IPSec mobile clients not working in PFS 2.1 working in PFS 1.2.3

boujid

Hi
we have been using IPSec mobile clients (mutual psk) with version 1.2.3 without problem
after upgrade to version 2.1, we got a problem

to be sure, i installed the version 2.1 to an old pentium 3, so it's not an upgrade, then i configured manually the same configuration, so it's a clean configuration and not an imported one, the result is the same

in brief, all is ok, the tunnel is up, but there is no communication even if the firewall logs display the correct entries with green (pass)
it seems like all is ok, all is logged, but the tunnel interface cannot communicate with the LAN one

i've been looking for this problem the last 3 days in vain

my configuration :
pfsense lan : 192.168.1.1/24
pfsense wan : 192.168.2.1/24, gateway 192.168.2.254
lan & wan static address with block blogon networks

lan ftp server : 192.168.1.3/24, gateway 192.168.1.1
wan servers (antivirus, wsus, ntp) : 192.168.2.10,11,12/24
wan administrator : 192.168.2.20/24
vpn users : 192.168.3.33/24, 192.168.3.84/24, 192.168.4.12/24, 192.168.5.39/24
vpn address : 172.16.20.33/32, 172.16.20.84/32, 172.16.20.12/32, 172.16.20.39/32
each vpn user with ip 192.168.x.y configure his vpn with 172.16.20.y

nat :
no global nat
i deleted all automatic outband nat
1:1 nat configured
lan ftp server : 192.168.1.3/32 <–> 192.168.2.3/32

virtual ip:
192.168.2.3/32 (proxy arp)

firewall rules:
lan
lan ftp server : 192.168.1.3/32 --> wan servers 192.168.2.10,11,12 (icmp)
lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.10/32 (udp-ntp)
lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.11/32 (tcp-http)
lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.12/32 (udp&tcp ports for antivirus)

wan
wan administrator 192.168.2.20/32 --> pfsense wan 192.168.2.1 (tcp-https)
wan server 192.168.2.12/32 --> lan ftp server : 192.168.1.3/32 (udp&tcp ports for antivirus)
vpnusers --> pfsense wan 192.168.2.1 (udp500,4500 ike,isakmp + ESP)

ipsec : (log enabled for both rules)
vpn address --> lan ftp server : 192.168.1.3/32 (icmp)
vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

IPSec :
VPN: IPSec: Mobile
IPSec mobile clients support Enabled
VPN: IPSec: Keys
Identifier : group1 <--> Pre-shared key : theateam
VPN: IPSec:
phase 1 :
mutual psk, aggressive, my ip address, default, default, 3des, sha1, 2 (1024 bit), 3600
nat-t enabled, dpd enabled 10 sec, 5 retries
phase 2 :
mode tunnel ipv4, local network : address : 192.168.1.3/32, nat/binat : none
esp, 3des, sha1, 2 (1024 bit), 3600

configuration of shew soft vpn client ver 2.2.2 & ver 2.1.7. on vpn users pc :
ip address : 192.168.2.1, port 500, autoconfig disabled
mtu 1380, use virtual adapter and assigned address : 172.16.20.y/255.255.255.255
nat-t enabled, port 4500, keepalive 15s, ike frag enabled, max packet size 540
enable dpd, enable isakmp failure
no dns, no wins
authentication : mutual psk
local identity
key Identifier : group1 <--> key id : theateam
remote identity
ip addres <--> 192.168.2.1
phase 1
aggressive, group 2, 3des, -- bits, sha1, 3600 secs, 0 kbytes
phase 2
esp-3des, -- bits, sha1, group 2, disabled, 3600 secs, 0 kbytes
policy
auto : 192.168.1.3/255.255.255.255

Now, i can connect, tunnel is enabled, in windows the route print command display the vpn route
192.168.1.3 255.255.255.255 On-link 172.16.20.y 31
172.16.20.y 255.255.255.255 On-link 172.16.20.y 286
224.0.0.0 240.0.0.0 On-link 172.16.20.y 286
255.255.255.255 255.255.255.255 On-link 172.16.20.y 286

BUT, i CAN NOT ping 192.168.1.3 nor do ftp to 192.168.1.3

in firewall, system logs, i can find this entries
Act, Time, If, Source, Destination, Proto
Pass, Mar 1 11:30:28, enc0, 172.16.20.y, 192.168.1.3, ICMP
Pass, Mar 1 11:30:48, enc0, 172.16.20.y:53870, 192.168.1.3:21, TCP:S

Why all is OK, tunnel OK, logs OK and traffic Not OK ?

i tried to change policy from auto to (require, unique, shared), nothing happened
i tried also change local identity to userFQDN, nothing happened
i tried also change remote identity to any, nothing happened

in all above cases, client connected, tunnel up, but no connection for ping and ftp

for test purpose i added a wan rule :
wan administrator 192.168.2.20/32 --> lan ftp server 192.168.2.1 (tcp-ftp)
then ftp pass from administrator 192.168.2.20 to 192.168.2.3

i also disabled the 1:1 nat, in vain

any hints ?
any ideas ?

please help me, i dont want to revert to the old 1.2.3 version
one thing is sure, the same hardware worked for the 1.2.3 version
i also tried the greenbow vpn client, i got the same problem
i also tried aes128 instead of 3des
some clients are XP some are Seven, same issue for both of them

why tunnel interface doesnt communicate with the LAN one ?

