4. PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2

PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2

  • S

    I have been working geting these to work together and i have made some headway, but it might require a more expert look as I have found no solid documentation on how to get it working.

    I have a current vpn with 5 sites with Dynamic IP's going to a Netopia 3387 at the main office where I have the pfsense box setup. I am using 1 site as a test site to see if I can get it working before redirecting the rest to the pfsense box. I have no success with the regular ip-sec setup. I get agressive mode not in any rmconf. When I use the mobile client, The site will authenticate, but will not pass traffic because the local subnet is not defined.

    Regular IPSEC

     <ipsec><enable><client><enable><user_source>Local Database</user_source>
		<group_source>none</group_source></enable></client> 
	 <phase1><ikeid>1</ikeid>
		<interface>wan</interface>
		<remote-gateway>anonymous</remote-gateway>
		<mode>aggressive</mode>
		<protocol>inet</protocol>
		<myid_type>keyid tag</myid_type>
		<myid_data>VPN5</myid_data>
		<peerid_type>keyid tag</peerid_type>
		<peerid_data>VPN5</peerid_data>
		 <encryption-algorithm><name>des</name></encryption-algorithm> 
		<hash-algorithm>md5</hash-algorithm>
		<dhgroup>2</dhgroup>
		<lifetime>28800</lifetime>
		<pre-shared-key>PSK</pre-shared-key>
		 <private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>
		<generate_policy>off</generate_policy>
		<proposal_check>obey</proposal_check>
		 <descr><nat_traversal>off</nat_traversal>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail></descr></caref></certref></private-key></phase1> 
	 <phase2><ikeid>1</ikeid>
		<mode>tunnel</mode>
		 <localid><type>lan</type></localid> 
		 <remoteid><type>network</type>

<address>10.0.5.0</address>

			<netbits>24</netbits></remoteid> 
		<protocol>esp</protocol>
		 <encryption-algorithm-option><name>des</name></encryption-algorithm-option> 
		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
		<pfsgroup>2</pfsgroup>
		<lifetime>3600</lifetime></phase2></enable></ipsec>

    Mobile IPSEC

     <ipsec><enable><client><enable><user_source>Local Database</user_source>
		<group_source>none</group_source></enable></client> 
	 <phase1><ikeid>1</ikeid>
		<interface>wan</interface>
		 <mobile><mode>aggressive</mode>
		<protocol>inet</protocol>
		<myid_type>keyid tag</myid_type>
		<myid_data>VPN5</myid_data>
		<peerid_type>fqdn</peerid_type>
		 <peerid_data><encryption-algorithm><name>des</name></encryption-algorithm> 
		<hash-algorithm>md5</hash-algorithm>
		<dhgroup>2</dhgroup>
		<lifetime>28800</lifetime>
		 <pre-shared-key><private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>
		<generate_policy>off</generate_policy>
		<proposal_check>obey</proposal_check>
		 <descr><nat_traversal>off</nat_traversal>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail></descr></caref></certref></private-key></pre-shared-key></peerid_data></mobile></phase1> 
	 <phase2><ikeid>1</ikeid>
		<mode>tunnel</mode>
		 <localid><type>lan</type></localid> 
		 <remoteid><type>mobile</type></remoteid> 
		<protocol>esp</protocol>
		 <encryption-algorithm-option><name>des</name></encryption-algorithm-option> 
		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
		<pfsgroup>2</pfsgroup>
		<lifetime>3600</lifetime></phase2></enable></ipsec>

    Netopia Config

    set security ipsec tunnels name "VPN1" tun-enable on
set security ipsec tunnels name "VPN1" dest-ext-address 8.8.8.8
set security ipsec tunnels name "VPN1" dest-int-network 10.0.1.0
set security ipsec tunnels name "VPN1" dest-int-netmask 255.255.255.0
set security ipsec tunnels name "VPN1" encrypt-protocol ESP
set security ipsec tunnels name "VPN1" auth-protocol ESP
set security ipsec tunnels name "VPN1" nat-enable off
set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key-type ascii
set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key "PSK"
set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
set security ipsec tunnels name "VPN1" IKE-mode local-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode remote-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
set security ipsec tunnels name "VPN1" IKE-mode PFS-enable on
set security ipsec tunnels name "VPN1" IKE-mode invalid-spi-recovery on
set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-mbytes 1000
set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-seconds 82800
set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-mbytes 1200
set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-seconds 86400
set security ipsec tunnels name "VPN1" IKE-mode ipsec-mtu 1500
set security ipsec tunnels name "VPN1" xauth enable off

    I was thinking mabye a dirty hack by backing up the vpn config file, but there has to be a cleaner way that works?

    0
  • S

    I tried some config file modification and it did not work. I think I will try going back to pfsense 2.0X series and see if this still occurs given the amount of forum posts concerning 2.1 and ipsec issues

    0
  • S

    I was able to do some testing, and 2.0.1 doesn't support this either. I am pretty sure racoon does via the anonymous remote type which pfsense only seems to support 1 host via. I am going to work on a manual config and will post it if i get it working. Hopefully the developers can make a mobile config page that supports this type of config, if I get it working.

    0
  • S

    Well, I can get them talking, but not passing traffic yet.

    # This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/ipsec/psk.txt";

path certificate  "/var/etc/ipsec";

listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp x.x.x.x [500];
        isakmp_natt x.x.x.x [4500];
}

mode_cfg
{
        auth_source external;
        group_source system;
}

extcfg { script "/var/etc/ipsec/ipsec.php" }

remote anonymous
{
        ph1id 1;
        exchange_mode aggressive;
        my_identifier keyid tag "VPN";
        peers_identifier keyid tag "VPN";

        ike_frag on;
        generate_policy = unique;
        initial_contact = on;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check strict;

        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm des;
                hash_algorithm md5;
                dh_group 2;
                lifetime time 82800 secs;
        }
}

sainfo subnet 10.0.1.0/24 any subnet 10.0.4.0/24 any
{
        remoteid 1;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        pfs_group 2;
        lifetime time 86400 secs;
        compression_algorithm deflate;
}

    I can't create this config via the gui because it doesn't support it. Raccoon does though. I just have to find the right params to let it pass traffic.

    0
  • V

    @starkiller:

    
        my_identifier keyid tag "VPN";
        peers_identifier keyid tag "VPN";

    I know this a reply to an old post but I think the my_Identifier KeyID tag should be different to the peers_Identifier KeyID tag.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy