IPSEC ShrewSoft VPN Woes

Sacrilegious

Hello Chaps,

Firstly I would like to thank you for making a ace product and those that contribute with the awesome guides.

I am in the process of replacing my Cisco 1841 with a PFSensed Watchguard x750e, due the Cisco not been able to NAT and do packet inspection beyond 40Mb.

I have become a bit stuck in my efforts to get a IPSEC VPN Set up, from the logs it is evident that the Shrewsoft VPN configuration is incorrect, my IPAD can VPN with no problems, being able to ping all the remote LAN and being able to browse the internet through the VPN.

I can connect with with my ShrewSoft VPN connection, but i am unable to ping the PFsense box, or any machines on the Lan, would anyone the kind enough to offer some advice as to why this may be?

Successful VPN connect and disconnect with IPAD:

Oct 24 10:40:54 racoon: INFO: Released port 0
Oct 24 10:40:54 racoon: [Self]: INFO: ISAKMP-SA deleted PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
Oct 24 10:40:54 racoon: INFO: purged ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
Oct 24 10:40:54 racoon: INFO: purged IPsec-SA spi=147830056.
Oct 24 10:40:54 racoon: INFO: purging ISAKMP-SA spi=8dd95b8b34515e25:e7497b1fada304c0:00004bac.
Oct 24 10:40:54 racoon: INFO: purged IPsec-SA proto_id=ESP spi=199313569.
Oct 24 10:40:54 racoon: INFO: deleting a generated policy.
Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=199313569(0xbe148a1)
Oct 24 10:40:36 racoon: [Self]: INFO: IPsec-SA established: ESP PFSENSE_PUBLIC_ADD[500]->CLIENT_ADD[500] spi=147830056(0x8cfb528)
Oct 24 10:40:36 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Oct 24 10:40:36 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Oct 24 10:40:36 racoon: INFO: no policy found, try to generate the policy : 10.173.201.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Oct 24 10:40:36 racoon: [Self]: INFO: respond new phase 2 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[4500]
Oct 24 10:40:36 racoon: WARNING: Ignored attribute 28683
Oct 24 10:40:36 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Oct 24 10:40:35 racoon: INFO: login succeeded for user "VPN_NG"
Oct 24 10:40:35 racoon: INFO: Using port 0
Oct 24 10:40:31 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[4500] spi:8dd95b8b34515e25:e7497b1fada304c0
Oct 24 10:40:31 racoon: INFO: Sending Xauth request
Oct 24 10:40:31 racoon: INFO: NAT detected: ME PEER
Oct 24 10:40:31 racoon: [CLIENT_ADD] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Oct 24 10:40:31 racoon: INFO: NAT-D payload #1 doesn't match
Oct 24 10:40:31 racoon: INFO: NAT-D payload #0 doesn't match
Oct 24 10:40:31 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[4500]<->PFSENSE_PUBLIC_ADD[4500]
Oct 24 10:40:31 racoon: INFO: Adding xauth VID payload.
Oct 24 10:40:31 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
Oct 24 10:40:31 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 24 10:40:31 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
Oct 24 10:40:31 racoon: INFO: received Vendor ID: DPD
Oct 24 10:40:31 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Oct 24 10:40:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Oct 24 10:40:31 racoon: INFO: received Vendor ID: RFC 3947
Oct 24 10:40:31 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 24 10:40:31 racoon: INFO: begin Aggressive mode.
Oct 24 10:40:31 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

ShrewSoft:

Oct 24 10:46:51 racoon: WARNING: Short payload
Oct 24 10:46:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: WARNING: Short payload
Oct 24 10:46:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 24 10:46:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 24 10:46:46 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:cda024940f8fa319:b5bac1a5968617ca
Oct 24 10:46:46 racoon: INFO: Sending Xauth request
Oct 24 10:46:46 racoon: INFO: NAT detected: ME PEER
Oct 24 10:46:46 racoon: INFO: NAT-D payload #1 doesn't match
Oct 24 10:46:46 racoon: INFO: NAT-D payload #0 doesn't match
Oct 24 10:46:46 racoon: INFO: Adding xauth VID payload.
Oct 24 10:46:46 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[4500] with algo #2 (NAT-T forced)
Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[1147] with algo #2 (NAT-T forced)
Oct 24 10:46:46 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 24 10:46:46 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
Oct 24 10:46:46 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 24 10:46:46 racoon: INFO: received Vendor ID: DPD
Oct 24 10:46:46 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 24 10:46:46 racoon: INFO: received Vendor ID: RFC 3947
Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Oct 24 10:46:46 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 24 10:46:46 racoon: INFO: begin Aggressive mode.
Oct 24 10:46:46 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[4500]<=>CLIENT_ADD[1147]
Oct 24 10:46:43 racoon: INFO: login succeeded for user "VPN_NG"
Oct 24 10:46:43 racoon: INFO: Using port 0
Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: received INITIAL-CONTACT
Oct 24 10:46:43 racoon: [Self]: INFO: ISAKMP-SA established PFSENSE_PUBLIC_ADD[4500]-CLIENT_ADD[1147] spi:5d41d4152c5f4ce1:a3c3bb8aa2dac3de
Oct 24 10:46:43 racoon: INFO: Sending Xauth request
Oct 24 10:46:43 racoon: INFO: NAT detected: ME PEER
Oct 24 10:46:43 racoon: INFO: NAT-D payload #1 doesn't match
Oct 24 10:46:43 racoon: INFO: NAT-D payload #0 doesn't match
Oct 24 10:46:43 racoon: [Self]: INFO: NAT-T: ports changed to: CLIENT_ADD[1147]<->PFSENSE_PUBLIC_ADD[4500]
Oct 24 10:46:43 racoon: INFO: Adding xauth VID payload.
Oct 24 10:46:43 racoon: [Self]: [PFSENSE_PUBLIC_ADD] INFO: Hashing PFSENSE_PUBLIC_ADD[500] with algo #2 (NAT-T forced)
Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Hashing CLIENT_ADD[500] with algo #2 (NAT-T forced)
Oct 24 10:46:43 racoon: INFO: Adding remote and local NAT-D payloads.
Oct 24 10:46:43 racoon: [CLIENT_ADD] INFO: Selected NAT-T version: RFC 3947
Oct 24 10:46:43 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 24 10:46:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 24 10:46:43 racoon: INFO: received Vendor ID: RFC 3947
Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 24 10:46:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 24 10:46:43 racoon: INFO: begin Aggressive mode.
Oct 24 10:46:43 racoon: [Self]: INFO: respond new phase 1 negotiation: PFSENSE_PUBLIC_ADD[500]<=>CLIENT_ADD[500]

