Trouble setting up IPSec (No Aggressive option?)



  • I'm following the IPSec roadwarrior howto at:
    https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    It indicates that under phase1 settings I should set:
    Negotiation mode: aggressive

    However, there is no such setting in phase1. Has this been removed?

    Connecting from Android fails and I suspect it's due to the above missing setting…

    Any help would be appreciated. Below are the logs!

    James

    Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[53375] to 76.14.18.240[500] (612 bytes)
    Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Dec 9 22:06:43 charon 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received XAuth vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received Cisco Unity vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received FRAGMENTATION vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> received DPD vendor ID
    Dec 9 22:06:43 charon 16[IKE] <1> 172.56.38.118 is initiating a Main Mode IKE_SA
    Dec 9 22:06:43 charon 16[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
    Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[500] to 172.56.38.118[53375] (136 bytes)
    Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[53375] to 76.14.18.240[500] (252 bytes)
    Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Dec 9 22:06:43 charon 16[IKE] <1> remote host is behind NAT
    Dec 9 22:06:43 charon 16[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[500] to 172.56.38.118[53375] (268 bytes)
    Dec 9 22:06:43 charon 16[NET] <1> received packet: from 172.56.38.118[25932] to 76.14.18.240[4500] (108 bytes)
    Dec 9 22:06:43 charon 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
    Dec 9 22:06:43 charon 16[CFG] <1> looking for XAuthInitPSK peer configs matching 76.14.18.240…172.56.38.118[21.251.173.190]
    Dec 9 22:06:43 charon 16[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
    Dec 9 22:06:43 charon 16[ENC] <1> generating INFORMATIONAL_V1 request 1402810885 [ HASH N(AUTH_FAILED) ]

    Dec 9 22:06:43 charon 16[NET] <1> sending packet: from 76.14.18.240[4500] to 172.56.38.118[25932] (108 bytes)
    Dec 9 22:13:31 charon 00[DMN] signal of type SIGINT received. Shutting down
    Dec 9 22:13:31 ipsec_starter 82271 charon stopped after 200 ms
    Dec 9 22:13:31 ipsec_starter 82271 ipsec starter stopped



  • Just realized that the "NAT Traversal: Force" option referenced in the HowTo is also missing…

    James


  • Rebel Alliance Developer Netgate

    Either you aren't following the how-to you linked, or you have chosen something incorrectly (e.g. picked IKEv2 not IKEv1)



  • I suspect there have been changes since the HowTo was created.

    Under "Phase 1" there is a new section called "General Information" and the HowTo does not mention how to configure it. There is a "Key Exchange version" setting and when I set it to V1, the "Negotiation Mode" option does appear.

    However, the "Policy Generation" and "Proposal Checking" settings still do not appear. Are these important?

    The Android settings, however, are quite different.
    "Type" should be "IPSec Xauth PSK"
    "server address" => your FQDN
    "ipsec identifier" => what you entered as your peer identifier
    "ipsec PSK" => your PSK
    "username" => username of the account you created in pfsense
    "password" => password of the account you created

    I managed to get it to connect but upload speeds are very very slow. I'll try to work that out another evening.

    James P A.K.A. Jim P


  • Rebel Alliance Developer Netgate

    Yes, that how-to is very old.

    "Policy generation" and "proposal checking" were settings from the (really) old IPsec daemon racoon, which hasn't been used since pfSense 2.1.x.

    Android has a bug that will likely prevent the style you're trying from working. You'd be better off trying IKEv2 and using the strongSwan app.



  • I see that IKEv2 is covered in the IPSEC section of the online pfsense book. Is that section current?

    Thanks,
    James


  • Rebel Alliance Developer Netgate

    If it talks about IKEv2, it's current.



  • It seems that for IKEv2 I need to create a Server Certificate which needs to include the IP address of the server. Since my server has a dynamic public IP address, it seems that I cannot use IKEv2 after all. Is that right?

    Thanks,
    James