pfSense 2.3.2 IPsec VPN mobile configuration not correctly generated



  • Hi folks

    I noticed some issues with the 2.3.2 version and the web GUI when setting up a new mobile client IPsec configuration: all of them are lacking the 'remote subnet' information 'mobile client' in P2.

    After upgrading pfSense 2.3.x to 2.3.2, IPsec mobile client configs show the information and I'm able to connect.
    New setups miss the info (also in the XML backup file) and I'm not able to connect. Reproduced on multiple installations.

    (site to site ipsec vpns work perfectly, only affects mobile access)

    Does anybody have the same issue? How can I enter this in the web GUI / IPsec bug tracker of pfSense?

    Kind regards
    Jones


  • Rebel Alliance Developer Netgate

    I can't seem to reproduce this, but the wording is confusing. Can you provide more details about the exact procedure you are following and what shows in the GUI for a working setup compared to one that doesn't? Screenshots would be helpful.



  • Hi

    After enabling IPsec Mobile Support, I create the Phase 1 as the GUI asks me to do in the top yellow box.

    Adding P1:

    General Information
    • (disabled off)
    • V1
    • IPv4
    • WAN
    • (no description)

    Phase 1 Proposal (Authentication)
    • Mutual PSK + XAuth
    • Aggressive
    • My IP address
    • *** a pre-shared key

    Phase 1 Proposal (Algorithms)
    • AES - 256
    • SHA1
    • DH 2
    • 28800

    Advanced Options
    • (rekey off)
    • (responder off)
    • NAT auto
    • DPD on
    • Delay 10
    • Failures 5

    Pretty much the defaults except the Mutual PSK + XAuth setting.

    Then adding P2:

    General Information
    • (disabled off)
    • Tunnel IPv4
    • LAN Subnet
    • NAT none
    • (no description)

    Phase 2 Proposal (SA/Key Exchange)
    • ESP
    • AES - auto
    • SHA1
    • PFS off
    • 3600

    Advanced Configuration
    • (empty)

    All is saved and applied.
    Now the GUI shows the 'Remote Subnet' information as missing, like in the attached screenshot. This started around release 2.3.1.

    Thanks for any help!

    Jones



  • Rebel Alliance Developer Netgate

    Can you show the config.xml portion for that Phase 1/2? And the Mobile Clients tab settings. Normally a mobile client P2 would show "Mobile Client" in that spot, not a blank space.



  • Many thanks for looking into this.

    Attached the Mobile Config settings screenshot.

    The NOT working XML:

    <ipsec>
      <enable></enable>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
        <pool_address>10.0.44.0</pool_address>
        <pool_netbits>24</pool_netbits>
      </client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev1</iketype>
        <mode>aggressive</mode>
        <interface>wan</interface>
        <mobile></mobile>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data></peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>***</pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>xauth_psk_server</authentication_method>
        <descr></descr>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>***</uniqid>
        <mode>tunnel</mode>
        <reqid>2</reqid>
        <localid><type>lan</type></localid>
        <remoteid><type></type></remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>auto</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
      <uniqueids>yes</uniqueids>
    </ipsec>

    An old working XML:

    <ipsec>
      <enable></enable>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
        <pool_address>10.0.22.0</pool_address>
        <pool_netbits>24</pool_netbits>
      </client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev1</iketype>
        <mode>aggressive</mode>
        <interface>wan</interface>
        <mobile></mobile>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>any</peerid_type>
        <peerid_data></peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>***</pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>xauth_psk_server</authentication_method>
        <descr></descr>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>***</uniqid>
        <mode>tunnel</mode>
        <reqid>1</reqid>
        <localid><type>lan</type></localid>
        <remoteid><type>mobile</type></remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>auto</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
    </ipsec>

    I believe the V 2.3.2 (ev. 2.3.1) web GUI does not save all IPsec data correctly, as the <remoteid><type></type></remoteid> tag is generated empty.

    What do you think?

    Regards



  • Hi forum folks

    Today I was on a 2.3-RELEASE pfSense. Needed to add a Mobile Client IPsec tunnel. And I noticed that already the V 2.3.0 has this issue? I start to believe that probably I'm missing something in the Mobile Client setup?

    Regards
    Jones


  • Rebel Alliance Developer Netgate

    I was able to reproduce the GUI showing up that way on one of my test VMs, but it still works fine; I have no problems with it.

    The only difference in your XML is that it's missing a "mobile" in the P2 remote type. Try the attached patch using the System Patches package (path strip level = 2) and see if it helps. Edit/save a mobile P2 after applying.

    p2-mobile-type-diff.txt



    I can confirm the exact same issue; only modifying the XML config by hand seemed to fix this: "mobile" turns to empty when you save the config. This was one of multiple issues I had to deal with, so I fixed it and moved on; therefore I cannot recall if this was actually breaking the functionality, but I don't think it did.
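An added example, not code from this thread or from pfSense: a Python check that reads a config.xml backup, reports every Phase 2 bound to a mobile Phase 1 whose remote type is not "mobile" (the difference the Netgate developer points out above), and applies the by-hand config.xml edit mentioned in the previous post. The sample backup is constructed here, modelled on the fragments posted earlier in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup, modelled on the fragments posted above: ikeid 1 is a
# mobile P1 (pfSense stores the flag as an empty <mobile/>) whose P2 has the empty remote
# type this thread is about; ikeid 2 is a site-to-site tunnel that must be left alone.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <enable/>
  <client><enable/><pool_address>10.0.44.0</pool_address><pool_netbits>24</pool_netbits></client>
  <phase1><ikeid>1</ikeid><iketype>ikev1</iketype><mode>aggressive</mode><mobile/>
    <authentication_method>xauth_psk_server</authentication_method></phase1>
  <phase1><ikeid>2</ikeid><iketype>ikev2</iketype><remote-gateway>203.0.113.10</remote-gateway></phase1>
  <phase2><ikeid>1</ikeid><reqid>2</reqid><mode>tunnel</mode>
    <localid><type>lan</type></localid><remoteid><type/></remoteid></phase2>
  <phase2><ikeid>2</ikeid><reqid>1</reqid><mode>tunnel</mode><localid><type>lan</type></localid>
    <remoteid><type>network</type><address>192.168.50.0</address><netbits>24</netbits></remoteid></phase2>
</ipsec></pfsense>"""

def _mobile_p2_entries(ipsec):
    """Yield (phase2 element, current remote type) for every P2 bound to a mobile P1."""
    mobile_ikeids = {p1.findtext("ikeid") for p1 in ipsec.findall("phase1")
                     if p1.find("mobile") is not None}
    for p2 in ipsec.findall("phase2"):
        if p2.findtext("ikeid") in mobile_ikeids:
            yield p2, (p2.findtext("remoteid/type") or "").strip()

def find_broken_mobile_p2(config_xml):
    """List (ikeid, reqid, remote_type) for mobile P2s lacking <remoteid><type>mobile</type>."""
    root = ET.fromstring(config_xml)
    ipsec = root if root.tag == "ipsec" else root.find("ipsec")
    if ipsec is None:
        return []
    return [(p2.findtext("ikeid"), p2.findtext("reqid"), rtype)
            for p2, rtype in _mobile_p2_entries(ipsec) if rtype != "mobile"]

def fix_mobile_p2(config_xml):
    """Return the config with 'mobile' written into every broken remote type, i.e. the
    by-hand config.xml edit described in this thread. Diff the result before restoring it."""
    root = ET.fromstring(config_xml)
    ipsec = root if root.tag == "ipsec" else root.find("ipsec")
    for p2, rtype in _mobile_p2_entries(ipsec):
        if rtype == "mobile":
            continue
        remoteid = p2.find("remoteid")
        if remoteid is None:            # tag dropped entirely: recreate it
            remoteid = ET.SubElement(p2, "remoteid")
        type_el = remoteid.find("type")
        if type_el is None:
            type_el = ET.SubElement(remoteid, "type")
        type_el.text = "mobile"
    return ET.tostring(root, encoding="unicode")
```

Run it against a downloaded backup (Diagnostics > Backup & Restore) rather than the live /conf/config.xml, and compare the output with the original before restoring.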



  • I can confirm things are broken without the patch mentioned above.


  • Rebel Alliance Developer Netgate

    I went ahead and committed the above patch; it should be in 2.3.2_1.



  • Hi folks,

    thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voilà, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.

    Regards, jones



  • Hi,

    Using 2.3.2-RELEASE-p1 (amd64), I'm also missing the remote subnet in P2 for mobile clients.
    Current Base System 2.3.2_1

    Is this only missing from the GUI display, or does it affect the VPN functionality?

    The reason for asking is that I have an issue with the route on the client, which needs to be added manually after the VPN is connected when Win 10 is set not to use the default gateway, in order not to route Internet traffic over the VPN.

    The client does not know that traffic for the remote network is to be routed to the virtual IP assigned by pfSense unless the route is added manually after the VPN connection is established.

    I would like routing to happen automatically for mobile VPN users.

    Besides that it works like a charm.

    Thanks


  • Rebel Alliance Developer Netgate

    Routing is controlled only on the client side with IKEv2, the server side cannot influence what the client does.

    Win 10 changed the behavior recently. There is an option you have to change to make it route all traffic, or you can add a route using PowerShell. Search the forum; there has been some talk of it recently.



  • Thanks

    I can configure the routing manually on Win 10 after the VPN is connected and everything works.

    But the problem occurs because pfSense uses a virtual IP for mobile clients that is unknown to the client and not within the LAN network.

    Hence the client has no chance of making the route automatically.
    On our old firewall we use the server-side LAN network also for the virtual IP, but that seems to be a no-go with pfSense.
    But as mentioned, everything works when we add the route manually.


  • Rebel Alliance Developer Netgate

    That is completely off topic for this thread. Start a new thread if you'd like to discuss that.



  • @hauserjo:

    Hi folks,

    thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voilà, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.

    Regards, jones

    Did you make any change to the OS X system?
    I have been unable to connect to the VPN and use the Internet since upgrading from 2.2 to 2.3.2_1 with the OS X built-in IPsec.



  • Has this problem reappeared in 2.3.4-RELEASE-p1?

    @hauserjo:

    Hi

    After enabling IPsec Mobile Support, I create the Phase 1 as the GUI asks me to do in the top yellow box.

    Adding P1:

    General Information
    • (disabled off)
    • V1
    • IPv4
    • WAN
    • (no description)

    Phase 1 Proposal (Authentication)
    • Mutual PSK + XAuth
    • Aggressive
    • My IP address
    • *** a pre-shared key

    Phase 1 Proposal (Algorithms)
    • AES - 256
    • SHA1
    • DH 2
    • 28800

    Advanced Options
    • (rekey off)
    • (responder off)
    • NAT auto
    • DPD on
    • Delay 10
    • Failures 5

    Pretty much the defaults except the Mutual PSK + XAuth setting.

    Then adding P2:

    General Information
    • (disabled off)
    • Tunnel IPv4
    • LAN Subnet
    • NAT none
    • (no description)

    Phase 2 Proposal (SA/Key Exchange)
    • ESP
    • AES - auto
    • SHA1
    • PFS off
    • 3600

    Advanced Configuration
    • (empty)

    All is saved and applied.
    Now the GUI shows the 'Remote Subnet' information as missing, like in the attached screenshot. This started around release 2.3.1.

    Thanks for any help!

    Jones



  • Seems so, I have the same issue. The patch posted above cannot be applied. I have multiple P2s configured: LAN, WLAN, DMZ. I can only access the LAN subnet, and I have no idea why. I don't even know if my problem is related to this topic.