  Type: IPSec Xauth PSK
  Server Address: vpnhostname.info
  IPSec Identifier: vpnid
  IPSec pre-shared key: ***
Using these settings I can connect fine with both my laptop client and my Android device. I can access my internal LAN and tunnel all traffic through my home network (as intended).
Here is a successful connection by phone:
Nov 28 18:45:13 racoon: [Self]: INFO: respond new phase 1 negotiation: (pfsense wan ip)[500]<=>(phone ip)[8237]
Nov 28 18:45:13 racoon: INFO: begin Aggressive mode.
Nov 28 18:45:13 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Nov 28 18:45:13 racoon: INFO: received Vendor ID: RFC 3947
Nov 28 18:45:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 28 18:45:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 28 18:45:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Nov 28 18:45:13 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Nov 28 18:45:13 racoon: INFO: received Vendor ID: CISCO-UNITY
Nov 28 18:45:13 racoon: INFO: received Vendor ID: DPD
Nov 28 18:45:13 racoon: [phone ip] INFO: Selected NAT-T version: RFC 3947
Nov 28 18:45:13 racoon: INFO: Adding remote and local NAT-D payloads.
Nov 28 18:45:13 racoon: [phone ip] INFO: Hashing (phone ip)[8237] with algo #2 (NAT-T forced)
Nov 28 18:45:13 racoon: [Self]: [pfsense wan ip] INFO: Hashing (pfsense wan ip)[500] with algo #2 (NAT-T forced)
Nov 28 18:45:13 racoon: INFO: Adding xauth VID payload.
Nov 28 18:45:13 racoon: [Self]: INFO: NAT-T: ports changed to: (phone ip)[15601]<->(pfsense wan ip)[4500]
Nov 28 18:45:13 racoon: INFO: NAT-D payload #0 doesn't match
Nov 28 18:45:13 racoon: INFO: NAT-D payload #1 doesn't match
Nov 28 18:45:13 racoon: INFO: NAT detected: ME PEER
Nov 28 18:45:13 racoon: INFO: Sending Xauth request
Nov 28 18:45:13 racoon: [Self]: INFO: ISAKMP-SA established (pfsense wan ip)[4500]-(phone ip)[15601] spi:1a0bbe0d907bba5c:4919b5bbd93d4598
Nov 28 18:45:13 racoon: [phone ip] INFO: received INITIAL-CONTACT
Nov 28 18:45:13 racoon: INFO: Using port 0
Nov 28 18:45:13 racoon: user 'matt' authenticated
Nov 28 18:45:13 racoon: INFO: login succeeded for user "matt"
Nov 28 18:45:15 racoon: [Self]: INFO: respond new phase 2 negotiation: (pfsense wan ip)[4500]<=>(phone ip)[15601]
Nov 28 18:45:15 racoon: INFO: no policy found, try to generate the policy : 192.168.200.2/32[0] 0.0.0.0/0[0] proto=any dir=in
Nov 28 18:45:15 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Nov 28 18:45:15 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Nov 28 18:45:16 racoon: [Self]: INFO: IPsec-SA established: ESP (pfsense wan ip)[500]->(phone ip)[500] spi=189654654(0xb4de67e)
Nov 28 18:45:16 racoon: [Self]: INFO: IPsec-SA established: ESP (pfsense wan ip)[500]->(phone ip)[500] spi=127100297(0x7936589)
If I change negotiation mode to main I receive this error with my phone:
racoon: [phone ip] ERROR: exchange Aggressive not allowed in any applicable rmconf.
As far as I can tell there is no way to change the negotiation type on my phone. This seems to be a poor implementation of IPSec by Google.
When I connect with my laptop set to main I receive this error:
Nov 29 10:46:04 racoon: [laptop ip] ERROR: couldn't find the pskey for laptop ip.
Nov 29 10:46:04 racoon: [laptop ip] ERROR: failed to process ph1 packet (side: 1, status: 4).
Nov 29 10:46:04 racoon: [laptop ip] ERROR: phase1 negotiation failed.
Nov 29 10:46:08 racoon: [laptop ip] ERROR: unknown Informational exchange received
If I have negotiation set to aggressive and the Phase 1 DH group set to anything higher than group 2, my phone fails to connect but my laptop works fine.
Here is the error when my phone attempts to connect:
Nov 29 11:00:35 racoon: ERROR: no suitable proposal found.
Nov 29 11:00:35 racoon: [phone ip] ERROR: failed to get valid proposal.
Nov 29 11:00:35 racoon: [phone ip] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Nov 29 11:00:35 racoon: [phone ip] ERROR: phase1 negotiation failed.
If I set the Phase 1 DH group to group 2 and proposal checking to Exact, my laptop successfully establishes a Phase 1 tunnel but fails to establish a Phase 2 tunnel. Here is the error I receive:
Nov 29 11:05:21 racoon: [Self]: INFO: respond new phase 2 negotiation: (pfsenes wan ip)[4500]<=>(laptop ip)[4500]
Nov 29 11:05:21 racoon: INFO: Update the generated policy : 192.168.200.2/32[0] 0.0.0.0/0[0] proto=any dir=in
Nov 29 11:05:21 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
Nov 29 11:05:21 racoon: ERROR: not matched
Nov 29 11:05:21 racoon: ERROR: no suitable policy found.
Nov 29 11:05:21 racoon: [laptop ip] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Nov 29 11:05:21 racoon: [laptop ip]RROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
The error seems to stem from the lifebyte mismatch in Phase 2. However, I cannot find a place in the pfSense webGUI to set the lifebyte size. Shrew Soft will not let me enter 2147483647 as a value because it is too large.
With these settings my phone doesn't get past Phase 1, with the same error as above, when set to DH group 5 or higher.
Setting proposal checking to Claim results in the same Phase 1 error on my phone. My laptop works fine.
Setting proposal checking to Strict results in the same Phase 1 error on my phone. My laptop works fine.
The problem with using Obey is it allows the client to propose less strict security settings than the server is configured to use.
The problems with my phone appear to be a limitation of the VPN client built into Android. I don't imagine there is any way around this unless I use a third-party app for Android. If anyone knows of good third-party apps I'd appreciate it.
I have also been trying out Mutual RSA + Xauth with little success. I followed this guide: http://forum.pfsense.org/index.php?topic=47106.0
Phase 1 is successful but Phase 2 fails to establish.
Here are my settings:
pfSense

Phase 1
  Internet Protocol: IPv4
  Interface: WAN
  Authentication Method: Mutual RSA + Xauth
  My Identifier: ASN.1 distinguished name
  Peer Identifier: ASN.1 distinguished name
  Policy Generation: Unique
  Proposal Checking: Obey
  Encryption Algorithm: AES 256
  Hash Algorithm: SHA1
  DH Key Group: 2 (1024)
  Lifetime: 3600
  My Certificate: IPSec Testing Server Cert
  My Certificate Authority: IPSec Testing CA
  NAT Traversal: Force
  Dead Peer Detection: disabled

Phase 2
  Same as above

Mobile Clients
  Same as above

Shrew Soft

Everything is the same except for the Authentication page.

Authentication
  Local Identity: ASN.1 Distinguished Name
  Use the subject in the client certificate: enabled
  Remote Identity: ASN.1 Distinguished Name
  Use the subject in the received certificate: enabled

Credentials
  Server Certificate Authority File: IPSec Testing CA.crt
  Client Certificate File: ipsectestuser-IPSecTestUser.crt
  Client Private Key File: ipsectestuser-IPSecTestUser.key
Here is the error I receive:
Nov 29 11:42:20 racoon: [Self]: INFO: respond new phase 1 negotiation: pfsense wan ip[500]<=>laptop ip[500]
Nov 29 11:42:20 racoon: INFO: begin Aggressive mode.
Nov 29 11:42:20 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Nov 29 11:42:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 29 11:42:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Nov 29 11:42:20 racoon: INFO: received Vendor ID: RFC 3947
Nov 29 11:42:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Nov 29 11:42:20 racoon: INFO: received Vendor ID: CISCO-UNITY
Nov 29 11:42:20 racoon: [laptop ip] INFO: Selected NAT-T version: RFC 3947
Nov 29 11:42:20 racoon: INFO: Adding remote and local NAT-D payloads.
Nov 29 11:42:20 racoon: [laptop ip] INFO: Hashing laptop ip[500] with algo #2 (NAT-T forced)
Nov 29 11:42:20 racoon: [Self]: [pfsense wan ip] INFO: Hashing pfsense wan ip[500] with algo #2 (NAT-T forced)
Nov 29 11:42:20 racoon: INFO: Adding xauth VID payload.
Nov 29 11:42:20 racoon: [Self]: INFO: NAT-T: ports changed to: laptop ip[4500]<->pfsense wan ip[4500]
Nov 29 11:42:20 racoon: INFO: NAT-D payload #0 doesn't match
Nov 29 11:42:20 racoon: INFO: NAT-D payload #1 doesn't match
Nov 29 11:42:20 racoon: INFO: NAT detected: ME PEER
Nov 29 11:42:20 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=CA/ST=Ontario/L=Toronto/O=mydomain/emailAddress=admin@mydomain.info/CN=ipsectestuser
Nov 29 11:42:20 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=CA/ST=Ontario/L=Toronto/O=mydomain/emailAddress=admin@mydomain.info/CN=internal-ca
Nov 29 11:42:20 racoon: INFO: Sending Xauth request
Nov 29 11:42:20 racoon: [Self]: INFO: ISAKMP-SA established pfsense wan ip[4500]-laptop ip[4500] spi:932e2d58eaf8f51d:49e0fc0ff0161318
Nov 29 11:42:20 racoon: [laptop ip] INFO: received INITIAL-CONTACT
Nov 29 11:42:20 racoon: INFO: Using port 0
Nov 29 11:42:20 racoon: user 'ipsectestuser' authenticated
Nov 29 11:42:20 racoon: INFO: login succeeded for user "ipsectestuser"
Nov 29 11:42:20 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Nov 29 11:42:20 racoon: ERROR: Cannot open "/etc/motd"
Nov 29 11:42:21 racoon: [Self]: INFO: respond new phase 2 negotiation: pfsense wan ip[4500]<=>laptop ip[4500]
Nov 29 11:42:21 racoon: ERROR: failed to get sainfo.
Nov 29 11:42:21 racoon: ERROR: failed to get sainfo.
Nov 29 11:42:21 racoon: [laptop ip] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
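Added example, not part of the post above and not pfSense or racoon code: a small Python triage script that parses racoon syslog lines of the kind quoted throughout this thread and sorts each failure into Phase 1 or Phase 2 with a short diagnosis. The sample input is constructed from the poster's own log lines (their "(phone ip)"/"laptop ip" placeholders kept). The parser regex and the signature table are assumptions of this example; the diagnoses restate racoon's documented behaviour for each message (main-mode PSK lookup by peer address, proposal_check exact/strict comparing lifebyte, sainfo lookup by Phase 2 identities, exchange_mode on the matching remote block).

```python
import re
from typing import Dict, Optional

# Constructed sample: racoon lines quoted in the post, one syslog entry per
# line. It holds one successful negotiation and the failure modes discussed.
SAMPLE_LOG = """\
Nov 28 18:45:13 racoon: INFO: begin Aggressive mode.
Nov 28 18:45:13 racoon: [Self]: INFO: ISAKMP-SA established (pfsense wan ip)[4500]-(phone ip)[15601] spi:1a0bbe0d907bba5c:4919b5bbd93d4598
Nov 28 18:45:16 racoon: [Self]: INFO: IPsec-SA established: ESP (pfsense wan ip)[500]->(phone ip)[500] spi=189654654(0xb4de67e)
Nov 29 10:46:04 racoon: [laptop ip] ERROR: couldn't find the pskey for laptop ip.
Nov 29 10:46:04 racoon: [laptop ip] ERROR: phase1 negotiation failed.
Nov 29 11:00:35 racoon: ERROR: no suitable proposal found.
Nov 29 11:00:35 racoon: [phone ip] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Nov 29 11:05:21 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
Nov 29 11:05:21 racoon: [laptop ip] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Nov 29 11:42:21 racoon: ERROR: failed to get sainfo.
Nov 29 11:42:21 racoon: [laptop ip] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
racoon: [phone ip] ERROR: exchange Aggressive not allowed in any applicable rmconf.
"""

# One racoon syslog entry (assumed layout). The timestamp is optional because
# one quoted line in the post was pasted without it; "[Self]:" and "[<peer>]"
# are both optional prefixes that racoon emits depending on context.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) )?"
    r"racoon: (?:\[Self\]: )?(?:\[(?P<peer>[^\]]+)\] )?"
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY): (?P<msg>.*)$"
)

# Failure messages seen in the thread -> negotiation phase and diagnosis.
# The lifebyte pattern captures both values so the report can show them.
SIGNATURES = [
    (re.compile(r"exchange Aggressive not allowed"), "phase1",
     "peer sent aggressive mode but the matching remote config only allows main mode"),
    (re.compile(r"couldn't find the pskey for"), "phase1",
     "main mode with PSK: racoon looks the key up by peer address because the ID arrives later"),
    (re.compile(r"no suitable proposal found|failed to get valid proposal"), "phase1",
     "no Phase 1 proposal in common (encryption, hash, DH group, lifetime, auth method)"),
    (re.compile(r"lifebyte mismatched: my:(\d+) peer:(\d+)"), "phase2",
     "Phase 2 lifebyte differs and proposal checking (exact/strict) refuses the peer's value"),
    (re.compile(r"failed to get sainfo"), "phase2",
     "no Phase 2 (sainfo) entry matches the identities/networks the peer proposed"),
    (re.compile(r"no proposal chosen"), "phase2",
     "peer's Phase 2 proposal was rejected (see the preceding ERROR line for why)"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one racoon log line into ts, peer, level and msg; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = entry["ts"] or ""
    entry["peer"] = entry["peer"] or ""
    return entry


def classify(msg: str) -> Optional[Dict[str, str]]:
    """Map an ERROR message to its phase and diagnosis; None for unknown messages."""
    for pattern, phase, cause in SIGNATURES:
        m = pattern.search(msg)
        if m:
            if m.groups():  # lifebyte: surface the two mismatched values
                cause = f"{cause} (mine={m.group(1)}, peer={m.group(2)})"
            return {"phase": phase, "cause": cause}
    return None


def triage(log_text: str) -> Dict[str, object]:
    """Count established SAs and collect classified failures from a log excerpt."""
    summary: Dict[str, object] = {"isakmp_sa": 0, "ipsec_sa": 0, "unparsed": 0, "failures": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            summary["unparsed"] += 1  # type: ignore[operator]
            continue
        msg = entry["msg"]
        if msg.startswith("ISAKMP-SA established"):
            summary["isakmp_sa"] += 1  # type: ignore[operator]
        elif msg.startswith("IPsec-SA established"):
            summary["ipsec_sa"] += 1  # type: ignore[operator]
        elif entry["level"] == "ERROR":
            hit = classify(msg)
            if hit:
                summary["failures"].append(  # type: ignore[union-attr]
                    {"ts": entry["ts"], "peer": entry["peer"],
                     "phase": hit["phase"], "cause": hit["cause"], "msg": msg})
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"ISAKMP SAs: {result['isakmp_sa']}, IPsec SAs: {result['ipsec_sa']}, "
          f"unparsed lines: {result['unparsed']}")
    for f in result["failures"]:  # type: ignore[union-attr]
        print(f"{f['ts'] or '(no ts)'} {f['peer'] or '(no peer)'} [{f['phase']}] {f['cause']}")
```

Pointing the script at a real racoon log (for example the IPsec log export from the pfSense GUI) gives a per-peer list of which phase each client fails in, which separates the phone's Phase 1 proposal mismatches from the laptop's Phase 2 lifebyte and sainfo failures without reading through the Vendor ID and NAT-D chatter by hand.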