    IPSec dead since 2.3.1
timo:

      Since the upgrade to version 2.3.1 (and newer; currently 2.3.1-RELEASE-p1 is installed) it isn't possible to connect from one PFSense to another PFSense using IPSec:

      • IPSec from a PFSense to another device (e.g. Fritz.Box from AVM) works fine.
      • IPSec from a PFSense to a PFSense is broken (tested three endpoints):

      May 29 08:26:31 charon 09[IKE] <con7000|15> received AUTHENTICATION_FAILED error notify
      May 29 08:26:31 charon 09[ENC] <con7000|15> parsed INFORMATIONAL_V1 request 1039777267 [ N(AUTH_FAILED) ]
      May 29 08:26:31 charon 09[NET] <con7000|15> received packet: from 109.230.xxx.xx[500] to 192.168.xxx.xx[500] (56 bytes)
      May 29 08:26:30 charon 09[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
      May 29 08:26:30 charon 09[IKE] <con7000|15> sending retransmit 1 of request message ID 0, seq 1
      May 29 08:26:26 charon 11[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
      May 29 08:26:26 charon 11[ENC] <con7000|15> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
      May 29 08:26:26 charon 11[IKE] <con7000|15> initiating Aggressive Mode IKE_SA con7000[15] to 109.230.xxx.xx
      May 29 08:26:26 charon 09[KNL] creating acquire job for policy 192.168.xxx.xx/32|/0 === 109.230.xxx.xx/32|/0 with reqid {15}

      • The config wasn't changed since version 2.2 of PFSense.
      • I also tried to disable all IPSec entries and create new ones: same issue, the connection didn't come up.

      Any ideas?

      timo:

        After setting the following tunables under System -> Advanced -> System Tunables:

        net.inet.raw.maxdgram 131072
        net.inet.raw.recvspace 131072
        net.raw.sendspace 65535
        net.raw.recvspace 65535

        the VPN comes up. But now it is very slow.

        Before, at version 2.2.6, the traffic rate was 1.2-1.6 MB/s; now it is 350 KB/s at maximum.

        Does anybody have an idea how to get the transfer speed up again?

        kobold-meb:

          Hello, after trying some configurations I found the following config working with PFS 2.3.1 and Fritzbox 7490 (06.55-33668 BETA):

          Assuming the following values:
          PFS IP: 10.0.10.1
          PFS Network: 10.0.10.0/24
          PFS EXTERN IP: 217.0.0.217

          FB IP: 192.168.10.1
          FB Network: 192.168.10.0/24
          FB DDNS Name: abcd.myfritz.net

          PSK: same_most_secret_password_as_in_PFS

          Fritzbox VPN Import File:

          /*
           * Path_to_Fritzbox_VPN_config_file.cfg
           * Timestamp
           */

          vpncfg {
                  connections {
                          enabled = yes;
                          conn_type = conntype_lan;
                          name = "VPN_fancy_name";      <<< VPN Name
                          always_renew = yes;
                          reject_not_encrypted = no;
                          dont_filter_netbios = yes;
                          localip = 0.0.0.0;
                          local_virtualip = 0.0.0.0;
                          remoteip = 217.0.0.217;              <<< External IP of PFS
                          remote_virtualip = 0.0.0.0;
                          keepalive_ip = 10.0.10.1;            <<< Private IP of PFS (usually default gateway IP of local PFS network)
                          localid {
                                  fqdn = "abcd.myfritz.net";    <<< external FQDN e.g. MyFritz ID
                          }
                          remoteid {
                                  ipaddr = 217.0.0.217;          <<< External IP of PFS
                          }
                          mode = phase1_mode_aggressive;
                          phase1ss = "def/3des/sha";
                          keytype = connkeytype_pre_shared;
                          key = "same_most_secret_password_as_in_PFS";  <<< Pre-Shared-Password
                          cert_do_server_auth = no;
                          use_nat_t = no;
                          use_xauth = no;
                          use_cfgmode = no;
                          phase2localid {
                                  ipnet {
                                          ipaddr = 192.168.10.0;  <<< Private Network of Fritzbox
                                          mask = 255.255.255.0;
                                  }
                          }
                          phase2remoteid {
                                  ipnet {
                                          ipaddr = 10.0.10.0;        <<< Private Network of PFS
                                          mask = 255.255.255.0;
                                  }
                          }
                          phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                          accesslist = "permit ip any 10.0.10.0 255.255.255.0";
                  }
                  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                      "udp 0.0.0.0:4500 0.0.0.0:4500";
          }

          // EOF

          Config within PFS 2.3.1:

          ===============
          Phase 1 - General Information
          Disabled: off
          Key Exchange version : V1
          Internet Protocol: IPv4
          Interface: WAN
          Remote Gateway: abcd.myfritz.net    <<< external FQDN e.g. MyFritz ID
          Description: VPN Name

          Phase 1 Proposal (Authentication)
          Authentication Method: Mutual PSK
          Negotiation mode: Aggressive
          My identifier: My IP address
          Peer identifier: Distinguished name  /  abcd.myfritz.net      <<< external FQDN e.g. MyFritz ID
          Pre-Shared Key: same_most_secret_password_as_in_PFS  <<< Shared Password

          Phase 1 Proposal (Algorithms)
          Encryption Algorithm: 3DES
          Hash Algorithm: SHA256  or SHA1  (try both, one should work!)
          DH Group: 1 (768 bit)
          Lifetime (Seconds): 3600

          Phase 1 - Advanced Options
          Disable rekey: off
          Responder Only: off
          NAT Traversal: auto
          Dead Peer Detection: on
          Delay: 10
          Max failures: 5

          ---

          Phase 2 - General Information
          Disabled: off
          Mode: Tunnel IPv4
          Local Network: LAN subnet
          NAT/BINAT translation: none
          Remote Network: Network / 192.168.10.0 / 24
          Description: VPN Name

          Phase 2 Proposal (SA/Key Exchange)
          Protocol: ESP
          Encryption Algorithms: AES / 256 bits  and 3DES
          Hash Algorithms: SHA1
          PFS key group: 1 (768 bit)
          Lifetime: 3600

          Phase 2 - Advanced Configuration
          Automatically ping host: 192.168.10.1  <<< Private IP of Fritzbox

          I did not try to find the most secure VPN settings possible, but this config works for my needs.
          I use more than one VPN on both sides.
          This setup works on the Fritzbox in combination with single-user VPNs and additional Fritzbox-Fritzbox connections.

          If anyone has ideas for changing settings to increase the security level, please let me know.

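As a starting point for the "increase the security level" question above, here is an added example (not from the thread or from AVM/Netgate) that parses a vpncfg-style file like the one posted and flags the settings a defender would want to revisit: aggressive mode, 3DES, SHA-1 and missing PFS. The sample config is a constructed excerpt of the posted file, and reading "sha" as SHA-1 is an assumption taken from the "Hash Algorithms: SHA1" on the pfSense side.

```python
import re

# Constructed excerpt in the AVM vpncfg style of the post above (not a real export).
SAMPLE_CFG = """
/* header comment */
vpncfg {
        connections {
                remoteip = 217.0.0.217;
                mode = phase1_mode_aggressive;
                phase1ss = "def/3des/sha";
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

TOKEN = re.compile(r'(\w+)\s*\{|(\})|(\w+)\s*=\s*([^;]*);', re.S)

def parse_vpncfg(text):
    """Parse the brace/semicolon format into nested dicts; comma lists become Python lists."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # drop /* */ and // comments
    root, stack = {}, []
    cur = root
    for m in TOKEN.finditer(text):
        if m.group(1):                       # "name {" opens a nested block
            stack.append(cur)
            cur = cur.setdefault(m.group(1), {})
        elif m.group(2):                     # "}" closes the current block
            cur = stack.pop()
        else:                                # "key = value;" with quotes stripped
            vals = [v.strip().strip('"') for v in m.group(4).split(",")]
            cur[m.group(3)] = vals[0] if len(vals) == 1 else vals
    return root

# Assumption: "sha" means SHA-1, matching "Hash Algorithms: SHA1" on the pfSense side of the post.
def audit_connection(conn):
    findings = []                            # (setting, why a defender should change it)
    if conn.get("mode") == "phase1_mode_aggressive":
        findings.append(("mode", "IKEv1 aggressive mode with PSK sends the auth hash in the clear; use main mode or IKEv2"))
    p1 = conn.get("phase1ss", "").split("/")   # "<dh>/<cipher>/<hash>"
    p2 = conn.get("phase2ss", "").split("/")   # "esp-<cipher>-<hash>/ah-../comp-../pfs"
    for label, parts in (("phase1ss", p1[1:3]), ("phase2ss", p2[0].split("-")[1:3])):
        if "3des" in parts:
            findings.append((label, "3DES is a deprecated 64-bit block cipher; use AES"))
        if "sha" in parts:
            findings.append((label, "SHA-1 HMAC; prefer SHA-256"))
    if "pfs" not in p2:
        findings.append(("phase2ss", "no PFS: a compromised IKE SA key exposes every child SA"))
    return findings
```

Run `audit_connection(parse_vpncfg(SAMPLE_CFG)["vpncfg"]["connections"])` on the posted settings and it reports aggressive mode plus 3DES and SHA-1 in both phases; PFS is present, so that check stays quiet.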