Netgate Discussion Forum

    Shrewsoft IPSEC with PFSense 2.3.2_1

    Category: IPsec
    5 Posts 4 Posters 1.8k Views
    • butme

      Hello

      I've tried to configure the Mobile Client to work with the ShrewSoft client. Found a lot of how-tos, but nothing seems to work. The problem still lies in Phase 1 and I guess there is a general problem on this device.

      That's all I get from the logs:

      Feb 9 09:16:21 charon 09[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (432 bytes)
      Feb 9 09:16:21 charon 09[IKE] <con2|8>sending retransmit 1 of response message ID 0, seq 1
      Feb 9 09:16:17 charon 16[IKE] <con2|8>AGGRESSIVE request with message ID 0 processing failed
      Feb 9 09:16:17 charon 16[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (68 bytes)
      Feb 9 09:16:17 charon 16[ENC] <con2|8>generating INFORMATIONAL_V1 request 794222943 [ HASH N(PLD_MAL) ]
      Feb 9 09:16:17 charon 16[IKE] <con2|8>message parsing failed
      Feb 9 09:16:17 charon 16[ENC] <con2|8>could not decrypt payloads
      Feb 9 09:16:17 charon 16[ENC] <con2|8>invalid HASH_V1 payload length, decryption failed?
      Feb 9 09:16:17 charon 16[NET] <con2|8>received packet: from 194.x.x.x[4500] to 128.x.x.x[4500] (100 bytes)
      Feb 9 09:16:17 charon 07[IKE] <con2|8>queueing INFORMATIONAL_V1 request as tasks still active
      Feb 9 09:16:17 charon 07[NET] <con2|8>received packet: from 194.x.x.x[4500] to 128.x.x.x[4500] (84 bytes)
      Feb 9 09:16:17 charon 07[NET] <con2|8>sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (432 bytes)
      Feb 9 09:16:17 charon 07[ENC] <con2|8>generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
      Feb 9 09:16:17 charon 07[CFG] <8> selected peer config "con2"
      Feb 9 09:16:17 charon 07[CFG] <8> looking for XAuthInitPSK peer configs matching 128.x.x.x…194.x.x.x[test]
      Feb 9 09:16:17 charon 07[IKE] <8> 194.x.x.x is initiating a Aggressive Mode IKE_SA
      Feb 9 09:16:17 charon 07[IKE] <8> received Cisco Unity vendor ID
      Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
      Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
      Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
      Feb 9 09:16:17 charon 07[IKE] <8> received DPD vendor ID
      Feb 9 09:16:17 charon 07[IKE] <8> received FRAGMENTATION vendor ID
      Feb 9 09:16:17 charon 07[IKE] <8> received NAT-T (RFC 3947) vendor ID
      Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Feb 9 09:16:17 charon 07[ENC] <8> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
      Feb 9 09:16:17 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Feb 9 09:16:17 charon 07[IKE] <8> received XAuth vendor ID
      Feb 9 09:16:17 charon 07[ENC] <8> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
      Feb 9 09:16:17 charon 07[NET] <8> received packet: from 194.x.x.x[500] to 128.x.x.x[500] (492 bytes)

      It seems pfSense is not able to decrypt the payload:
      Feb 9 09:16:17 charon 16[ENC] <con2|8>could not decrypt payloads
      Feb 9 09:16:17 charon 16[ENC] <con2|8>invalid HASH_V1 payload length, decryption failed?

      On the client side there is a "Phase1 sa rejected, invalid auth data" in the log. But "group" and PSK are the same on both sides. Any hints?

      My Config:
      User Authentication Local Database
      Group Authentication none
      Virtual Address Pool Provide a virtual IP address to clients =192.168.x.x/24
      Network List Provide a list of accessible networks to clients
      Save Xauth Password Allow clients to save Xauth passwords (Cisco VPN client only). NOTE: With iPhone clients, this does not work when deployed via the iPhone configuration utility, only by manual entry.
      DNS Default Domain no
      Split DNS no
      Provide a list of split DNS domain names to clients. Enter a space separated list.
      DNS Servers no
      WINS Servers no
      Phase2 PFS Group no
      Login Banner no

      Phase1

      Key Exchange version V1
      Internet Protocol IPv4
      Interface WAN
      Description Mobile VPN
      Authentication Method Mutual PSK + Xauth
      Negotiation mode Aggressive
      My identifier IP Address
      Peer identifier Distinguished name =test
      Pre-Shared Key =mykey
      Encryption Algorithm AES 256
      Hash Algorithm SHA1
      DH Group 2(1024bit)
      Lifetime (Seconds) 28800
      Disable rekey no
      Responder Only no
      NAT Traversal Force yes
      Enable DPD yes
      Delay 10
      Max failures 5

      Phase2
      Disabled no
      Mode Tunnel IPv4
      Local Network LAN subnet
      NAT/BINAT translation None
      Description empty
      Protocol ESP
      Enc.Algorithm AES Auto
      Hash Algorithms SHA1
      PFS key group off
      Lifetime 3600

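The following is an added example, not code from the thread, pfSense or strongSwan: a small Python triage script that parses charon log lines of the shape quoted above, groups them by IKE_SA number, and states what the "could not decrypt payloads" failure means, plus a lint over the Phase 1 settings listed in the post. The sample log and the settings dict are constructed from the thread's own lines (oldest first, redacted addresses kept). The verdict rule is a heuristic: in IKEv1 aggressive mode with PSK, the third message is the first encrypted one and its keys are derived from the PSK, so a PSK mismatch shows up on the responder as a decryption failure and on the client as "invalid auth data" rather than as a proposal mismatch.

```python
import re

# Constructed sample: the charon lines quoted in the thread, reordered oldest
# first (the forum shows newest first), with the thread's redacted addresses.
SAMPLE_LOG = """\
Feb 9 09:16:17 charon 07[NET] <8> received packet: from 194.x.x.x[500] to 128.x.x.x[500] (492 bytes)
Feb 9 09:16:17 charon 07[ENC] <8> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
Feb 9 09:16:17 charon 07[IKE] <8> received NAT-T (RFC 3947) vendor ID
Feb 9 09:16:17 charon 07[IKE] <8> 194.x.x.x is initiating a Aggressive Mode IKE_SA
Feb 9 09:16:17 charon 07[CFG] <8> looking for XAuthInitPSK peer configs matching 128.x.x.x...194.x.x.x[test]
Feb 9 09:16:17 charon 07[CFG] <8> selected peer config "con2"
Feb 9 09:16:17 charon 07[ENC] <con2|8> generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
Feb 9 09:16:17 charon 07[NET] <con2|8> sending packet: from 128.x.x.x[500] to 194.x.x.x[500] (432 bytes)
Feb 9 09:16:17 charon 07[NET] <con2|8> received packet: from 194.x.x.x[4500] to 128.x.x.x[4500] (84 bytes)
Feb 9 09:16:17 charon 16[ENC] <con2|8> invalid HASH_V1 payload length, decryption failed?
Feb 9 09:16:17 charon 16[ENC] <con2|8> could not decrypt payloads
Feb 9 09:16:17 charon 16[IKE] <con2|8> AGGRESSIVE request with message ID 0 processing failed
"""

# The thread's Phase 1 settings, transcribed for the linter below.
SAMPLE_PHASE1 = {
    "Negotiation mode": "Aggressive",
    "Authentication Method": "Mutual PSK + Xauth",
    "DH Group": "2(1024bit)",
    "Hash Algorithm": "SHA1",
}

# One charon line: "<Mon d HH:MM:SS> charon <thread>[<subsys>] <[conn|]sa> <msg>".
# The \s* after the closing angle bracket tolerates the lost space in the forum copy.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) charon "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$"
)

def parse_charon(text):
    """Return one dict per parseable line, keeping input order."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(m.groupdict())
    return out

def triage(entries):
    """Summarise each IKE_SA (by its charon number) and explain a Phase 1 failure."""
    sas = {}
    for e in entries:
        sa = sas.setdefault(e["sa"], {
            "conn": None, "mode": None, "auth": None, "peer_id": None,
            "resp_sent": False, "decrypt_failed": False,
            "verdict": "no Phase 1 failure seen",
        })
        msg = e["msg"]
        sa["conn"] = e["conn"] or sa["conn"]
        if "Aggressive Mode IKE_SA" in msg:
            sa["mode"] = "aggressive"
        elif "Main Mode IKE_SA" in msg:
            sa["mode"] = "main"
        m = re.search(r"looking for (\S+) peer configs matching .*\[(.*?)\]$", msg)
        if m:
            sa["auth"], sa["peer_id"] = m.group(1), m.group(2)
        if msg.startswith("generating AGGRESSIVE response"):
            sa["resp_sent"] = True
        # A decrypt failure after our response means message 3 of Phase 1
        # (the first encrypted one) was unreadable with the keys we derived.
        if sa["resp_sent"] and ("could not decrypt" in msg or "decryption failed?" in msg):
            sa["decrypt_failed"] = True
    for sa in sas.values():
        if sa["decrypt_failed"] and "PSK" in (sa["auth"] or ""):
            sa["verdict"] = (
                "Phase 1 message 3 did not decrypt: the keys both sides derive from "
                "the PSK differ. Check the PSK selected for peer identifier "
                f"{sa['peer_id']!r} on both ends before suspecting the device."
            )
        elif sa["decrypt_failed"]:
            sa["verdict"] = "Phase 1 message 3 did not decrypt; check authentication settings."
    return sas

def lint_phase1(cfg):
    """Flag Phase 1 choices a reviewer would question; returns a list of findings."""
    findings = []
    psk = "PSK" in cfg.get("Authentication Method", "")
    if cfg.get("Negotiation mode") == "Aggressive" and psk:
        findings.append("Aggressive mode + PSK: the responder's HASH is sent unencrypted "
                        "in message 2, which exposes the PSK to offline guessing; prefer "
                        "Main mode or certificate authentication where the client allows it")
    if cfg.get("DH Group", "").startswith("2("):
        findings.append("DH group 2 is 1024-bit MODP; use group 14 (2048-bit) or stronger")
    if cfg.get("Hash Algorithm") == "SHA1":
        findings.append("SHA1 as the IKE hash; prefer SHA256")
    return findings

# Usage: one verdict per IKE_SA seen in the sample.
REPORT = {sa: info["verdict"] for sa, info in triage(parse_charon(SAMPLE_LOG)).items()}
```

Run against the thread's lines, IKE_SA 8 is reported with connection con2, aggressive mode, XAuthInitPSK and peer identifier test, and the verdict points at the PSK selected for that identifier; the lint returns three findings for the listed Phase 1 settings. The parser keys on the `<conn|sa>` tag rather than on timestamps, so lines from several concurrent clients stay separated even when they share a second.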
        • djamp42

        That client is dead, I believe. I did get it to work, but had all sorts of issues with it. I just gave up on Mobile IPsec completely and went to OpenVPN. Works wonderfully.

        • pinoyboy

          It still works great for me, but you have to make sure of a couple of things - please look at this thread and it will work no problem - https://forum.pfsense.org/index.php?topic=125086.0

          • butme

            Yeah, ShrewSoft and pfSense IPsec Mobile Client settings work; I built a testing environment and it worked like a charm now (after some kinks), but this system seems not to be able to do so. I do not know why the system is not able to decrypt the payload. This is strange.

            • covex

              I had a working config, but after one of the recent pfSense updates it's no more. I can ping IPs but not domain names.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.