Netgate Discussion Forum

    Pfsense 2.3.2 ipsec vpn mobile configuration not correctly generated

    IPsec
    18 Posts 8 Posters 7.8k Views
      hauserjo

      Hi folks

      I noticed some issues with the 2.3.2 version and the web GUI when setting up a new mobile client IPsec configuration: all of them lack the 'remote subnet' information ('mobile client') in P2.

      After upgrading pfSense 2.3.x to 2.3.2, the IPsec mobile client configs show the information and I'm able to connect.
      New setups miss the info (also in the XML backup file) and I'm not able to connect. Reproduced on multiple installations.

      (Site-to-site IPsec VPNs work perfectly; this only affects mobile access.)

      Does anybody have the same issue? How can I enter this into the web GUI / IPsec bug tracker of pfSense?

      Kind regards
      Jones

        jimp (Rebel Alliance Developer, Netgate)

        I can't seem to reproduce this, but the wording is confusing. Can you provide more details about the exact procedure you are following and what shows in the GUI for a working setup compared to one that doesn't? Screenshots would be helpful.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          hauserjo

          Hi

          After enabling IPsec Mobile Support, I create the Phase 1 as the GUI asks me to do in the top yellow box.

          Adding P1:
          General Information

          • (disabled off)
          • V1
          • IPv4
          • WAN
          • (no description)
            Phase 1 Proposal (Authentication)
          • Mutual PSK + XAuth
          • Aggressive
          • My IP address
          • *** a pre-shared key
            Phase 1 Proposal (Algorithms)
          • AES - 256
          • SHA1
          • DH 2
          • 28800
            Advanced Options
          • (rekey off)
          • (responder off)
          • NAT auto
          • DPD on
          • Delay 10
          • Failures 5

          Pretty much the defaults except the Mutual PSK + XAuth setting.

          Then adding P2:
          General Information

          • (disabled off)
          • Tunnel IPv4
          • LAN Subnet
          • NAT none
          • (no description)
            Phase 2 Proposal (SA/Key Exchange)
          • ESP
          • AES - auto
          • SHA1
          • PFS off
          • 3600
            Advanced Configuration
          • (empty)

          All is saved and applied.
          Now the GUI shows the 'Remote Subnet' information as missing, like in the attached screenshot. This started around Release 2.3.1.

          Thanks for any help!

          Jones

          mobile-client-overview.jpg

            jimp (Rebel Alliance Developer, Netgate)

            Can you show the config.xml portion for that Phase 1/2? And the Mobile Clients tab settings. Normally a mobile client P2 would show "Mobile Client" in that spot, not a blank space.

              hauserjo

              Many thanks for looking into this.

              Attached the Mobile Config settings screenshot.

              The NOT working XML:

              <ipsec>
                <enable></enable>
                <client>
                  <enable></enable>
                  <user_source>Local Database</user_source>
                  <group_source>none</group_source>
                  <pool_address>10.0.44.0</pool_address>
                  <pool_netbits>24</pool_netbits>
                </client>
                <phase1>
                  <ikeid>1</ikeid>
                  <iketype>ikev1</iketype>
                  <mode>aggressive</mode>
                  <interface>wan</interface>
                  <mobile></mobile>
                  <protocol>inet</protocol>
                  <myid_type>myaddress</myid_type>
                  <myid_data></myid_data>
                  <peerid_type>peeraddress</peerid_type>
                  <peerid_data></peerid_data>
                  <encryption-algorithm>
                    <name>aes</name>
                    <keylen>256</keylen>
                  </encryption-algorithm>
                  <hash-algorithm>sha1</hash-algorithm>
                  <dhgroup>2</dhgroup>
                  <lifetime>28800</lifetime>
                  <pre-shared-key>***</pre-shared-key>
                  <private-key></private-key>
                  <certref></certref>
                  <caref></caref>
                  <authentication_method>xauth_psk_server</authentication_method>
                  <descr></descr>
                  <nat_traversal>on</nat_traversal>
                  <mobike>off</mobike>
                  <dpd_delay>10</dpd_delay>
                  <dpd_maxfail>5</dpd_maxfail>
                </phase1>
                <phase2>
                  <ikeid>1</ikeid>
                  <uniqid>***</uniqid>
                  <mode>tunnel</mode>
                  <reqid>2</reqid>
                  <localid><type>lan</type></localid>
                  <remoteid><type></type></remoteid> <!-- the remote type is written empty here; a mobile P2 should carry "mobile" -->
                  <protocol>esp</protocol>
                  <encryption-algorithm-option>
                    <name>aes</name>
                    <keylen>auto</keylen>
                  </encryption-algorithm-option>
                  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                  <pfsgroup>0</pfsgroup>
                  <lifetime>3600</lifetime>
                </phase2>
                <uniqueids>yes</uniqueids>
              </ipsec>

              An old working XML:

              <ipsec>
                <enable></enable>
                <client>
                  <enable></enable>
                  <user_source>Local Database</user_source>
                  <group_source>none</group_source>
                  <pool_address>10.0.22.0</pool_address>
                  <pool_netbits>24</pool_netbits>
                </client>
                <phase1>
                  <ikeid>1</ikeid>
                  <iketype>ikev1</iketype>
                  <mode>aggressive</mode>
                  <interface>wan</interface>
                  <mobile></mobile>
                  <protocol>inet</protocol>
                  <myid_type>myaddress</myid_type>
                  <myid_data></myid_data>
                  <peerid_type>any</peerid_type>
                  <peerid_data></peerid_data>
                  <encryption-algorithm>
                    <name>aes</name>
                    <keylen>256</keylen>
                  </encryption-algorithm>
                  <hash-algorithm>sha1</hash-algorithm>
                  <dhgroup>2</dhgroup>
                  <lifetime>28800</lifetime>
                  <pre-shared-key>***</pre-shared-key>
                  <private-key></private-key>
                  <certref></certref>
                  <caref></caref>
                  <authentication_method>xauth_psk_server</authentication_method>
                  <descr></descr>
                  <nat_traversal>on</nat_traversal>
                  <mobike>off</mobike>
                  <dpd_delay>10</dpd_delay>
                  <dpd_maxfail>5</dpd_maxfail>
                </phase1>
                <phase2>
                  <ikeid>1</ikeid>
                  <uniqid>***</uniqid>
                  <mode>tunnel</mode>
                  <reqid>1</reqid>
                  <localid><type>lan</type></localid>
                  <remoteid><type>mobile</type></remoteid>
                  <protocol>esp</protocol>
                  <encryption-algorithm-option>
                    <name>aes</name>
                    <keylen>auto</keylen>
                  </encryption-algorithm-option>
                  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                  <pfsgroup>0</pfsgroup>
                  <lifetime>3600</lifetime>
                </phase2>
              </ipsec>

              I believe the V 2.3.2 (ev. 2.3.1) web GUI does not save all IPsec data correctly, as the <remoteid><type> tag is generated empty.

              What do you think?

              Regards

              mobile-config.jpg

                hauserjo
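              As an added example (not code from this thread, from pfSense or from Netgate), here is a small offline check for the defect shown in the two XML dumps above. It parses a config.xml backup, finds every Phase 2 whose Phase 1 is flagged mobile, and reports those whose <remoteid><type> is not "mobile"; a second function applies the hand edit (filling in "mobile" where the type is missing or empty) and leaves any other remote type untouched. The sample config, the function names and the use of the empty <mobile> element as the "this P1 is mobile" marker are my own assumptions drawn from the XML posted above, not pfSense's documented API.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup, trimmed to the IPsec
# section. ikeid 1 is a mobile P1 (empty <mobile> element, as in the dumps above);
# its first P2 has the empty <remoteid><type> from the thread, its second is correct,
# and ikeid 2 is an ordinary site-to-site P1 that must be ignored by the check.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <client><enable></enable><pool_address>10.0.44.0</pool_address><pool_netbits>24</pool_netbits></client>
  <phase1><ikeid>1</ikeid><iketype>ikev1</iketype><interface>wan</interface><mobile></mobile>
    <authentication_method>xauth_psk_server</authentication_method></phase1>
  <phase1><ikeid>2</ikeid><iketype>ikev2</iketype><interface>wan</interface>
    <remote-gateway>203.0.113.10</remote-gateway></phase1>
  <phase2><ikeid>1</ikeid><reqid>2</reqid><mode>tunnel</mode>
    <localid><type>lan</type></localid><remoteid><type></type></remoteid></phase2>
  <phase2><ikeid>1</ikeid><reqid>3</reqid><mode>tunnel</mode>
    <localid><type>lan</type></localid><remoteid><type>mobile</type></remoteid></phase2>
  <phase2><ikeid>2</ikeid><reqid>4</reqid><mode>tunnel</mode>
    <localid><type>lan</type></localid>
    <remoteid><type>network</type><address>192.0.2.0</address><netbits>24</netbits></remoteid></phase2>
</ipsec></pfsense>"""


def _ipsec_section(root):
    """Accept either a whole <pfsense> backup or a bare <ipsec> fragment."""
    return root if root.tag == "ipsec" else root.find("ipsec")


def mobile_phase1_ikeids(ipsec):
    """ikeids of Phase 1 entries flagged as mobile (assumption: an empty <mobile> element)."""
    return {
        (p1.findtext("ikeid") or "").strip()
        for p1 in ipsec.findall("phase1")
        if p1.find("mobile") is not None
    }


def check_mobile_phase2(config_xml):
    """One finding per Phase 2 that belongs to a mobile Phase 1 but whose
    <remoteid><type> is not 'mobile' ('' means the element is missing or empty)."""
    ipsec = _ipsec_section(ET.fromstring(config_xml))
    if ipsec is None:
        return []
    mobile_ids = mobile_phase1_ikeids(ipsec)
    findings = []
    for p2 in ipsec.findall("phase2"):
        ikeid = (p2.findtext("ikeid") or "").strip()
        if ikeid not in mobile_ids:
            continue  # site-to-site P2: a network/address remote is expected there
        remote_type = (p2.findtext("remoteid/type") or "").strip()
        if remote_type != "mobile":
            findings.append({"ikeid": ikeid,
                             "reqid": (p2.findtext("reqid") or "").strip(),
                             "remote_type": remote_type})
    return findings


def repair_mobile_phase2(config_xml):
    """Write <remoteid><type>mobile</type></remoteid> where the type is missing or empty
    on a mobile Phase 2. Returns (serialised XML, number of entries changed). A non-empty
    type other than 'mobile' is reported by check_mobile_phase2 but not overwritten."""
    root = ET.fromstring(config_xml)
    ipsec = _ipsec_section(root)
    fixed = 0
    if ipsec is not None:
        mobile_ids = mobile_phase1_ikeids(ipsec)
        for p2 in ipsec.findall("phase2"):
            if (p2.findtext("ikeid") or "").strip() not in mobile_ids:
                continue
            remoteid = p2.find("remoteid")
            if remoteid is None:
                remoteid = ET.SubElement(p2, "remoteid")
            rtype = remoteid.find("type")
            if rtype is None:
                rtype = ET.SubElement(remoteid, "type")
            if not (rtype.text or "").strip():
                rtype.text = "mobile"
                fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    # Usage: python check_mobile_p2.py [config.xml]; with no path the constructed sample is used.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in check_mobile_phase2(xml_text):
        print("phase2 ikeid=%s reqid=%s has remoteid type %r (expected 'mobile')"
              % (f["ikeid"], f["reqid"], f["remote_type"]))
```

              Run it against a backup taken from Diagnostics > Backup & Restore before and after saving a mobile P2 in the GUI: an empty type in the output is the symptom the thread describes, and a non-empty type other than "mobile" on a mobile P2 is worth a look before restoring the repaired file.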

                Hi forum folks

                Today I was on a 2.3-RELEASE pfSense and needed to add a Mobile Client IPsec tunnel. And I noticed that V 2.3.0 already has this issue? I start to believe that I'm probably missing something in the Mobile Client setup?

                Regards
                Jones

                  jimp (Rebel Alliance Developer, Netgate)

                  I was able to reproduce the GUI showing up that way on one of my test VMs but it still works fine, I have no problems with it.

                  The only difference in your XML is that it's missing a "mobile" in the P2 remote type. Try the attached patch using the System Patches package (path strip level = 2) and see if it helps. Edit/save a mobile P2 after applying.

                  p2-mobile-type-diff.txt

                    owczi

                    I can confirm the exact same issue; only modifying the XML config by hand seemed to fix this, "mobile" turns to empty when you save the config. This was one of multiple issues I had to deal with, so I fixed it and moved on, therefore I cannot recall if this was actually breaking the functionality, but I don't think it did.

                      laffer1

                      I can confirm things are broken without the patch mentioned above.

                        jimp (Rebel Alliance Developer, Netgate)

                        I went ahead and committed the above patch; it should be in 2.3.2_1.

                          hauserjo

                          Hi folks,

                          thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voila, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.

                          Regards, jones

                            handersen

                            Hi,

                            Using 2.3.2-RELEASE-p1 (amd64) I'm also missing the remote subnet in P2 for mobile clients.
                            Current Base System 2.3.2_1

                            Is this only missing from the GUI display, or does it affect the VPN functionality?

                            The reason for asking is that I have an issue with the route on the client, which needs to be added manually after the VPN is connected when Win 10 is set not to use the default gateway (so that Internet traffic is not routed over the VPN).

                            The client does not know that traffic for the remote network is to be routed to the virtual IP assigned by pfSense unless the route is added manually after the VPN connection is established.

                            I would like routing to happen automatically for mobile VPN users.

                            Besides that, it works like a charm.

                            Thanks

                              jimp (Rebel Alliance Developer, Netgate)

                              Routing is controlled only on the client side with IKEv2, the server side cannot influence what the client does.

                              Win 10 changed the behavior recently. There is an option you have to change to make it route all traffic, or you can add a route using PowerShell. Search the forum; there has been some talk of it recently.

                                handersen

                                Thanks

                                I can configure the routing manually on Win 10 after the VPN is connected and everything works.

                                But the problem occurs because pfSense uses a virtual IP for mobile clients that is unknown to the client and not within the LAN network.

                                Hence the client has no chance of making the route automatically.
                                On our old firewall we used the server-side LAN network also for the virtual IP, but that seems to be a no-go with pfSense.
                                But as mentioned, everything works when we add the route manually.

                                  jimp (Rebel Alliance Developer, Netgate)

                                  That is completely off topic for this thread. Start a new thread if you'd like to discuss that.

                                    fgunno

                                    @hauserjo:

                                    Hi folks,

                                    thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voila, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.

                                    Regards, jones

                                    Did you make any change to the OS X system?
                                    I have been unable to connect to the VPN and use the Internet with the OS X built-in IPsec since upgrading from 2.2 to 2.3.2_1.

                                      mirage22

                                      Has this problem reappeared in 2.3.4-RELEASE-p1?

                                      @hauserjo:

                                      Hi

                                      After enabling IPsec Mobile Support, I create the Phase 1 as the GUI asks me to do in the top yellow box.

                                      Adding P1:
                                      General Information

                                      • (disabled off)
                                      • V1
                                      • IPv4
                                      • WAN
                                      • (no description)
                                        Phase 1 Proposal (Authentication)
                                      • Mutual PSK + XAuth
                                      • Aggressive
                                      • My IP address
                                      • *** a pre-shared key
                                        Phase 1 Proposal (Algorithms)
                                      • AES - 256
                                      • SHA1
                                      • DH 2
                                      • 28800
                                        Advanced Options
                                      • (rekey off)
                                      • (responder off)
                                      • NAT auto
                                      • DPD on
                                      • Delay 10
                                      • Failures 5

                                      Pretty much the defaults except the Mutual PSK + XAuth setting.

                                      Then adding P2:
                                      General Information

                                      • (disabled off)
                                      • Tunnel IPv4
                                      • LAN Subnet
                                      • NAT none
                                      • (no description)
                                        Phase 2 Proposal (SA/Key Exchange)
                                      • ESP
                                      • AES - auto
                                      • SHA1
                                      • PFS off
                                      • 3600
                                        Advanced Configuration
                                      • (empty)

                                      All is saved and applied.
                                      Now the GUI shows the 'Remote Subnet' information as missing, like in the attached screenshot. This started around Release 2.3.1.

                                      Thanks for any help!

                                      Jones

                                        nodau

                                        Seems so, I have the same issue. The patch posted above cannot be applied. I have multiple P2s configured: LAN, WLAN, DMZ. I can only access the LAN subnet, and I have no idea why. I don't even know if my problem is related to this topic.

                                        Norman

                                        virtualized pfSense 2.7.2 HA-Cluster on vsphere 8

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.