Netgate Discussion Forum

IPhone + IPSec

2.0-RC Snapshot Feedback and Problems - RETIRED
39 Posts 13 Posters 35.2k Views
    azzido:

      I am a bit of a noob when it comes to VPNs so I decided to ask before I even try to configure this. Is it possible to connect iPhone to pfSense using IPSec with current 2.0 builds?

      TIA

      Maverick:

        Hi azzido,

        I think the standard IPsec client on the iPhone is not compatible with pfSense 1.2.3. But I have not tested it with the new 2.0 version. But it should be the same.
        PPTP will probably work.

        Maverick

        _igor_:

          Nope. IPsec with Xauth is part of pfSense 2.0.
          Should go!

          Apple provides some info regarding this. Tried it with an early alpha. Was without luck. But there is an entry regarding the iPhone here at the forums.

          azzido:

            Thanks for your replies. I will give it a go when I have some free time.

            cmb:

              It should work. Will it at this point is another question, the underlying ipsec-tools 0.8 is a bit questionable at this point.

              azzido:

                So after a lot of experimenting I was able to successfully create a raw IPsec tunnel between the iPhone and pfSense. Here are my pfSense settings:

                VPN -> IPsec

                    Enable IPsec                          yes

                VPN -> IPsec -> Tunnels -> Phase 1

                    Interface                             WAN
                    Negotiation mode                      aggressive
                    My identifier                         My IP address or Distinguished name (both work fine)
                    Peer identifier                       Distinguished name
                    Encryption algorithm                  AES / 256 bits
                    Hash algorithm                        SHA1
                    DH key group                          2
                    Lifetime                              28800
                    Authentication method                 Mutual PSK + Xauth
                    Pre-Shared Key                        *
                    NAT Traversal                         Enable
                    Dead Peer Detection                   Enable

                VPN -> IPsec -> Tunnels -> Phase 2

                    Mode                                  Tunnel
                    Local Network                         see Bug #430
                    Protocol                              ESP
                    Encryption algorithms                 3DES
                    Hash algorithms                       SHA1
                    PFS key group                         off
                    Lifetime                              3600

                VPN -> IPsec -> Mobile clients

                    IKE Extensions
                    Enable IPsec Mobile Client Support    yes

                    Extended Authentication (Xauth)
                    User Authentication                   system
                    Group Authentication                  system

                    Client Configuration (mode-cfg)
                    Virtual Address Pool                  192.168.100.160 / 28
                    DNS Servers                           192.168.100.1

                The only problem with the GUI configuration is that it does not allow leaving the local network in the phase two configuration blank. But all that needs to be done is changing the SA config in racoon.conf to look like this: sainfo anonymous {…}

                The iPhone config looks like this:

                    Server                                domain name or IP address of the pfSense box
                    Account                               local user name that exists on pfSense
                    Password                              user password
                    Use Certificate                       off
                    Group Name                            peer identifier from the pfSense setup
                    Secret                                pre-shared key from the pfSense setup

                Once the connection is established the iPhone gets an IP address and I see SADs and SPDs on the pfSense box, however no traffic gets through the tunnel.

                My LAN is using the 192.168.100.0/24 subnet and the pfSense IP on the LAN side is 192.168.100.1 - can I use IP addresses from the same subnet for VPN clients (now it's configured to use 192.168.100.160/28) or should I rather use a different subnet for them?

                  jahonix:

                  @azzido:

                  My LAN is using 192.168.100.0/24 subnet pfSense IP on LAN side is 192.168.100.1 - can I use IP addresses from the same subnet for VPN clients (now it's configured to use 192.168.100.160/28) or should I rather use different subnet for them?

                  You have to use a different subnet, otherwise routing doesn't work.
                  What is on your local LAN interface should stay there (192.168.100.0/24) and is not supposed to be routed out through your IPsec tunnel.
                  You might have 192.168.101.0/28 spare to use for your IPsec clients. Don't forget to create firewall rules to permit traffic!

                  Apart from that thanks for the post. I'll try it as soon as my time permits!

                    azzido:

                    In order to eliminate NATting, packet size and other issues I have decided to connect to the PF box from the wifi network rather than 3G.

                    Setup looks like this:

                    • VPN running on LAN interface.
                    • Firewall rules on LAN, Wifi networks and IPSec are allow all with logging enabled on IPSec.

                    LAN Net              192.168.100.0/24
                    PF IP on LAN Net      192.168.100.1/32

                    Wifi Net              192.168.102.0/24
                    PF IP on Wifi Net    192.168.102.1/32

                    iPhone IP on Wifi Net 192.168.102.140/32

                    VPN Net              192.168.103.0/24
                    iPhone VPN IP        192.168.103.1/32

                    With this I am able to successfully establish the VPN tunnel. The iPhone gets an IP address and shows that the VPN is running; the PF box shows that everything is established as well.

                    /usr/local/sbin/setkey -D
                    192.168.100.1 192.168.102.140
                            esp mode=any spi=21819106(0x014ceee2) reqid=1(0x00000001)
                            E: 3des-cbc  1f2b8323 4c9c64c3 0e3d14e9 21036487 b9b54e97 d34ad402
                            A: hmac-sha1  6eb6c681 b9973c05 0ddb7500 5055d72e 387238b6
                            seq=0x00000000 replay=4 flags=0x00000000 state=mature
                            created: Mar 17 00:03:56 2010   current: Mar 17 00:04:02 2010
                            diff: 6(s)      hard: 3600(s)   soft: 2880(s)
                            last:                           hard: 0(s)      soft: 0(s)
                            current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
                            allocated: 0    hard: 0 soft: 0
                            sadb_seq=1 pid=30132 refcnt=1
                    192.168.102.140 192.168.100.1
                            esp mode=tunnel spi=126923864(0x0790b458) reqid=1(0x00000001)
                            E: 3des-cbc  a2966aca 3a14e471 68ac9be4 46ef1b7a 0a62a43f 2d3bbd8e
                            A: hmac-sha1  fc72506a a0a353f2 ed3421b5 0099eeab 24a74481
                            seq=0x00000003 replay=4 flags=0x00000000 state=mature
                            created: Mar 17 00:03:56 2010   current: Mar 17 00:04:02 2010
                            diff: 6(s)      hard: 3600(s)   soft: 2880(s)
                            last: Mar 17 00:04:00 2010      hard: 0(s)      soft: 0(s)
                            current: 291(bytes)     hard: 0(bytes)  soft: 0(bytes)
                            allocated: 3    hard: 0 soft: 0
                            sadb_seq=0 pid=30132 refcnt=1

                    /usr/local/sbin/setkey -DP
                    192.168.103.1[any] 0.0.0.0/0[any] any
                            in ipsec
                            esp/tunnel/192.168.102.140-192.168.100.1/unique:1
                            created: Mar 17 00:21:20 2010  lastused: Mar 17 00:21:20 2010
                            lifetime: 3600(s) validtime: 0(s)
                            spid=67 seq=1 pid=56374
                            refcnt=1
                    0.0.0.0/0[any] 192.168.103.1[any] any
                            out ipsec
                            esp/tunnel/192.168.100.1-192.168.102.140/unique:1
                            created: Mar 17 00:21:20 2010  lastused: Mar 17 00:21:20 2010
                            lifetime: 3600(s) validtime: 0(s)
                            spid=68 seq=0 pid=56374
                            refcnt=1
                    
                    

                    When I try to access the LAN or WAN from the iPhone I can see the traffic coming in to the pfSense box with tcpdump and it shows up in the firewall logs as pass, but there is nothing sent back to the iPhone:

                    tcpdump -i ath0_wlan0 -n esp
                    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                    listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
                    00:04:21.020655 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0x5), length 100
                    00:04:22.034883 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0x6), length 100
                    00:04:25.116667 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0x7), length 100
                    00:04:26.396920 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0x8), length 108
                    00:04:27.395123 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0x9), length 108
                    00:04:30.411657 IP 192.168.102.140 > 192.168.100.1: ESP(spi=0x0790b458,seq=0xa), length 108
                    

                    If I try to ping the iPhone from a machine on the LAN I don't get any response. If I traceroute the iPhone IP, traffic goes to the PF box and then gets routed to the WAN gateway. So it seems that the PF box does not know that it needs to pass 192.168.103.1/32 traffic to the VPN tunnel. Here is the routing table on the PF box:

                    netstat -nr
                    Routing tables
                    
                    Internet:
                    Destination        Gateway            Flags    Refs      Use  Netif Expire
                    default            xx.xxx.xxx.xxx     UGS         0   542780 pppoe0
                    xx.xxx.xxx.xx      link#9             UHS         0        0    lo0
                    xx.xxx.xxx.xxx     link#9             UH          0        0 pppoe0
                    127.0.0.1          link#5             UH          0       19    lo0
                    127.0.0.2          127.0.0.1          UHS         0    60899    lo0
                    192.168.100.0/24   link#1             U           0   876571    vr0
                    192.168.100.1      link#1             UHS         0        0    lo0
                    192.168.102.0/24   link#10            U           0   238520 ath0_w
                    192.168.102.1      link#10            UHS         0        0    lo0
                    
                    

                    Any idea why this is happening?

                    Sorry for the long post :)

                      horsedragon:

                      @cmb:

                      It should work. Will it at this point is another question, the underlying ipsec-tools 0.8 is a bit questionable at this point.

                      Dear CMB,
                      can I replace ipsec-tools 0.8 with 0.7? If so, how do I do it?
                      In pfSense 2.0, which function is based on ipsec-tools 0.8 but not 0.7?

                      Thanks very much

                        azzido:

                        I found this issue: http://sourceforge.net/tracker/?func=detail&atid=541482&aid=2963121&group_id=74601 that looks awfully similar to what I am experiencing and also very close to what pakjebakmeel reported here http://forum.pfsense.org/index.php/topic,22415.0.html

                          cmb:

                          @horsedragon:

                          can I replace ipsec-tools 0.8 with 0.7 ?

                          No. That won't work properly with the FreeBSD version we use.

                            azzido:

                            I am now able to get traffic flowing through the VPN tunnel (iPhone connected via wifi). In order to accomplish that I had to change generate_policy from unique to on and add passive = on to the racoon config file.
                            Once the iPhone connects, traffic is not sent back to the iPhone, but if I flush the SPD entries and add them manually everything starts working fine.

                            SPD entries that are generated by racoon when tunnel is created:

                            
                            /usr/local/sbin/setkey -DP
                            192.168.103.1[any] 0.0.0.0/0[any] any
                                    in ipsec
                                    esp/tunnel/192.168.102.140-192.168.100.1/require
                                    created: Mar 21 22:51:51 2010  lastused: Mar 21 22:51:51 2010
                                    lifetime: 3600(s) validtime: 0(s)
                                    spid=17 seq=1 pid=53571
                                    refcnt=1
                            0.0.0.0/0[any] 192.168.103.1[any] any
                                    out ipsec
                                    esp/tunnel/192.168.100.1-192.168.102.140/require
                                    created: Mar 21 22:51:51 2010  lastused: Mar 21 22:51:55 2010
                                    lifetime: 3600(s) validtime: 0(s)
                                    spid=18 seq=0 pid=53571
                                    refcnt=1
                            

                            then I flush them and add again:

                            
                            /usr/local/sbin/setkey -FP && /usr/local/sbin/setkey -f /var/etc/spd3.conf

                            cat /var/etc/spd3.conf
                            spdadd 192.168.103.1/32[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/192.168.102.140-192.168.100.1/require;
                            spdadd 0.0.0.0/0[any] 192.168.103.1/32[any] any -P out ipsec esp/tunnel/192.168.100.1-192.168.102.140/require;
                            
                            

                            new SPD entries:

                            /usr/local/sbin/setkey -DP
                            192.168.103.1[any] 0.0.0.0/0[any] any
                                    in ipsec
                                    esp/tunnel/192.168.102.140-192.168.100.1/require
                                    spid=19 seq=1 pid=13924
                                    refcnt=1
                            0.0.0.0/0[any] 192.168.103.1[any] any
                                    out ipsec
                                    esp/tunnel/192.168.100.1-192.168.102.140/require
                                    spid=20 seq=0 pid=13924
                                    refcnt=1
                            

                            Once that's done I can access hosts on the LAN without any problems and I see ESP traffic being sent back to the iPhone. The only difference I can see between the SPD entries that racoon creates and the ones generated by setkey is that the latter don't have create date, last used date and lifetime values.
                            I also tried creating a VPN tunnel from a WinXP box (connected via wifi) using the Shrew Soft VPN client and the behavior was exactly the same. No traffic was being sent back to the WinXP box until I flushed and re-added the SPDs. So this does look like a racoon issue. Has anyone seen this before or have any idea what can be causing this?

                            Side note: before I could access the internet from VPN-connected devices I had to switch outbound NAT to manual rule generation and add a NAT rule on the WAN interface for the VPN traffic 192.168.103.0/24 - is this how it's supposed to be?

                            TIA

                              horsedragon:
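The flush-and-reload workaround above, written out as a small shell script. This is an added example, not code from the thread or from pfSense: it regenerates the two spdadd lines the post put in /var/etc/spd3.conf, reloads the SPD, and then watches for ESP leaving toward the client, which is the check the post used to tell the broken state from the working one. The addresses (virtual IP 192.168.103.1, client outer address 192.168.102.140, pfSense endpoint 192.168.100.1), the interface name ath0_wlan0 and the setkey path are taken from the post; the --apply flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): rebuild the SPD policies for
# one mobile client by hand, reload them, and confirm ESP now flows both ways.
# Assumed values (from the post): client virtual IP 192.168.103.1, client outer
# address 192.168.102.140, pfSense endpoint 192.168.100.1, wifi if ath0_wlan0.

SETKEY=${SETKEY:-/usr/local/sbin/setkey}

# mobile_spd VIP OUTER SERVER
# Print the in/out spdadd lines for one client. The inner selector is the
# client's virtual /32 against 0.0.0.0/0; the tunnel endpoints are the outer
# addresses, swapped for the outbound direction; "require" as in the post.
mobile_spd() {
    vip=$1; outer=$2; srv=$3
    printf 'spdadd %s/32[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$vip" "$outer" "$srv"
    printf 'spdadd 0.0.0.0/0[any] %s/32[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$vip" "$srv" "$outer"
}

# reload_spd FILE
# Flush the whole SPD and load FILE (the post's one-liner). -FP drops every
# policy on the box, not only this client's, so write all active clients into
# FILE first or the other tunnels stop passing traffic until they rekey.
reload_spd() {
    "$SETKEY" -FP && "$SETKEY" -f "$1"
}

# watch_esp IFACE OUTER
# Capture ESP for this client's outer address in both directions. Before the
# fix the post only saw packets towards 192.168.100.1; afterwards there should
# be packets with destination OUTER as well.
watch_esp() {
    tcpdump -i "$1" -n -c 10 "esp and host $2"
}

# Usage: sh spdfix.sh --apply [/var/etc/spd3.conf]
if [ "${1:-}" = "--apply" ]; then
    out=${2:-/var/etc/spd3.conf}
    mobile_spd 192.168.103.1 192.168.102.140 192.168.100.1 > "$out"
    reload_spd "$out" && watch_esp ath0_wlan0 192.168.102.140
fi
```

Run it with --apply on the pfSense box; without the flag it only defines the functions, so it can be sourced and mobile_spd called per client to build one file covering every connected phone before the flush.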

                              @azzido:

                              I am now able to get traffic flowing thru VPN tunnel (iPhone connected via wifi). In order to accomplish that I had to change generate_policy from unique to on and add passive = on to racoon config file.
                              Once iPhone connects traffic is not sent back to iPhone, but if I flush SPD entries and add them manually everything starts working fine.

                              once that's done I can access hosts on LAN without any problems and I see ESP traffic being sent back to iPhone. The only difference I can see between SPD entries that racoon creates and the ones generated by setkey is that latter don't have create date, last used date and life time values.
                              I also tried creating VPN tunnel from WinXP box (connected via wifi) using Shrew Soft VPN client and behavior was exactly the same. No traffic was being send back to WinXP box until I flushed and re-added SPDs. So this does look like racoon issue. Anyone has seen this before or have any idea what can be causing this?

                              Side note: before I could access internet from VPN connected devices I had to switch outbound NAT to manual rule generation and add NAT rule on WAN interface for VPN traffic 192.168.103.0/24 - is this how it's supposed to be?

                              I changed the source code to make "generate_policy" "on" instead of "unique"
                              and added "passive = on" to the racoon config file,
                              but the error is still there!
                              Is 192.168.103.1/32 your virtual IP?

                              Is switching outbound NAT to manual rule generation needed?

                              I will try this and reply to you, thanks!

                                kingjedi:

                                I have my iphone working well through IPSec minus some minor DNS issues which i havent bothered isolating yet

                                Setup:

                                March 20th Snapshot 2.0-Beta1 running on ESX 4.0 Update 1

                                VPN: IPSec: Edit Phase 1: Mobile Client

                                Interface: WAN
                                Negotiation mode: Aggressive
                                My identifier: My IP Address
                                Peer identifiier: Distinguished name - private.local
                                Encryption Algorithm: AES 256bits
                                Hash Algorithm: SHA1
                                DH Key Group: 2
                                Lifetime: 28800
                                Authentication Method: Mutual PSK + Xauth
                                Pre-Shared Key: <private key="">NAT Transveral: Enable
                                Enable DPD: ON 10s Delay, 5 Retry

                                –-------

                                VPN: IPsec: Edit Phase 2: Mobile Client

                                Mode: Tunnel
                                Local Network: Network 172.18.1.0 / 24

                                • Note this is the subnet that will be added to the remote devices routing table ie 172.18.1.0 / 24 to utun0, the remote device must be able to configure it's routing table to send packets back to your network.

                                Protocol: ESP
                                Encryption: AES 256bits
                                Hash Algorithms: SHA1
                                PFS Key Group: Off
                                Lifetime: 3600s


                                VPN: IPsec: Mobile

                                IKE Extensions: Enable IPsec Mobile Client Support

                                User Authentication: system
                                Group Authentication: system

                                Virtual Address Pool: ON - Network 172.18.254.0 / 24

                                • Note this network MUST NOT be a network already in use on your local network
                                • Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 253.

                                Network List: ON
                                DNS Default Domain: ON - private.local
                                DNS Servers: ON - <dns server="" ip="" address="">WINS Servers: OFF
                                Phase2 PFS Group: OFF
                                Login Banner: OFF


                                Now that IPsec is setup correctly you must give a firewall rule to pass traffic, goto your firewall rules page, IPsec tab, and add a rule to pass all traffic to test with.

                                Also be sure to add a new local user to the system so you can login.


                                iPhone settings:

                                Server: address of pfsense ipsec server
                                Account: Your newly created local user
                                Password: Password of your new local user
                                Group Name: private.local
                                Secret: <private key>

                                Enjoy

                                Edit:

                                Just noticed that there appears to be nowhere in the GUI to enable client save password; if you want this nugget you need to edit your vpn.inc file and throw this gem in:

                                $racoonconf .= "\tsave_passwd on;\n";

                                into the mode_cfg area, the same area where you need to apply the fix for pool_size.

                                Edit: Corrected pool_size for the network above, should be 253

                                • A Offline
                                  azzido
                                  last edited by

                                  Thanks a lot for your post kingjedi. My config was very close to yours, but I changed it to be exactly as yours and still the same issue. ESP traffic coming into pfSense box, but nothing is being sent to iPhone. What iPhone OS version are you running? I am on 3.1.2. I also assume you are running full pfSense install and not nanobsd? Thanks again.

                                  • K Offline
                                    kingjedi
                                    last edited by

                                    It's on 3.1.3, but it's the Cisco VPN stack. This should also apply to any Cisco client just the same.

                                    Did you try restarting racoon? Also, after restarting it and trying a connection, post your log dump.

                                    • A Offline
                                      azzido
                                      last edited by

                                      Another strange thing is that if I select AES 256-bit in phase two then SAs are not created. So in this example I am using 3DES in phase 2.
                                      a.b.c.d - pf box external IP
                                      k.l.m.n - iPhone IP

                                      $ cat /var/log/ipsec.log

                                      Mar 22 20:19:47 pfsense racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
                                      Mar 22 20:19:47 pfsense racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
                                      Mar 22 20:19:47 pfsense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                                      Mar 22 20:19:47 pfsense racoon: INFO: Resize address pool from 0 to 254
                                      Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
                                      Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[4500] used as isakmp port (fd=8)
                                      Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
                                      Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[500] used as isakmp port (fd=9)
                                      Mar 22 20:19:55 pfsense racoon: INFO: respond new phase 1 negotiation: a.b.c.d[500]<=>k.l.m.n[50940]
                                      Mar 22 20:19:55 pfsense racoon: INFO: begin Aggressive mode.
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: RFC 3947
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: CISCO-UNITY
                                      Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: DPD
                                      Mar 22 20:19:55 pfsense racoon: INFO: Selected NAT-T version: RFC 3947
                                      Mar 22 20:19:56 pfsense racoon: INFO: Adding remote and local NAT-D payloads.
                                      Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[50940] with algo #2
                                      Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[500] with algo #2
                                      Mar 22 20:19:56 pfsense racoon: INFO: Adding xauth VID payload.
                                      Mar 22 20:19:56 pfsense racoon: WARNING: the packet retransmitted in a short time from k.l.m.n[50940]
                                      Mar 22 20:19:56 pfsense racoon: NOTIFY: the packet is retransmitted by k.l.m.n[50940] (1).
                                      Mar 22 20:19:56 pfsense racoon: INFO: NAT-T: ports changed to: k.l.m.n[17531]<->a.b.c.d[4500]
                                      Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[4500] with algo #2
                                      Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #0 verified
                                      Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[17531] with algo #2
                                      Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #1 doesn't match
                                      Mar 22 20:19:56 pfsense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
                                      Mar 22 20:19:56 pfsense racoon: INFO: NAT detected: PEER
                                      Mar 22 20:19:56 pfsense racoon: INFO: Sending Xauth request
                                      Mar 22 20:19:56 pfsense racoon: INFO: ISAKMP-SA established a.b.c.d[4500]-k.l.m.n[17531] spi:438bae0be73b0b53:8485b1bbf6e7f82f
                                      Mar 22 20:20:08 pfsense racoon: INFO: Using port 0
                                      Mar 22 20:20:08 pfsense racoon: INFO: login succeeded for user "username"
                                      Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
                                      Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute 28683
                                      Mar 22 20:20:11 pfsense racoon: INFO: respond new phase 2 negotiation: a.b.c.d[4500]<=>k.l.m.n[17531]
                                      Mar 22 20:20:11 pfsense racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in
                                      Mar 22 20:20:11 pfsense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                                      Mar 22 20:20:11 pfsense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
                                      Mar 22 20:20:11 pfsense racoon: WARNING: trns_id mismatched: my:3DES peer:AES
                                      Mar 22 20:20:11 pfsense last message repeated 3 times
                                      Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=267341062(0xfef4d06)
                                      Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=35705435(0x220d25b)
                                      Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in"
                                      Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.103.1/32[0] proto=any dir=out"

                                      $ setkey -D
                                      a.b.c.d[4500] k.l.m.n[17531]
                                              esp-udp mode=any spi=35705435(0x0220d25b) reqid=1(0x00000001)
                                              E: 3des-cbc  8e9ec11a 3bb59911 dd07fe15 4c92d410 eef3e449 4470d6c6
                                              A: hmac-sha1  8929b853 29c35dfe 91db6c6e 0508c951 f2593c1a
                                              seq=0x00000000 replay=4 flags=0x00000000 state=mature
                                              created: Mar 22 20:20:12 2010  current: Mar 22 20:20:21 2010
                                              diff: 9(s)      hard: 3600(s)  soft: 2880(s)
                                              last:                          hard: 0(s)      soft: 0(s)
                                              current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
                                              allocated: 0    hard: 0 soft: 0
                                              sadb_seq=1 pid=51497 refcnt=1
                                      k.l.m.n[17531] a.b.c.d[4500]
                                              esp-udp mode=tunnel spi=267341062(0x0fef4d06) reqid=1(0x00000001)
                                              E: 3des-cbc  de063f0f c0f82961 86eae7ff 0f6326a8 6c718478 519873ef
                                              A: hmac-sha1  b529c065 e5141885 a92b3d59 4dd79e9c 77b95276
                                              seq=0x00000000 replay=4 flags=0x00000000 state=mature
                                              created: Mar 22 20:20:12 2010  current: Mar 22 20:20:21 2010
                                              diff: 9(s)      hard: 3600(s)  soft: 2880(s)               
                                              last:                          hard: 0(s)      soft: 0(s) 
                                              current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)     
                                              allocated: 0    hard: 0 soft: 0 
                                              sadb_seq=0 pid=51497 refcnt=1

                                      $ setkey -DP
                                      192.168.103.1[any] 192.168.100.0/24[any] any                       
                                              in ipsec                       
                                              esp/tunnel/k.l.m.n-a.b.c.d/unique:1           
                                              created: Mar 22 20:20:12 2010  lastused: Mar 22 20:20:12 2010
                                              lifetime: 3600(s) validtime: 0(s)
                                              spid=67 seq=1 pid=51688         
                                              refcnt=1                       
                                      192.168.100.0/24[any] 192.168.103.1[any] any                       
                                              out ipsec                       
                                              esp/tunnel/a.b.c.d-k.l.m.n/unique:1           
                                              created: Mar 22 20:20:12 2010  lastused: Mar 22 20:20:12 2010
                                              lifetime: 3600(s) validtime: 0(s)
                                              spid=68 seq=0 pid=51688         
                                              refcnt=1

                                      $ cat /var/etc/racoon.conf

                                      This file is automatically generated. Do not edit

                                      path pre_shared_key "/var/etc/psk.txt";

                                      path certificate  "/var/etc";

                                      listen     
                                      {           
                                              adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660; 
                                              isakmp a.b.c.d [500];   
                                              isakmp_natt a.b.c.d [4500];                         
                                      }

                                      mode_cfg   
                                      {           
                                              auth_source system;             
                                              group_source system;           
                                              pool_size 254;                 
                                              network4 192.168.103.1;         
                                              netmask4 255.255.255.0;         
                                              split_network include 192.168.100.0/24;                     
                                              dns4 208.67.222.222;           
                                              default_domain "local.lan";   
                                      }

                                      remote anonymous                       
                                      {           
                                              ph1id 2;                       
                                              exchange_mode aggressive;       
                                              my_identifier address a.b.c.d;                       
                                              peers_identifier fqdn "local.lan";                       
                                              ike_frag on;                   
                                              generate_policy = unique;       
                                              initial_contact = off;         
                                              nat_traversal = on;

                                              dpd_delay = 10;
                                              dpd_maxfail = 5;
                                              support_proxy on;
                                              proposal_check claim;

                                              proposal
                                              {   
                                                      authentication_method xauth_psk_server;             
                                                      encryption_algorithm aes 256;                       
                                                      hash_algorithm sha1;   
                                                      dh_group 2;             
                                                      lifetime time 28800 secs;
                                              }   
                                      }

                                      sainfo subnet 192.168.100.0/24 any anonymous                       
                                      {           
                                              remoteid 2;                     
                                              encryption_algorithm 3des;     
                                              authentication_algorithm hmac_sha1;

                                              lifetime time 3600 secs;
                                              compression_algorithm deflate; 
                                      }

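The log and `setkey` output above carry the whole story of this failed session: phase 1 and XAuth succeed, phase 2 comes up with the responder's 3DES transform despite the `trns_id mismatched` warning, racoon complains about the generated policies, and both ESP SAs sit at 0 bytes. The following triage script is an added example, not something from the thread or from pfSense; it parses an abridged copy of the posted racoon log and `setkey -D` output (the poster's a.b.c.d / k.l.m.n placeholders kept, key material omitted) and derives the findings a practitioner would check before touching the crypto settings. The field names and the `diagnose()` heuristics are my own.

```python
import re

# Abridged copy of the racoon log quoted in the post above (constructed sample).
RACOON_LOG = """\
Mar 22 20:19:55 pfsense racoon: INFO: respond new phase 1 negotiation: a.b.c.d[500]<=>k.l.m.n[50940]
Mar 22 20:19:55 pfsense racoon: INFO: begin Aggressive mode.
Mar 22 20:19:56 pfsense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Mar 22 20:19:56 pfsense racoon: INFO: NAT detected: PEER
Mar 22 20:19:56 pfsense racoon: INFO: ISAKMP-SA established a.b.c.d[4500]-k.l.m.n[17531] spi:438bae0be73b0b53:8485b1bbf6e7f82f
Mar 22 20:20:08 pfsense racoon: INFO: login succeeded for user "username"
Mar 22 20:20:11 pfsense racoon: INFO: respond new phase 2 negotiation: a.b.c.d[4500]<=>k.l.m.n[17531]
Mar 22 20:20:11 pfsense racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=267341062(0xfef4d06)
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=35705435(0x220d25b)
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in"
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.103.1/32[0] proto=any dir=out"
"""

# Abridged copy of the setkey -D output from the same post, key bytes removed.
SETKEY_D = """\
a.b.c.d[4500] k.l.m.n[17531]
        esp-udp mode=any spi=35705435(0x0220d25b) reqid=1(0x00000001)
        E: 3des-cbc
        A: hmac-sha1
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
k.l.m.n[17531] a.b.c.d[4500]
        esp-udp mode=tunnel spi=267341062(0x0fef4d06) reqid=1(0x00000001)
        E: 3des-cbc
        A: hmac-sha1
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
"""


def triage_racoon(log_text):
    """Reduce a racoon log to the handful of facts that matter for a mobile IPsec session."""
    summary = {"phase1_mode": None, "phase1_established": False, "xauth_user": None,
               "nat_detected": None, "phase2_mismatch": None, "ipsec_sa_spis": [], "errors": []}
    for line in log_text.splitlines():
        m = re.search(r"racoon: (\w+): (.*)$", line)
        if not m:
            continue
        level, msg = m.groups()
        if msg.startswith("begin Aggressive mode"):
            summary["phase1_mode"] = "aggressive"
        elif msg.startswith("ISAKMP-SA established"):
            summary["phase1_established"] = True
        elif (u := re.match(r'login succeeded for user "([^"]+)"', msg)):
            summary["xauth_user"] = u.group(1)
        elif (n := re.match(r"NAT detected: (\w+)", msg)):
            summary["nat_detected"] = n.group(1)
        elif (t := re.match(r"trns_id mismatched: my:(\S+) peer:(\S+)", msg)):
            summary["phase2_mismatch"] = t.groups()
        elif (s := re.search(r"IPsec-SA established: ESP .* spi=(\d+)", msg)):
            summary["ipsec_sa_spis"].append(int(s.group(1)))
        if level == "ERROR":
            summary["errors"].append(msg)
    return summary


def parse_setkey_sad(text):
    """Parse `setkey -D` into one dict per SA: protocol, mode, SPI, algorithms, state, byte counter."""
    sas, cur = [], None
    for raw in text.splitlines():
        if not raw.startswith((" ", "\t")):            # unindented "src dst" line opens a new SA
            cur = {"endpoints": raw.strip(), "bytes": None}
            sas.append(cur)
            continue
        line = raw.strip()
        if (m := re.match(r"(esp(?:-udp)?|ah) mode=(\S+) spi=(\d+)", line)):
            cur.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3)))
        elif line.startswith("E: "):
            cur["enc"] = line.split()[1]
        elif line.startswith("A: "):
            cur["auth"] = line.split()[1]
        elif (m := re.search(r"state=(\w+)", line)):
            cur["state"] = m.group(1)
        elif (m := re.match(r"current: (\d+)\(bytes\)", line)):
            cur["bytes"] = int(m.group(1))
    return sas


def diagnose(summary, sas):
    """Turn the parsed facts into findings; heuristics are mine, not racoon's."""
    findings = []
    if not summary["phase1_established"]:
        findings.append("phase 1 never completed")
    if summary["phase2_mismatch"]:
        mine, peer = summary["phase2_mismatch"]
        findings.append(f"phase 2 transform mismatch: responder offers {mine}, client proposed {peer}")
    log_spis, kernel_spis = set(summary["ipsec_sa_spis"]), {sa["spi"] for sa in sas}
    if log_spis and log_spis != kernel_spis:
        findings.append("SAs announced in the racoon log do not match the kernel SAD")
    if sas and all(sa["bytes"] == 0 for sa in sas):
        findings.append("all ESP SAs are mature but carried 0 bytes: check SPD, routing and firewall rules, not crypto")
    if any("such policy does not already exist" in e for e in summary["errors"]):
        findings.append("racoon reported SPD policy errors while installing its generated policies")
    return findings


if __name__ == "__main__":
    for f in diagnose(triage_racoon(RACOON_LOG), parse_setkey_sad(SETKEY_D)):
        print("-", f)
```

Run it as-is and it prints three findings for the posted session; point it at `clog /var/log/ipsec.log` and `setkey -D` output from your own box to get the same summary. The zero byte counters are the most useful signal here: with both SAs mature and nothing flowing through either, the problem sits in policy or routing rather than in the negotiated algorithms.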
                                      • H Offline
                                        horsedragon
                                        last edited by

                                        azzido, I do the same as you, but no traffic in the VPN tunnel!

                                        • C Offline
                                          cmb
                                          last edited by

                                          @kingjedi:

                                          • Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. i.e. in this case 254.

                                          How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

                                          • K Offline
                                            kingjedi
                                            last edited by

                                            @cmb:

                                            @kingjedi:

                                            • Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. i.e. in this case 254.

                                            How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

                                            Looked like it was coming from upstream of it; I'll admit I didn't look that hard. Just saw the -4xxxxxxxxx number in its place, so I weed-whacked it. I can try again with a fresh install.

                                            Also I did trace the DNS issue: the split_dns option was missing, which is needed for Cisco clients, so I threw that line in and it's working well. I like the new interface as well.

                                            Edit:

                                            Fresh install done and again it threw up a bogus value. However, I'll say this before digging too deep: dnsmasq failed to install again and is nowhere to be found. I do a manual pkg_add -r dnsmasq and it takes off like normal. Failed install on ESX maybe? Or is it not part of the base install?

                                            Anyway, the value it inserts into racoon.conf is -4294967043 for pool_size.

                                            Edit: After looking further, the ip2long function is returning bogus values ??? Also, you're right about the pool_size; I forgot the sign flip when doing it by hand, so it is 253.

                                            Edit: Just dawned on me what the root cause almost has to be… a 64-bit issue with integer types. Sorry, I should have mentioned earlier that this is a 64-bit install.

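The pool_size bug flagged in kingjedi's setup notes and diagnosed above as a 64-bit integer problem is a textbook width/signedness defect, and the number on the page pins it down: -4294967043 is exactly what `~ip2long("255.255.255.0") - 2` evaluates to when ip2long returns the unsigned 4294967040 of a 64-bit PHP build, while the same expression on a 32-bit build (where ip2long returns the signed -256) gives 253. The script below is an added example, not pfSense's vpn.inc code; the `~mask - 2` formula is my reconstruction from that value, and `php_ip2long`, `naive_pool_size`, `pool_size` and `mode_cfg_block` are hypothetical helpers that model the behaviour and show the width-independent fix, rendering a mode_cfg block in the layout of the racoon.conf posted earlier (including the `save_passwd on;` line from the edit).

```python
import ipaddress


def php_ip2long(dotted, int_bits):
    """Model of PHP ip2long() on a 32-bit versus 64-bit build (assumed model, not PHP itself).
    32-bit PHP holds the result in a signed 32-bit int, so 255.255.255.0 comes back as -256;
    64-bit PHP returns the plain unsigned value 4294967040."""
    value = int(ipaddress.IPv4Address(dotted))
    if int_bits == 32 and value >= 1 << 31:
        value -= 1 << 32
    return value


def naive_pool_size(netmask, int_bits):
    """Hypothesised generator arithmetic, ~ip2long(mask) - 2, reconstructed from the
    -4294967043 reported in the thread.  It only works when the integer is 32 bits wide."""
    return ~php_ip2long(netmask, int_bits) - 2


def pool_size(netmask):
    """Width-independent version: mask the complement down to 32 bits before subtracting.
    Gives the 253 the thread settles on for a /24 regardless of the PHP build."""
    host_part = ~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF
    return host_part - 2


def mode_cfg_block(pool_cidr, dns, domain):
    """Render a mode_cfg section in the layout of the posted racoon.conf (hypothetical helper).
    network4 is the first host of the pool, as in the posted config (192.168.103.1 for a /24)."""
    net = ipaddress.IPv4Network(pool_cidr, strict=False)
    first_host = net.network_address + 1
    lines = [
        "mode_cfg",
        "{",
        "\tauth_source system;",
        "\tgroup_source system;",
        f"\tpool_size {pool_size(str(net.netmask))};",
        f"\tnetwork4 {first_host};",
        f"\tnetmask4 {net.netmask};",
        f"\tdns4 {dns};",
        f'\tdefault_domain "{domain}";',
        "\tsave_passwd on;",          # the client save-password knob from the post's edit
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for bits in (32, 64):
        print(f"{bits}-bit PHP: naive pool_size = {naive_pool_size('255.255.255.0', bits)}")
    print(mode_cfg_block("172.18.254.0/24", "208.67.222.222", "private.local"))
```

The lesson generalises beyond this snapshot: any code that feeds ip2long output into bitwise arithmetic must normalise it to 32 bits first (or use ip2long(...) & 0xFFFFFFFF consistently), otherwise results silently change between 32-bit and 64-bit builds of the same PHP source.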
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.