Mutual PSK + XAuth Help



  • Hi,

We are running 2.0 and can successfully connect using Shrewsoft with Mutual PSK; however, when we try to implement X-Auth we get "user auth failed". We have created new groups, used admin groups, created individual PSKs under the PSK tab, etc., and can't seem to get it to connect.

    We have racoon running in debug mode and will post logs if needed.

    Any tips or tricks would be greatly appreciated.

    Thanks in advance!



  • You actually do not need to apply the user to the admins group, just permissions of "User - VPN - IPsec xauth Dialin."

    You will not be using the PSK tab in IPsec; you will use the User Manager to set a login/password.  The PSK will be configured in phase 1.

    Please post the IPsec log.

    I'm sure you've reviewed this page, but just in case: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0



  • @lint:

    You actually do not need to apply the user to the admins group, just permissions of "User - VPN - IPsec xauth Dialin."

    You will not be using the PSK tab in IPsec; you will use the User Manager to set a login/password.  The PSK will be configured in phase 1.

    Please post the IPsec log.

    I'm sure you've reviewed this page, but just in case: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    Hi Lint,

We have our system configured exactly as that link shows. We created a VPN users group and granted that user group the dial-in permission. We then created a new user in the User Manager and use those credentials to connect, which is where we get the error "User Authentication Failed" in the Shrewsoft client. Below is a log from standard mode; we will reset to debug mode and repost if needed.

    Nov 21 12:18:36	racoon: [173.57.XXX.XXX] ERROR: unknown Informational exchange received.
    Nov 21 12:18:36	racoon: INFO: login failed for user "interlock"
    Nov 21 12:18:36	racoon: ERROR: Port pool depleted
    Nov 21 12:18:36	racoon: ERROR: isakmp_cfg_config.port_pool == NULL
    Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: received INITIAL-CONTACT
    Nov 21 12:18:36	racoon: [Self]: INFO: ISAKMP-SA established 71.252.XXX.XXX[4500]-173.57.XXX.XXX[42751] spi:fbe2c5d200fe6eea:17dc078efa2bfd79
    Nov 21 12:18:36	racoon: INFO: Sending Xauth request
    Nov 21 12:18:36	racoon: INFO: NAT detected: ME PEER
    Nov 21 12:18:36	racoon: INFO: NAT-D payload #1 doesn't match
    Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Hashing 173.57.XXX.XXX[42751] with algo #2
    Nov 21 12:18:36	racoon: INFO: NAT-D payload #0 doesn't match
    Nov 21 12:18:36	racoon: [Self]: [71.252.XXX.XXX] INFO: Hashing 71.252.XXX.XXX[4500] with algo #2
    Nov 21 12:18:36	racoon: [Self]: INFO: NAT-T: ports changed to: 173.57.72.XXX[42751]<->71.252.XXX.XXX[4500]
    Nov 21 12:18:36	racoon: INFO: Adding xauth VID payload.
    Nov 21 12:18:36	racoon: [Self]: [71.252.XXX.XXX] INFO: Hashing 71.252.XXX.XXX[500] with algo #2
    Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Hashing 173.57.XXX.XXX[500] with algo #2
    Nov 21 12:18:36	racoon: INFO: Adding remote and local NAT-D payloads.
    Nov 21 12:18:36	racoon: [173.57.XXX.XXX] INFO: Selected NAT-T version: RFC 3947
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: CISCO-UNITY
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: DPD
    Nov 21 12:18:36	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: RFC 3947
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Nov 21 12:18:36	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Nov 21 12:18:36	racoon: INFO: begin Aggressive mode.
    Nov 21 12:18:36	racoon: [Self]: INFO: respond new phase 1 negotiation: 71.252.XXX.XXX[500]<=>173.57.XXX.XXX[500]
    


  • ERROR: Port pool depleted
    

    Based on this part of the error message, I would set a Virtual Address Pool in the Mobile Clients tab under IPsec.  Just set the IP subnet that you were planning on using for VPNs.

    Then, in Shrew, you can set it to obtain the IP automatically.

    I bet that will fix the problem.
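An added example, not from this thread or from pfSense: a small Python triage helper that parses racoon lines of the shape posted above, restores chronological order (the pfSense log viewer lists the newest line first) and flags the signatures discussed in this thread. The signature-to-remedy mapping is my reading of the replies, and the sample log is a constructed excerpt.

```python
import re

# Shape of a racoon line as the pfSense 2.0 IPsec log displays it:
# timestamp, "racoon:", zero or more [tags] such as [Self] or [peer-ip], level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s+"
    r"(?P<tags>(?:\[[^\]]*\]:?\s*)*)"
    r"(?P<level>INFO|ERROR|WARNING|DEBUG):\s+(?P<msg>.*)$"
)

# Failure signatures from the thread; the remedy text is my reading of the replies.
POOL_FIX = "no Virtual Address Pool configured (VPN > IPsec > Mobile Clients)"
SIGNATURES = {
    "isakmp_cfg_config.port_pool == NULL": POOL_FIX,
    "Port pool depleted": POOL_FIX,
    "login failed for user": "xauth login rejected; if no pool error precedes it, check "
        "User Manager credentials and the 'User - VPN - IPsec xauth Dialin' privilege",
}

def parse_line(raw):
    """Parse one log line; returns None for lines that are not racoon output."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    tags = re.findall(r"\[([^\]]*)\]", m.group("tags"))
    peer = next((t for t in tags if t != "Self"), None)
    return {"ts": m.group("ts"), "peer": peer, "level": m.group("level"), "msg": m.group("msg")}

def triage(lines, newest_first=True):
    """Parse, restore chronological order, and return (events, hits, root_cause)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if newest_first:              # the pfSense log viewer shows the newest line first
        events.reverse()
    hits = []
    for e in events:
        for sig, why in SIGNATURES.items():
            if sig in e["msg"] and sig not in [h[0] for h in hits]:
                hits.append((sig, why))
    # The earliest signature in time order is what to fix first: a "login failed"
    # that follows a pool error is a symptom of that error, not of bad credentials.
    root = hits[0][1] if hits else "no known failure signature found"
    return events, hits, root

# Constructed sample: newest-first excerpt shaped like the log posted in the thread.
SAMPLE = """\
Nov 21 12:18:36\tracoon: [173.57.XXX.XXX] ERROR: unknown Informational exchange received.
Nov 21 12:18:36\tracoon: INFO: login failed for user "interlock"
Nov 21 12:18:36\tracoon: ERROR: Port pool depleted
Nov 21 12:18:36\tracoon: ERROR: isakmp_cfg_config.port_pool == NULL
Nov 21 12:18:36\tracoon: INFO: Sending Xauth request
Nov 21 12:18:36\tracoon: [Self]: INFO: respond new phase 1 negotiation: 71.252.XXX.XXX[500]<=>173.57.XXX.XXX[500]
""".splitlines()
```

Run `triage(SAMPLE)` and the returned root cause points at the missing Virtual Address Pool rather than at the credentials.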



  • @lint:

    ERROR: Port pool depleted
    

    Based on this part of the error message, I would set a Virtual Address Pool in the Mobile Clients tab under IPsec.  Just set the IP subnet that you were planning on using for VPNs.

    Then, in Shrew, you can set it to obtain the IP automatically.

    I bet that will fix the problem.

    That was it!

    Excellent!

    Based on this information I will write a tutorial for XAuth+IPSec road warrior VPN.



  • Well,

    Now that we have the connectivity, how do we go about getting the local DNS entries to get to remote clients?



  • I've been searching and reading as much as possible but seem to have come up empty. Is there a way to push the local DNS entries to VPN clients over Shrew or am I spinning my wheels?

    I can ping the hosts via IP but not via hostname.

    Thanks,
    Technyne

