Security Settings Problems.



  • I've been playing around with IPSec the past couple of weeks. I've managed to find settings that will work with both the Windows Shrew Soft client and my Android device. However the security of these settings is lower than I would like. When I try to increase the level of security my Android device fails to connect and my laptop client connects in with some settings and not with others. I have also been testing Mutual RSA + Xauth and can't seem to get it to work at all.

    When connecting through my laptop it is always through a remote network with Shrew Soft VPN Client version 2.2.2.
    My Android phone is currently running version 4.4.

    Here are the settings that work fine:

    
    pfSense
    
    Phase 1
    
    Internet Protocol: IPv4
    Interface: WAN
    Authentication Method: Mutual PSK + Xauth
    My Identifier: My IP address
    Peer Identifier: User distinguished name
    Pre-Shared Key: ***
    Policy Generation: Unique
    Proposal Checking: Obey
    Encryption Algorithm: AES 256
    Hash Algorithm: SHA1
    DH Key Group: 2 (1024)
    Lifetime: 3600
    NAT Traversal: Force
    Dead Peer Detection: disabled
    
    Phase 2
    
    Mode: Tunnel IPv4
    Local Network: LAN Subnet
    NAT/BINAT: None
    Protocol: ESP
    Encryption Algorithms: AES 256
    Hash Algorithms: SHA 1
    PFS key group 2 (1024 bit)
    Lifetime: 3600
    
    Mobile Clients
    
    IKE Extensions: Enabled
    User Authentication: Local Database
    Group Authentication: none
    Virtual Address Pool: 192.168.200.1/24
    DNS: 192.168.1.1
    
    Shrew Soft
    
    General
    
    Host Name: vpnhostname.info
    Port: 500
    Adapter Mode: Use a virtual adapter and assigned address
    MTU: 1380
    Address & Netmask: Obtain Automatically
    
    Client
    
    NAT Traversal: Force-rfc
    NAT Traversal Port: 4500
    Keep-alive packet rate: 15
    IKE Fragmentation: enable
    Maximum packet size: 540
    Dead Peer Detection: disabled
    ISAKMP Failure Notifications: enabled
    Client Login Banner: enabled
    
    Name Resolution
    
    Everything is set to default here
    
    Authentication
    
    Authentication Method: Mutual PSK + Xauth
    Local Identity: User Fully Qualified Domain Name
    Remote Identity: IP Address
    Use a discovered remote host address: enabled
    Pre Shared Key: ***
    
    Phase 1
    
    Exchange Type: aggressive
    DH Exchange: group 2
    Cipher Algorithm: aes
    Cipher Key Length: 256
    Hash Algorithm: sha1
    Key Life Time Limit: 3600
    Key Life Data limit: 0
    Check Point Compatible Vendor ID: disabled
    
    Phase 2
    
    Transform Algorithm: esp-aes
    Transform Key Length: 254
    HMAC algorithm: sha1
    PFS Exchange: group 2
    Compress Algorithm: disabled
    Key Life Time Limit: 3600
    Key Life Data Limit: 0
    
    Policy
    
    Policy Generation Level: unique
    Maintain Persistent Security Associations: disabled
    Obtain Topology Automatically or Tunnel All: enabled
    
    Phone Settings:
    
    Type: IPSec Xauth PSK
    Server Address: vpnhostname.info
    IPSec Identifier: vpnid
    IPSec pre-shared key: ***
    
    

    Using these settings I can connect fine with both my laptop client and my Android device. I can access my internal LAN and tunnel all traffic through my home network (as intended).

    Here is a successful connection by phone

    
    Nov 28 18:45:13 	racoon: [Self]: INFO: respond new phase 1 negotiation: (pfsense wan ip)[500]<=>(phone ip)[8237]
    Nov 28 18:45:13 	racoon: INFO: begin Aggressive mode.
    Nov 28 18:45:13 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: RFC 3947
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Nov 28 18:45:13 	racoon: INFO: received Vendor ID: DPD
    Nov 28 18:45:13 	racoon: [phone ip] INFO: Selected NAT-T version: RFC 3947
    Nov 28 18:45:13 	racoon: INFO: Adding remote and local NAT-D payloads.
    Nov 28 18:45:13 	racoon: [phone ip] INFO: Hashing (phone ip)[8237] with algo #2 (NAT-T forced)
    Nov 28 18:45:13 	racoon: [Self]: [pfsense wan ip] INFO: Hashing (pfsense wan ip)[500] with algo #2 (NAT-T forced)
    Nov 28 18:45:13 	racoon: INFO: Adding xauth VID payload.
    Nov 28 18:45:13 	racoon: [Self]: INFO: NAT-T: ports changed to: (phone ip)[15601]<->(pfsense wan ip)[4500]
    Nov 28 18:45:13 	racoon: INFO: NAT-D payload #0 doesn't match
    Nov 28 18:45:13 	racoon: INFO: NAT-D payload #1 doesn't match
    Nov 28 18:45:13 	racoon: INFO: NAT detected: ME PEER
    Nov 28 18:45:13 	racoon: INFO: Sending Xauth request
    Nov 28 18:45:13 	racoon: [Self]: INFO: ISAKMP-SA established (pfsense wan ip)[4500]-(phone ip)[15601] spi:1a0bbe0d907bba5c:4919b5bbd93d4598
    Nov 28 18:45:13 	racoon: [phone ip] INFO: received INITIAL-CONTACT
    Nov 28 18:45:13 	racoon: INFO: Using port 0
    Nov 28 18:45:13 	racoon: user 'matt' authenticated
    Nov 28 18:45:13 	racoon: INFO: login succeeded for user "matt"
    Nov 28 18:45:15 	racoon: [Self]: INFO: respond new phase 2 negotiation: (pfsense wan ip)[4500]<=>(phone ip)[15601]
    Nov 28 18:45:15 	racoon: INFO: no policy found, try to generate the policy : 192.168.200.2/32[0] 0.0.0.0/0[0] proto=any dir=in
    Nov 28 18:45:15 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Nov 28 18:45:15 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Nov 28 18:45:16 	racoon: [Self]: INFO: IPsec-SA established: ESP (pfsense wan ip)[500]->(phone ip)[500] spi=189654654(0xb4de67e)
    Nov 28 18:45:16 	racoon: [Self]: INFO: IPsec-SA established: ESP (pfsense wan ip)[500]->(phone ip)[500] spi=127100297(0x7936589)
    
    

    If I change negotiation mode to main I receive this error with my phone:

    racoon: [phone ip] ERROR: exchange Aggressive not allowed in any applicable rmconf.
    
    

    As far as I can tell there is no way to change the negotiation type on my phone. This seems to be a poor implementation of IPSec by Google.

    When I connect with my laptop set to main I receive this error:

    
    Nov 29 10:46:04 	racoon: [laptop ip] ERROR: couldn't find the pskey for laptop ip.
    Nov 29 10:46:04 	racoon: [laptop ip] ERROR: failed to process ph1 packet (side: 1, status: 4).
    Nov 29 10:46:04 	racoon: [laptop ip] ERROR: phase1 negotiation failed.
    Nov 29 10:46:08 	racoon: [laptop ip] ERROR: unknown Informational exchange received
    
    

    If I have negotiation set to aggressive and Phase 1 DH Group set to anything higher than group 2 my phone fails to connect but my laptop works fine.

    Here is the error when my phone attempts to connect:

    Nov 29 11:00:35 	racoon: ERROR: no suitable proposal found.
    Nov 29 11:00:35 	racoon: [phone ip] ERROR: failed to get valid proposal.
    Nov 29 11:00:35 	racoon: [phone ip] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    Nov 29 11:00:35 	racoon: [phone ip] ERROR: phase1 negotiation failed.
    

    If I set Phase 1 DH group to group 2 and proposal checking to Exact my laptop successfully establishes a phase 1 tunnel but fails to establish a phase 2 tunnel. Here is the error I receive:

    Nov 29 11:05:21 	racoon: [Self]: INFO: respond new phase 2 negotiation: (pfsense wan ip)[4500]<=>(laptop ip)[4500]
    Nov 29 11:05:21 	racoon: INFO: Update the generated policy : 192.168.200.2/32[0] 0.0.0.0/0[0] proto=any dir=in
    Nov 29 11:05:21 	racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
    Nov 29 11:05:21 	racoon: ERROR: not matched
    Nov 29 11:05:21 	racoon: ERROR: no suitable policy found.
    Nov 29 11:05:21 	racoon: [laptop ip] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
    Nov 29 11:05:21 	racoon: [laptop ip] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    

    The error seems to stem from the lifebyte mismatch in Phase 2. However I cannot find a place in the pfsense webGUI to set the lifebyte size. Shrew Soft will not let me enter 2147483647 as a value because it is too large.

    With these settings my phone doesn't get past Phase 1 with the same error above when set to DH group 5 or higher.

    Setting proposal checking to Claim results with the same Phase 1 error on my phone. My laptop works fine.

    Setting proposal checking to Strict results with the same Phase 1 error on my phone. My laptop works fine.

    The problem with using Obey is it allows the client to propose less strict security settings than the server is configured to use.

    The problems with my phone appear to be a limitation with the vpn client built into Android. I don't imagine there is any way around this unless I use a third party app for Android. If anyone knows of good third party apps I'd appreciate it.

    I have also been trying out Mutual RSA + Xauth with little success. I followed this guide http://forum.pfsense.org/index.php?topic=47106.0

    Phase 1 is successful but Phase 2 fails to establish

    Here are my settings:

    
    pfSense
    
    Phase 1
    
    Internet Protocol: IPv4
    Interface: WAN
    Authentication Method: Mutual RSA + Xauth
    My Identifier: ASN.1 distinguished name
    Peer Identifier: ASN.1 distinguished name
    Policy Generation: Unique
    Proposal Checking: Obey
    Encryption Algorithm: AES 256
    Hash Algorithm: SHA1
    DH Key Group: 2 (1024)
    Lifetime: 3600
    My Certificate: IPSec Testing Server Cert
    My Certificate Authority: IPSec Testing CA
    NAT Traversal: Force
    Dead Peer Detection: disabled
    
    Phase 2
    
    same as above
    
    Mobile Clients
    
    same as above
    
    Shrew Soft
    
    Everything is the same except for the Authentication page
    
    Local Identity: ASN.1 Distinguished Name
    Use the subject in the client certificate: enabled
    Remote Identity: ASN.1 Distinguished Name
    Use the subject in the received certificate: enabled
    
    Credentials
    Server Certificate Authority File: IPSec Testing CA.crt
    Client Certificate File: ipsectestuser-IPSecTestUser.crt
    Client Private Key File: ipsectestuser-IPSecTestUser.key
    
    

    Here is the error I receive:

    Nov 29 11:42:20 	racoon: [Self]: INFO: respond new phase 1 negotiation: pfsense wan ip[500]<=>laptop ip[500]
    Nov 29 11:42:20 	racoon: INFO: begin Aggressive mode.
    Nov 29 11:42:20 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Nov 29 11:42:20 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Nov 29 11:42:20 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Nov 29 11:42:20 	racoon: INFO: received Vendor ID: RFC 3947
    Nov 29 11:42:20 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Nov 29 11:42:20 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Nov 29 11:42:20 	racoon: [laptop ip] INFO: Selected NAT-T version: RFC 3947
    Nov 29 11:42:20 	racoon: INFO: Adding remote and local NAT-D payloads.
    Nov 29 11:42:20 	racoon: [laptop ip] INFO: Hashing laptop ip[500] with algo #2 (NAT-T forced)
    Nov 29 11:42:20 	racoon: [Self]: [pfsense wan ip] INFO: Hashing pfsense wan ip[500] with algo #2 (NAT-T forced)
    Nov 29 11:42:20 	racoon: INFO: Adding xauth VID payload.
    Nov 29 11:42:20 	racoon: [Self]: INFO: NAT-T: ports changed to: laptop ip[4500]<->pfsense wan ip[4500]
    Nov 29 11:42:20 	racoon: INFO: NAT-D payload #0 doesn't match
    Nov 29 11:42:20 	racoon: INFO: NAT-D payload #1 doesn't match
    Nov 29 11:42:20 	racoon: INFO: NAT detected: ME PEER
    Nov 29 11:42:20 	racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=CA/ST=Ontario/L=Toronto/O=mydomain/emailAddress=admin@mydomain.info/CN=ipsectestuser
    Nov 29 11:42:20 	racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=CA/ST=Ontario/L=Toronto/O=mydomain/emailAddress=admin@mydomain.info/CN=internal-ca
    Nov 29 11:42:20 	racoon: INFO: Sending Xauth request
    Nov 29 11:42:20 	racoon: [Self]: INFO: ISAKMP-SA established pfsense wan ip[4500]-laptop ip[4500] spi:932e2d58eaf8f51d:49e0fc0ff0161318
    Nov 29 11:42:20 	racoon: [laptop ip] INFO: received INITIAL-CONTACT
    Nov 29 11:42:20 	racoon: INFO: Using port 0
    Nov 29 11:42:20 	racoon: user 'ipsectestuser' authenticated
    Nov 29 11:42:20 	racoon: INFO: login succeeded for user "ipsectestuser"
    Nov 29 11:42:20 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Nov 29 11:42:20 	racoon: ERROR: Cannot open "/etc/motd"
    Nov 29 11:42:21 	racoon: [Self]: INFO: respond new phase 2 negotiation: pfsense wan ip[4500]<=>laptop ip[4500]
    Nov 29 11:42:21 	racoon: ERROR: failed to get sainfo.
    Nov 29 11:42:21 	racoon: ERROR: failed to get sainfo.
    Nov 29 11:42:21 	racoon: [laptop ip] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
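Added here as a helper, not part of the post or of pfSense/racoon: a small Python triage of racoon log lines like the ones above, mapping each recognised error to the IKE phase it belongs to and the setting worth checking. The sample log is constructed from the post's own messages, and the diagnoses are my reading of those messages, not racoon documentation.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the post (same placeholder addresses).
SAMPLE_LOG = """\
Nov 29 11:00:35 racoon: ERROR: no suitable proposal found.
Nov 29 11:42:20 racoon: [Self]: INFO: ISAKMP-SA established pfsense wan ip[4500]-laptop ip[4500] spi:0
Nov 29 11:42:21 racoon: ERROR: failed to get sainfo.
Nov 29 11:05:21 racoon: ERROR: lifebyte mismatched: my:2147483647 peer:0
Nov 29 11:05:21 racoon: [laptop ip] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Nov 29 10:46:04 racoon: [laptop ip] ERROR: couldn't find the pskey for laptop ip.
"""

# (substring racoon prints, IKE phase, what to check); the readings are mine, not racoon's.
RULES = [
    ("no suitable proposal found", 1, "no configured P1 matches peer's DH group/cipher/hash/lifetime"),
    ("couldn't find the pskey", 1, "no PSK for the peer identity; main mode looks it up by IP"),
    ("exchange Aggressive not allowed", 1, "peer sends aggressive mode, server expects main"),
    ("lifebyte mismatched", 2, "P2 life bytes differ; Exact/Strict checking rejects the mismatch"),
    ("no proposal chosen", 2, "P2 proposal matched nothing configured"),
    ("failed to get sainfo", 2, "no P2 entry matches the proposed networks/identities"),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+racoon:\s*(?P<tags>(?:\[[^\]]*\]:?\s*)*)"
                     r"(?P<level>INFO|WARNING|ERROR):\s*(?P<msg>.*)$")

def parse(log_text):
    """Yield (timestamp, peer, level, message); peer is the last tag that is not [Self]."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tags = re.findall(r"\[([^\]]*)\]", m["tags"])
            yield m["ts"], next((t for t in reversed(tags) if t != "Self"), None), m["level"], m["msg"]

def triage(log_text):
    """Map each recognised ERROR line to the IKE phase it belongs to and the setting to check."""
    findings = []
    for ts, peer, level, msg in parse(log_text):
        hit = next(((p, w) for n, p, w in RULES if level == "ERROR" and n in msg), None)
        if hit:
            findings.append({"ts": ts, "peer": peer, "phase": hit[0], "why": hit[1]})
    return findings

def furthest_stage(log_text):
    """'phase2' if an IPsec-SA came up, 'phase1' if only the ISAKMP-SA did, else 'none'."""
    stage = "none"
    for _, _, _, msg in parse(log_text):
        if msg.startswith("IPsec-SA established"):
            return "phase2"
        stage = "phase1" if msg.startswith("ISAKMP-SA established") else stage
    return stage
```

Run `triage(SAMPLE_LOG)` and `furthest_stage(SAMPLE_LOG)` on a pasted IPsec log to see which phase to look at before touching the proposal settings.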