Ipsec for mobile clients using vpnc on ubuntu, not working
-
The thread exists as a General question, but I think it should be posted in this section
http://forum.pfsense.org/index.php?topic=55365.0
I tried network-manager-strongswan but it hangs when configuring the VPN.
https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/872824
IPSec tunnel works fine from an Android 4 Tablet. My Android 4 has IPsec client built-in, like iOS devices.
I installed strongswan in Android 4 but it seems not to support Mutual PSK + Xauth.
I also tried l2tp-ipsec-vpn but it has no network-manager integration and it seems not to support Mutual PSK + Xauth.
Any idea for using network-manager-vpnc as mobile client for pfSense?
Note: I've been using network-manager-openvpn for more than a year without problems. But I wanted to try working with IPsec, just for know-how.
Thanks in advance,
Josep
-
Tried with ike-qtgui (Shrew Soft Client, http://www.shrew.net) without success.
(no network-manager integration, only qt gui)
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] ERROR: phase1 negotiation failed.
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] ERROR: failed to get valid proposal.
Feb 26 11:17:48 racoon: ERROR: no suitable proposal found.
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] INFO: Selected NAT-T version: RFC 3947
Feb 26 11:17:48 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 26 11:17:48 racoon: INFO: received Vendor ID: DPD
Feb 26 11:17:48 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 26 11:17:48 racoon: INFO: received Vendor ID: RFC 3947
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 26 11:17:48 racoon: INFO: begin Aggressive mode.
Feb 26 11:17:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.YYY.ZZZ[500]<=>AAA.BBB.CCC.DDD[6818]
Something is wrong with my phase 1, but I'm not able to find the problem.
-
Does anybody know if Shrew Soft client can be configured for Mutual PSK + Xauth?
All tutorials that I found use only Mutual PSK:
http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth
I tried the Windows client and I can't connect, like Ubuntu client.
-
Any idea for using network-manager-vpnc as mobile client for pfSense?
After some hours testing & googling…
I think it is not possible to use vpnc with Mutual PSK + Xauth because:
--auth-mode <psk/cert/hybrid>
Authentication mode:
· psk: pre-shared key (default)
· cert: server + client certificate (not implemented yet)
· hybrid: server certificate + xauth (if built with openssl support)
Default: psk
conf-variable: IKE Authmode
(from http://manpages.ubuntu.com/manpages/hardy/man8/vpnc.8.html)
-
Thanks for your report.
Have you tried asking on Ubuntu's forums, or askubuntu.com?
-
Have you tried asking on ubuntu's forums, or askubuntu.com?
No, I just tested and looked at forums, bugs, manuals…
Finally, Shrew Soft client works for Mutual PSK + Xauth !!!
The problem was my Key Life Time Limit (phase 1). By default, pfSense puts it at 28800 seconds and Shrew at 86400 seconds.
I configured 28800 seconds at Shrew client and tunnel worked. Tested with WinXP and Ubuntu 12.04 up-to-date.
Conclusion: ike-qtgui (Shrew Soft VPN Access Manager) is the better solution for Linux (Ubuntu) clients. However, it has no network-manager applet.
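A small triage of the racoon output quoted in this thread, as an added example that is not part of the original posts: it groups log lines by timestamp and reports each failed phase 1 negotiation together with the check hint racoon printed. The sample log is constructed from the lines above, with documentation addresses standing in for the masked IPs; the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the racoon lines quoted in the thread.
# 203.0.113.10 and 192.0.2.1 are documentation addresses replacing the masked IPs.
SAMPLE_LOG = """\
Feb 26 11:17:48 racoon: [203.0.113.10] ERROR: phase1 negotiation failed.
Feb 26 11:17:48 racoon: [203.0.113.10] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Feb 26 11:17:48 racoon: ERROR: no suitable proposal found.
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 26 11:17:48 racoon: INFO: begin Aggressive mode.
Feb 26 11:17:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>203.0.113.10[6818]
Feb 26 11:20:02 racoon: INFO: received Vendor ID: DPD
"""

# timestamp, optional [peer] or [Self]: tag, level, message
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) racoon: "
                  r"(?:\[(?P<tag>[^\]]+)\]:? )?(?P<level>[A-Z]+): (?P<msg>.*)$")

def first_group(pattern, msgs):
    # Group 1 of the first message that matches, else None.
    for msg in msgs:
        hit = re.search(pattern, msg)
        if hit:
            return hit.group(1)
    return None

def triage(log_text):
    # Untagged racoon lines carry no peer, so lines are grouped by second;
    # two negotiations logged in the same second would be merged.
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            buckets[m["ts"]].append(m)
    findings = []
    for ts, lines in buckets.items():
        msgs = [m["msg"] for m in lines]
        if not any("phase1 negotiation failed" in s for s in msgs):
            continue
        findings.append({
            "time": ts,
            "peers": sorted({m["tag"] for m in lines if m["tag"] not in (None, "Self")}),
            "mode": first_group(r"begin (\w+) mode", msgs),
            "proposal_rejected": any("no suitable proposal found" in s for s in msgs),
            # A vendor ID only shows the client supports XAuth; the proposal still has to match.
            "xauth_vendor_id": any(s.startswith("received Vendor ID") and "xauth" in s for s in msgs),
            "racoon_hint": first_group(r"\[(Check [^\]]+)\]", msgs),
        })
    return findings
```

When `proposal_rejected` is true, the phase 1 values named in `racoon_hint` are the ones to compare between client and gateway, which is where the 28800 versus 86400 second lifetime difference in this thread was found.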
-
thanks! it would be great if you could post this to the pfsense wiki as well!
-
I'm just the moderator for the Spanish section.
I don't have access to doc.pfsense.org
I'm sorry!
Josep