PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2



  • I have been working on getting these to work together and I have made some headway, but it might require a more expert look, as I have found no solid documentation on how to get it working.

    I have a current VPN with 5 sites with dynamic IPs going to a Netopia 3387 at the main office where I have the pfSense box set up. I am using 1 site as a test site to see if I can get it working before redirecting the rest to the pfSense box. I have no success with the regular IPsec setup. I get "aggressive mode not in any rmconf". When I use the mobile client, the site will authenticate, but will not pass traffic because the local subnet is not defined.

    Regular IPsec

    <ipsec>
    	<enable/>
    	<client>
    		<enable/>
    		<user_source>Local Database</user_source>
    		<group_source>none</group_source>
    	</client>
    	<phase1>
    		<ikeid>1</ikeid>
    		<interface>wan</interface>
    		<remote-gateway>anonymous</remote-gateway>
    		<mode>aggressive</mode>
    		<protocol>inet</protocol>
    		<myid_type>keyid tag</myid_type>
    		<myid_data>VPN5</myid_data>
    		<peerid_type>keyid tag</peerid_type>
    		<peerid_data>VPN5</peerid_data>
    		<encryption-algorithm>
    			<name>des</name>
    		</encryption-algorithm>
    		<hash-algorithm>md5</hash-algorithm>
    		<dhgroup>2</dhgroup>
    		<lifetime>28800</lifetime>
    		<pre-shared-key>PSK</pre-shared-key>
    		<private-key/>
    		<certref/>
    		<caref/>
    		<authentication_method>pre_shared_key</authentication_method>
    		<generate_policy>off</generate_policy>
    		<proposal_check>obey</proposal_check>
    		<descr/>
    		<nat_traversal>off</nat_traversal>
    		<dpd_delay>10</dpd_delay>
    		<dpd_maxfail>5</dpd_maxfail>
    	</phase1>
    	<phase2>
    		<ikeid>1</ikeid>
    		<mode>tunnel</mode>
    		<localid>
    			<type>lan</type>
    		</localid>
    		<remoteid>
    			<type>network</type>
    			<address>10.0.5.0</address>
    			<netbits>24</netbits>
    		</remoteid>
    		<protocol>esp</protocol>
    		<encryption-algorithm-option>
    			<name>des</name>
    		</encryption-algorithm-option>
    		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
    		<pfsgroup>2</pfsgroup>
    		<lifetime>3600</lifetime>
    	</phase2>
    </ipsec>
    
    

    Mobile IPsec

    <ipsec>
    	<enable/>
    	<client>
    		<enable/>
    		<user_source>Local Database</user_source>
    		<group_source>none</group_source>
    	</client>
    	<phase1>
    		<ikeid>1</ikeid>
    		<interface>wan</interface>
    		<mobile/>
    		<mode>aggressive</mode>
    		<protocol>inet</protocol>
    		<myid_type>keyid tag</myid_type>
    		<myid_data>VPN5</myid_data>
    		<peerid_type>fqdn</peerid_type>
    		<peerid_data/>
    		<encryption-algorithm>
    			<name>des</name>
    		</encryption-algorithm>
    		<hash-algorithm>md5</hash-algorithm>
    		<dhgroup>2</dhgroup>
    		<lifetime>28800</lifetime>
    		<pre-shared-key/>
    		<private-key/>
    		<certref/>
    		<caref/>
    		<authentication_method>pre_shared_key</authentication_method>
    		<generate_policy>off</generate_policy>
    		<proposal_check>obey</proposal_check>
    		<descr/>
    		<nat_traversal>off</nat_traversal>
    		<dpd_delay>10</dpd_delay>
    		<dpd_maxfail>5</dpd_maxfail>
    	</phase1>
    	<phase2>
    		<ikeid>1</ikeid>
    		<mode>tunnel</mode>
    		<localid>
    			<type>lan</type>
    		</localid>
    		<remoteid>
    			<type>mobile</type>
    		</remoteid>
    		<protocol>esp</protocol>
    		<encryption-algorithm-option>
    			<name>des</name>
    		</encryption-algorithm-option>
    		<hash-algorithm-option>hmac_md5</hash-algorithm-option>
    		<pfsgroup>2</pfsgroup>
    		<lifetime>3600</lifetime>
    	</phase2>
    </ipsec>
    
    

    Netopia Config

    set security ipsec tunnels name "VPN1" tun-enable on
    set security ipsec tunnels name "VPN1" dest-ext-address 8.8.8.8
    set security ipsec tunnels name "VPN1" dest-int-network 10.0.1.0
    set security ipsec tunnels name "VPN1" dest-int-netmask 255.255.255.0
    set security ipsec tunnels name "VPN1" encrypt-protocol ESP
    set security ipsec tunnels name "VPN1" auth-protocol ESP
    set security ipsec tunnels name "VPN1" nat-enable off
    set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key-type ascii
    set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key "PSK"
    set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
    set security ipsec tunnels name "VPN1" IKE-mode local-id-type ASCII
    set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
    set security ipsec tunnels name "VPN1" IKE-mode remote-id-type ASCII
    set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
    set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
    set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
    set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
    set security ipsec tunnels name "VPN1" IKE-mode PFS-enable on
    set security ipsec tunnels name "VPN1" IKE-mode invalid-spi-recovery on
    set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-mbytes 1000
    set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-seconds 82800
    set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-mbytes 1200
    set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-seconds 86400
    set security ipsec tunnels name "VPN1" IKE-mode ipsec-mtu 1500
    set security ipsec tunnels name "VPN1" xauth enable off
    

    I was thinking of maybe a dirty hack by backing up the VPN config file, but there has to be a cleaner way that works?



  • I tried some config file modification and it did not work. I think I will try going back to the pfSense 2.0X series and see if this still occurs, given the amount of forum posts concerning 2.1 and IPsec issues.



  • I was able to do some testing, and 2.0.1 doesn't support this either. I am pretty sure racoon does via the anonymous remote type, which pfSense only seems to support for 1 host. I am going to work on a manual config and will post it if I get it working. Hopefully the developers can make a mobile config page that supports this type of config, if I get it working.



  • Well, I can get them talking, but not passing traffic yet.

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/ipsec/psk.txt";
    
    path certificate  "/var/etc/ipsec";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp x.x.x.x [500];
            isakmp_natt x.x.x.x [4500];
    }
    
    mode_cfg
    {
            auth_source external;
            group_source system;
    }
    
    extcfg { script "/var/etc/ipsec/ipsec.php" }
    
    remote anonymous
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier keyid tag "VPN";
            peers_identifier keyid tag "VPN";
    
            ike_frag on;
            generate_policy = unique;
            initial_contact = on;
            nat_traversal = on;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check strict;
    
            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm des;
                    hash_algorithm md5;
                    dh_group 2;
                    lifetime time 82800 secs;
            }
    }
    
    sainfo subnet 10.0.1.0/24 any subnet 10.0.4.0/24 any
    {
            remoteid 1;
            encryption_algorithm des;
            authentication_algorithm hmac_md5;
            pfs_group 2;
            lifetime time 86400 secs;
            compression_algorithm deflate;
    }
    

    I can't create this config via the GUI because it doesn't support it. Racoon does, though. I just have to find the right params to let it pass traffic.



  • @starkiller:

    
            my_identifier keyid tag "VPN";
            peers_identifier keyid tag "VPN";
    
    

    I know this is a reply to an old post, but I think the my_identifier keyid tag should be different from the peers_identifier keyid tag.
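The identical keyid tags raised in the reply above, together with the DES/MD5/DH group 2 proposals and the aggressive-mode PSK in the first post's configs, are the kind of thing worth catching before a config is committed. The script below is an added example written for this thread, not code from pfSense or from anyone in the thread; it assumes the phase1/phase2 element layout of a pfSense config.xml export as posted above, and the embedded sample XML is constructed for illustration rather than taken from a live box.

```python
"""Audit a pfSense-style <ipsec> config fragment for the pitfalls seen in this thread.

Hypothetical helper (not part of pfSense): it parses the phase1/phase2 layout of a
config.xml export and reports identical local/peer identifiers, aggressive mode
with a PSK, and weak algorithms or DH groups.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the regular-IPsec phase1/phase2 posted above;
# the values are illustrative, not from a live system.
SAMPLE_IPSEC_XML = """<ipsec>
  <enable/>
  <phase1>
    <ikeid>1</ikeid>
    <interface>wan</interface>
    <remote-gateway>anonymous</remote-gateway>
    <mode>aggressive</mode>
    <myid_type>keyid tag</myid_type>
    <myid_data>VPN5</myid_data>
    <peerid_type>keyid tag</peerid_type>
    <peerid_data>VPN5</peerid_data>
    <encryption-algorithm><name>des</name></encryption-algorithm>
    <hash-algorithm>md5</hash-algorithm>
    <dhgroup>2</dhgroup>
    <pre-shared-key>PSK</pre-shared-key>
    <authentication_method>pre_shared_key</authentication_method>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <mode>tunnel</mode>
    <encryption-algorithm-option><name>des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
  </phase2>
</ipsec>
"""

# Algorithms and groups a current deployment should not negotiate.
WEAK_CIPHERS = {"des"}
WEAK_HASHES = {"md5", "hmac_md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def _text(elem, path):
    """Return the stripped text of the first child matching path, or ''."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else ""


def audit_ipsec(xml_text):
    """Return a list of (section, ikeid, code) findings for the given <ipsec> XML."""
    root = ET.fromstring(xml_text)
    findings = []

    for p1 in root.findall("phase1"):
        ikeid = _text(p1, "ikeid")
        my_id = (_text(p1, "myid_type"), _text(p1, "myid_data"))
        peer_id = (_text(p1, "peerid_type"), _text(p1, "peerid_data"))
        # Identical identifiers on both ends: each side must be able to tell
        # the two ends apart, so use a distinct tag per site.
        if my_id[1] and my_id == peer_id:
            findings.append(("phase1", ikeid, "identical-ids"))
        # IKEv1 aggressive mode with a PSK exposes the identity hash before
        # encryption starts, so PSK strength is all that protects it offline.
        if _text(p1, "mode") == "aggressive" and _text(p1, "authentication_method") == "pre_shared_key":
            findings.append(("phase1", ikeid, "aggressive-psk"))
        enc = _text(p1, "encryption-algorithm/name").lower()
        if enc in WEAK_CIPHERS:
            findings.append(("phase1", ikeid, f"weak-cipher:{enc}"))
        hsh = _text(p1, "hash-algorithm").lower()
        if hsh in WEAK_HASHES:
            findings.append(("phase1", ikeid, f"weak-hash:{hsh}"))
        dh = _text(p1, "dhgroup")
        if dh in WEAK_DH_GROUPS:
            findings.append(("phase1", ikeid, f"weak-dh:{dh}"))

    for p2 in root.findall("phase2"):
        ikeid = _text(p2, "ikeid")
        enc = _text(p2, "encryption-algorithm-option/name").lower()
        if enc in WEAK_CIPHERS:
            findings.append(("phase2", ikeid, f"weak-cipher:{enc}"))
        hsh = _text(p2, "hash-algorithm-option").lower()
        if hsh in WEAK_HASHES:
            findings.append(("phase2", ikeid, f"weak-hash:{hsh}"))
        pfs = _text(p2, "pfsgroup")
        if pfs in WEAK_DH_GROUPS:
            findings.append(("phase2", ikeid, f"weak-pfs:{pfs}"))

    return findings


if __name__ == "__main__":
    for section, ikeid, code in audit_ipsec(SAMPLE_IPSEC_XML):
        print(f"{section} ikeid={ikeid}: {code}")
```

Run it against the <ipsec> section of a backup and it lists one line per finding; on the sample it reports the identical VPN5 tags, the aggressive-mode PSK, and DES/MD5/group 2 in both phases. Giving each site its own peer tag clears the first finding, and the same check runs unchanged over the mobile phase1 layout because the identifier and algorithm elements sit in the same place.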

