IPSec Road Warrior with NAT-T Question



  • Hello,

My family/friends live in different towns and we used to exchange files by SFTP for quite a while. We now want to switch to an IPSec VPN solution. As I have got an ALIX box with pfSense it's now my turn to get things done :)

    In the beginning we plan to try out an IPSec road warrior solution as the other routers are not capable of IPSec but tunnel this protocol.

    I followed this guide
    Guide: http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

    Except I had to change the server identifier to Domain as I get a DYNIP from my ISP and use DynDNS / I had to enable NAT-T as all other clients are behind routers.

    My sample setup:
    LAN1 (192.168.0.0/24) –> PFSENSE 1.2.3 RC1 (LAN: 192.168.0.1|WAN: PPPOE + DynDNS) <-- INTERNET --> MISC ROUTER (IPSEC TUNNEL) --> LAN2 (192.168.1.0/24) --> CLIENT (192.168.1.3 - Shrew Soft VPN Client)

    During my first tests I came across the following error:

    ...
    Apr 28 17:21:57 racoon: ERROR: couldn't find the pskey for 192.168.1.3
    Apr 28 17:21:57 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Apr 28 17:21:57 racoon: INFO: Selected NAT-T version: RFC 3947
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: DPD
    Apr 28 17:21:57 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: RFC 3947
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Apr 28 17:21:57 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 28 17:21:57 racoon: INFO: begin Aggressive mode.
    ...

    I currently can't imagine what went wrong :(

    Regards,

    Foo


  • Rebel Alliance Developer Netgate

    Are you sure you have the proper identifier/psk setup for the client? Just going by what it says, it looks like it can't find a proper matching key for the connection. Double check what you have entered in the pfSense side on the Pre-Shared Keys tab, and make sure it matches with the identifier used in the Shrew Soft client on its Authentication tab.

    I haven't tested NAT-T w/IPSec yet, but I'm not sure you really need that if their other routers have IPSec passthrough capability. Either way, I don't think that is the source of your issue or a contributing factor.
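The developer's diagnosis rests on one racoon line: `couldn't find the pskey for 192.168.1.3`. Racoon looks the pre-shared key up by the identifier the peer sends and only then falls back to the peer's address, so that line means no PSK entry on the pfSense side matched the identifier the Shrew Soft client presented. The following Python script is an added example, not code from the original thread or from pfSense; it parses racoon syslog lines of the shape shown in the first post, pulls out the identifier the PSK lookup failed for, the negotiated NAT-T version and whether aggressive mode began, and returns a verdict a troubleshooter can act on. The `SAMPLE_LOG` below reproduces the lines quoted in the first post.

```python
import re
from typing import Dict, List, Optional

# racoon syslog line as pfSense 1.2.x logs it:
#   "<Mon> <dd> <HH:MM:SS> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+racoon:\s+"
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# The first lookup is by identifier; "pskey for <ident>" names what racoon searched for.
PSKEY_RE = re.compile(r"couldn't find the pskey for (?P<ident>\S+)")
NATT_RE = re.compile(r"Selected NAT-T version: (?P<ver>.+)")

# Lines quoted in the original post (the "..." markers are dropped).
SAMPLE_LOG = """\
Apr 28 17:21:57 racoon: ERROR: couldn't find the pskey for 192.168.1.3
Apr 28 17:21:57 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 28 17:21:57 racoon: INFO: Selected NAT-T version: RFC 3947
Apr 28 17:21:57 racoon: INFO: received Vendor ID: DPD
Apr 28 17:21:57 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 28 17:21:57 racoon: INFO: received Vendor ID: RFC 3947
Apr 28 17:21:57 racoon: INFO: begin Aggressive mode.
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one racoon syslog line into ts/level/msg, or None if it is not racoon."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Scan racoon lines and summarise what the phase 1 exchange tells us."""
    findings: Dict[str, object] = {
        "pskey_missing_for": [],   # identifiers racoon had no PSK entry for
        "nat_t_version": None,     # NAT-T flavour agreed with the peer, if any
        "aggressive_mode": False,  # aggressive mode with PSK: identifier must match
        "verdict": "no-psk-problem-seen",
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = PSKEY_RE.search(msg)
        if m:
            findings["pskey_missing_for"].append(m.group("ident"))
        m = NATT_RE.search(msg)
        if m:
            findings["nat_t_version"] = m.group("ver").strip()
        if "begin Aggressive mode" in msg:
            findings["aggressive_mode"] = True
    if findings["pskey_missing_for"]:
        # No PSK entry matched the peer's identifier: check the Pre-Shared Keys
        # tab on pfSense against the client's Authentication tab identity.
        findings["verdict"] = "psk-identifier-mismatch"
    return findings


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

The NAT-T lines are reported but not treated as an error, which matches the reply above: the key lookup failed before NAT-T and aggressive mode even came into play, so the place to look is the identifier/PSK pairing, not the NAT traversal setting.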



  • Thank you for the info.

I'm thinking of setting up a virtual network with two subnets via VMware to have easier access to both ends of the VPN so I hopefully can better debug my problems :)

    Regards,

    Foo



  • Update:

Got this up and running with PFSENSE 1.2.3 RC2 - family/friends fully connected  ;D
    Main problem was my misunderstanding of the setting "Server Identifier: IP Address"
    I had set my DynDNS domain name in pfSense but the client settings were set to expect an IP Address.

Finally the Shrew Soft trace utility (debug) pointed me in the right direction.



  • I am sorry for this question but:  ???
    What data did you enter in the "Server Identifier: IP Address" field.
    I have tried

1. I have used the data under “Client Configuration” > “General Tab:” > “Host: <pfSense box WAN IP>”
      In my case it was 24.X.X.X

    2. I have used the data under “Client Configuration” > “General Tab:” > “Address: (pick some other random range you are not using, like 192.168.111.xx)”
In my case it was 172.21.30.253

    3. I have used the data under “Client Configuration” > “Policy:” > “Address: (Network behind pfSense you want to access, e.g. 192.168.1.0)”
In my case it was 172.21.30.0

    4. The IP on the computer that I have the client IPSec software on.
In my case it was 192.168.168.103

5. The Public IP of the Linksys WRT54G that my computer with the client IPSec software sits behind.
      In my case it was 68.X.X.X

    But none of these seem to work.


  • Rebel Alliance Developer Netgate

    @PFUser:

    I am sorry for this question but:  ???
    What data did you enter in the "Server Identifier: IP Address" field.

    On the Shrew Soft client?

    Remote Identity:
      Type: IP Address

    Or which setting on what software are you referring to, exactly?

    Usually the server identifier is left blank on pfSense unless you know better.



  • I am following this.
    http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

    On the PFSense config side.

    SNIP**************
    Fill in the settings as follows:

    Phase 1 Proposal (authentication):
    Negotiation Mode      : Aggressive
    Server Identifier    : IP Address
    Encryption Algorithm  : 3DES
    Hash Algorithm        : SHA1
    DH Key Group          : 2
    Lifetime              : 86400
    Authentication Method : Pre-Shared Key
    SNIP************


  • Rebel Alliance Developer Netgate

    I believe that should really be set to "My IP Address" in the drop-down box.

    I updated the howto.



  • Thank you for your response.

    I have two other questions but it depends on the answer to this one.
    In this part of the tutorial,

    Under “Client Configuration” > “General Tab:” > “Address: (pick some other random range you are not using, like 192.168.111.xx)”

1. Is the “range” that you are referring to an unused IP that is not being used on the LAN side of your pfSense firewall?
    2. Or is it a new subnet that is not in the LAN subnet, like 10.10.10.2, if you have a setup like below?

    Example


    192.168.1.1 LAN < pfSense > WAN 69.59.43.3



  • Rebel Alliance Developer Netgate

    It is a new subnet that does not exist on any other interface to which pfSense can directly connect.



  • Thank you once again.
After rebooting my client PC, everything started to work.
    The following is just for informational use only:

I made up a new IPSec VPN pool, IP subnet 10.10.10.0/24, that was not on any interface on my pfSense firewall.

    In the tutorial under the “Client Configuration” > “General Tab:” > “Address:” and “Netmask:”
    I added this on my Shrew Soft client:
    Address: 10.10.10.2
    Netmask: 255.255.255.0

    On the pfSense firewall I added a new rule.
    Action: Pass
    Interface: IPSEC
    Protocol: Any
    Source:
            Type: Network
            Address: 10.10.10.0/24
    Destination: LAN subnet

    Now I am able to see the whole network.
    This is my first IPSec VPN. That is why I am being so detailed about everything.
    Thanks for all your help.
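The two points settled in this exchange are that the client "Address" must come from a subnet that does not exist on any interface pfSense can reach directly, and that a pass rule on the IPSEC interface from that pool to the LAN subnet is then needed. The Python check below is an added example, not code from the thread or from pfSense; it takes a candidate pool, a name-to-CIDR map of the firewall's interface subnets and the client's address, and reports overlaps and addressing mistakes before anything is typed into pfSense or Shrew Soft. The interface subnets used in the `__main__` block are constructed from the addresses mentioned in the thread; the WAN prefix length is an assumption.

```python
import ipaddress
from typing import Dict, List


def check_client_pool(pool: str, interface_subnets: Dict[str, str],
                      client_address: str) -> List[str]:
    """Return a list of problems with a mobile-client pool; an empty list means it is sane."""
    problems: List[str] = []
    try:
        # strict=True rejects a host address such as 10.10.10.2/24 as the pool itself
        pool_net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return [f"pool {pool!r} is not a valid network: {exc}"]

    if not pool_net.is_private:
        problems.append(f"pool {pool_net} is not a private range")

    # The pool must not collide with any subnet pfSense is directly connected to,
    # otherwise return traffic is routed to the interface, not into the tunnel.
    for name, cidr in interface_subnets.items():
        local = ipaddress.ip_network(cidr, strict=False)
        if pool_net.overlaps(local):
            problems.append(f"pool {pool_net} overlaps {name} subnet {local}")

    try:
        client = ipaddress.ip_address(client_address)
    except ValueError as exc:
        problems.append(f"client address {client_address!r} is invalid: {exc}")
        return problems

    if client not in pool_net:
        problems.append(f"client address {client} is outside pool {pool_net}")
    elif client in (pool_net.network_address, pool_net.broadcast_address):
        problems.append(f"client address {client} is the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed from the thread: LAN 192.168.1.1/24, WAN 69.59.43.3 (assumed /30).
    subnets = {"LAN": "192.168.1.0/24", "WAN": "69.59.43.3/30"}
    for pool, client in [("10.10.10.0/24", "10.10.10.2"),
                         ("192.168.1.0/24", "192.168.1.50"),
                         ("10.10.10.0/24", "10.10.10.0")]:
        result = check_client_pool(pool, subnets, client)
        print(f"{pool} / {client}: {result or 'OK'}")
```

With the pool confirmed, the firewall rule from the post above (Pass, interface IPSEC, any protocol, source 10.10.10.0/24, destination LAN subnet) is what lets that pool reach the LAN; the check only stops the common mistake of picking an address that already lives on the LAN.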



Well, I arrived on this post after so much discussion, but if I understood well:

    Since pfSense 1.2.3, it's (finally) possible to use IPsec VPN clients (Shrew-like) to connect to pfSense from anywhere (anywhere = any network with NAT... does it mean all  ;D ?)?

    A little feedback from experienced users:

    Why do you prefer IPsec to OpenVPN for mobile clients? (Well, I don't want to open a debate  ;D)

    Sincerely,


  • Rebel Alliance Developer Netgate

    @XZed:

Why do you prefer IPsec to OpenVPN for mobile clients? (Well, I don't want to open a debate  ;D)

    You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this.



  • @jimp:

    You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this.

    u're right  ;D

    thanks for the advice  ;)

