Netgate Discussion Forum
    Trouble setting up IPSec (No Aggressive option?)

    • jamesp6000

      I'm following the IPSec roadwarrior howto at:
      https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      It indicates that under phase1 settings I should set:
      Negotiation mode: aggressive

      However, there is no such setting in phase1. Has this been removed?

      Connecting from Android fails and I suspect it's due to the above missing setting…

      Any help would be appreciated. Below are the logs!

      James

      Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[53375] to 76.14.18.240[500] (612 bytes)
      Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
      Dec 9 22:06:43 charon 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received XAuth vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received Cisco Unity vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received FRAGMENTATION vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> received DPD vendor ID
      Dec 9 22:06:43 charon 16[IKE] <1> 172.56.38.118 is initiating a Main Mode IKE_SA
      Dec 9 22:06:43 charon 16[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
      Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[500] to 172.56.38.118[53375] (136 bytes)
      Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[53375] to 76.14.18.240[500] (252 bytes)
      Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Dec 9 22:06:43 charon 16[IKE] <1> remote host is behind NAT
      Dec 9 22:06:43 charon 16[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[500] to 172.56.38.118[53375] (268 bytes)
      Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[25932] to 76.14.18.240[4500] (108 bytes)
      Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
      Dec 9 22:06:43 charon 16[CFG] <1> looking for XAuthInitPSK peer configs matching 76.14.18.240…172.56.38.118[21.251.173.190]
      Dec 9 22:06:43 charon 16[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
      Dec 9 22:06:43 charon 16[ENC] <1> generating INFORMATIONAL_V1 request 1402810885 [ HASH N(AUTH_FAILED) ]
      Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[4500] to 172.56.38.118[25932] (108 bytes)
      Dec 9 22:13:31 charon 00[DMN] signal of type SIGINT received. Shutting down
      Dec 9 22:13:31 ipsec_starter 82271 charon stopped after 200 ms
      Dec 9 22:13:31 ipsec_starter 82271 ipsec starter stopped

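As an added example, not from the post or from pfSense/strongSwan: a small Python parser that reads charon lines like those above, groups them by IKE_SA number and names the phase-1 failure that the CFG/IKE lines describe. The embedded log is a constructed abbreviation of the one quoted above, and the messages it matches are the ones shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample: an abbreviated copy of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[53375] to 76.14.18.240[500] (612 bytes)
Dec 9 22:06:43 charon 16[IKE] <1> 172.56.38.118 is initiating a Main Mode IKE_SA
Dec 9 22:06:43 charon 16[IKE] <1> remote host is behind NAT
Dec 9 22:06:43 charon 16[CFG] <1> looking for XAuthInitPSK peer configs matching 76.14.18.240...172.56.38.118[21.251.173.190]
Dec 9 22:06:43 charon 16[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Dec 9 22:06:43 charon 16[ENC] <1> generating INFORMATIONAL_V1 request 1402810885 [ HASH N(AUTH_FAILED) ]
"""
# charon tags every IKE-related line with "<n>", the IKE_SA number; ipsec_starter lines have none.
LINE_RE = re.compile(r"charon \d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA")
MISMATCH_RE = re.compile(r"^found (?P<n>\d+) matching configs?, but none allows (?P<auth>\S+) authentication using \S+ Mode")

@dataclass
class IkeAttempt:
    sa: str
    peer: Optional[str] = None
    mode: Optional[str] = None         # Main or Aggressive, as announced by the initiator
    auth_wanted: Optional[str] = None  # e.g. XAuthInitPSK
    configs_matched: int = 0
    auth_failed: bool = False

    def diagnosis(self) -> str:
        # The responder found a config matching the addresses but refused the auth/mode pair.
        if self.auth_failed and self.auth_wanted and self.mode:
            return (f"phase-1 mismatch: {self.peer} proposed {self.auth_wanted} in {self.mode} Mode; "
                    f"{self.configs_matched} config matched but none allows that pair "
                    f"(IKEv1 XAuth PSK needs Aggressive Mode on the responder, or move the client to IKEv2)")
        if self.auth_failed:
            return "AUTH_FAILED without a logged config mismatch (check PSK and identifiers)"
        return "no authentication failure recorded"

def parse_charon_log(text: str) -> Dict[str, IkeAttempt]:
    # Group lines by IKE_SA number and keep only the phase-1 facts an admin needs.
    attempts: Dict[str, IkeAttempt] = {}
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        a = attempts.setdefault(m["sa"], IkeAttempt(sa=m["sa"]))
        msg = m["msg"]
        if (mi := INIT_RE.match(msg)):
            a.peer, a.mode = mi["peer"], mi["mode"]
        elif (mm := MISMATCH_RE.match(msg)):
            a.auth_wanted, a.configs_matched = mm["auth"], int(mm["n"])
        elif "N(AUTH_FAILED)" in msg:
            a.auth_failed = True
    return attempts
```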
      • jamesp6000

        Just realized that the "NAT Traversal: Force" option referenced in the HowTo is also missing…

        James

        • jimp (Rebel Alliance, Developer, Netgate)

          Either you aren't following the how-to you linked, or you have chosen something incorrectly (e.g. picked IKEv2 not IKEv1)

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • jamesp6000

            I suspect there have been changes since the HowTo was created.

            Under "Phase 1" there is a new section called "General Information" and the HowTo does not mention how to configure it. There is a "Key Exchange version" setting and when I set it to V1, the "Negotiation Mode" option does appear.

            However, the "Policy Generation" and "Proposal Checking" settings still do not appear. Are these important?

            The Android settings, however, are quite different.
            "Type" should be "IPSec Xauth PSK"
            "server address" => your FQDN
            "ipsec identifier" => what you entered as your peer identifier
            "ipsec PSK" => your PSK
            "username" => username of the account you created in pfsense
            "password" => password of the account you created

            I managed to get it to connect but upload speeds are very very slow. I'll try to work that out another evening.

            James P A.K.A. Jim P

            • jimp (Rebel Alliance, Developer, Netgate)

              Yes, that how-to is very old.

              "Policy generation" and "proposal checking" were settings from the (really) old IPsec daemon racoon, which hasn't been used since pfSense 2.1.x.

              Android has a bug that will likely prevent the style you're trying from working. You'd be better off trying IKEv2 and using the strongSwan app.


              • jamesp6000

                I see that IKEv2 is covered in the IPSEC section of the online pfsense book. Is that section current?

                Thanks,
                James

                • jimp (Rebel Alliance, Developer, Netgate)

                  If it talks about IKEv2, it's current.


                  • jamesp6000

                    It seems that for IKEv2 I need to create a Server Certificate which needs to include the IP address of the server. Since my server has a dynamic public IP address, it seems that I cannot use IKEv2 after all. Is that right?

                    Thanks,
                    James

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.