Ipsec Mobile clients with Mutual PSK + xauth



  • When selecting Mutual PSK + xauth for mobile clients the interface asks for Peer identifier and Pre-Shared Key.

    Should it not use the Pre-Shared Keys under VPN: IPsec: Keys for mobile clients?

    I have IPsec running with just Mutual PSK. I would like to get user auth to work; my problem is that if I enter anything in Peer identifier, it stops working.

    Everything works perfectly if I manually edit racoon.conf to use authentication_method xauth_psk_server.

    Is this a bug, or am I doing something wrong?


  • Rebel Alliance Developer Netgate

    IIRC, with Mutual PSK+xauth, the PSK is more like the "group" key in Cisco terms. It's a PSK shared by all clients.



  • OK,

    Mutual PSK works fine,

    but if I configure a group using that PSK, I cannot complete phase 2. This is what I get:

    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
    Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
    Sep 1 14:41:03 last message repeated 3 times
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
    Sep 1 14:41:03 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.10.1[500] with algo #2
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Hashing 10.0.20.12[500] with algo #2
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT-D payload #1 verified
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: NAT not detected
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Sending Xauth request
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Using port 0
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
    Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
    Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
    Sep 1 14:41:05 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
    Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:05 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
    Sep 1 14:41:09 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
    Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
    Sep 1 14:41:09 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
    Sep 1 14:41:13 racoon: [Mobile Clients]: ERROR: fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
    Sep 1 14:41:13 racoon: [Mobile Clients]: INFO: ISAKMP-SA expired 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
    Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: ISAKMP-SA deleted 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
    Sep 1 14:41:14 racoon: [Mobile Clients]: INFO: Released port 0
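
An added log-triage helper, not from the thread or from pfSense/racoon: it parses racoon syslog lines like the ones pasted above and flags the pattern seen here, where phase 1 and the XAuth login succeed but every phase 2 attempt fails with "failed to get sainfo" (racoon found no sainfo section matching the client's phase 2 request). The embedded sample log is a trimmed copy of the one in this post.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the racoon log pasted in the thread above.
SAMPLE_LOG = """\
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 1 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.
Sep 1 14:41:03 last message repeated 3 times
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: Sending Xauth request
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: ISAKMP-SA established 10.0.10.1[500]-10.0.20.12[500] spi:5a3ce113229cac40:cf7a589d4b727706
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: login succeeded for user "******"
Sep 1 14:41:03 racoon: [Mobile Clients]: INFO: respond new phase 2 negotiation: 10.0.10.1[500]<=>10.0.20.12[500]
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to get sainfo.
Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: failed to pre-process packet.
Sep 1 14:41:13 racoon: [Mobile Clients]: ERROR: fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
"""

# Matches "<month> <day> <time> racoon: [<tag>]: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) racoon: \[(?P<tag>[^\]]*)\]: "
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY|DEBUG): (?P<msg>.*)$"
)

def parse_racoon_log(text):
    """Return (timestamp, tag, level, message) tuples; lines that are not racoon
    messages (e.g. syslog's "last message repeated N times") are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["tag"], m["level"], m["msg"]))
    return out

def diagnose(records):
    """Summarise the exchange: did phase 1 complete, did XAuth succeed, and did
    phase 2 then fail because no sainfo section matched the client's request."""
    msgs = [r[3] for r in records]
    errors = Counter(r[3] for r in records if r[2] == "ERROR")
    phase1_ok = any(m.startswith("ISAKMP-SA established") for m in msgs)
    xauth_ok = any(m.startswith("login succeeded for user") for m in msgs)
    sainfo_fail = errors["failed to get sainfo."]
    if phase1_ok and xauth_ok and sainfo_fail:
        verdict = "phase2 sainfo mismatch"  # auth is fine; check the sainfo/remoteid/subnet selectors
    elif not phase1_ok:
        verdict = "phase1 failed"
    else:
        verdict = "ok"
    return {"phase1_ok": phase1_ok, "xauth_ok": xauth_ok,
            "sainfo_failures": sainfo_fail, "errors": dict(errors), "verdict": verdict}
```

Feed it the full log from /var/log or the pfSense IPsec log page instead of SAMPLE_LOG to triage a real attempt.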


  • Rebel Alliance Developer Netgate

    I haven't tried it myself, but I'm guessing this is the real problem:

    Sep 1 14:41:03 racoon: [Mobile Clients]: ERROR: invalied encryption algorithm=0.

    What do you have selected for encryption options in phase 2?



  • encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;

    But if that were the error, then I don't see why it works with Mutual PSK; the only thing that changes is from Mutual PSK to Mutual PSK + xauth,

    and they of course use the Peer identifier and Pre-Shared Key in Phase 1 instead of the ones under VPN: IPsec: Keys.

    phase1 config under Mutual PSK:
    remote anonymous
    {
            ph1id 3;
            exchange_mode aggressive;
            my_identifier address 10.0.10.1;
            ike_frag on;
            generate_policy = on;
            initial_contact = on;
            nat_traversal = on;
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check obey;
            passive on;
            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }

    phase2 Mutual PSK:
    sainfo anonymous
    {
            remoteid 3;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    phase1 with Mutual PSK + xauth:
    remote anonymous
    {
            ph1id 3;
            exchange_mode aggressive;
            my_identifier address 10.0.10.1;
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
            proposal
            {
                    authentication_method xauth_psk_server;
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }

    phase2 Mutual PSK + xauth:
    sainfo subnet 10.0.80.0/24 any anonymous
    {
            remoteid 3;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }


  • Rebel Alliance Developer Netgate

    Try changing the Proposal Checking drop-down. In Mutual PSK, the default is obey; in MPSK+xauth, the default is claim.

    Try the different values there, see if any work for you.



  • I have now tried all 4, but none of them works.

    Claim and obey gave the same result,

    but strict and exact gave "rejected authmethod".


  • Rebel Alliance Developer Netgate

    You might try leaving that at the default then.

    What VPN client are you using to connect, and how exactly is it configured?



  • For the VPN client I am using vpnc from a machine running Ubuntu 10.04.

    gateway is set to 10.0.10.1
    group: test
    user: vpn
    Encryption method: Secure (default)
    NAT-T enabled

    IP setting: automatic (VPN)


  • Rebel Alliance Developer Netgate

    Is there a way to see what configuration file it writes out, so we can see exactly what options it's trying to use?



  • If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?



  • @armsby:

    If it's racoon.conf, I pasted the 2 earlier; if not, what configuration file would you like?

    The client config



  • The only difference in my config between the 2 is Username=

    [main]
    Description=ipsec
    Host=10.0.10.1
    AuthType=1
    GroupName=test
    GroupPwd=
    EnableISPConnect=0
    ISPConnectType=0
    ISPConnect=
    ISPCommand=
    Username=vpn
    SaveUserPassword=0
    EnableBackup=0
    BackupServer=
    EnableNat=1
    CertStore=0
    CertName=
    CertPath=
    CertSubjectName=
    CertSerialHash=
    DHGroup=2
    ForceKeepAlives=0
    enc_GroupPwd=
    UserPassword=
    enc_UserPassword=
    NTDomain=
    EnableMSLogon=0
    MSLogonType=0
    TunnelingMode=0
    TcpTunnelingPort=10000
    PeerTimeout=0
    EnableLocalLAN=1
    SendCertChain=0
    VerifyCertDN=
    EnableSplitDNS=1
    SingleDES=0
    SPPhonebook=
    X-NM-Use-NAT-T=1
    X-NM-Routes=10.0.70.0/24

