PFSense 2.1 IP-SEC & AT&T Netopia 3347-02 7.8.1r2
-
I have been working on getting these to work together and I have made some headway, but it might require a more expert look as I have found no solid documentation on how to get it working.
I have a current VPN with 5 sites with dynamic IPs going to a Netopia 3387 at the main office where I have the pfSense box set up. I am using 1 site as a test site to see if I can get it working before redirecting the rest to the pfSense box. I have had no success with the regular IPsec setup. I get "aggressive mode not in any rmconf". When I use the mobile client, the site will authenticate, but will not pass traffic because the local subnet is not defined.
Regular IPSEC
<ipsec>
    <enable/>
    <client>
        <enable/>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
    </client>
    <phase1>
        <ikeid>1</ikeid>
        <interface>wan</interface>
        <remote-gateway>anonymous</remote-gateway>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>keyid tag</myid_type>
        <myid_data>VPN5</myid_data>
        <peerid_type>keyid tag</peerid_type>
        <peerid_data>VPN5</peerid_data>
        <encryption-algorithm>
            <name>des</name>
        </encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>PSK</pre-shared-key>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <generate_policy>off</generate_policy>
        <proposal_check>obey</proposal_check>
        <descr/>
        <nat_traversal>off</nat_traversal>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
        <ikeid>1</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>lan</type>
        </localid>
        <remoteid>
            <type>network</type>
            <address>10.0.5.0</address>
            <netbits>24</netbits>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>des</name>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>3600</lifetime>
    </phase2>
</ipsec>
Mobile IPSEC
<ipsec>
    <enable/>
    <client>
        <enable/>
        <user_source>Local Database</user_source>
        <group_source>none</group_source>
    </client>
    <phase1>
        <ikeid>1</ikeid>
        <interface>wan</interface>
        <mobile/>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>keyid tag</myid_type>
        <myid_data>VPN5</myid_data>
        <peerid_type>fqdn</peerid_type>
        <peerid_data/>
        <encryption-algorithm>
            <name>des</name>
        </encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key/>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <generate_policy>off</generate_policy>
        <proposal_check>obey</proposal_check>
        <descr/>
        <nat_traversal>off</nat_traversal>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
        <ikeid>1</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>lan</type>
        </localid>
        <remoteid>
            <type>mobile</type>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>des</name>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>3600</lifetime>
    </phase2>
</ipsec>
Netopia Config
set security ipsec tunnels name "VPN1" tun-enable on
set security ipsec tunnels name "VPN1" dest-ext-address 8.8.8.8
set security ipsec tunnels name "VPN1" dest-int-network 10.0.1.0
set security ipsec tunnels name "VPN1" dest-int-netmask 255.255.255.0
set security ipsec tunnels name "VPN1" encrypt-protocol ESP
set security ipsec tunnels name "VPN1" auth-protocol ESP
set security ipsec tunnels name "VPN1" nat-enable off
set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key-type ascii
set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key "PSK"
set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
set security ipsec tunnels name "VPN1" IKE-mode local-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode remote-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
set security ipsec tunnels name "VPN1" IKE-mode PFS-enable on
set security ipsec tunnels name "VPN1" IKE-mode invalid-spi-recovery on
set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-mbytes 1000
set security ipsec tunnels name "VPN1" IKE-mode ipsec-soft-seconds 82800
set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-mbytes 1200
set security ipsec tunnels name "VPN1" IKE-mode ipsec-hard-seconds 86400
set security ipsec tunnels name "VPN1" IKE-mode ipsec-mtu 1500
set security ipsec tunnels name "VPN1" xauth enable off
I was thinking maybe a dirty hack by backing up the VPN config file, but there has to be a cleaner way that works?
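As an added example (not code from the thread or from pfSense), the phase 1 settings on both ends can be cross-checked before touching config files: the script parses the Netopia `IKE-mode` lines quoted above and compares them with the values from the pfSense phase1 XML, flagging mismatches, identical local/peer identifiers, and the deprecated DES/MD5 choice. The Netopia text and the pfSense dictionary below are constructed from the posted configs.

```python
import shlex

# Constructed from the Netopia "IKE-mode" lines posted in the thread (tunnel "VPN1").
NETOPIA_CONFIG = """
set security ipsec tunnels name "VPN1" IKE-mode pre-shared-key "PSK"
set security ipsec tunnels name "VPN1" IKE-mode neg-method aggressive
set security ipsec tunnels name "VPN1" IKE-mode local-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode local-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode remote-id-type ASCII
set security ipsec tunnels name "VPN1" IKE-mode remote-id "VPN5"
set security ipsec tunnels name "VPN1" IKE-mode DH-group 2
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-encrypt DES
set security ipsec tunnels name "VPN1" IKE-mode isakmp-SA-hash MD5
"""

# Values copied from the pfSense phase1 XML in the first post.
PFSENSE_PHASE1 = {"mode": "aggressive", "myid": "VPN5", "peerid": "VPN5",
                  "enc": "des", "hash": "md5", "dh": "2", "psk": "PSK"}


def parse_netopia(text):
    """Return {keyword: value} for every 'IKE-mode <keyword> <value>' line."""
    ike = {}
    for line in text.splitlines():
        parts = shlex.split(line)  # strips the quotes around "VPN1", "PSK", "VPN5"
        if len(parts) >= 8 and parts[:2] == ["set", "security"] and parts[6] == "IKE-mode":
            ike[parts[7]] = parts[8] if len(parts) > 8 else ""
    return ike


def check_phase1(pf, netopia_text):
    """Compare both ends of the tunnel; an empty list means phase 1 is consistent and acceptable."""
    n = parse_netopia(netopia_text)
    findings = []
    for label, a, b in [("exchange mode", pf["mode"], n.get("neg-method")),
                        ("DH group", pf["dh"], n.get("DH-group")),
                        ("encryption", pf["enc"].lower(), n.get("isakmp-SA-encrypt", "").lower()),
                        ("hash", pf["hash"].lower(), n.get("isakmp-SA-hash", "").lower()),
                        ("pre-shared key", pf["psk"], n.get("pre-shared-key"))]:
        if a != b:
            findings.append(f"{label} mismatch: pfSense={a!r} netopia={b!r}")
    # Identifiers cross over: what one side calls "my id" the other side must call "peer id".
    if pf["myid"] != n.get("remote-id") or pf["peerid"] != n.get("local-id"):
        findings.append("identifiers do not cross-match")
    if pf["myid"] == pf["peerid"]:
        findings.append("my_identifier equals peers_identifier; give each end its own tag")
    if pf["enc"].lower() == "des" or pf["hash"].lower() == "md5":
        findings.append("DES/MD5 are deprecated; prefer AES and SHA2 on both ends")
    return findings


if __name__ == "__main__":
    for finding in check_phase1(PFSENSE_PHASE1, NETOPIA_CONFIG):
        print(finding)
```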
-
I tried some config file modification and it did not work. I think I will try going back to the pfSense 2.0X series and see if this still occurs, given the amount of forum posts concerning 2.1 and IPsec issues.
-
I was able to do some testing, and 2.0.1 doesn't support this either. I am pretty sure racoon does, via the anonymous remote type, which pfSense only seems to support for 1 host. I am going to work on a manual config and will post it if I get it working. Hopefully the developers can make a mobile config page that supports this type of config, if I get it working.
-
Well, I can get them talking, but not passing traffic yet.
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/ipsec/psk.txt";
path certificate "/var/etc/ipsec";

listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp x.x.x.x [500];
    isakmp_natt x.x.x.x [4500];
}

mode_cfg {
    auth_source external;
    group_source system;
}

extcfg {
    script "/var/etc/ipsec/ipsec.php"
}

remote anonymous {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier keyid tag "VPN";
    peers_identifier keyid tag "VPN";
    ike_frag on;
    generate_policy = unique;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check strict;

    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm des;
        hash_algorithm md5;
        dh_group 2;
        lifetime time 82800 secs;
    }
}

sainfo subnet 10.0.1.0/24 any subnet 10.0.4.0/24 any {
    remoteid 1;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    pfs_group 2;
    lifetime time 86400 secs;
    compression_algorithm deflate;
}
I can't create this config via the GUI because it doesn't support it. Racoon does, though. I just have to find the right params to let it pass traffic.
-
my_identifier keyid tag "VPN";
peers_identifier keyid tag "VPN";
I know this is a reply to an old post, but I think the my_identifier keyid tag should be different from the peers_identifier keyid tag.