    Netgate Discussion Forum
    IPSec dead since 2.3.1

    IPsec
    timo wrote:

      Since the upgrade to version 2.3.1 (and newer; currently 2.3.1-RELEASE-p1 is installed) it isn't possible to connect from one pfSense to another pfSense using IPSec:

      • IPSec from a PFSense to another device (e.g. Fritz.Box from AVM) works fine.
      • IPSec from a pfSense to a pfSense is broken (tested three endpoints):

          May 29 08:26:31  charon  09[IKE] <con7000|15> received AUTHENTICATION_FAILED error notify
          May 29 08:26:31  charon  09[ENC] <con7000|15> parsed INFORMATIONAL_V1 request 1039777267 [ N(AUTH_FAILED) ]
          May 29 08:26:31  charon  09[NET] <con7000|15> received packet: from 109.230.xxx.xx[500] to 192.168.xxx.xx[500] (56 bytes)
          May 29 08:26:30  charon  09[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
          May 29 08:26:30  charon  09[IKE] <con7000|15> sending retransmit 1 of request message ID 0, seq 1
          May 29 08:26:26  charon  11[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
          May 29 08:26:26  charon  11[ENC] <con7000|15> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
          May 29 08:26:26  charon  11[IKE] <con7000|15> initiating Aggressive Mode IKE_SA con7000[15] to 109.230.xxx.xx
          May 29 08:26:26  charon  09[KNL] creating acquire job for policy 192.168.xxx.xx/32|/0 === 109.230.xxx.xx/32|/0 with reqid {15}

      • The config hasn't been changed since version 2.2 of pfSense.
      • I also tried disabling all IPSec entries and creating new ones; same issue, the connection didn't come up.

      Any Ideas?

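      The charon lines above are the usual place to start when a pfSense-to-pfSense tunnel stops negotiating. The following script is an added example (not from the poster or from pfSense) that parses that exact log format, groups lines by IKE_SA, and reports what the exchange shows: here an Aggressive Mode initiation, one retransmit, and an AUTH_FAILED notify from the peer, which means Phase 1 reached the peer but authentication was rejected, so the pre-shared key and the identifier settings on both ends are the first things to compare. The sample log is constructed from the post's lines (reordered oldest-first, with the poster's redacted addresses kept); the regular expression is an assumption about the log layout, not a strongSwan API.

```python
import re

# Constructed sample: the charon lines quoted in the post above, reordered oldest-first.
# The addresses keep the poster's redaction (xxx); nothing here is a real host.
SAMPLE_LOG = """\
May 29 08:26:26 charon 09[KNL] creating acquire job for policy 192.168.xxx.xx/32|/0 === 109.230.xxx.xx/32|/0 with reqid {15}
May 29 08:26:26 charon 11[IKE] <con7000|15> initiating Aggressive Mode IKE_SA con7000[15] to 109.230.xxx.xx
May 29 08:26:26 charon 11[ENC] <con7000|15> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
May 29 08:26:26 charon 11[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
May 29 08:26:30 charon 09[IKE] <con7000|15> sending retransmit 1 of request message ID 0, seq 1
May 29 08:26:30 charon 09[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
May 29 08:26:31 charon 09[NET] <con7000|15> received packet: from 109.230.xxx.xx[500] to 192.168.xxx.xx[500] (56 bytes)
May 29 08:26:31 charon 09[ENC] <con7000|15> parsed INFORMATIONAL_V1 request 1039777267 [ N(AUTH_FAILED) ]
May 29 08:26:31 charon 09[IKE] <con7000|15> received AUTHENTICATION_FAILED error notify
"""

# One charon line (assumed layout): timestamp, "charon", thread[SUBSYSTEM],
# an optional <connection|ike_sa> tag, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*)?(?P<msg>.*)$"
)


def parse_charon(text):
    """Return a list of dicts, one per line that matches the charon format."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarise_ike_sas(text):
    """Group lines by (connection, IKE_SA number) and record how each negotiation went."""
    sas = {}
    for rec in parse_charon(text):
        if rec["conn"] is None:          # e.g. the [KNL] acquire line carries no SA tag
            continue
        key = (rec["conn"], int(rec["sa"]))
        s = sas.setdefault(key, {"mode": None, "peer": None, "retransmits": 0,
                                 "notifies": [], "auth_failed": False})
        msg = rec["msg"]
        m = re.search(r"initiating (\w+ Mode) IKE_SA \S+ to (\S+)", msg)
        if m:
            s["mode"], s["peer"] = m.group(1), m.group(2)
        if msg.startswith("sending retransmit"):
            s["retransmits"] += 1
        s["notifies"].extend(re.findall(r"N\(([A-Z_]+)\)", msg))   # e.g. N(AUTH_FAILED)
        if "AUTHENTICATION_FAILED" in msg:
            s["auth_failed"] = True
    return sas


def triage(sas):
    """Plain-language verdict per IKE_SA: what the log shows and which settings to compare first."""
    verdicts = {}
    for (conn, sa), s in sas.items():
        if s["auth_failed"]:
            verdicts[f"{conn}|{sa}"] = (
                f"{s['mode']} to {s['peer']}: peer replied AUTH_FAILED after "
                f"{s['retransmits']} retransmit(s). Phase 1 reached the peer but authentication "
                "was rejected: compare the pre-shared key and the My/Peer identifier settings on both ends."
            )
        else:
            verdicts[f"{conn}|{sa}"] = f"{s['mode']} to {s['peer']}: no authentication failure logged"
    return verdicts


if __name__ == "__main__":
    for sa_id, verdict in triage(summarise_ike_sas(SAMPLE_LOG)).items():
        print(sa_id, "->", verdict)
```

      Feed it the IPsec log from Status -> System Logs (oldest line first) instead of SAMPLE_LOG; tunnels that fail before the peer answers at all show up with retransmits and no notify, which points at reachability or a UDP/500 block rather than authentication.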
        timo wrote:

        After setting the following values under System -> Advanced -> System Tunables:

            net.inet.raw.maxdgram 131072
            net.inet.raw.recvspace 131072
            net.raw.sendspace 65535
            net.raw.recvspace 65535


        the VPN comes up, but now it is very slow.

        Before, on version 2.2.6, the traffic rate was 1,2-1,6 MB/s; now it is 350 KB/s at maximum.

        Does anybody have an idea how to get the transfer speed up again?

          kobold-meb wrote:

          Hello, after trying some configurations I found the following config working with PFS 2.3.1 and a Fritzbox 7490 (06.55-33668 BETA):

          Assuming the following Values:
          PFS IP: 10.0.10.1
          PFS Network: 10.0.10.0/24
          PFS EXTERN IP: 217.0.0.217

          FB IP: 192.168.10.1
          FB Network: 192.168.10.0/24
          FB DDNS Name: abcd.myfritz.net

          PSK: same_most_secret_password_as_in_PFS

          Fritzbox VPN Import File:

          /*
           * Path_to_Fritzbox_VPN_config_file.cfg
           * Timestamp
           */

          vpncfg {
                  connections {
                          enabled = yes;
                          conn_type = conntype_lan;
                          name = "VPN_fancy_name";      <<< VPN Name
                          always_renew = yes;
                          reject_not_encrypted = no;
                          dont_filter_netbios = yes;
                          localip = 0.0.0.0;
                          local_virtualip = 0.0.0.0;
                          remoteip = 217.0.0.217;              <<< External IP of PFS
                          remote_virtualip = 0.0.0.0;
                          keepalive_ip = 10.0.10.1;            <<< Private IP of PFS (usually default gateway IP of local PFS network)
                          localid {
                                  fqdn = "abcd.myfritz.net";    <<< external FQDN e.g. MyFritz ID
                          }
                          remoteid {
                                  ipaddr = 217.0.0.217;          <<< External IP of PFS
                          }
                          mode = phase1_mode_aggressive;
                          phase1ss = "def/3des/sha";
                          keytype = connkeytype_pre_shared;
                          key = "same_most_secret_password_as_in_PFS";  <<< Pre-Shared-Password
                          cert_do_server_auth = no;
                          use_nat_t = no;
                          use_xauth = no;
                          use_cfgmode = no;
                          phase2localid {
                                  ipnet {
                                          ipaddr = 192.168.10.0;  <<< Private Network of Fritzbox
                                          mask = 255.255.255.0;
                                  }
                          }
                          phase2remoteid {
                                  ipnet {
                                          ipaddr = 10.0.10.0;        <<< Private Network of PFS
                                          mask = 255.255.255.0;
                                  }
                          }
                          phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
                          accesslist = "permit ip any 10.0.10.0 255.255.255.0";
                  }
                  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                      "udp 0.0.0.0:4500 0.0.0.0:4500";
          }

          // EOF

          Config within PFS 2.3.1:

          ===============
          Phase 1 - General Information
          Disabled: off
          Key Exchange version : V1
          Internet Protocol: IPv4
          Interface: WAN
          Remote Gateway: abcd.myfritz.net    <<< external FQDN e.g. MyFritz ID
          Description: VPN Name

          Phase 1 Proposal (Authentication)
          Authentication Method: Mutual PSK
          Negotiation mode: Aggressive
          My identifier: My IP address
          Peer identifier: Distinguished name  /  abcd.myfritz.net      <<< external FQDN e.g. MyFritz ID
          Pre-Shared Key: same_most_secret_password_as_in_PFS  <<< Shared Password

          Phase 1 Proposal (Algorithms)
          Encryption Algorithm: 3DES
          Hash Algorithm: SHA256  or SHA1  (try both, one should work!)
          DH Group: 1 (768 bit)
          Lifetime (Seconds): 3600

          Phase 1 - Advanced Options
          Disable rekey: off
          Responder Only: off
          NAT Traversal: auto
          Dead Peer Detection: on
          Delay: 10
          Max failures: 5

          ---

          Phase 2 - General Information
          Disabled: off
          Mode: Tunnel IPv4
          Local Network: LAN subnet
          NAT/BINAT translation: none
          Remote Network: Network / 192.168.10.0 / 24
          Description: VPN Name

          Phase 2 Proposal (SA/Key Exchange)
          Protocol: ESP
          Encryption Algorithms: AES / 256 bits  and 3DES
          Hash Algorithms: SHA1
          PFS key group: 1 (768 bit)
          Lifetime: 3600

          Phase 2 - Advanced Configuration
          Automatically ping host: 192.168.10.1  <<< Private IP of Fritzbox

          I did not try to find the most secure VPN settings possible, but this config works for my needs.
          I use more than one VPN on both sides.
          This setup works on the Fritzbox in combination with single-user VPNs and additional Fritzbox-to-Fritzbox connections.

          If anyone has ideas for changing settings to increase the security level, please let me know.

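          Since the poster asks which settings to change for a higher security level, here is an added example (not the poster's code and not a pfSense or AVM tool) that reads the algorithm-related lines of the vpncfg fragment above, transcribes the pfSense Phase 1/Phase 2 settings into plain dicts, and flags the choices that current IPsec guidance rates as weak: 3DES, SHA-1, DH group 1 (768-bit) and Aggressive Mode with a pre-shared key. The mapping of the vpncfg token `sha` to SHA-1 is an assumption, as is the token-splitting of `phase1ss`/`phase2ss`; the Fritzbox DH group is not visible in the posted fragment, so the DH finding comes only from the pfSense side. The alternatives it prints are the general recommendation (AES-256 or AES-GCM, SHA-256, DH group 14 or higher, Main Mode or IKEv2), and whether a given Fritzbox firmware accepts them has to be checked on the device.

```python
import re

# Constructed input: the algorithm-related lines of the Fritzbox vpncfg from the post above.
FRITZBOX_CFG = """
mode = phase1_mode_aggressive;
phase1ss = "def/3des/sha";
keytype = connkeytype_pre_shared;
phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
"""

# The pfSense side, transcribed from the post into plain dicts (constructed; no pfSense API involved).
PFSENSE_P1 = {"negotiation_mode": "aggressive", "auth": "psk",
              "encryption": "3des", "hash": "sha1", "dh_group": 1}
PFSENSE_P2 = {"encryption": ["aes256", "3des"], "hash": ["sha1"], "pfs_group": 1}

# Token -> (severity, reason, stronger alternative). Token spellings follow the page.
WEAK_TOKENS = {
    "3des": ("high", "3DES has a 64-bit block (Sweet32) and is deprecated", "AES-256 or AES-GCM"),
    "sha": ("medium", "'sha' in vpncfg is assumed to mean SHA-1, which is being retired for IPsec integrity", "SHA-256"),
    "sha1": ("medium", "HMAC-SHA1 is being retired for IPsec integrity", "SHA-256"),
    "dh1": ("high", "DH group 1 (768-bit MODP) is too small to resist a well-funded attacker", "DH group 14 (2048-bit) or higher"),
    "aggressive": ("high", "Aggressive Mode with PSK exposes the PSK-derived hash to offline guessing", "Main Mode or IKEv2"),
}


def parse_vpncfg(cfg_text):
    """Return the key = value pairs of a vpncfg fragment, quotes and semicolons stripped."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^";]+)"?\s*;', cfg_text, re.M))


def fritzbox_tokens(cfg_text):
    """Algorithm and mode tokens used by the Fritzbox side (assumed '/' and '-' separated)."""
    kv = parse_vpncfg(cfg_text)
    tokens = set()
    if kv.get("mode", "").endswith("aggressive") and kv.get("keytype", "").endswith("pre_shared"):
        tokens.add("aggressive")
    for key in ("phase1ss", "phase2ss"):
        tokens.update(t.lower() for t in re.split(r"[/-]", kv.get(key, "")) if t)
    return tokens


def pfsense_tokens(p1, p2):
    """Algorithm and mode tokens used by the pfSense side."""
    tokens = {p1["encryption"], p1["hash"], f"dh{p1['dh_group']}", f"dh{p2['pfs_group']}"}
    tokens.update(p2["encryption"])
    tokens.update(p2["hash"])
    if p1["negotiation_mode"] == "aggressive" and p1["auth"] == "psk":
        tokens.add("aggressive")
    return tokens


def audit(tokens):
    """Sorted list of (severity, token, reason, alternative) for every weak token present."""
    return sorted((WEAK_TOKENS[t][0], t, WEAK_TOKENS[t][1], WEAK_TOKENS[t][2])
                  for t in tokens if t in WEAK_TOKENS)


if __name__ == "__main__":
    for side, toks in (("Fritzbox", fritzbox_tokens(FRITZBOX_CFG)),
                       ("pfSense", pfsense_tokens(PFSENSE_P1, PFSENSE_P2))):
        print(side)
        for sev, tok, why, alt in audit(toks):
            print(f"  [{sev}] {tok}: {why}; prefer {alt}")
```

          Both sides must still agree on a common proposal, so any change has to be made in matching pairs: a stronger cipher on pfSense alone reproduces the AUTH_FAILED/no-proposal situation from the first post rather than improving anything.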