Has anyone managed to successfully connect pfSense 2.0 > Feb 2011 with Mobile Clients via the Hybrid-RSA-Xauth method?



  • Has anyone managed to successfully connect pfSense 2.0 > Feb 2011 with Mobile Clients via the Hybrid-RSA-Xauth method?

    For me it still keeps failing with both the Shrew client (Win+Lin) and the Cisco VPN client.

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 192.168.1.1 [500];
            isakmp_natt 192.168.1.1 [4500];
    }

    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size 13;
            network4 192.168.1.225;
            netmask4 255.255.255.240;
            split_network include 192.168.1.0/24;
            banner "/var/etc/racoon.motd";
            save_passwd on;
    }

    remote anonymous
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier asn1dn ;
            peers_identifier keyid tag "andrei@test.com";
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
            certificate_type x509 "cert-1.crt" "cert-1.key";
            ca_type x509 "ca-1.crt";
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check obey;

            proposal
            {
                    authentication_method hybrid_rsa_server;
                    encryption_algorithm aes 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }

    sainfo subnet 192.168.1.0/24 any anonymous
    {
            remoteid 1;
            encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
            authentication_algorithm hmac_sha1,hmac_md5;

            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    Shrew is set to auto, and racoon produces the following log:

    2011-02-13 15:02:33: [192.168.1.10] DEBUG2: Checking remote conf "anonymous" anonymous.
    2011-02-13 15:02:33: DEBUG2: enumrmconf: "anonymous" matches.
    2011-02-13 15:02:33: DEBUG2: Etype mismatch: got 4, expected 2.
    2011-02-13 15:02:33: [192.168.1.10] ERROR: exchange Identity Protection not allowed in any applicable rmconf.

    I know that it probably works with preshared keys and other auth methods, but I'm especially interested in this auth method: hybrid-rsa-xauth.

    According to tcpdump, there's only one ISAKMP packet: from the Shrew client to pfSense. pfSense is not responding.

    This is with pfSense-2.0-BETA5-i386-20110210-2050.
    With pfSense-2.0-BETA5-i386-20110210-0159, the iked daemon that comes with Shrew and the Cisco VPN client failed to verify the certificate provided by pfSense (failed to verify remote peer certificate), although I had already imported the CA crt exported by pfSense in advance, but there was nothing more in the Shrew iked logs (decode log_level).

    I'm just interested in a copy-paste pfSense racoon 0.8 beta config from recent versions that works with mobile clients, if anyone is willing to share.

    Any thoughts would be highly appreciated.

    Thanks in advance.



  • I set up the client to main mode by mistake.  Back to the original problem: the iked daemon can't verify the crt file provided by racoon.

    For some reason, the Cisco VPN client also fails to do it.

    11/02/13 21:24:31 0x : f4d1db76 c626e7e5 0846f5c4 0710fb0c
    11/02/13 21:24:31 DB : phase1 resend event canceled ( ref count = 1 )
    11/02/13 21:24:31 -> : send IKE packet 192.168.1.10:500 -> 192.168.1.1:500 ( 136 bytes )
    11/02/13 21:24:31 0x : 45000088 d0090000 40112700 c0a8010a c0a80101 01f401f4 0074472c 59104383
    11/02/13 21:24:31 0x : f746f743 0ef968b9 5da7dc27 08100401 00000000 0000006c a3d3c5b3 49bd90e0
    11/02/13 21:24:31 0x : 8a54b028 c9313cb2 441a922a 256daeb2 11630ca8 ac5e0144 dcdd72a1 30eb315d
    11/02/13 21:24:31 0x : 0a75fc64 8ef99406 507c2a6b c3df42bb 1b0c4266 ed64c666 f4d1db76 c626e7e5
    11/02/13 21:24:31 0x : 0846f5c4 0710fb0c
    11/02/13 21:24:31 !! : unable to verify remote peer certificate
    11/02/13 21:24:31 ii : sending peer DELETE message
    11/02/13 21:24:31 ii : - 192.168.1.10:500 -> 192.168.1.1:500
    11/02/13 21:24:31 ii : - isakmp spi = 59104383f746f743:0ef968b95da7dc27
    11/02/13 21:24:31 ii : - data size 0
    11/02/13 21:24:31 >> : hash payload
    11/02/13 21:24:31 >> : delete payload
    11/02/13 21:24:31 == : new informational hash ( 20 bytes )
    11/02/13 21:24:31 0x : 9615fbeb cc34effb 96a3c29b 72d9c1d2 94a89a26
    11/02/13 21:24:31 == : new informational iv ( 16 bytes )
    11/02/13 21:24:31 0x : 2ba1d95e 870e6983 3fb24718 7b17113e
    11/02/13 21:24:31 >= : cookies 59104383f746f743:0ef968b95da7dc27
    11/02/13 21:24:31 >= : message a1a5664d
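Added diagnostic example, not code from the thread or from pfSense: it decodes the ISAKMP header out of the packet hex that iked printed above and compares the exchange type with racoon's exchange_mode, which is the check behind the "Etype mismatch" / "exchange Identity Protection not allowed" lines in the first post. The exchange_mode keyword-to-type mapping follows racoon.conf(5); the NAT-T non-ESP-marker handling for port 4500 captures is an assumption.

```python
import struct

# Constructed input: the 136-byte IKE packet that Shrew's iked printed in this
# thread (IPv4 + UDP + ISAKMP), copied from the "0x :" log lines above.
IKED_PACKET_HEX = """
45000088 d0090000 40112700 c0a8010a c0a80101 01f401f4 0074472c 59104383
f746f743 0ef968b9 5da7dc27 08100401 00000000 0000006c a3d3c5b3 49bd90e0
8a54b028 c9313cb2 441a922a 256daeb2 11630ca8 ac5e0144 dcdd72a1 30eb315d
0a75fc64 8ef99406 507c2a6b c3df42bb 1b0c4266 ed64c666 f4d1db76 c626e7e5
0846f5c4 0710fb0c
"""

# ISAKMP exchange types (RFC 2408 section 3.1).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (main mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}

# racoon.conf exchange_mode keyword -> the phase 1 exchange type it allows.
RACOON_EXCHANGE_MODE = {"base": 1, "main": 2, "aggressive": 4}


def parse_isakmp_header(hex_dump):
    """Skip the IPv4 and UDP headers, then decode the fixed 28-byte ISAKMP header."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    udp_dst = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    isakmp = raw[ihl + 8:]                          # UDP header is 8 bytes
    if udp_dst == 4500:                             # NAT-T: 4-byte non-ESP marker first (assumed)
        isakmp = isakmp[4:]
    (icookie, rcookie, next_payload, version, etype,
     flags, msgid, length) = struct.unpack("!8s8sBBBBII", isakmp[:28])
    return {
        "initiator_spi": icookie.hex(), "responder_spi": rcookie.hex(),
        "next_payload": next_payload, "version": f"{version >> 4}.{version & 0xF}",
        "exchange_type": etype, "exchange_name": EXCHANGE_TYPES.get(etype, "unknown"),
        "encrypted": bool(flags & 0x01), "message_id": msgid,
        "length": length, "length_ok": length == len(isakmp),
    }


def check_against_rmconf(header, exchange_mode):
    """The check racoon applies when matching a packet to a 'remote' section."""
    expected = RACOON_EXCHANGE_MODE[exchange_mode]
    got = header["exchange_type"]
    if got == expected:
        return f"ok: {header['exchange_name']} matches exchange_mode {exchange_mode}"
    return (f"mismatch: packet is {header['exchange_name']} (type {got}), "
            f"but exchange_mode {exchange_mode} only allows type {expected}")
```

Running parse_isakmp_header(IKED_PACKET_HEX) recovers the cookies that iked also prints as "isakmp spi" and an Aggressive (type 4) exchange, so check_against_rmconf() reports a mismatch only against an exchange_mode main remote section, which is the situation the first post's racoon log describes from the other side.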



  • Your config looks OK; here is mine for comparison.

    
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp a.b.c.d [500];
            isakmp_natt a.b.c.d [4500];
    }
    
    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size 253;
            network4 192.168.103.1;
            netmask4 255.255.255.0;
            dns4 192.168.100.1;
            default_domain "xyz";
            split_dns "xyz";
            save_passwd on;
    }
    
    remote anonymous
    {
            ph1id 2;
            exchange_mode main;
            my_identifier asn1dn ;
            peers_identifier asn1dn ;
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
            certificate_type x509 "cert-2.crt" "cert-2.key";
            ca_type x509 "ca-2.crt";
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method xauth_rsa_server;
                    encryption_algorithm aes 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    
    sainfo   anonymous
    {
            remoteid 2;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
    
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }
    
    

    Try using a domain name rather than an IP when connecting to the pfSense, and make sure that the cert is issued for that name.



  • Thank you Azzido,

    I see you have xauth_rsa_server. Do you happen to know what the difference is between xauth_rsa_server and hybrid_rsa_server? I know that, for the last one, in phase 1 only the server is authenticated (with RSA keys checked by the client) and the client authenticates in phase 2 with xauth. I didn't find details on the auth methods anywhere.

    Now I'm trying Xauth+PSK so that both client and server will serve each other a preshared key and the client will also have to authenticate in ph2. This gives a better result, but the authentication for the client fails (auth_source system in mode_cfg) for both a user created under "user manager" in pfSense and the admin user.

    I know that racoon 0.7.3 on FreeBSD works with authentication if auth_source is "pam", but racoon on pfSense 2.0 wasn't compiled with libpam.

    Is there any special condition for the user to be authenticated by racoon?



  • See here for hybrid auth explanation: http://www.netbsd.org/docs/network/ipsec/rasvpn.html#hybrid

    This is how I understand it: in mutual RSA mode the client and server have certificates issued by the same CA, and only clients that have certificates can connect to the server; in hybrid RSA mode only the server has a certificate, and it accepts connections from any client, because the client does not have a certificate. Hybrid is kind of like SSL: you can go to any https website and the traffic between you and the server will be encrypted, but the server has no idea who you are.