Any help would be appreciated

Many Thanks Neil

jimp

In Shew Soft, don't specify "auto" for all of the cipher and related values. Specify exactly what you have on the server config.

(Or ditch IPsec for windows clients, OpenVPN is much better all around for that)

dhatz

Also ensure that the Phase-2 lifetimes match.

Sacrilegious

Hello Guy's.

Thank you, I will insure all values match, and report back

Sacrilegious

Hi Guy's

All values match, but i am still getting the same:

Oct 26 13:52:51 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 26 13:52:51 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
Oct 26 13:52:46 racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
Oct 26 13:52:46 racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange

Is there any way to get any more detailed logs?

jimp

if it says that xauth failed, my first guess would be the username/password used for auth, or perhaps the account you're trying to use doesn't have the IPsec xauth privilege.

Sacrilegious

I thought that to, but my ipad works fine with the same credentials

Effective Privileges
Inherited From Name Description
Remote Workers User - VPN - IPsec xauth Dialin Indicates whether the user is allowed to dial in via IPsec xauth (Note: Does not allow shell access, but may allow the user to create ssh tunnels)

It is definitely a Shrewsoft issue than a PFsense issue, im actually surprised how much i can muck about the IPSEC config on the PFsensebox and the IPAD still connects and works every time.

I would rather use IPSEC than OpenVPN, but that just as I understand it a little more,

Im currently using the nano version installed on a CF card, which (i believe) to be causing me other issues, so as soon as i get around to getting a PITA ssd i will be doing another install, so starting with a clean slate may help.

Neil

jimp

When I was updating the IPsec chapter in the book the other day I had Shrew Soft talking to the server fine using Xauth so I know it works. If it's an issue in Shrew Soft, it's in your settings.

OpenVPN is much, much, much better for mobile clients. There really is no contest there.

Sacrilegious

Hello Jimp,

As you suggested I used Open VPN, very easy to use, and scalable. Doesnt link windows 8 much though, but i can live with it.

regards Neil

ksun6868

Well, it is probably too late for you, but I thought I should share my experience with pfSense and Shrewd VPN Client.

On the pfSense side, I simply followed the exact instruction of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0.

On Windows7 I downloaded http://www.shrew.net/download/vpn/vpn-client-2.1.7-release.exe.

Here are the configurations on the shrewd side,

General
Hostname: <the server's="" ip="" address="">Port: 500
Auto Configuration: ike config pull
Address Method: Use a virtual adapter and assigned address
MTU: Obtain automatically
Client
NAT Traversal: force-rfc
NAT Traversal Port: 4500
Keep-alive packet rate: 15/Secs
IKE Fragmentation: enable
Maximum package size: 540 Bytes
Enable Dead Peer Detection
Enable Client Login Banner
Name Resolution
No WiINS/DNS server
Authentication
Local Identity
  Identification Type: Key Identifier
  Key ID String: vpnusers@example.com (or whatever you filled up for Peer identifier: User Distinguished Name when you set up pfSense server Phase1)
  Remote Identity
    Identification Type: IP Address
  Credentials
    Pre Shared Key:  aaabbbccc (or whatever you set up for Pre-Shared Key on the server side)
Phase 1
  Exchange Type: aggressive
  DH Exchange: group 2
  Cipher Algorithm: aes
  Cipher Key Length: 128 Bits
  Hash Algorithm: sha1
  Key Life Time Limit: 86400 Secs
  Key Life Data limit: 0 KBytes
Phase 2
  Transform Algorithm: esp-aes
  Transform Key Length: 128 Bits
  HMAC Algorithm: sha1
  PFS Exchange: disabled
  Compression Algorithm: disabled
  Key Life Time limit: 3600 Secs
  Key Life Data limit: 0 Kbytes
Policy
Policy Generation Level: unique
Remote Network Resource
  0.0.0.0/0.0.0.0

If you can verify this also works for you, it would be nice if someone could expand the Device Setup session of http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 to include Shrewd client.

Hope this helps.

Kang Sun</the>