Netgate Discussion Forum

    Ipsec for mobile clients using vpnc on ubuntu, not working

      bellera

      The thread exists as a General question, but I think it should be posted in this section.

      http://forum.pfsense.org/index.php?topic=55365.0

      I tried network-manager-strongswan but it hangs when configuring the VPN.
      https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/872824

      IPSec tunnel works fine from an Android 4 Tablet. My Android 4 has IPsec client built-in, like iOS devices.

      I installed strongswan in Android 4 but it seems not to support Mutual PSK + Xauth.

      I also tried l2tp-ipsec-vpn but it has no network-manager integration and it seems not to support Mutual PSK + Xauth.

      Any idea for using network-manager-vpnc as mobile client for pfSense?

      Note: I've been using network-manager-openvpn for more than a year without problems. But I wanted to try working with IPsec, just for know-how.

      Thanks in advance,

      Josep

        bellera

        Tried with ike-qtgui (Shrew Soft Client, http://www.shrew.net) without success.
        (no network-manager integration, only qt gui)

        Feb 26 11:17:48 	racoon: [AAA.BBB.CCC.DDD] ERROR: phase1 negotiation failed.
        Feb 26 11:17:48 	racoon: [AAA.BBB.CCC.DDD] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
        Feb 26 11:17:48 	racoon: [AAA.BBB.CCC.DDD] ERROR: failed to get valid proposal.
        Feb 26 11:17:48 	racoon: ERROR: no suitable proposal found.
        Feb 26 11:17:48 	racoon: [AAA.BBB.CCC.DDD] INFO: Selected NAT-T version: RFC 3947
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: CISCO-UNITY
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: DPD
        Feb 26 11:17:48 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: RFC 3947
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
        Feb 26 11:17:48 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
        Feb 26 11:17:48 	racoon: INFO: begin Aggressive mode.
        Feb 26 11:17:48 	racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.YYY.ZZZ[500]<=>AAA.BBB.CCC.DDD[6818]
        

        Something is wrong with my phase 1 but I'm not able to find the problem.

          bellera

          Does anybody know if Shrew Soft client can be configured for Mutual PSK + Xauth?

          All tutorials that I found use only Mutual PSK:

          http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

          http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth

          I tried the Windows client and I can't connect, like Ubuntu client.

            bellera

            @bellera:

            Any idea for using network-manager-vpnc as mobile client for pfSense?

            After some hours testing & googling…

            I think it is not possible to use vpnc with Mutual PSK + Xauth because:

            --auth-mode <psk/cert/hybrid>
                  Authentication mode:
                   * psk:    pre-shared key (default)
                   * cert:   server + client certificate (not implemented yet)
                   * hybrid: server certificate + xauth (if built with openssl
                             support)
                  Default: psk
                  conf-variable: IKE Authmode

            (from http://manpages.ubuntu.com/manpages/hardy/man8/vpnc.8.html)

              maxxer

              Thanks for your report.
              Have you tried asking on Ubuntu's forums, or askubuntu.com?

                bellera

                Have you tried asking on ubuntu's forums, or askubuntu.com?

                No, I just tested and looked at forums, bugs, manuals…

                Finally, Shrew Soft client works for Mutual PSK + Xauth !!!

                The problem was my Key Life Time Limit (phase 1). By default, pfSense puts it at 28800 seconds and Shrew at 86400 seconds.

                I configured 28800 seconds in the Shrew client and the tunnel worked. Tested with WinXP and Ubuntu 12.04 up-to-date.

                Conclusion: ike-qtgui (Shrew Soft VPN Access Manager) is the better solution for Linux (Ubuntu) clients. However, it has no network-manager applet.

                  maxxer

                  Thanks! It would be great if you could post this to the pfSense wiki as well!

                    bellera

                    I'm just the moderator for the Spanish section.

                    I don't have access to doc.pfsense.org

                    I'm sorry!

                    Josep
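
Added example (not part of any post in this thread): a small triage script that reads the racoon lines quoted earlier, confirms the responder rejected the phase 1 proposal, and then diffs the two sides' phase 1 settings to surface the lifetime mismatch that resolved the thread. The function names and the cipher, hash and DH values are assumptions made for illustration; only the lifetimes, mode and log text come from the thread.

```python
import re

# Racoon lines copied from the post above (whitespace normalised; the peer
# address is the post's own placeholder).
LOG = """\
Feb 26 11:17:48 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.YYY.ZZZ[500]<=>AAA.BBB.CCC.DDD[6818]
Feb 26 11:17:48 racoon: INFO: begin Aggressive mode.
Feb 26 11:17:48 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 26 11:17:48 racoon: ERROR: no suitable proposal found.
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] ERROR: failed to get valid proposal.
Feb 26 11:17:48 racoon: [AAA.BBB.CCC.DDD] ERROR: phase1 negotiation failed.
"""

# Phase 1 settings per side. The lifetimes are the defaults quoted in the
# thread; cipher, hash and DH group are constructed placeholder values.
GATEWAY = {"mode": "aggressive", "auth": "psk+xauth", "enc": "3des",
           "hash": "sha1", "dh_group": 2, "lifetime": 28800}
CLIENT = dict(GATEWAY, lifetime=86400)

def triage(log):
    """Summarise a racoon phase 1 exchange from the responder's log."""
    out = {"peer": None, "mode": None,
           "xauth_offered": False, "proposal_rejected": False}
    for line in log.splitlines():
        m = re.search(r"respond new phase 1 negotiation: \S+<=>(\S+)\[\d+\]", line)
        if m:
            out["peer"] = m.group(1)
        m = re.search(r"begin (\w+) mode", line)
        if m:
            out["mode"] = m.group(1).lower()
        if "Vendor ID" in line and "xauth" in line:
            out["xauth_offered"] = True
        if "no suitable proposal found" in line:
            out["proposal_rejected"] = True
    return out

def diff_phase1(gateway, client):
    """Return {attribute: (gateway_value, client_value)} for each difference."""
    keys = sorted(set(gateway) | set(client))
    return {k: (gateway.get(k), client.get(k))
            for k in keys if gateway.get(k) != client.get(k)}

if __name__ == "__main__":
    summary = triage(LOG)
    print(summary)
    if summary["proposal_rejected"]:
        for attr, (gw, cl) in diff_phase1(GATEWAY, CLIENT).items():
            print(f"phase 1 mismatch: {attr}: gateway={gw} client={cl}")
```
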

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.