Netgate Discussion Forum
Ipsec Mobile clients with Mutual PSK + xauth

2.0-RC Snapshot Feedback and Problems - RETIRED
armsby:

When selecting Mutual PSK + xauth for mobile clients, the interface asks for Peer identifier and Pre-Shared Key.

Should it not use the pre-shared keys under VPN: IPsec: Keys for mobile clients?

I have IPsec running with just Mutual PSK. I would like to get user auth to work; my problem is that if I enter anything in Peer identifier, it stops working.

Everything works perfectly if I manually edit racoon.conf to use authentication_method xauth_psk_server.

Is this a bug, or am I doing something wrong?
jimp (Netgate developer):

IIRC, with Mutual PSK+xauth, the PSK is more like the "group" key in Cisco terms. It's a PSK shared by all clients.
armsby:

OK, Mutual PSK works fine, but if I configure a group using that PSK, I cannot complete phase 2. This is what I get:

Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
Sep 1 14:41:03 last message repeated 3 times
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
Sep 1 14:41:03 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #1 verified
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT not detected
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Sending Xauth request
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Using port 0
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:05 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:09 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:13 racoon: [Mobile Clients]: ERROR: fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Sep 1 14:41:13 racoon: [Mobile Clients]: INFO: ISAKMP-SA expired 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: ISAKMP-SA deleted 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: Released port 0
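The log above tells the whole story once the lines are grouped by peer: phase 1 completes in aggressive mode, the Xauth login succeeds, and then every phase 2 request dies with "failed to get sainfo" until the ISAKMP-SA is torn down. The following Python triage script is an added example for this thread (it is not part of pfSense, racoon or the poster's setup). It parses racoon's syslog lines, tracks how far each remote peer got through phase 1, Xauth and phase 2, and turns the error strings into plain findings. The only interpretation it attaches beyond what the log shows is racoon's own meaning of "failed to get sainfo": no sainfo block matched the IDs in the phase 2 request. The sample log is a constructed, shortened copy of the one posted.

```python
import re
from dataclasses import dataclass, field

# One racoon/syslog line: "Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: <message>"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s+racoon:\s+\[[^\]]*\]:\s+"
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"<=>(?P<peer>\d+\.\d+\.\d+\.\d+\[\d+\])")
SPI_RE = re.compile(r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")


@dataclass
class Session:
    peer: str
    mode: str = ""                 # "Aggressive" / "Identity Protection"
    vendor_ids: list = field(default_factory=list)
    spi: str = ""                  # filled in by "ISAKMP-SA established"
    xauth_login: str = ""          # "succeeded" or "" (no Xauth login seen)
    phase2_attempts: int = 0
    ipsec_sas: int = 0             # "IPsec-SA established" lines
    errors: list = field(default_factory=list)
    deleted: bool = False


def parse_log(text):
    """Return {peer: Session}; non-racoon syslog lines are skipped."""
    sessions, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m["level"], m["msg"]
        if msg.startswith("respond new phase 1 negotiation"):
            peer = PEER_RE.search(msg)["peer"]
            current = sessions.setdefault(peer, Session(peer))
        if current is None:
            continue
        s = current
        if msg.startswith("begin ") and msg.endswith(" mode."):
            s.mode = msg[len("begin "):-len(" mode.")]
        elif msg.startswith("received Vendor ID: "):
            vid = msg[len("received Vendor ID: "):]
            if vid not in s.vendor_ids:
                s.vendor_ids.append(vid)
        elif msg.startswith("ISAKMP-SA established"):
            s.spi = SPI_RE.search(msg)["spi"]
        elif msg.startswith("login succeeded"):
            s.xauth_login = "succeeded"
        elif msg.startswith("respond new phase 2 negotiation"):
            s.phase2_attempts += 1
        elif msg.startswith("IPsec-SA established"):
            s.ipsec_sas += 1
        elif msg.startswith("ISAKMP-SA deleted"):
            s.deleted = True
        if level == "ERROR":
            s.errors.append(msg.rstrip("."))
    return sessions


def diagnose(s):
    """Findings for one peer, stated only from what the log shows."""
    out = []
    if "CISCO-UNITY" in s.vendor_ids:
        out.append("client sent the CISCO-UNITY vendor ID (vpnc / Cisco-style client)")
    if any("encryption algorithm=0" in e for e in s.errors) and s.spi:
        out.append("phase 1 logged 'encryption algorithm=0' but the ISAKMP-SA was still "
                   "established, so that transform is not what blocks the tunnel")
    if s.xauth_login == "succeeded":
        out.append("PSK and Xauth credentials are fine: ISAKMP-SA up, login succeeded")
    if any("failed to get sainfo" in e for e in s.errors) and s.ipsec_sas == 0:
        out.append(f"phase 2 failed in {s.phase2_attempts} attempt(s): 'failed to get "
                   "sainfo' means no sainfo block matched the client's phase 2 IDs; "
                   "compare the sainfo selectors and remoteid with what the client proposes")
    if s.deleted and s.ipsec_sas == 0:
        out.append("ISAKMP-SA deleted without any IPsec-SA: the tunnel never came up")
    return out


# Constructed sample: a shortened copy of the log posted above in this thread.
SAMPLE_LOG = """\
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
Sep 1 14:41:03 last message repeated 3 times
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:05 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:13 racoon: [Mobile Clients]: ERROR: fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: ISAKMP-SA deleted 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
"""

if __name__ == "__main__":
    for peer, sess in parse_log(SAMPLE_LOG).items():
        print(f"== {peer}: {sess.mode} mode, Xauth login {sess.xauth_login or 'n/a'}")
        for finding in diagnose(sess):
            print(" -", finding)
```

Feed it the real racoon log (`clog /var/log/ipsec.log | python3 triage.py` with the sample replaced by stdin) and the findings separate authentication problems (no ISAKMP-SA, no "login succeeded") from policy problems (phase 2 requests that match no sainfo), which is the distinction this thread turns on.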

jimp (Netgate developer):

I haven't tried it myself, but I'm guessing this is the real problem:

Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.

What do you have selected for encryption options in phase 2?
armsby:

encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;

But if that were the error, I don't see why it works with Mutual PSK; the only thing that changes is from Mutual PSK to Mutual PSK + xauth,

and that of course uses the Peer identifier and Pre-Shared Key in phase 1 instead of the ones under VPN: IPsec: Keys.

phase1 config under Mutual PSK:

remote anonymous
{
        ph1id 3;
        exchange_mode aggressive;
        my_identifier address 10.0.10.1;
        ike_frag on;
        generate_policy = on;
        initial_contact = on;
        nat_traversal = on;
        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check obey;
        passive on;
        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }
}

phase2 under Mutual PSK:

sainfo anonymous
{
        remoteid 3;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        lifetime time 3600 secs;
        compression_algorithm deflate;
}

phase1 with Mutual PSK + xauth:

remote anonymous
{
        ph1id 3;
        exchange_mode aggressive;
        my_identifier address 10.0.10.1;
        ike_frag on;
        generate_policy = unique;
        initial_contact = off;
        nat_traversal = on;
        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;
        proposal
        {
                authentication_method xauth_psk_server;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }
}

phase2 with Mutual PSK + xauth:

sainfo subnet 10.0.80.0/24 any anonymous
{
        remoteid 3;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        lifetime time 3600 secs;
        compression_algorithm deflate;
}

jimp (Netgate developer):

Try changing the Proposal Checking drop-down. In mutual PSK, the default is obey; in MPSK+xauth, the default is claim.

Try the different values there and see if any work for you.
armsby:

I have now tried all four, but none of them works.

claim and obey gave the same result,

but strict and exact gave "rejected authmethod".
jimp (Netgate developer):

You might try leaving that at the default then.

What VPN client are you using to connect, and how exactly is it configured?
armsby:

For the VPN client I am using vpnc from a machine running Ubuntu 10.04.

Gateway is set to 10.0.10.1
Group: test
User: vpn
Encryption method: Secure (default)
NAT-T enabled

IP settings: automatic (VPN)
jimp (Netgate developer):

Is there a way to see what configuration file it writes out, so we can see exactly what options it's trying to use?
armsby:

If it's racoon.conf, I pasted the two earlier; if not, what configuration file would you like?
cmb:

@armsby:

    If it's racoon.conf, I pasted the two earlier; if not, what configuration file would you like?

The client config.
armsby:

The only difference in my config between the two is Username=

[main]
Description=ipsec
Host=10.0.10.1
AuthType=1
GroupName=test
GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=vpn
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=
DHGroup=2
ForceKeepAlives=0
enc_GroupPwd=
UserPassword=
enc_UserPassword=
NTDomain=
EnableMSLogon=0
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=0
EnableLocalLAN=1
SendCertChain=0
VerifyCertDN=
EnableSplitDNS=1
SingleDES=0
SPPhonebook=
X-NM-Use-NAT-T=1
X-NM-Routes=10.0.70.0/24
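The file above is a Cisco-style .pcf profile, the format NetworkManager-vpnc and vpnc's pcf2vpnc tool consume. As an added example (not from the thread, pfSense or vpnc), the Python below applies the pcf2vpnc field mapping to such a file and makes jimp's "group key" point concrete: GroupName is the identity the client sends in phase 1 and GroupPwd is the one PSK shared by every client, while Username/UserPassword are the per-user Xauth credentials that phase 1 alone does not check. The mapping and the vpnc.conf directive names are my reading of pcf2vpnc and vpnc.conf(5) and should be treated as assumptions; the sample profile is a constructed subset of the posted one with the secrets left empty, as posted.

```python
import configparser

# Cisco .pcf [main] keys and the vpnc.conf directives they become. This is the
# mapping vpnc's pcf2vpnc applies as I understand it (an assumption, not from
# the thread); the posted file shows exactly these fields.
PCF_TO_VPNC = {
    "Host": "IPSec gateway",
    "GroupName": "IPSec ID",        # the "group" name vpnc sends as its phase 1 identity
    "GroupPwd": "IPSec secret",     # the group PSK shared by every client
    "Username": "Xauth username",   # per-user credentials checked by Xauth, not phase 1
    "UserPassword": "Xauth password",
}


def pcf_to_vpnc(pcf_text):
    """Return {vpnc directive: value} for everything the .pcf actually supplies."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case: GroupName, X-NM-Use-NAT-T, ...
    cp.read_string(pcf_text)
    main = cp["main"]
    out = {}
    for pcf_key, directive in PCF_TO_VPNC.items():
        if main.get(pcf_key):       # empty "GroupPwd=" means "not stored in the profile"
            out[directive] = main[pcf_key]
    if main.get("enc_GroupPwd") and "IPSec secret" not in out:
        # Cisco-obfuscated group password; vpnc ships cisco-decrypt to recover it
        out["IPSec obfuscated secret"] = main["enc_GroupPwd"]
    if main.get("DHGroup"):
        out["IKE DH Group"] = "dh" + main["DHGroup"]
    if main.get("EnableNat") == "1" or main.get("X-NM-Use-NAT-T") == "1":
        out["NAT Traversal Mode"] = "natt"
    return out


def missing_secrets(directives):
    """Secrets vpnc will still have to prompt for (or read from stdin)."""
    missing = []
    if "IPSec secret" not in directives and "IPSec obfuscated secret" not in directives:
        missing.append("IPSec secret")
    if "Xauth password" not in directives:
        missing.append("Xauth password")
    return missing


def render(directives):
    """vpnc.conf text; keep the file mode 0600, it may carry the group PSK."""
    return "".join(f"{k} {v}\n" for k, v in directives.items())


# Constructed sample: a subset of the .pcf posted above, secrets left empty as posted.
SAMPLE_PCF = """\
[main]
Description=ipsec
Host=10.0.10.1
AuthType=1
GroupName=test
GroupPwd=
Username=vpn
SaveUserPassword=0
EnableNat=1
DHGroup=2
enc_GroupPwd=
UserPassword=
enc_UserPassword=
X-NM-Use-NAT-T=1
X-NM-Routes=10.0.70.0/24
"""

if __name__ == "__main__":
    conf = pcf_to_vpnc(SAMPLE_PCF)
    print(render(conf), end="")
    print("# still needed:", ", ".join(missing_secrets(conf)))
```

On the pfSense side the same two values have to line up: "IPSec ID" is what the Peer identifier must match and "IPSec secret" is the Pre-Shared Key on the mobile clients tab, with the Xauth username and password checked separately after phase 1.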
