Netgate Discussion Forum

    PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2

    5 Posts 2 Posters 1.6k Views
    starkiller

      I have been working on getting these to work together and I have made some headway, but it might require a more expert look, as I have found no solid documentation on how to get it working.

      I have a current VPN with 5 sites with dynamic IPs going to a Netopia 3387 at the main office, where I have the pfSense box set up. I am using 1 site as a test site to see if I can get it working before redirecting the rest to the pfSense box. I have had no success with the regular IPsec setup: I get "aggressive mode not in any rmconf". When I use the mobile client, the site will authenticate, but will not pass traffic because the local subnet is not defined.

      Regular IPSEC

      <ipsec>
      	<enable/>
      	<client>
      		<enable/>
      		<user_source>Local Database</user_source>
      		<group_source>none</group_source>
      	</client>
      	<phase1>
      		<ikeid>1</ikeid>
      		<interface>wan</interface>
      		<remote-gateway>anonymous</remote-gateway>
      		<mode>aggressive</mode>
      		<protocol>inet</protocol>
      		<myid_type>keyid tag</myid_type>
      		<myid_data>VPN5</myid_data>
      		<peerid_type>keyid tag</peerid_type>
      		<peerid_data>VPN5</peerid_data>
      		<encryption-algorithm>
      			<name>des</name>
      		</encryption-algorithm>
      		<hash-algorithm>md5</hash-algorithm>
      		<dhgroup>2</dhgroup>
      		<lifetime>28800</lifetime>
      		<pre-shared-key>PSK</pre-shared-key>
      		<private-key/>
      		<certref/>
      		<caref/>
      		<authentication_method>pre_shared_key</authentication_method>
      		<generate_policy>off</generate_policy>
      		<proposal_check>obey</proposal_check>
      		<descr/>
      		<nat_traversal>off</nat_traversal>
      		<dpd_delay>10</dpd_delay>
      		<dpd_maxfail>5</dpd_maxfail>
      	</phase1>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>lan</type>
      		</localid>
      		<remoteid>
      			<type>network</type>
      			<address>10.0.5.0</address>
      			<netbits>24</netbits>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
      		<pfsgroup>2</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      </ipsec>
      
      

      Mobile IPSEC

      <ipsec>
      	<enable/>
      	<client>
      		<enable/>
      		<user_source>Local Database</user_source>
      		<group_source>none</group_source>
      	</client>
      	<phase1>
      		<ikeid>1</ikeid>
      		<interface>wan</interface>
      		<mobile/>
      		<mode>aggressive</mode>
      		<protocol>inet</protocol>
      		<myid_type>keyid tag</myid_type>
      		<myid_data>VPN5</myid_data>
      		<peerid_type>fqdn</peerid_type>
      		<peerid_data/>
      		<encryption-algorithm>
      			<name>des</name>
      		</encryption-algorithm>
      		<hash-algorithm>md5</hash-algorithm>
      		<dhgroup>2</dhgroup>
      		<lifetime>28800</lifetime>
      		<pre-shared-key/>
      		<private-key/>
      		<certref/>
      		<caref/>
      		<authentication_method>pre_shared_key</authentication_method>
      		<generate_policy>off</generate_policy>
      		<proposal_check>obey</proposal_check>
      		<descr/>
      		<nat_traversal>off</nat_traversal>
      		<dpd_delay>10</dpd_delay>
      		<dpd_maxfail>5</dpd_maxfail>
      	</phase1>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>lan</type>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
      		<pfsgroup>2</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      </ipsec>
      
      

      Netopia Config

      set security ipsec tunnels name "VPN1" tun-enable on
      set security ipsec tunnels name "VPN1" dest-ext-address 8.8.8.8
      set security ipsec tunnels name "VPN1" dest-int-network 10.0.1.0
      set security ipsec tunnels name "VPN1" dest-int-netmask 255.255.255.0
      set security ipsec tunnels name "VPN1" encrypt-protocol ESP
      set security ipsec tunnels name "VPN1" auth-protocol ESP
      set security ipsec tunnels name "VPN1" nat-enable off
      set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key-type ascii
      set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key "PSK"
      set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
      set security ipsec tunnels name "VPN1" IKE-mode local-id-type ASCII
      set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
      set security ipsec tunnels name "VPN1" IKE-mode remote-id-type ASCII
      set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
      set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
      set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
      set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
      set security ipsec tunnels name "VPN1" IKE-mode PFS-enable on
      set security ipsec tunnels name "VPN1" IKE-mode invalid-spi-recovery on
      set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-mbytes 1000
      set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-seconds 82800
      set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-mbytes 1200
      set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-seconds 86400
      set security ipsec tunnels name "VPN1" IKE-mode ipsec-mtu 1500
      set security ipsec tunnels name "VPN1" xauth enable off
      

      I was thinking maybe a dirty hack by backing up the VPN config file, but there has to be a cleaner way that works?

      starkiller

        I tried some config file modification and it did not work. I think I will try going back to the pfSense 2.0.x series and see if this still occurs, given the number of forum posts concerning 2.1 and IPsec issues.

        starkiller

          I was able to do some testing, and 2.0.1 doesn't support this either. I am pretty sure racoon does, via the anonymous remote type, which pfSense only seems to support for one host. I am going to work on a manual config and will post it if I get it working. Hopefully the developers can make a mobile config page that supports this type of config, if I get it working.

          starkiller

            Well, I can get them talking, but not passing traffic yet.

            # This file is automatically generated. Do not edit
            path pre_shared_key "/var/etc/ipsec/psk.txt";
            
            path certificate  "/var/etc/ipsec";
            
            listen
            {
                    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                    isakmp x.x.x.x [500];
                    isakmp_natt x.x.x.x [4500];
            }
            
            mode_cfg
            {
                    auth_source external;
                    group_source system;
            }
            
            extcfg { script "/var/etc/ipsec/ipsec.php" }
            
            remote anonymous
            {
                    ph1id 1;
                    exchange_mode aggressive;
                    my_identifier keyid tag "VPN";
                    peers_identifier keyid tag "VPN";
            
                    ike_frag on;
                    generate_policy = unique;
                    initial_contact = on;
                    nat_traversal = on;
            
                    dpd_delay = 10;
                    dpd_maxfail = 5;
                    support_proxy on;
                    proposal_check strict;
            
                    proposal
                    {
                            authentication_method pre_shared_key;
                            encryption_algorithm des;
                            hash_algorithm md5;
                            dh_group 2;
                            lifetime time 82800 secs;
                    }
            }
            
            sainfo subnet 10.0.1.0/24 any subnet 10.0.4.0/24 any
            {
                    remoteid 1;
                    encryption_algorithm des;
                    authentication_algorithm hmac_md5;
                    pfs_group 2;
                    lifetime time 86400 secs;
                    compression_algorithm deflate;
            }
            

            I can't create this config via the GUI because it doesn't support it. racoon does, though. I just have to find the right params to let it pass traffic.

            vbentley

              @starkiller:

              
                      my_identifier keyid tag "VPN";
                      peers_identifier keyid tag "VPN";
              
              

              I know this is a reply to an old post, but I think the my_identifier keyid tag should be different from the peers_identifier keyid tag.
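As an added example (not code from the thread, pfSense or Netopia), a small Python audit that parses the racoon `remote` block and the Netopia `IKE-mode` lines and cross-checks them: the IDs must cross over (racoon's my_identifier is the Netopia remote-id and vice versa), the identical keyid tags noted in the reply above get flagged, and the DES/MD5 phase-1 proposals are reported as weak. The sample inputs are constructed, abridged from the configs quoted in the thread, and the WEAK list is a hypothetical policy.

```python
import re

# Constructed sample inputs, abridged from the racoon.conf and Netopia config quoted in this thread.
RACOON_CONF = '''
remote anonymous
{
        exchange_mode aggressive;
        my_identifier keyid tag "VPN";
        peers_identifier keyid tag "VPN";
        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm des;
                hash_algorithm md5;
                dh_group 2;
        }
}
'''
NETOPIA_CONF = '''
set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
'''
# Phase-1 values to flag as weak (hypothetical policy list, not from the thread).
WEAK = {"des", "md5"}

def parse_racoon(text):
    """Pull the keyid tags and phase-1 proposal values out of a racoon 'remote' block."""
    ids = re.findall(r'^\s*(my_identifier|peers_identifier)\s+keyid\s+tag\s+"([^"]*)"', text, re.M)
    vals = re.findall(r'^\s*(exchange_mode|encryption_algorithm|hash_algorithm|dh_group)\s+(\S+?);', text, re.M)
    return dict(ids + vals)

def parse_netopia(text):
    """Collect the IKE-mode settings of a Netopia 'set security ipsec tunnels' dump."""
    return dict(re.findall(r'IKE-mode\s+(\S+)\s+"?([^"\n]+?)"?\s*$', text, re.M))

def audit(racoon_text, netopia_text):
    """Return findings: ID/proposal mismatches, identical keyid tags, weak phase-1 algorithms."""
    r, n = parse_racoon(racoon_text), parse_netopia(netopia_text)
    out = []
    # IKE identities cross over: racoon's my_identifier is what the Netopia expects as remote-id.
    for rk, nk in (("my_identifier", "remote-id"), ("peers_identifier", "local-id"),
                   ("exchange_mode", "neg-method"), ("encryption_algorithm", "isakmp-SA-encrypt"),
                   ("hash_algorithm", "isakmp-SA-hash"), ("dh_group", "DH-group")):
        if r.get(rk, "").lower() != n.get(nk, "").lower():
            out.append("mismatch: %s=%r vs %s=%r" % (rk, r.get(rk), nk, n.get(nk)))
    if r.get("my_identifier") == r.get("peers_identifier"):
        out.append("identical keyid tags: my_identifier == peers_identifier")
    for k in ("encryption_algorithm", "hash_algorithm"):
        if r.get(k) in WEAK:
            out.append("weak phase-1 %s: %s" % (k, r[k]))
    return out

if __name__ == "__main__":
    for finding in audit(RACOON_CONF, NETOPIA_CONF):
        print(finding)
```

On the constructed inputs it reports the two "VPN" vs "VPN5" ID mismatches, the identical tags, and the two weak algorithms, while the matching aggressive/DES/MD5/DH2 proposals produce nothing.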


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.