IPSec dead since 2.3.1
-
Since upgrading to version 2.3.1 (and newer; currently 2.3.1-RELEASE-p1 is installed) it isn't possible to connect from one PFSense to another PFSense using IPSec:
- IPSec from a PFSense to another device (e.g. Fritz.Box from AVM) works fine.
- IPSec from a PFSense to a PFSense is broken (tested three endpoints):
May 29 08:26:31 charon 09[IKE] <con7000|15> received AUTHENTICATION_FAILED error notify
May 29 08:26:31 charon 09[ENC] <con7000|15> parsed INFORMATIONAL_V1 request 1039777267 [ N(AUTH_FAILED) ]
May 29 08:26:31 charon 09[NET] <con7000|15> received packet: from 109.230.xxx.xx[500] to 192.168.xxx.xx[500] (56 bytes)
May 29 08:26:30 charon 09[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
May 29 08:26:30 charon 09[IKE] <con7000|15> sending retransmit 1 of request message ID 0, seq 1
May 29 08:26:26 charon 11[NET] <con7000|15> sending packet: from 192.168.xxx.xx[500] to 109.230.xxx.xx[500] (380 bytes)
May 29 08:26:26 charon 11[ENC] <con7000|15> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
May 29 08:26:26 charon 11[IKE] <con7000|15> initiating Aggressive Mode IKE_SA con7000[15] to 109.230.xxx.xx
May 29 08:26:26 charon 09[KNL] creating acquire job for policy 192.168.xxx.xx/32|/0 === 109.230.xxx.xx/32|/0 with reqid {15}
- The config wasn't changed since version 2.2 of PFSense.
- I also tried disabling all IPSec entries and creating new ones - same issue, the connection didn't come up.
Any ideas?
-
After setting the following settings at System -> Advanced -> System Tunables:
net.inet.raw.maxdgram 131072
net.inet.raw.recvspace 131072
net.raw.sendspace 65535
net.raw.recvspace 65535
the VPN comes up. But now it is very slow.
Before, on version 2.2.6, there was a traffic rate of 1.2-1.6 MB/s; now it is 350 KB/s at maximum.
Does anybody have an idea how to get the transfer speed up again?
-
Hello, after trying some configurations I found the following config working with PFS 2.3.1 and Fritzbox 7490 (06.55-33668 BETA):
Assuming the following values:
PFS IP: 10.0.10.1
PFS Network: 10.0.10.0/24
PFS EXTERN IP: 217.0.0.217
FB IP: 192.168.10.1
FB Network: 192.168.10.0/24
FB DDNS Name: abcd.myfritz.net
PSK: same_most_secret_password_as_in_PFS
Fritzbox VPN Import File:
/*
 * Path_to_Fritzbox_VPN_config_file.cfg
 * Timestamp
 */
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "VPN_fancy_name";                        // VPN Name
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 217.0.0.217;                         // External IP of PFS
        remote_virtualip = 0.0.0.0;
        keepalive_ip = 10.0.10.1;                       // Private IP of PFS (usually default gateway IP of local PFS network)
        localid {
            fqdn = "abcd.myfritz.net";                  // external FQDN e.g. MyFritz ID
        }
        remoteid {
            ipaddr = 217.0.0.217;                       // External IP of PFS
        }
        mode = phase1_mode_aggressive;
        phase1ss = "def/3des/sha";
        keytype = connkeytype_pre_shared;
        key = "same_most_secret_password_as_in_PFS";    // Pre-Shared-Password
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;                  // Private Network of Fritzbox
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.0.10.0;                     // Private Network of PFS
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
        accesslist = "permit ip any 10.0.10.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF
Config within PFS 2.3.1:
===============
Phase 1 - General Information
Disabled: off
Key Exchange version: V1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: abcd.myfritz.net <<< external FQDN e.g. MyFritz ID
Description: VPN Name

Phase 1 Proposal (Authentication)
Authentication Method: Mutual PSK
Negotiation mode: Aggressive
My identifier: My IP address
Peer identifier: Distinguished name / abcd.myfritz.net <<< external FQDN e.g. MyFritz ID
Pre-Shared Key: same_most_secret_password_as_in_PFS <<< Shared Password

Phase 1 Proposal (Algorithms)
Encryption Algorithm: 3DES
Hash Algorithm: SHA256 or SHA1 (try both, one should work!)
DH Group: 1 (768 bit)
Lifetime (Seconds): 3600

Phase 1 - Advanced Options
Disable rekey: off
Responder Only: off
NAT Traversal: auto
Dead Peer Detection: on
Delay: 10
Max failures: 5
---
Phase 2 - General Information
Disabled: off
Mode: Tunnel IPv4
Local Network: LAN subnet
NAT/BINAT translation: none
Remote Network: Network / 192.168.10.0 / 24
Description: VPN Name

Phase 2 Proposal (SA/Key Exchange)
Protocol: ESP
Encryption Algorithms: AES / 256 bits and 3DES
Hash Algorithms: SHA1
PFS key group: 1 (768 bit)
Lifetime: 3600

Phase 2 - Advanced Configuration
Automatically ping host: 192.168.10.1 <<< Private IP of Fritzbox

I did not try to find the most secure VPN settings possible, but this config works for my needs.
I use more than one VPN on both sides.
This setup works on the Fritzbox in combination with single-user VPNs and additional Fritzbox-Fritzbox connections.
If anyone has ideas for changing settings to increase the security level, please let me know.
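As an added example (not from this thread, nor code from AVM or pfSense), the following Python checker parses a FRITZ!Box vpncfg export of the shape shown above and compares it against the pfSense phase 1 / phase 2 settings, listing the mismatches that typically end in the AUTHENTICATION_FAILED notify from the first post. Assumptions: the pfSense values are copied by hand into a dict (no pfSense export is parsed), the config excerpt is constructed, and the FRITZ!Box proposal token `sha` denotes SHA-1.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,]+')
FRITZ_CFG = """/* constructed FRITZ!Box vpncfg excerpt, same shape as the export in the post */
vpncfg {
  connections {
    remoteip = 217.0.0.217;  remoteid { ipaddr = 217.0.0.217; }
    localid { fqdn = "abcd.myfritz.net"; }
    mode = phase1_mode_aggressive;  phase1ss = "def/3des/sha";
    key = "same_most_secret_password_as_in_PFS";
    phase2localid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr = 10.0.10.0; mask = 255.255.255.0; } }
    phase2ss = "esp-3des-sha/ah-no/comp-no/pfs";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}"""
# pfSense side as typed into the GUI in the post (constructed dict, not a pfSense export)
PFSENSE = {'wan_ip': '217.0.0.217', 'peer_id': 'abcd.myfritz.net', 'aggressive': True, 'p1_enc': '3des',
           'p1_hash': 'sha1', 'psk': 'same_most_secret_password_as_in_PFS', 'p2_pfs': True,
           'local_net': '10.0.10.0/24', 'remote_net': '192.168.10.0/24', 'p2_enc': {'aes256', '3des'}, 'p2_hash': {'sha1'}}
def parse_vpncfg(text):  # brace/semicolon format -> nested dicts; multi-valued keys -> lists
    toks = TOKEN.findall(re.sub(r'/\*.*?\*/|//[^\n]*', '', text, flags=re.S))
    stack, cur, i = [], {}, 0
    while i < len(toks):
        if toks[i] == '}':                                    # close section
            cur, i = stack.pop(), i + 1
        elif toks[i + 1] == '{':                              # open nested section
            stack.append(cur); cur = cur.setdefault(toks[i], {}); i += 2
        else:                                                 # key = v1[, v2 ...];
            j = toks.index(';', i)
            vals = [t.strip('"') for t in toks[i + 2:j] if t != ',']
            cur[toks[i]] = vals[0] if len(vals) == 1 else vals
            i = j + 1
    return cur
def cidr(ipnet):  # {'ipaddr': '192.168.10.0', 'mask': '255.255.255.0'} -> '192.168.10.0/24'
    return ipnet['ipaddr'] + '/%d' % sum(bin(int(o)).count('1') for o in ipnet['mask'].split('.'))

def check_pair(fritz, pf):  # settings that differ between the two ends; [] means they line up
    c = fritz['vpncfg']['connections']
    p1, p2 = c['phase1ss'].split('/'), c['phase2ss'].split('/')  # "def/3des/sha", "esp-3des-sha/ah-no/comp-no/pfs"
    esp = p2[0].split('-')                                        # ['esp', '3des', 'sha']
    norm = lambda h: 'sha1' if h == 'sha' else h                  # assumption: FRITZ!Box 'sha' denotes SHA-1
    checks = [(c['remoteip'] == c['remoteid']['ipaddr'] == pf['wan_ip'], 'remote IP vs pfSense WAN IP'),
              (c['localid']['fqdn'] == pf['peer_id'], 'FRITZ localid vs pfSense peer identifier'),
              (c['key'] == pf['psk'], 'pre-shared key'),
              (('aggressive' in c['mode']) == pf['aggressive'], 'phase 1 negotiation mode'),
              (p1[1] == pf['p1_enc'] and norm(p1[2]) == pf['p1_hash'], 'phase 1 proposal'),
              (esp[1] in pf['p2_enc'] and norm(esp[2]) in pf['p2_hash'], 'phase 2 proposal'),
              (cidr(c['phase2localid']['ipnet']) == pf['remote_net']
               and cidr(c['phase2remoteid']['ipnet']) == pf['local_net'], 'phase 2 networks not mirrored'),
              (('pfs' in p2) == pf['p2_pfs'], 'PFS on one side only')]
    return [msg for ok, msg in checks if not ok]
```

Under the stated assumption, entering SHA256 on the pfSense side (the "try both" option above) is reported as a 'phase 1 proposal' mismatch, while SHA1 passes.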