IPSEC ShrewSoft VPN Woes



  • Hello Chaps,

    Firstly, I would like to thank you for making an ace product, and those who contribute the awesome guides.

    I am in the process of replacing my Cisco 1841 with a PFSensed Watchguard x750e, due to the Cisco not being able to NAT and do packet inspection beyond 40Mb.

    I have become a bit stuck in my efforts to get an IPSEC VPN set up. From the logs it is evident that the Shrewsoft VPN configuration is incorrect; my iPad can VPN with no problems, being able to ping all of the remote LAN and being able to browse the internet through the VPN.

    I can connect with my ShrewSoft VPN connection, but I am unable to ping the PFsense box, or any machines on the LAN. Would anyone be kind enough to offer some advice as to why this may be?

    Successful VPN connect and disconnect with iPad:

    Oct 24 10:40:54 racoon: INFO: Released port 0
    Oct 24 10:40:54 racoon: [Self]: INFO: ISAKMP-SA deleted PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
    Oct 24 10:40:54 racoon: INFO: purged ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
    Oct 24 10:40:54 racoon: INFO: purged IPsec-SA spi=147830056.
    Oct 24 10:40:54 racoon: INFO: purging ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
    Oct 24 10:40:54 racoon: INFO: purged IPsec-SA proto_id=ESP spi=199313569.
    Oct 24 10:40:54 racoon: INFO: deleting a generated policy.
    Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=199313569(0xbe148a1)
    Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=147830056(0x8cfb528)
    Oct 24 10:40:36 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Oct 24 10:40:36 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Oct 24 10:40:36 racoon: INFO: no policy found, try to generate the policy : 10.173.201.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Oct 24 10:40:36 racoon: [Self]: INFO: respond new phase 2 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[4500]
    Oct 24 10:40:36 racoon: WARNING: Ignored attribute 28683
    Oct 24 10:40:36 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Oct 24 10:40:35 racoon: INFO: login succeeded for user "VPN_NG"
    Oct 24 10:40:35 racoon: INFO: Using port 0
    Oct 24 10:40:31 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
    Oct 24 10:40:31 racoon: INFO: Sending Xauth request
    Oct 24 10:40:31 racoon: INFO: NAT detected: ME PEER
    Oct 24 10:40:31 racoon: [CLIENT_ADD] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Oct 24 10:40:31 racoon: INFO: NAT-D payload #1 doesn't match
    Oct 24 10:40:31 racoon: INFO: NAT-D payload #0 doesn't match
    Oct 24 10:40:31 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[4500]<->PFSENSE_PUBLIC_ADD[4500]
    Oct 24 10:40:31 racoon: INFO: Adding xauth VID payload.
    Oct 24 10:40:31 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
    Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
    Oct 24 10:40:31 racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: DPD
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Oct 24 10:40:31 racoon: INFO: received Vendor ID: RFC 3947
    Oct 24 10:40:31 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 24 10:40:31 racoon: INFO: begin Aggressive mode.
    Oct 24 10:40:31 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

    ShrewSoft:

    Oct 24 10:46:51 racoon: WARNING: Short payload
    Oct 24 10:46:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    Oct 24 10:46:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
    Oct 24 10:46:46 racoon: WARNING: Short payload
    Oct 24 10:46:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    Oct 24 10:46:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
    Oct 24 10:46:46 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:cda024940f8fa319:b5bac1a5968617ca
    Oct 24 10:46:46 racoon: INFO: Sending Xauth request
    Oct 24 10:46:46 racoon: INFO: NAT detected: ME PEER
    Oct 24 10:46:46 racoon: INFO: NAT-D payload #1 doesn't match
    Oct 24 10:46:46 racoon: INFO: NAT-D payload #0 doesn't match
    Oct 24 10:46:46 racoon: INFO: Adding xauth VID payload.
    Oct 24 10:46:46 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[4500] with algo #2 (NAT-T forced)
    Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[1147] with algo #2 (NAT-T forced)
    Oct 24 10:46:46 racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: DPD
    Oct 24 10:46:46 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: RFC 3947
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 24 10:46:46 racoon: INFO: begin Aggressive mode.
    Oct 24 10:46:46 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[1147]
    Oct 24 10:46:43 racoon: INFO: login succeeded for user "VPN_NG"
    Oct 24 10:46:43 racoon: INFO: Using port 0
    Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: received INITIAL-CONTACT
    Oct 24 10:46:43 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:5d41d4152c5f4ce1:a3c3bb8aa2dac3de
    Oct 24 10:46:43 racoon: INFO: Sending Xauth request
    Oct 24 10:46:43 racoon: INFO: NAT detected: ME PEER
    Oct 24 10:46:43 racoon: INFO: NAT-D payload #1 doesn't match
    Oct 24 10:46:43 racoon: INFO: NAT-D payload #0 doesn't match
    Oct 24 10:46:43 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[1147]<->PFSENSE_PUBLIC_ADD[4500]
    Oct 24 10:46:43 racoon: INFO: Adding xauth VID payload.
    Oct 24 10:46:43 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
    Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
    Oct 24 10:46:43 racoon: INFO: Adding remote and local NAT-D payloads.
    Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
    Oct 24 10:46:43 racoon: INFO: received Vendor ID: CISCO-UNITY
    Oct 24 10:46:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Oct 24 10:46:43 racoon: INFO: received Vendor ID: RFC 3947
    Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Oct 24 10:46:43 racoon: INFO: begin Aggressive mode.
    Oct 24 10:46:43 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

    Any help would be appreciated

    Many Thanks Neil
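The log excerpts in the post above can be read mechanically. The script below is an added example (not from the thread, pfSense or Shrew Soft) that parses racoon lines of this shape, splits them into phase-1 attempts and reports how far each one got: ISAKMP-SA up, Xauth completed, IPsec-SA established. The embedded sample is a subset of the Shrew Soft log from the post, pasted newest-first as pfSense displays it. Run on it, it shows two phase-1 negotiations three seconds apart: the first logs a successful Xauth login, the second reaches an ISAKMP-SA but then phase 2 is attempted while Xauth has not completed.

```python
"""Summarise racoon IKE negotiation logs like the ones pasted in this thread.

Added example (not from the thread, pfSense or Shrew Soft).  It segments the
log into phase-1 attempts and reports, per attempt, whether the ISAKMP-SA
came up, whether Xauth completed, and whether an IPsec-SA (phase 2) was
established.  SAMPLE_LOG is a subset of the Shrew Soft log from the post.
"""
import re
from datetime import datetime

# Shape: "Oct 24 10:46:46 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: message"
# Bracketed tags may be absent, repeated, and followed by a colon or not.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[[^\]]*\]:? )*"
    r"(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
Oct 24 10:46:51 racoon: WARNING: Short payload
Oct 24 10:46:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:cda024940f8fa319:b5bac1a5968617ca
Oct 24 10:46:46 racoon: INFO: Sending Xauth request
Oct 24 10:46:46 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[1147]
Oct 24 10:46:43 racoon: INFO: login succeeded for user "VPN_NG"
Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: received INITIAL-CONTACT
Oct 24 10:46:43 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:5d41d4152c5f4ce1:a3c3bb8aa2dac3de
Oct 24 10:46:43 racoon: INFO: Sending Xauth request
Oct 24 10:46:43 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]
"""


def parse_line(line):
    """Return {'ts', 'when', 'level', 'msg'} for a racoon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    return {
        "ts": ts,
        "when": datetime.strptime(ts, "%b %d %H:%M:%S"),  # year-less syslog stamp
        "level": m.group("level"),
        "msg": m.group("msg"),
    }


def diagnose(log_text):
    """Split the log into phase-1 attempts (oldest first) and record what each one reached."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.reverse()                      # pasted newest-first; make it oldest-first
    events.sort(key=lambda e: e["when"])  # stable sort keeps same-second order intact
    attempts = []
    for e in events:
        msg = e["msg"]
        if msg.startswith("respond new phase 1 negotiation"):
            attempts.append({"started": e["ts"], "isakmp_sa": False, "xauth_ok": False,
                             "xauth_failed": False, "ipsec_sa": False, "errors": []})
        if not attempts:
            continue  # lines before the first phase-1 start, e.g. teardown of an older SA
        cur = attempts[-1]
        if "ISAKMP-SA established" in msg:
            cur["isakmp_sa"] = True
        elif msg.startswith("login succeeded"):
            cur["xauth_ok"] = True
        elif "Xauth failed" in msg or "did not succeed Xauth" in msg:
            cur["xauth_failed"] = True
        elif "IPsec-SA established" in msg:
            cur["ipsec_sa"] = True
        if e["level"] == "ERROR":
            cur["errors"].append(msg)
    return attempts


def verdict(attempt):
    """One-line reading of how far an attempt got and which settings to look at next."""
    if not attempt["isakmp_sa"]:
        return "phase 1 did not complete: check exchange type, DH group, cipher, hash, PSK and identifiers"
    if attempt["xauth_failed"] or not attempt["xauth_ok"]:
        return "phase 1 up but Xauth not completed: check username/password and the IPsec xauth privilege"
    if not attempt["ipsec_sa"]:
        return "Xauth ok but no IPsec-SA: check phase 2 transform, HMAC, PFS and lifetimes"
    return "tunnel established"


if __name__ == "__main__":
    for i, a in enumerate(diagnose(SAMPLE_LOG), 1):
        print(f"attempt {i} at {a['started']}: {verdict(a)} ({len(a['errors'])} error lines)")
```

Paste a longer capture from Status > System Logs > IPsec into SAMPLE_LOG (or read it from a file) and the per-attempt output tells you whether the problem is in phase 1, in Xauth, or in phase 2 before you start changing settings.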


  • Rebel Alliance Developer Netgate

    In Shrew Soft, don't specify "auto" for all of the cipher and related values. Specify exactly what you have on the server config.

    (Or ditch IPsec for windows clients, OpenVPN is much better all around for that)



  • Also ensure that the Phase-2 lifetimes match.



  • Hello guys.

    Thank you, I will ensure all values match and report back.



  • Hi guys,

    All values match, but I am still getting the same:

    Oct 26 13:52:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    Oct 26 13:52:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
    Oct 26 13:52:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    Oct 26 13:52:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange

    Is there any way to get any more detailed logs?


  • Rebel Alliance Developer Netgate

    If it says that xauth failed, my first guess would be the username/password used for auth, or perhaps the account you're trying to use doesn't have the IPsec xauth privilege.



  • I thought that too, but my iPad works fine with the same credentials.

    Effective Privileges
    Inherited From: Remote Workers
    Name: User - VPN - IPsec xauth Dialin
    Description: Indicates whether the user is allowed to dial in via IPsec xauth (Note: Does not allow shell access, but may allow the user to create ssh tunnels)

    It is definitely a Shrewsoft issue rather than a PFsense issue; I'm actually surprised how much I can muck about with the IPSEC config on the PFsense box and the iPad still connects and works every time.

    I would rather use IPSEC than OpenVPN, but that is just because I understand it a little more.

    I'm currently using the nano version installed on a CF card, which (I believe) is causing me other issues, so as soon as I get around to getting a PITA ssd I will be doing another install, so starting with a clean slate may help.

    Neil


  • Rebel Alliance Developer Netgate

    When I was updating the IPsec chapter in the book the other day I had Shrew Soft talking to the server fine using Xauth so I know it works. If it's an issue in Shrew Soft, it's in your settings.

    OpenVPN is much, much, much better for mobile clients. There really is no contest there.



  • Hello Jimp,

    As you suggested I used OpenVPN; very easy to use, and scalable. Doesn't like Windows 8 much though, but I can live with it.

    Regards, Neil



  • Well, it is probably too late for you, but I thought I should share my experience with pfSense and the Shrew Soft VPN Client.

    On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0.

    On Windows 7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe.

    Here are the configurations on the Shrew Soft side:

    General
      Hostname: <the server's IP address>
      Port: 500
      Auto Configuration: ike config pull
      Address Method: Use a virtual adapter and assigned address
      MTU: Obtain automatically
    Client
      NAT Traversal: force-rfc
      NAT Traversal Port: 4500
      Keep-alive packet rate: 15/Secs
      IKE Fragmentation: enable
      Maximum packet size: 540 Bytes
      Enable Dead Peer Detection
      Enable Client Login Banner
    Name Resolution
      No WINS/DNS server
    Authentication
      Local Identity
        Identification Type: Key Identifier
        Key ID String: vpnusers@example.com (or whatever you filled in for Peer identifier: User Distinguished Name when you set up the pfSense server Phase 1)
      Remote Identity
        Identification Type: IP Address
      Credentials
        Pre Shared Key: aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
    Phase 1
      Exchange Type: aggressive
      DH Exchange: group 2
      Cipher Algorithm: aes
      Cipher Key Length: 128 Bits
      Hash Algorithm: sha1
      Key Life Time Limit: 86400 Secs
      Key Life Data limit: 0 KBytes
    Phase 2
      Transform Algorithm: esp-aes
      Transform Key Length: 128 Bits
      HMAC Algorithm: sha1
      PFS Exchange: disabled
      Compression Algorithm: disabled
      Key Life Time limit: 3600 Secs
      Key Life Data limit: 0 KBytes
    Policy
      Policy Generation Level: unique
      Remote Network Resource
        0.0.0.0/0.0.0.0

    If you can verify this also works for you, it would be nice if someone could expand the Device Setup section of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include the Shrew Soft client.

    Hope this helps.

    Kang Sun
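The profile above, together with the advice earlier in the thread (no "auto" values in Shrew Soft, every cipher/hash/DH/lifetime matched to the server, phase 2 lifetimes equal), can be turned into a mechanical check. The script below is an added example, not code from the thread, pfSense or Shrew Soft. The client dicts use the Shrew Soft dialog labels as listed in the post; the server dict is an assumed hand-copied version of the matching pfSense Phase 1 / Phase 2 entries with field names chosen here, and the second client profile is constructed to show what a mismatch report looks like.

```python
"""Compare a Shrew Soft client profile against pfSense mobile IPsec phase 1/2 settings.

Added example, not from the thread, pfSense or Shrew Soft.  SERVER is an assumed
copy of the pfSense Phase 1 / Phase 2 values (field names chosen here);
CLIENT_FROM_POST is the profile listed in the post above; CLIENT_DEFAULTS is a
constructed profile with one value left on "auto" and one lifetime unmatched.
"""


def norm(value):
    """Canonicalise so that 'AES', 'esp-aes', '128 Bits' and 128 compare equal."""
    s = str(value).strip().lower()
    if s in ("disabled", "none", "off"):      # PFS off is spelled differently per side
        return "off"
    for prefix in ("esp-", "group "):
        if s.startswith(prefix):
            s = s[len(prefix):]
    for suffix in (" bits", " secs"):
        if s.endswith(suffix):
            s = s[:-len(suffix)]
    return s


# (server field, Shrew Soft dialog label) pairs that must agree, per phase
PHASE1_PAIRS = [("negotiation_mode", "Exchange Type"), ("dh_group", "DH Exchange"),
                ("encryption", "Cipher Algorithm"), ("key_length", "Cipher Key Length"),
                ("hash", "Hash Algorithm"), ("lifetime", "Key Life Time Limit")]
PHASE2_PAIRS = [("encryption", "Transform Algorithm"), ("key_length", "Transform Key Length"),
                ("hash", "HMAC Algorithm"), ("pfs_group", "PFS Exchange"),
                ("lifetime", "Key Life Time limit")]

# Assumed server side, matching the values the post says it used
SERVER = {
    "Phase 1": {"negotiation_mode": "aggressive", "dh_group": 2, "encryption": "aes",
                "key_length": 128, "hash": "sha1", "lifetime": 86400},
    "Phase 2": {"encryption": "aes", "key_length": 128, "hash": "sha1",
                "pfs_group": "off", "lifetime": 3600},
}

# Client profile exactly as listed in the post
CLIENT_FROM_POST = {
    "Phase 1": {"Exchange Type": "aggressive", "DH Exchange": "group 2",
                "Cipher Algorithm": "aes", "Cipher Key Length": "128 Bits",
                "Hash Algorithm": "sha1", "Key Life Time Limit": "86400 Secs"},
    "Phase 2": {"Transform Algorithm": "esp-aes", "Transform Key Length": "128 Bits",
                "HMAC Algorithm": "sha1", "PFS Exchange": "disabled",
                "Key Life Time limit": "3600 Secs"},
}

# Constructed profile: cipher left on auto, phase 2 lifetime not matched to the server
CLIENT_DEFAULTS = {
    "Phase 1": {**CLIENT_FROM_POST["Phase 1"], "Cipher Algorithm": "auto"},
    "Phase 2": {**CLIENT_FROM_POST["Phase 2"], "Key Life Time limit": "28800 Secs"},
}


def check_profile(server, client):
    """Return human-readable problems; an empty list means the profile matches the server."""
    problems = []
    for phase, pairs in (("Phase 1", PHASE1_PAIRS), ("Phase 2", PHASE2_PAIRS)):
        for sfield, cfield in pairs:
            sval = server[phase][sfield]
            cval = client[phase].get(cfield, "auto")   # a missing value behaves like auto
            if norm(cval) == "auto":
                problems.append(f"{phase}: '{cfield}' is auto; set it explicitly to {sval}")
            elif norm(cval) != norm(sval):
                problems.append(f"{phase}: '{cfield}' is {cval!r} but the server uses {sval!r}")
    return problems


if __name__ == "__main__":
    for name, client in (("profile from the post", CLIENT_FROM_POST),
                         ("defaults profile", CLIENT_DEFAULTS)):
        problems = check_profile(SERVER, client)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The profile from the post comes back clean; the constructed one reports the "auto" cipher and the 28800 versus 3600 second phase 2 lifetime, which are exactly the two kinds of mismatch the earlier replies in this thread point at.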

