IPSec dead since 2.3.1



  • Since the upgrade to version 2.3.1 (and newer; currently 2.3.1-RELEASE-p1 is installed) it isn't possible to connect from one pfSense to another pfSense using IPsec:

    • IPsec from a pfSense to another device (e.g. Fritz!Box from AVM) works fine.
    • IPsec from a pfSense to a pfSense is broken (tested three endpoints):
    
    May 29 08:26:31 	charon 		09[IKE] <con7000|15> received AUTHENTICATION_FAILED error notify
    May 29 08:26:31 	charon 		09[ENC] <con7000|15> parsed INFORMATIONAL_V1 request 1039777267 [ N(AUTH_FAILED) ]
    May 29 08:26:31 	charon 		09[NET] <con7000|15> received packet: from 109.230.xxx.xx[500] to 192.168.xxx.xx[500] (56 bytes)
    May 29 08:26:30 	charon 		09[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
    May 29 08:26:30 	charon 		09[IKE] <con7000|15> sending retransmit 1 of request message ID 0, seq 1
    May 29 08:26:26 	charon 		11[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
    May 29 08:26:26 	charon 		11[ENC] <con7000|15> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    May 29 08:26:26 	charon 		11[IKE] <con7000|15> initiating Aggressive Mode IKE_SA con7000[15] to 109.230.xxx.xx
    May 29 08:26:26 	charon 		09[KNL] creating acquire job for policy 192.168.xxx.xx/32|/0 === 109.230.xxx.xx/32|/0 with reqid {15}
    
    • The config hasn't been changed since version 2.2 of pfSense.
    • I also tried disabling all IPsec entries and creating new ones - same issue, the connection didn't come up.

    Any Ideas?



  • After adding the following tunables under System -> Advanced -> System Tunables:

    
    net.inet.raw.maxdgram 131072
    net.inet.raw.recvspace 131072
    net.raw.sendspace 65535
    net.raw.recvspace 65535 
    
    

    the VPN comes up. But now it is very slow.

    Before, on version 2.2.6, the transfer rate was 1.2-1.6 MB/s; now it is 350 KB/s at maximum.

    Does anybody have an idea how to get the transfer speed up again?



  • Hello, after trying some configurations I found the following config working with pfSense 2.3.1 and a Fritz!Box 7490 (06.55-33668 BETA):

    Assuming the following Values:
    PFS IP: 10.0.10.1
    PFS Network: 10.0.10.0/24
    PFS EXTERN IP: 217.0.0.217

    FB IP: 192.168.10.1
    FB Network: 192.168.10.0/24
    FB DDNS Name: abcd.myfritz.net

    PSK: same_most_secret_password_as_in_PFS

    Fritz!Box VPN import file (the `// ...` comments mark the values you have to adapt; they can stay in the file when importing):

    /*
     * Path_to_Fritzbox_VPN_config_file.cfg
     * Timestamp
     */

    vpncfg {
            connections {
                    enabled = yes;
                    conn_type = conntype_lan;
                    name = "VPN_fancy_name";                 // VPN name
                    always_renew = yes;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = 217.0.0.217;                  // external IP of the pfSense
                    remote_virtualip = 0.0.0.0;
                    keepalive_ip = 10.0.10.1;                // private IP of the pfSense (usually the default gateway of the pfSense LAN)
                    localid {
                            fqdn = "abcd.myfritz.net";       // external FQDN, e.g. MyFritz ID
                    }
                    remoteid {
                            ipaddr = 217.0.0.217;            // external IP of the pfSense
                    }
                    mode = phase1_mode_aggressive;
                    phase1ss = "def/3des/sha";
                    keytype = connkeytype_pre_shared;
                    key = "same_most_secret_password_as_in_PFS";  // pre-shared key, identical on the pfSense
                    cert_do_server_auth = no;
                    use_nat_t = no;
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = 192.168.10.0;   // private network of the Fritz!Box
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = 10.0.10.0;      // private network of the pfSense
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                    accesslist = "permit ip any 10.0.10.0 255.255.255.0";
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    // EOF

    Config within pfSense 2.3.1:

    ===============
    Phase 1 - General Information
    Disabled: off
    Key Exchange version : V1
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: abcd.myfritz.net    <<< external FQDN e.g. MyFritz ID
    Description: VPN Name

    Phase 1 Proposal (Authentication)
    Authentication Method: Mutual PSK
    Negotiation mode: Aggressive
    My identifier: My IP address
    Peer identifier: Distinguished name  /  abcd.myfritz.net      <<< external FQDN e.g. MyFritz ID
    Pre-Shared Key: same_most_secret_password_as_in_PFS  <<< Shared Password

    Phase 1 Proposal (Algorithms)
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA256  or SHA1  (try both, one should work!)
    DH Group: 1 (768 bit)
    Lifetime (Seconds): 3600

    Phase 1 - Advanced Options
    Disable rekey: off
    Responder Only: off
    NAT Traversal: auto
    Dead Peer Detection: on
    Delay: 10
    Max failures: 5

    ---

    Phase 2 - General Information
    Disabled: off
    Mode: Tunnel IPv4
    Local Network: LAN subnet
    NAT/BINAT translation: none
    Remote Network: Network / 192.168.10.0 / 24
    Description: VPN Name

    Phase 2 Proposal (SA/Key Exchange)
    Protocol: ESP
    Encryption Algorithms: AES / 256 bits  and 3DES
    Hash Algorithms: SHA1
    PFS key group: 1 (768 bit)
    Lifetime: 3600

    Phase 2 - Advanced Configuration
    Automatically ping host: 192.168.10.1  <<< Private IP of the Fritz!Box

    I did not try to find the most secure VPN settings possible, but this config works for my needs.
    I use more than one VPN on both sides.
    This setup works on the Fritz!Box in combination with single-user VPNs and additional Fritz!Box-to-Fritz!Box connections.

    If anyone has ideas for changing settings to increase the security level, please let me know.
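The poster asks which settings weaken the configuration above. As an added example (not code from the thread, pfSense or AVM), the script below parses the `key = value;` / `key { ... }` syntax of the Fritz!Box import file and reports the choices a reviewer would flag: IKEv1 aggressive mode with a PSK, 3DES, SHA-1, missing PFS, NAT-T disabled and the PSK stored in clear. The parser covers only the syntax visible in the posted file, the option names are taken from that file, the sample is a trimmed, constructed copy of it, and the severity wording is my own.

```python
"""Parse a FRITZ!Box vpncfg import file and flag weak IKE/IPsec choices."""
import re

# Constructed sample: a trimmed copy of the connection posted above, with the
# annotations removed so that it is syntactically what the Fritz!Box imports.
SAMPLE_VPNCFG = """\
/* Path_to_Fritzbox_VPN_config_file.cfg - Timestamp */
vpncfg {
        connections {
                enabled = yes;
                name = "VPN_fancy_name";
                remoteip = 217.0.0.217;
                localid { fqdn = "abcd.myfritz.net"; }
                remoteid { ipaddr = 217.0.0.217; }
                mode = phase1_mode_aggressive;
                phase1ss = "def/3des/sha";
                keytype = connkeytype_pre_shared;
                key = "same_most_secret_password_as_in_PFS";
                use_nat_t = no;
                phase2localid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }
                phase2remoteid { ipnet { ipaddr = 10.0.10.0; mask = 255.255.255.0; } }
                phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+')


def tokenize(text):
    """Drop /* */ and // comments, then split into braces, punctuation and words."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return TOKEN_RE.findall(text)


def _parse_block(tokens, pos):
    """Parse `k = v[, v];` and `k { ... }` entries up to a closing brace.

    Returns (dict, index of that brace). A repeated key overwrites the earlier
    one, which is fine for the single-connection files shown in this thread.
    """
    block = {}
    while pos < len(tokens) and tokens[pos] != "}":
        key, sep = tokens[pos], tokens[pos + 1]
        if sep == "{":                       # nested block
            value, pos = _parse_block(tokens, pos + 2)
            pos += 1                         # step over its closing brace
        elif sep == "=":                     # one or more comma-separated values
            values, pos = [], pos + 2
            while True:
                values.append(tokens[pos].strip('"'))
                pos += 1
                if tokens[pos] == ";":
                    pos += 1
                    break
                if tokens[pos] != ",":
                    raise ValueError(f"expected ',' or ';' after {values[-1]!r}")
                pos += 1
            value = values[0] if len(values) == 1 else values
        else:
            raise ValueError(f"unexpected token {sep!r} after {key!r}")
        block[key] = value
    return block, pos


def parse_vpncfg(text):
    """Return the file as nested dicts, e.g. tree['vpncfg']['connections']['name']."""
    tokens = tokenize(text)
    tree, pos = _parse_block(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced braces in vpncfg")
    return tree


def _algs(value):
    """Split a phase1ss/phase2ss string such as 'esp-3des-sha/ah-no/comp-no/pfs'."""
    return set(re.split(r"[/-]", value.lower()))


def audit_connection(conn):
    """Return (code, message) pairs for weak or risky settings in one connection."""
    findings = []
    if (conn.get("mode") == "phase1_mode_aggressive"
            and conn.get("keytype") == "connkeytype_pre_shared"):
        findings.append(("aggressive-psk", "IKEv1 aggressive mode sends the PSK-based "
                         "authentication hash before encryption starts, so a captured "
                         "exchange allows offline guessing of the PSK"))
    for field in ("phase1ss", "phase2ss"):
        algs = _algs(conn.get(field, ""))
        if "3des" in algs:
            findings.append(("3des", f"{field}: 3DES has a 64-bit block (Sweet32) and is deprecated"))
        if "sha" in algs:
            findings.append(("sha1", f"{field}: SHA-1; prefer SHA-256 where the peer supports it"))
    if "pfs" not in _algs(conn.get("phase2ss", "")):
        findings.append(("no-pfs", "phase2ss: without PFS a recovered IKE key exposes every child SA"))
    if conn.get("use_nat_t") == "no":
        findings.append(("nat-t-off", "use_nat_t = no: ESP will not pass a NAT on either side"))
    if "key" in conn:
        findings.append(("psk-in-file", "the PSK is stored in clear; protect the file like a private key"))
    return findings


def audit_file(text):
    """Map connection name -> findings for a whole vpncfg file."""
    conn = parse_vpncfg(text)["vpncfg"]["connections"]
    return {conn.get("name", "?"): audit_connection(conn)}


if __name__ == "__main__":
    for name, findings in audit_file(SAMPLE_VPNCFG).items():
        print(name)
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it against your own export (`python3 vpncfg_audit.py` after replacing `SAMPLE_VPNCFG` with the file contents, or call `audit_file(open(path).read())`). On the posted configuration it reports aggressive mode with PSK, 3DES in both phases, SHA-1 in both phases, NAT-T off and the PSK in the file; PFS is present, so that check stays silent. Whether the Fritz!Box firmware accepts stronger proposals for a given peer has to be tested on the box itself, which the poster's "try both" remark about the hash already hints at.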