F1, F1, F1 !!!!

Thanks

eureka

Hi All,
I have created a new tutorial that is updated for release 2.1. I am sending this to boujld to test. If it works for him I will post the updated tutorial in the sticky link at the top of the page.

-E

doktornotor

@boujid:

firewall rules:
ipsec : (log enabled for both rules)
vpn address –> lan ftp server : 192.168.1.3/32 (icmp)
vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

Cannot see how's this right. Should be the IPsec subnet at minimum. Not VPN address.

boujid

@eureka
Thank you a lot for your time and tutorial
yes it worked ! but …. there are many differences with my setup

you have opted for mutual-psk + xauth instead of mutual-psk only
you have opted for a Client configuration mode instead of auto configuration disabled
[ipsec address dynamic(auto) vs static(manual)]
phase 2, you have opted for LAN subnet instead of the address of the server only
[auto discovery of Policy Generation Level and Obtain Topology Automatically]

the other changes are OK (policy generation, proposal checking, Hash algorithm, nat traversal )

so, really i am glad it worked, but i am still feeling bitter because i still don't know what is the problem with my own setup, and i can affirm that this same setup was working with the old version

i haven't tested the rsa one, but i am sure it will work also, thank you for your contribution, your new tutorial will save many people

–--------------------------------------------------

@doktornotor
thank you for your answer, i am feeling curious about what you mean
in my case, there is no auto configuration, so there is just static address configured for vpn users, which IPSec subnet i must configure ?

i haven't changed anything in firewall rules while testing @eureka new tutorial, so the tutorial succeeded with the same rules in your quote

do you insinuate that auto configuration is mandatory in PFS 2.1 ?

i am still confused
with my initial setup, i can control security with :
source address of vpn users, their ipsec address, pre-shared key

the new tutorial of @eureka, i can control security with :
source address of vpn users, pre-shared key

yes ! the xauth user/login is a good thing, but i can not find how to configure the xauth username as a source in firewall rules !!!

another thing, the LAN subnet hosts more than one server, each vpn user will have access to a specified server and not all of them (not the LAN subnet)
all vpn users will have the same config except for the remote address

how can i differentiate users in firewall ipsec rules if i am using auto config ?

why a working configuration in PFS 1.2.3 is no more working in PFS 2.1 ?

Thank you a lot

boujid

as @eureka tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only)
so i decided to test different combinations :

Policy Generation PFS/VPNClient;Proposal Checking;NAT Traversal;Result
–-----------------------------;-----------------;-------------;------
Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/enable;"Tunnel up ; Traffic up"
Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"

in brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if this two points are satisfied :

point 1
NAT Traversal in PFS must be configured as "force" , VPN client can be configured as "force-rfc" or "enable"

point 2
Policy Generation in PFS must be either Default, unique or require while the same policy in the vpn client (shrew soft) must be either unique or require

there is other combinations not tested, but i believe that the above two points are mandatory

i dont know what changed in the racoon daemon, but for sure, the parameters of NAT Traversal dont behave in version 2.1 as in the version 1.2.3

i hope that my journey will be beneficial for other persons

that's all folks !

eureka

@boujid:

as @eureka tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only)
so i decided to test different combinations :

Policy Generation PFS/VPNClient;Proposal Checking;NAT Traversal;Result
–-----------------------------;-----------------;-------------;------
Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/enable;"Tunnel up ; Traffic up"
Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"

in brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if this two points are satisfied :

point 1
NAT Traversal in PFS must be configured as "force" , VPN client can be configured as "force-rfc" or "enable"

point 2
Policy Generation in PFS must be either Default, unique or require while the same policy in the vpn client (shrew soft) must be either unique or require

there is other combinations not tested, but i believe that the above two points are mandatory

i dont know what changed in the racoon daemon, but for sure, the parameters of NAT Traversal dont behave in version 2.1 as in the version 1.2.3

i hope that my journey will be beneficial for other persons

that's all folks !

Boujld,
Very good investigation! I will do some testing myself and see if there is possibly a bug or something.
I do know that in version 1.2.3 NAT-T was only kind of working and caused some issues at random. It is likely that it has changed since then.

I will finalize the tutorial I re-wrote and get it online this weekend, making special note of your post on the requirements for nat-t/etc.

I will look into also doing a few others with different methods like what you are requesting.

Thanks!
-E