Netgate Discussion Forum
Is there any working site-to-site IPsec config?

bchristopeit

It's not working, and I don't know why. Is there any manual? Because the old one didn't work.

Derelict (LAYER 8, Netgate)

        Thousands upon thousands of them. Trouble with documentation is they are all different.

        What are you trying to do?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

bchristopeit

I'm trying to connect two sites with IPsec. I am using version 2.3.2.

Key Exchange Version: 1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: IP of the other site

P1
Authentication Method: Mutual PSK
Negotiation mode: Aggressive
My identifier: My IP Address
Peer identifier: Peer IP Address
Pre-Shared Key: …
Encryption: AES
Hash: SHA1
DH Group: 2
Lifetime: 28800
Enable DPD: 10/5

P2
Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network: Network 192.168.x.x/24
Protocol: ESP
Encryption: AES256
Hash: SHA1
PFS: off
Lifetime: 3600

The same at the other site, okay, with different remote IPs. I don't know my mistake. I changed from m0n0wall to pfSense, but it looks a little bit more complicated.

Aug 24 09:12:42 charon 16[ENC] <con1000|9> parsed INFORMATIONAL_V1 request 874233868 [ N(AUTH_FAILED) ]
Aug 24 09:12:42 charon 16[IKE] <con1000|9> received AUTHENTICATION_FAILED error notify

This is the last error.

bchristopeit

            If I change

            My identifier: My IP Adress
            Peer identifier: Peer IP Adress

            to

            My identifier: Distinguished name pfsense.localdomain
            Peer identifier: any

            I got:

Aug 24 09:21:44 charon 15[ENC] <con1000|15> parsed INFORMATIONAL_V1 request 719346522 [ N(INVAL_KE) ]
Aug 24 09:21:44 charon 15[IKE] <con1000|15> received INVALID_KE_PAYLOAD error notify

This is from the other site:

Aug 24 09:30:36 charon 11[IKE] <6> no shared key found for 'pfSense.localdomain'[172.31.xxx.xxx] - '213.200.xxx.xxx'[213.200.xxx.xxx]
Aug 24 09:30:36 charon 11[IKE] <6> no shared key found for 172.31.xxx.xxx - 213.200.xxx.xxx

Derelict (LAYER 8, Netgate)

              Both sides are pfSense 2.3.2?

bchristopeit

                Yes

Derelict (LAYER 8, Netgate)

                  Then you might as well use IKEv2, AES-GCM, etc.

                  Refer to the attached diagram.


                  pfSense A

                  Phase 1

                  Disabled: unchecked
                  Key Exchange Version: V2
                  Internet Protocol: IPv4
                  Interface: WAN
                  Remote Gateway: 172.25.228.13
                  Authentication Method: Mutual PSK
                  My Identifier: My IP address
                  Peer Identifier: Peer IP Address
                  Pre-Shared Key: presharedkey (pick something random and strong here)
                  Encryption Algorithm: AES 256 bits
                  Hash Algorithm: SHA256
                  DH Group: 14
                  Lifetime: 28800
                  Disable rekey: unchecked
                  Disable Reauth: unchecked
                  Responder Only: unchecked
                  MOBIKE: Disable
                  Split Connections: unchecked
Dead Peer Detection: checked
                  Delay: 10
                  Max failures: 5

                  Phase 2

                  Disabled: unchecked
                  Mode: Tunnel IPv4
                  Local Network: LAN subnet
                  NAT/BINAT translation: None
                  Remote Network: Network: 172.25.234.0 /24
                  Encryption Algorithms: AES256-GCM: Checked (Auto)
                  Hash Algorithms: None checked
                  PFS key group: 14
                  Lifetime: 3600
                  Automatically ping host: 172.25.234.1


                  pfSense C

                  Phase 1

                  Disabled: unchecked
                  Key Exchange Version: V2
                  Internet Protocol: IPv4
                  Interface: WAN
                  Remote Gateway: 172.25.228.5
                  Authentication Method: Mutual PSK
                  My Identifier: My IP address
                  Peer Identifier: Peer IP Address
                  Pre-Shared Key: presharedkey (pick something random and strong here)
                  Encryption Algorithm: AES 256 bits
                  Hash Algorithm: SHA256
                  DH Group: 14
                  Lifetime: 28800
                  Disable rekey: unchecked
                  Disable Reauth: unchecked
                  Responder Only: unchecked
                  MOBIKE: Disable
                  Split Connections: unchecked
Dead Peer Detection: checked
                  Delay: 10
                  Max failures: 5

                  Phase 2

                  Disabled: unchecked
                  Mode: Tunnel IPv4
                  Local Network: LAN subnet
                  NAT/BINAT translation: None
                  Remote Network: Network: 172.25.232.0 /24
                  Encryption Algorithms: AES256-GCM: Checked (Auto)
                  Hash Algorithms: None checked
                  PFS key group: 14
                  Lifetime: 3600
                  Automatically ping host: 172.25.232.1

                  And firewall rules on the IPsec tabs on both sides that pass the traffic you need. An example is included that is wide-open. That might or might not meet your needs/threat model.

[Attachments: pfSense+VPN.png (the diagram referred to above) and Screen Shot 2016-08-24 at 1.07.08 AM.png]

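A pre-flight check for a pair of definitions like the one above, added here as an example; it is not code from the post or from pfSense. It transcribes both sides into plain dicts (the `side()` field names are this script's own, not config.xml keys) and flags the mismatches that surface elsewhere in this thread as INVALID_KE_PAYLOAD, AUTHENTICATION_FAILED and "no shared key found": unequal proposals or PSKs, crossed identifiers, swapped networks, a hash ticked alongside AES-GCM, and an RFC1918 WAN address used as the IKE identifier. The `wan_ip`/`public_ip` fields, the second `NAT_1`/`NAT_2` pair and every 172.31.x.x, 203.0.113.x and 198.51.100.x address are constructed for the example.

```python
"""Pre-flight consistency check for a pair of pfSense IPsec Phase 1/Phase 2 definitions.

Added example for this page, not code from the post or from pfSense. Field names are
this script's own, not config.xml keys. 'wan_ip' (the interface address, which is what
pfSense's 'My IP address' identifier sends) and 'public_ip' (what the peer sees) are
assumptions added so the NAT case discussed later in the thread can be reproduced.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEAK_P1 = {"mode": {"aggressive"}, "dh": {1, 2, 5}, "hash": {"md5", "sha1"}}


def is_rfc1918(text):
    """True for an RFC1918 address literal; FQDN/DN identifiers and public addresses are False."""
    try:
        return any(ipaddress.ip_address(text) in n for n in RFC1918)
    except ValueError:
        return False


def side(name, wan_ip, public_ip, my_id, peer_id, remote_gw, local_net, remote_net,
         ike=2, mode="main", enc="aes256", hash_="sha256", dh=14, psk="presharedkey",
         p2_enc="aes256gcm", p2_hash=None, pfs=14):
    """One tunnel endpoint; the defaults are the IKEv2/AES-GCM settings from the reply above."""
    return {"name": name, "wan_ip": wan_ip, "public_ip": public_ip,
            "p1": {"ike": ike, "mode": mode, "enc": enc, "hash": hash_, "dh": dh, "psk": psk,
                   "my_id": my_id, "peer_id": peer_id, "remote_gw": remote_gw},
            "p2": {"local": local_net, "remote": remote_net, "enc": p2_enc, "hash": p2_hash, "pfs": pfs}}


# The working pair from the reply (no NAT in front of either firewall).
SIDE_A = side("pfSense A", "172.25.228.5", "172.25.228.5", my_id="172.25.228.5", peer_id="172.25.228.13",
              remote_gw="172.25.228.13", local_net="172.25.232.0/24", remote_net="172.25.234.0/24")
SIDE_C = side("pfSense C", "172.25.228.13", "172.25.228.13", my_id="172.25.228.13", peer_id="172.25.228.5",
              remote_gw="172.25.228.5", local_net="172.25.234.0/24", remote_net="172.25.232.0/24")

# Constructed stand-in for the first attempt in this thread: IKEv1 aggressive mode, DH 2, SHA1,
# both firewalls behind NAT, 'My identifier' left at 'My IP address'. All addresses are made up
# (RFC 5737 documentation ranges for the public side).
NAT_1 = side("site 1", "172.31.0.2", "203.0.113.45", my_id="172.31.0.2", peer_id="198.51.100.7",
             remote_gw="198.51.100.7", local_net="192.168.1.0/24", remote_net="192.168.2.0/24",
             ike=1, mode="aggressive", hash_="sha1", dh=2, p2_enc="aes256", p2_hash="sha1", pfs=None)
NAT_2 = side("site 2", "172.31.0.9", "198.51.100.7", my_id="172.31.0.9", peer_id="203.0.113.45",
             remote_gw="203.0.113.45", local_net="192.168.2.0/24", remote_net="192.168.1.0/24",
             ike=1, mode="aggressive", hash_="sha1", dh=2, p2_enc="aes256", p2_hash="sha1", pfs=None)


def p1_proposal(s):
    p = s["p1"]
    return (p["ike"], p["mode"], p["enc"], p["hash"], p["dh"])


def p2_proposal(s):
    p = s["p2"]
    return (p["enc"], p["hash"], p["pfs"])


def check_pair(a, b):
    """Return [(severity, message), ...]; an empty list means the two sides agree."""
    out = []
    if p1_proposal(a) != p1_proposal(b):
        out.append(("error", f"Phase 1 proposals differ: {p1_proposal(a)} vs {p1_proposal(b)}"
                             " (expect NO_PROPOSAL_CHOSEN or INVALID_KE_PAYLOAD)"))
    if a["p1"]["psk"] != b["p1"]["psk"]:
        out.append(("error", "pre-shared keys differ (expect AUTHENTICATION_FAILED)"))
    if p2_proposal(a) != p2_proposal(b):
        out.append(("error", "Phase 2 proposals differ (IKE_SA comes up, CHILD_SA does not)"))
    for me, peer in ((a, b), (b, a)):
        n, p1, p2 = me["name"], me["p1"], me["p2"]
        if p1["remote_gw"] != peer["public_ip"]:
            out.append(("error", f"{n}: remote gateway {p1['remote_gw']} is not the address {peer['name']} is reached at"))
        if p1["my_id"] != peer["p1"]["peer_id"]:
            out.append(("error", f"{n} identifies as {p1['my_id']!r} but {peer['name']} expects "
                                 f"{peer['p1']['peer_id']!r} (responder logs 'no shared key found')"))
        # The NAT trap from this thread: 'My IP address' sends the interface address, which the peer never sees.
        if is_rfc1918(me["wan_ip"]) and p1["my_id"] == me["wan_ip"] and me["public_ip"] != me["wan_ip"]:
            out.append(("fix", f"{n} is behind NAT: set My identifier to IP address {me['public_ip']}, "
                               f"not the WAN address {me['wan_ip']}"))
        if p2["local"] != peer["p2"]["remote"]:
            out.append(("error", f"{n}: local network {p2['local']} != {peer['name']} remote network {peer['p2']['remote']}"))
        if p2["enc"].endswith("gcm") and p2["hash"]:
            out.append(("warning", f"{n}: AES-GCM already authenticates; the separate Phase 2 hash is redundant"))
        if not p2["enc"].endswith("gcm") and not p2["hash"]:
            out.append(("error", f"{n}: {p2['enc']} is not an AEAD cipher and needs a Phase 2 hash"))
        if p2["pfs"] is None:
            out.append(("warning", f"{n}: PFS is off"))
        for field, bad in WEAK_P1.items():
            if p1[field] in bad:
                out.append(("warning", f"{n}: weak Phase 1 setting {field}={p1[field]}"))
    return out


if __name__ == "__main__":
    for label, pair in (("reference pair", (SIDE_A, SIDE_C)), ("constructed NAT pair", (NAT_1, NAT_2))):
        print(label)
        for sev, msg in check_pair(*pair) or [("ok", "consistent")]:
            print(f"  [{sev}] {msg}")
```

Run as a script, the reference pair prints only "consistent"; the constructed NAT pair prints the crossed-identity error on both sides plus the fix Derelict gives further down the thread (set My identifier to the address the peer actually sees). The check is deliberately stricter than charon: aggressive mode, DH 2 and SHA1 interoperate fine, so they are reported as warnings rather than errors.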
bchristopeit

Thanks, it looks better, but I got:

pfSense A
Aug 24 10:17:17 charon 10[CFG] received stroke: terminate 'con1'
Aug 24 10:17:17 charon 10[CFG] no IKE_SA named 'con1' found
Aug 24 10:17:17 charon 10[CFG] received stroke: initiate 'con1'
Aug 24 10:17:17 charon 15[IKE] <con1|8> initiating IKE_SA con1[8] to 213.200.xxx.xxx
Aug 24 10:17:17 charon 15[ENC] <con1|8> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 10:17:17 charon 15[NET] <con1|8> sending packet: from 172.31.xxx.xxx[500] to 213.200.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 15[NET] <con1|8> received packet: from 213.200.xxx.xxx[500] to 172.31.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 15[ENC] <con1|8> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 24 10:17:17 charon 15[IKE] <con1|8> local host is behind NAT, sending keep alives
Aug 24 10:17:17 charon 15[IKE] <con1|8> remote host is behind NAT
Aug 24 10:17:17 charon 15[IKE] <con1|8> authentication of '172.31.xxx.xxx' (myself) with pre-shared key
Aug 24 10:17:17 charon 15[IKE] <con1|8> establishing CHILD_SA con1
Aug 24 10:17:17 charon 15[ENC] <con1|8> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 24 10:17:17 charon 15[NET] <con1|8> sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (320 bytes)
Aug 24 10:17:17 charon 15[NET] <con1|8> received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)
Aug 24 10:17:17 charon 15[ENC] <con1|8> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 24 10:17:17 charon 15[IKE] <con1|8> received AUTHENTICATION_FAILED notify error

pfSense B
Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[500] to 172.31.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 10:17:17 charon 06[IKE] <8> 213.200.229.167 is initiating an IKE_SA
Aug 24 10:17:17 charon 06[IKE] <8> local host is behind NAT, sending keep alives
Aug 24 10:17:17 charon 06[IKE] <8> remote host is behind NAT
Aug 24 10:17:17 charon 06[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 24 10:17:17 charon 06[NET] <8> sending packet: from 172.31.xxx.xxx[500] to 213.200.229.167[500] (464 bytes)
Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[4500] to 172.31.xxx.xxx[4500] (320 bytes)
Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 24 10:17:17 charon 06[CFG] <8> looking for peer configs matching 172.31.xxx.xxx[213.200.xxx.xxx]...213.200.229.167[172.31.xxx.xxx]
Aug 24 10:17:17 charon 06[CFG] <bypasslan|8> selected peer config 'bypasslan'
Aug 24 10:17:17 charon 06[IKE] <bypasslan|8> no shared key found for '213.200.xxx.xxx' - '172.31.xxx.xxx'
Aug 24 10:17:17 charon 06[IKE] <bypasslan|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 24 10:17:17 charon 06[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 24 10:17:17 charon 06[NET] <bypasslan|8> sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (80 bytes)

Derelict (LAYER 8, Netgate)

                      You couldn't have possibly done that that fast. Delete what you have and start over. Carefully. It works. I have it working right here.

Derelict (LAYER 8, Netgate)

Aug 24 10:04:49 charon 08[NET] <con1|5> sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (256 bytes)
Aug 24 10:04:49 charon 08[NET] <con1|5> received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)

You can't send packets directly between an RFC1918 address and a public address. Either something else is in the middle you're not telling me about, or you have the configuration screwed up. Slow down, be careful, do it right, and it'll work.

bchristopeit

                          Okay I will delete it and start again.

Derelict (LAYER 8, Netgate)

                            If one side is behind another NAT device, you probably need to set "My identifier" on that side to be the actual public IP address - the one you see from there when you go to http://ifconfig.io/ for example.

                            My identifier: IP address: Actual public IP address

                            Like I said, every situation is different. There is no "universal walk through" to setting up a VPN.

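A small triage script for charon lines like the ones bchristopeit posted above, added here as an example; it is not code from the thread, from pfSense or from strongSwan. `parse_charon()` pulls the identity pair out of "looking for peer configs matching", notices the fall-through to pfSense's internal 'bypasslan' entry and the AUTH_FAILED notify, and `diagnose()` states the conclusion reached in the reply above: an initiator behind NAT is presenting its RFC1918 WAN address as its identity, so a Peer Identifier of "Peer IP address" on the responder can never match. The sample log is constructed to mirror the responder-side output in the thread, with RFC 5737 documentation addresses for the public side and made-up 172.31.x.x WAN addresses.

```python
"""Triage for strongSwan (charon) log lines as pfSense shows them.

Added example for this page, not code from the thread, pfSense or strongSwan. The sample
log is constructed to mirror the responder-side output quoted above, with RFC 5737
documentation addresses for the public side and made-up 172.31.x.x WAN addresses.
"""
import ipaddress
import re

SAMPLE_RESPONDER_LOG = """\
Aug 24 10:17:17 charon 06[NET] <8> received packet: from 203.0.113.45[500] to 172.31.0.9[500] (464 bytes)
Aug 24 10:17:17 charon 06[IKE] <8> 203.0.113.45 is initiating an IKE_SA
Aug 24 10:17:17 charon 06[IKE] <8> local host is behind NAT, sending keep alives
Aug 24 10:17:17 charon 06[IKE] <8> remote host is behind NAT
Aug 24 10:17:17 charon 06[CFG] <8> looking for peer configs matching 172.31.0.9[198.51.100.7]...203.0.113.45[172.31.0.2]
Aug 24 10:17:17 charon 06[CFG] <bypasslan|8> selected peer config 'bypasslan'
Aug 24 10:17:17 charon 06[IKE] <bypasslan|8> no shared key found for '198.51.100.7' - '172.31.0.2'
Aug 24 10:17:17 charon 06[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 'matching LOCAL_ADDR[LOCAL_ID]...REMOTE_ADDR[REMOTE_ID]'; the forum view renders the dots as an ellipsis.
RE_MATCH = re.compile(r"looking for peer configs matching (\S+?)\[([^\]]+)\](?:\.{3}|…)(\S+?)\[([^\]]+)\]")
RE_SELECTED = re.compile(r"selected peer config '([^']+)'")
# Covers the quoted, unquoted and "'id'[addr]" spellings that appear in this thread.
RE_NOKEY = re.compile(r"no shared key found for '?([^'\s\[]+)'?(?:\[[^\]]*\])? - '?([^'\s\[]+)'?")
RE_NOTIFY = re.compile(r"received ([A-Z_]+) (?:error notify|notify error)|N\((AUTH_FAILED|INVAL_KE|NO_PROP)\)")


def is_rfc1918(text):
    """True for an RFC1918 literal; public addresses, FQDNs and DNs return False."""
    try:
        return any(ipaddress.ip_address(text) in n for n in RFC1918)
    except ValueError:
        return False


def parse_charon(text):
    """Collect the facts a failed IKE_AUTH leaves behind in the responder's log."""
    facts = {"local_nat": False, "remote_nat": False, "ids": None, "selected": None,
             "no_key": None, "notifies": []}
    for line in text.splitlines():
        if "local host is behind NAT" in line:
            facts["local_nat"] = True
        elif "remote host is behind NAT" in line:
            facts["remote_nat"] = True
        elif m := RE_MATCH.search(line):
            facts["ids"] = dict(zip(("laddr", "lid", "raddr", "rid"), m.groups()))
        elif m := RE_SELECTED.search(line):
            facts["selected"] = m.group(1)
        elif m := RE_NOKEY.search(line):
            facts["no_key"] = m.groups()
        elif m := RE_NOTIFY.search(line):
            facts["notifies"].append(m.group(1) or m.group(2))
    return facts


def diagnose(facts):
    """Return [(code, explanation), ...], most actionable first."""
    out, ids = [], facts["ids"]
    if ids and facts["remote_nat"] and is_rfc1918(ids["rid"]) and not is_rfc1918(ids["raddr"]):
        out.append(("NAT_IDENTIFIER",
                    f"peer at {ids['raddr']} identifies itself as {ids['rid']}, its RFC1918 WAN address; "
                    f"a Peer Identifier of 'Peer IP address' ({ids['raddr']}) can never match it. "
                    f"On the peer, set My identifier to IP address {ids['raddr']}."))
    if ids and facts["local_nat"] and is_rfc1918(ids["laddr"]) and not is_rfc1918(ids["lid"]):
        out.append(("LOCAL_ID_OK", f"this side is behind NAT but already presents its public address {ids['lid']}"))
    if facts["selected"] == "bypasslan":
        out.append(("NO_P1_MATCH", "no configured Phase 1 matched the identity pair; charon fell through to "
                                   "pfSense's internal 'bypasslan' entry, which has no PSK for this peer"))
    if facts["no_key"] and not any(c == "NAT_IDENTIFIER" for c, _ in out):
        out.append(("PSK_LOOKUP", f"no PSK stored for identities {facts['no_key'][0]} / {facts['no_key'][1]}; "
                                  "check Peer Identifier here and My identifier on the peer"))
    for n in facts["notifies"]:
        if n in ("AUTH_FAILED", "AUTHENTICATION_FAILED"):
            out.append(("AUTH_FAILED", "IKE_AUTH rejected: identity or PSK mismatch; the packets themselves arrive fine"))
        elif n in ("INVAL_KE", "INVALID_KE_PAYLOAD"):
            out.append(("DH_MISMATCH", "KE payload used a DH group the other side does not accept; align the Phase 1 DH group"))
    return out


if __name__ == "__main__":
    for code, text in diagnose(parse_charon(SAMPLE_RESPONDER_LOG)):
        print(f"{code}: {text}")
```

Point it at the responder's log rather than the initiator's: the initiator only ever sees the bare AUTH_FAILED notify, while the responder records which identities it tried to match and which connection entry it settled on, and that is where the NAT identifier problem becomes visible.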
bchristopeit

WOHOOOOOO, YOU ARE MY HERO!!!!! After I changed My identifier to the public IP, the VPN is working. Now I have to set up mobile devices with GreenBow. Could I use the same?

Derelict (LAYER 8, Netgate)

                                I hope you take my advice and use IKEv2, AES-GCM, etc.

                                No idea about the remote access. Completely different thread required.

bchristopeit

Thank you so much. I did it like your example :). Will create a new thread for IPsec mobile.

timboau

THANKS!
I was about to post this question (I might add it here for some additional keywords relating to this).
----------------
I've been reading about the 'issues' that might present in strongSwan for the authentication of identifiers that could be causing me problems (possibly adding pre-shared keys?). I've been trying all sorts but just can't seem to hit a working configuration.
I have approx. 25 remote PPPoE sites connecting to each other and to a static IP address, great. I recently added a new site using Australian NBN (the customer IP is assigned via DHCP).
I can't get the new DHCP site to connect to the static IP server; it connects fine to other PPPoE servers.

I'm running an APU box and virtual pfSense routers.

Do you consider this VPN config the best all-rounder settings?
What was key to this config allowing the DHCP to static IP connections to work successfully?

Derelict (LAYER 8, Netgate)

                                      Connecting to a static IP address doesn't generally require anything special. Are you connecting from behind another NAT device?

timboau

Both IPs are fully public IPs; one being allocated by DHCP rather than PPPoE was the only difference I could discern - the other was always static.

                                        Anyway - working a treat now :)

Do you consider using those specs as a basis for all tunnels to be the most efficient CPU-wise, vs. no massive need for crazy security, vs. stability, etc.?

I was previously using V2, DH2, P1 AES256/SHA1, P2 AES128/SHA1.

Derelict (LAYER 8, Netgate)

                                          AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256) and will therefore perform better especially with AES-NI enabled.

                                          I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not…

                                          So, yes, I like the settings I used in this example. That's why I used them. :)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.