Shrewsoft IPSEC with PFSense 2.3.2_1



  • Hello

    I've tried to configure the Mobile Client to work with the ShrewSoft Client. I found a lot of how-tos, but nothing seems to work. The problem still lies in Phase 1, and I guess there is a general problem on this device.

    That's all I get from the logs:

    Feb 9 09:16:21 charon 09[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (432 bytes)
    Feb 9 09:16:21 charon 09[IKE] <con2|8>sending retransmit 1 of response message ID 0, seq 1
    Feb 9 09:16:17 charon 16[IKE] <con2|8>AGGRESSIVE request with message ID 0 processing failed
    Feb 9 09:16:17 charon 16[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (68 bytes)
    Feb 9 09:16:17 charon 16[ENC] <con2|8>generating INFORMATIONAL_V1 request 794222943 [ HASH N(PLD_MAL) ]
    Feb 9 09:16:17 charon 16[IKE] <con2|8>message parsing failed
    Feb 9 09:16:17 charon 16[ENC] <con2|8>could not decrypt payloads
    Feb 9 09:16:17 charon 16[ENC] <con2|8>invalid HASH_V1 payload length, decryption failed?
    Feb 9 09:16:17 charon 16[NET] <con2|8>received packet: from 194.x.x.x[4500] to 128.x.x.x[4500] (100 bytes)
    Feb 9 09:16:17 charon 07[IKE] <con2|8>queueing INFORMATIONAL_V1 request as tasks still active
    Feb 9 09:16:17 charon 07[NET] <con2|8>received packet: from 194.x.x.x[4500] to 128.x.x.x[4500] (84 bytes)
    Feb 9 09:16:17 charon 07[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (432 bytes)
    Feb 9 09:16:17 charon 07[ENC] <con2|8>generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
    Feb 9 09:16:17 charon 07[CFG] <8> selected peer config "con2"
    Feb 9 09:16:17 charon 07[CFG] <8> looking for XAuthInitPSK peer configs matching 128.x.x.x…194.x.x.x[test]
    Feb 9 09:16:17 charon 07[IKE] <8> 194.x.x.x is initiating a Aggressive Mode IKE_SA
    Feb 9 09:16:17 charon 07[IKE] <8> received Cisco Unity vendor ID
    Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Feb 9 09:16:17 charon 07[IKE] <8> received DPD vendor ID
    Feb 9 09:16:17 charon 07[IKE] <8> received FRAGMENTATION vendor ID
    Feb 9 09:16:17 charon 07[IKE] <8> received NAT-T (RFC 3947) vendor ID
    Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
    Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 9 09:16:17 charon 07[IKE] <8> received XAuth vendor ID
    Feb 9 09:16:17 charon 07[ENC] <8> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
    Feb 9 09:16:17 charon 07[NET] <8> received packet: from 194.x.x.x[500] to 128.x.x.x[500] (492 bytes)

    It seems the pfSense is not able to decrypt the payload:
    Feb 9 09:16:17 charon 16[ENC] <con2|8>could not decrypt payloads
    Feb 9 09:16:17 charon 16[ENC] <con2|8>invalid HASH_V1 payload length, decryption failed?

    On the client side there is a "Phase1 sa rejected, invalid auth data" in the log. But "group" and PSK are the same on both sides. Any hints?

    My Config:
    User Authentication Local Database
    Group Authentication none
    Virtual Address Pool Provide a virtual IP address to clients =192.168.x.x/24
    Network List Provide a list of accessible networks to clients
    Save Xauth Password Allow clients to save Xauth passwords (Cisco VPN client only). NOTE: With iPhone clients, this does not work when deployed via the iPhone configuration utility, only by manual entry.
    DNS Default Domain no
    Split DNS no
    Provide a list of split DNS domain names to clients. Enter a space separated list.
    DNS Servers no
    WINS Servers no
    Phase2 PFS Group no
    Login Banner no

    Phase1

    Key Exchange version V1
    Internet Protocol IPv4
    Interface WAN
    Description Mobile VPN
    Authentication Method Mutual PSK + Xauth
    Negotiation mode Aggressive
    My identifier IP Address
    Peer identifier Distinguished name =test
    Pre-Shared Key =mykey
    Encryption Algorithm AES 256
    Hash Algorithm SHA1
    DH Group 2(1024bit)
    Lifetime (Seconds) 28800
    Disable rekey no
    Responder Only no
    NAT Traversal Force yes
    Enable DPD yes
    Delay 10
    Max failures 5

    Phase2
    Disabled no
    Mode Tunnel IPv4
    Local Network Lan subnet
    NAT/BINAT translation None
    Description empty
    Protocol ESP
    Enc.Algorithm AES Auto
    Hash Algorithms SHA1
    PFS key group off
    Lifetime 3600
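    Added example, not from the thread or from pfSense/strongSwan: the two symptoms quoted above (client: "invalid auth data"; gateway: "could not decrypt payloads") are both what appears when the two ends derive different Phase 1 keying material from the pre-shared key, because in IKEv1 (RFC 2409) both HASH_R and the key that encrypts the third aggressive-mode message descend from SKEYID = prf(PSK, Ni | Nr). The nonces, cookies, DH values and payload bytes below are constructed stand-ins; only the derivation itself follows the RFC, using SHA1 and a 32-byte AES-256 key as in the Phase 1 settings above.

```python
"""IKEv1 (RFC 2409) PSK keying material as each end of an aggressive-mode
exchange derives it. All exchange values are constructed, not captured."""
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, the prf for a Phase 1 with Hash Algorithm SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r, key_len=32):
    """RFC 2409 section 5.4 (SKEYID from PSK) and section 5 (SKEYID_d/a/e).
    key_len=32 matches AES-256; Appendix B expansion is needed because a
    SHA1 output (20 bytes) is shorter than the cipher key."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    if len(skeyid_e) >= key_len:
        enc_key = skeyid_e[:key_len]
    else:  # Appendix B: K1 = prf(SKEYID_e, 0), Kn = prf(SKEYID_e, Kn-1)
        blocks = [prf(skeyid_e, b"\x00")]
        while sum(len(b) for b in blocks) < key_len:
            blocks.append(prf(skeyid_e, blocks[-1]))
        enc_key = b"".join(blocks)[:key_len]
    return {"skeyid": skeyid, "skeyid_a": skeyid_a, "enc_key": enc_key}


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R (RFC 2409 section 5): the responder's authenticator, carried
    in aggressive-mode message 2 and verified by the initiator."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def compare_sides(psk_client: bytes, psk_gateway: bytes) -> dict:
    """Derive keys as client and gateway would from identical public exchange
    values, so the PSK each side holds is the only possible difference."""
    ni, nr = b"\x11" * 16, b"\x22" * 16            # constructed nonces
    cky_i, cky_r = b"\xaa" * 8, b"\xbb" * 8        # constructed ISAKMP cookies
    gxi, gxr, gxy = b"\x01" * 128, b"\x02" * 128, b"\x03" * 128  # DH stand-ins
    sai_b, idir_b = b"constructed-SA-payload", b"constructed-IDir-payload"
    c = ikev1_psk_keys(psk_client, ni, nr, gxy, cky_i, cky_r)
    g = ikev1_psk_keys(psk_gateway, ni, nr, gxy, cky_i, cky_r)
    return {
        # client accepts the gateway's HASH_R only if both SKEYIDs agree
        "hash_r_ok": hash_r(c["skeyid"], gxr, gxi, cky_r, cky_i, sai_b, idir_b)
        == hash_r(g["skeyid"], gxr, gxi, cky_r, cky_i, sai_b, idir_b),
        # gateway can decrypt message 3 only if both derived the same key
        "enc_key_ok": c["enc_key"] == g["enc_key"],
        "enc_key_len": len(g["enc_key"]),
    }
```

    With matching PSKs both checks pass; with a one-character difference both fail at once, which is the pairing of a rejected HASH_R on the client with an undecryptable payload on the gateway.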



  • That client is dead, I believe. I did get it to work, but had all sorts of issues with it. I just gave up on Mobile IPsec completely and went to OpenVPN. Works wonderfully.



  • It still works great for me, but you have to make sure of a couple of things - please look at this thread and it will work no problem - https://forum.pfsense.org/index.php?topic=125086.0



  • Yeah, ShrewSoft and the pfSense IPsec Mobile Client settings work. I built a testing environment and it worked like a charm (after some kinks), but this system seems not to be able to do so. I do not know why the system is not able to decrypt the payload. This is strange.



  • I had a working config, but after one of the recent pfSense updates it's no more. I can ping IPs but not domain names.