IPSec mobile clients not working in PFS 2.1 working in PFS 1.2.3



  • Hi
    we have been using IPSec mobile clients (mutual psk) with version 1.2.3 without problems
    after upgrading to version 2.1, we got a problem

    to be sure, i installed version 2.1 on an old pentium 3, so it's not an upgrade, then i configured the same configuration manually, so it's a clean configuration and not an imported one; the result is the same

    in brief, all is ok, the tunnel is up, but there is no communication even if the firewall logs display the correct entries with green (pass)
    it seems like all is ok, all is logged, but the tunnel interface cannot communicate with the LAN one

    i've been looking for this problem the last 3 days in vain

    my configuration :
    pfsense lan : 192.168.1.1/24
    pfsense wan : 192.168.2.1/24, gateway 192.168.2.254
    lan & wan static address with block bogon networks

    lan ftp server : 192.168.1.3/24, gateway 192.168.1.1
    wan servers (antivirus, wsus, ntp) : 192.168.2.10,11,12/24
    wan administrator : 192.168.2.20/24
    vpn users : 192.168.3.33/24, 192.168.3.84/24, 192.168.4.12/24, 192.168.5.39/24
    vpn address : 172.16.20.33/32, 172.16.20.84/32, 172.16.20.12/32, 172.16.20.39/32
    each vpn user with ip 192.168.x.y configure his vpn with 172.16.20.y

    nat :
    no global nat
    i deleted all automatic outbound nat
    1:1 nat configured
    lan ftp server : 192.168.1.3/32 <–> 192.168.2.3/32

    virtual ip:
    192.168.2.3/32 (proxy arp)

    firewall rules:
    lan
    lan ftp server : 192.168.1.3/32 --> wan servers 192.168.2.10,11,12 (icmp)
    lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.10/32 (udp-ntp)
    lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.11/32 (tcp-http)
    lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.12/32 (udp&tcp ports for antivirus)

    wan
    wan administrator 192.168.2.20/32 --> pfsense wan 192.168.2.1 (tcp-https)
    wan server 192.168.2.12/32 --> lan ftp server : 192.168.1.3/32 (udp&tcp ports for antivirus)
    vpnusers --> pfsense wan 192.168.2.1 (udp500,4500 ike,isakmp + ESP)

    ipsec : (log enabled for both rules)
    vpn address --> lan ftp server : 192.168.1.3/32 (icmp)
    vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

    IPSec :
    VPN: IPSec: Mobile
    IPSec mobile clients support Enabled
    VPN: IPSec: Keys
    Identifier :  group1 <--> Pre-shared key : theateam
    VPN: IPSec:
    phase 1 :
    mutual psk, aggressive, my ip address, default, default, 3des, sha1, 2 (1024 bit), 3600
    nat-t enabled, dpd enabled 10 sec, 5 retries
    phase 2 :
    mode tunnel ipv4, local network : address : 192.168.1.3/32, nat/binat : none
    esp, 3des, sha1, 2 (1024 bit), 3600

    configuration of shrew soft vpn client ver 2.2.2 & ver 2.1.7 on vpn users pc :
    ip address : 192.168.2.1, port 500, autoconfig disabled
    mtu 1380, use virtual adapter and assigned address : 172.16.20.y/255.255.255.255
    nat-t enabled, port 4500, keepalive 15s, ike frag enabled, max packet size 540
    enable dpd, enable isakmp failure
    no dns, no wins
    authentication : mutual psk
    local identity
    key Identifier :  group1 <--> key id : theateam
    remote identity
    ip address <--> 192.168.2.1
    phase 1
    aggressive, group 2, 3des, -- bits, sha1, 3600 secs, 0 kbytes
    phase 2
    esp-3des, -- bits, sha1, group 2, disabled, 3600 secs, 0 kbytes
    policy
    auto : 192.168.1.3/255.255.255.255

    Now, i can connect, tunnel is enabled, in windows the route print command displays the vpn route
          192.168.1.3  255.255.255.255        On-link      172.16.20.y    31
      172.16.20.y  255.255.255.255        On-link      172.16.20.y    286
          224.0.0.0        240.0.0.0        On-link      172.16.20.y    286
    255.255.255.255  255.255.255.255        On-link      172.16.20.y    286

    BUT, i CAN NOT ping 192.168.1.3 nor do ftp to 192.168.1.3

    in firewall, system logs, i can find these entries
    Act, Time, If, Source, Destination, Proto
    Pass, Mar 1 11:30:28, enc0, 172.16.20.y, 192.168.1.3, ICMP
    Pass, Mar 1 11:30:48, enc0, 172.16.20.y:53870, 192.168.1.3:21, TCP:S

    Why is all OK, tunnel OK, logs OK and traffic Not OK ?

    i tried to change policy from auto to (require, unique, shared), nothing happened
    i also tried changing local identity to userFQDN, nothing happened
    i also tried changing remote identity to any, nothing happened

    in all above cases, client connected, tunnel up, but no connection for ping and ftp

    for test purpose i added a wan rule :
    wan administrator 192.168.2.20/32 --> lan ftp server 192.168.2.1 (tcp-ftp)
    then ftp passes from administrator 192.168.2.20 to 192.168.2.3

    i also disabled the 1:1 nat, in vain

    any hints ?
    any ideas ?

    please help me, i don't want to revert to the old 1.2.3 version
    one thing is sure, the same hardware worked for the 1.2.3 version
    i also tried the greenbow vpn client, i got the same problem
    i also tried aes128 instead of 3des
    some clients are XP some are Seven, same issue for both of them

    why doesn't the tunnel interface communicate with the LAN one ?

    F1, F1, F1 !!!!

    Thanks



  • Hi All,
    I have created a new tutorial that is updated for release 2.1. I am sending this to boujid to test. If it works for him I will post the updated tutorial in the sticky link at the top of the page.

    -E


  • @boujid:

    firewall rules:
    ipsec : (log enabled for both rules)
    vpn address --> lan ftp server : 192.168.1.3/32 (icmp)
    vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

    Cannot see how this is right. Should be the IPsec subnet at minimum. Not VPN address.



  • @eureka
    Thank you a lot for your time and tutorial
    yes it worked ! but …. there are many differences with my setup

    you have opted for mutual-psk + xauth instead of mutual-psk only
    you have opted for a Client configuration mode instead of auto configuration disabled
    [ipsec address dynamic(auto) vs static(manual)]
    phase 2, you have opted for LAN subnet instead of the address of the server only
    [auto discovery of Policy Generation Level and Obtain Topology Automatically]

    the other changes are OK (policy generation, proposal checking, Hash algorithm, nat traversal )

    so, really i am glad it worked, but i am still feeling bitter because i still don't know what is the problem with my own setup, and i can affirm that this same setup was working with the old version

    i haven't tested the rsa one, but i am sure it will work also, thank you for your contribution, your new tutorial will save many people

    --------------------------------------------------

    @doktornotor
    thank you for your answer, i am feeling curious about what you mean
    in my case, there is no auto configuration, so there is just a static address configured for vpn users, which IPSec subnet must i configure ?

    i haven't changed anything in firewall rules while testing @eureka new tutorial, so the tutorial succeeded with the same rules in your quote

    do you insinuate that auto configuration is mandatory in PFS 2.1 ?


    i am still confused
    with my initial setup, i can control security with :
    source address of vpn users, their ipsec address, pre-shared key

    the new tutorial of @eureka, i can control security with :
    source address of vpn users, pre-shared key

    yes ! the xauth user/login is a good thing, but i can not find how to configure the xauth username as a source in firewall rules !!!

    another thing, the LAN subnet hosts more than one server, each vpn user will have access to a specified server and not all of them (not the LAN subnet)
    all vpn users will have the same config except for the remote address

    how can i differentiate users in firewall ipsec rules if i am using auto config ?


    why is a working configuration in PFS 1.2.3 no longer working in PFS 2.1 ?

    Thank you a lot



  • as @eureka tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only)
    so i decided to test different combinations :

    Policy Generation PFS/VPNClient;Proposal Checking;NAT Traversal;Result
    -----------------------------;-----------------;-------------;------
    Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
    unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
    unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/require;Default;force/enable;"Tunnel up ; Traffic up"
    Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"

    in brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if these two points are satisfied :

    point 1
    NAT Traversal in PFS must be configured as "force" , VPN client can be configured as "force-rfc" or "enable"

    point 2
    Policy Generation in PFS must be either Default, unique or require while the same policy in the vpn client (shrew soft) must be either unique or require

    there are other combinations not tested, but i believe that the above two points are mandatory

    i don't know what changed in the racoon daemon, but for sure, the parameters of NAT Traversal don't behave in version 2.1 as in version 1.2.3

    i hope that my journey will be beneficial for other persons

    that's all folks !
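    As an added example that is not part of the thread (it is neither boujid's nor the pfSense project's code), the following Python script encodes the two points above as rules and checks them against every row of the test matrix, so a reader can see that no tested combination contradicts them. The row format, the rule encoding, and the treatment of a lone NAT Traversal value such as "Enable" as applying to both pfSense and the client are assumptions made here.

```python
"""Check the two rules from the post against the pfSense 2.1 / Shrew Soft test matrix.

Added example, not code from the thread. The matrix rows are copied from the
post; the rule encoding (point 1 and point 2) and the treatment of a lone
NAT-T value such as "Enable" as applying to both sides are assumptions.
"""

# Rows copied from the post, one per line:
# PFS policy/client policy;proposal checking;NAT-T pfSense/client;result
TEST_MATRIX = """\
Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/enable;"Tunnel up ; Traffic up"
Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"
"""

# Point 1: NAT Traversal must be "force" on pfSense; the client may use
# "force-rfc" or "enable".
PFS_NATT_OK = {"force"}
CLIENT_NATT_OK = {"force-rfc", "enable"}

# Point 2: Policy Generation must be Default, unique or require on pfSense,
# and unique or require on the Shrew Soft client.
PFS_POLICY_OK = {"default", "unique", "require"}
CLIENT_POLICY_OK = {"unique", "require"}


def predict_traffic(pfs_policy, client_policy, pfs_natt, client_natt):
    """Return True if the two rules predict traffic flowing through the tunnel."""
    point1 = pfs_natt.lower() in PFS_NATT_OK and client_natt.lower() in CLIENT_NATT_OK
    point2 = pfs_policy.lower() in PFS_POLICY_OK and client_policy.lower() in CLIENT_POLICY_OK
    return point1 and point2


def parse_row(line):
    """Parse one semicolon-separated row; the quoted result field keeps its own ';'."""
    policy, proposal, natt, result = line.split(";", 3)
    pfs_policy, client_policy = policy.split("/")
    sides = natt.split("/")
    if len(sides) == 1:
        # Assumption: a single value ("Enable") was set on both pfSense and the client.
        sides = sides * 2
    pfs_natt, client_natt = sides
    return {
        "pfs_policy": pfs_policy,
        "client_policy": client_policy,
        "proposal": proposal,
        "pfs_natt": pfs_natt,
        "client_natt": client_natt,
        "traffic_up": "traffic up" in result.lower(),
    }


def check_matrix(text):
    """Return the rows where the rules' prediction disagrees with the observed result."""
    mismatches = []
    for line in text.strip().splitlines():
        row = parse_row(line)
        predicted = predict_traffic(row["pfs_policy"], row["client_policy"],
                                    row["pfs_natt"], row["client_natt"])
        if predicted != row["traffic_up"]:
            mismatches.append((line, predicted, row["traffic_up"]))
    return mismatches


if __name__ == "__main__":
    bad = check_matrix(TEST_MATRIX)
    print("rows contradicting the two rules:", len(bad))
    for line, predicted, observed in bad:
        print(f"  {line}: predicted up={predicted}, observed up={observed}")
```

    Running the script reports zero contradicting rows for the eighteen tested combinations; it says nothing about the untested combinations the post mentions, which is why the rules are kept as explicit sets that can be extended as more results come in.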



  • @boujid:

    as @eureka tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only)
    so i decided to test different combinations :

    Policy Generation PFS/VPNClient;Proposal Checking;NAT Traversal;Result
    -----------------------------;-----------------;-------------;------
    Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
    unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
    unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
    unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
    require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
    Default/require;Default;force/enable;"Tunnel up ; Traffic up"
    Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"

    in brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if these two points are satisfied :

    point 1
    NAT Traversal in PFS must be configured as "force" , VPN client can be configured as "force-rfc" or "enable"

    point 2
    Policy Generation in PFS must be either Default, unique or require while the same policy in the vpn client (shrew soft) must be either unique or require

    there are other combinations not tested, but i believe that the above two points are mandatory

    i don't know what changed in the racoon daemon, but for sure, the parameters of NAT Traversal don't behave in version 2.1 as in version 1.2.3

    i hope that my journey will be beneficial for other persons

    that's all folks !

    Boujid,
    Very good investigation! I will do some testing myself and see if there is possibly a bug or something.
    I do know that in version 1.2.3 NAT-T was only kind of working and caused some issues at random. It is likely that it has changed since then.

    I will finalize the tutorial I re-wrote and get it online this weekend, making special note of your post on the requirements for nat-t/etc.

    I will look into also doing a few others with different methods like what you are requesting.

    Thanks!
    -E