Netgate Discussion Forum

    IPSec mobile clients not working in PFS 2.1 working in PFS 1.2.3

    boujid

      Hi
      We have been using IPsec mobile clients (mutual PSK) with version 1.2.3 without problem.
      After upgrading to version 2.1, we got a problem.

      To be sure, I installed version 2.1 on an old Pentium 3, so it's not an upgrade; then I configured the same configuration manually, so it's a clean configuration and not an imported one. The result is the same.

      In brief, all is OK: the tunnel is up, but there is no communication, even if the firewall logs display the correct entries in green (pass).
      It seems like all is OK, all is logged, but the tunnel interface cannot communicate with the LAN one.

      I've been looking for this problem for the last 3 days in vain.

      My configuration:
      pfsense lan : 192.168.1.1/24
      pfsense wan : 192.168.2.1/24, gateway 192.168.2.254
      lan & wan static address with block bogon networks

      lan ftp server : 192.168.1.3/24, gateway 192.168.1.1
      wan servers (antivirus, wsus, ntp) : 192.168.2.10,11,12/24
      wan administrator : 192.168.2.20/24
      vpn users : 192.168.3.33/24, 192.168.3.84/24, 192.168.4.12/24, 192.168.5.39/24
      vpn address : 172.16.20.33/32, 172.16.20.84/32, 172.16.20.12/32, 172.16.20.39/32
      Each VPN user with IP 192.168.x.y configures his VPN with 172.16.20.y.

      NAT:
      no global NAT
      I deleted all automatic outbound NAT
      1:1 NAT configured
      lan ftp server : 192.168.1.3/32 <--> 192.168.2.3/32

      Virtual IP:
      192.168.2.3/32 (proxy arp)

      firewall rules:
      lan
      lan ftp server : 192.168.1.3/32 --> wan servers 192.168.2.10,11,12 (icmp)
      lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.10/32 (udp-ntp)
      lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.11/32 (tcp-http)
      lan ftp server : 192.168.1.3/32 --> wan server 192.168.2.12/32 (udp&tcp ports for antivirus)

      wan
      wan administrator 192.168.2.20/32 --> pfsense wan 192.168.2.1 (tcp-https)
      wan server 192.168.2.12/32 --> lan ftp server : 192.168.1.3/32 (udp&tcp ports for antivirus)
      vpn users --> pfsense wan 192.168.2.1 (udp500,4500 ike,isakmp + ESP)

      ipsec : (log enabled for both rules)
      vpn address --> lan ftp server : 192.168.1.3/32 (icmp)
      vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

      IPSec :
      VPN: IPSec: Mobile
      IPSec mobile clients support Enabled
      VPN: IPSec: Keys
      Identifier :  group1 <--> Pre-shared key : theateam
      VPN: IPSec:
      phase 1 :
      mutual psk, aggressive, my ip address, default, default, 3des, sha1, 2 (1024 bit), 3600
      nat-t enabled, dpd enabled 10 sec, 5 retries
      phase 2 :
      mode tunnel ipv4, local network : address : 192.168.1.3/32, nat/binat : none
      esp, 3des, sha1, 2 (1024 bit), 3600

      Configuration of the Shrew Soft VPN client ver 2.2.2 & ver 2.1.7 on the VPN users' PCs:
      ip address : 192.168.2.1, port 500, autoconfig disabled
      mtu 1380, use virtual adapter and assigned address : 172.16.20.y/255.255.255.255
      nat-t enabled, port 4500, keepalive 15s, ike frag enabled, max packet size 540
      enable dpd, enable isakmp failure
      no dns, no wins
      authentication : mutual psk
      local identity
      key Identifier :  group1 <--> key id : theateam
      remote identity
      ip address <--> 192.168.2.1
      phase 1
      aggressive, group 2, 3des, -- bits, sha1, 3600 secs, 0 kbytes
      phase 2
      esp-3des, -- bits, sha1, group 2, disabled, 3600 secs, 0 kbytes
      policy
      auto : 192.168.1.3/255.255.255.255

      Now, I can connect and the tunnel is enabled; in Windows the route print command displays the VPN route:
            192.168.1.3  255.255.255.255        On-link      172.16.20.y    31
        172.16.20.y  255.255.255.255        On-link      172.16.20.y    286
            224.0.0.0        240.0.0.0        On-link      172.16.20.y    286
      255.255.255.255  255.255.255.255        On-link      172.16.20.y    286

      BUT, I CAN NOT ping 192.168.1.3 nor do FTP to 192.168.1.3.

      In the firewall system logs, I can find these entries:
      Act, Time, If, Source, Destination, Proto
      Pass, Mar 1 11:30:28, enc0, 172.16.20.y, 192.168.1.3, ICMP
      Pass, Mar 1 11:30:48, enc0, 172.16.20.y:53870, 192.168.1.3:21, TCP:S

      Why is all OK, tunnel OK, logs OK, and traffic not OK?

      I tried to change the policy from auto to (require, unique, shared); nothing happened.
      I also tried changing the local identity to userFQDN; nothing happened.
      I also tried changing the remote identity to any; nothing happened.

      In all the above cases, the client connected and the tunnel was up, but no connection for ping and FTP.

      For test purposes I added a WAN rule:
      wan administrator 192.168.2.20/32 --> lan ftp server 192.168.2.1 (tcp-ftp)
      Then FTP passes from administrator 192.168.2.20 to 192.168.2.3.

      I also disabled the 1:1 NAT, in vain.

      Any hints?
      Any ideas?

      Please help me, I don't want to revert to the old 1.2.3 version.
      One thing is sure: the same hardware worked with the 1.2.3 version.
      I also tried the GreenBow VPN client; I got the same problem.
      I also tried aes128 instead of 3des.
      Some clients are XP, some are Seven; same issue for both of them.

      Why doesn't the tunnel interface communicate with the LAN one?

      F1, F1, F1 !!!!

      Thanks

    eureka

        Hi All,
        I have created a new tutorial that is updated for release 2.1. I am sending this to boujid to test. If it works for him I will post the updated tutorial in the sticky link at the top of the page.

        -E

    doktornotor

          @boujid:

          firewall rules:
          ipsec : (log enabled for both rules)
          vpn address --> lan ftp server : 192.168.1.3/32 (icmp)
          vpn address --> lan ftp server : 192.168.1.3/32 (tcp-ftp)

          Cannot see how this is right. Should be the IPsec subnet at minimum. Not VPN address.

    boujid

            @eureka
            Thank you a lot for your time and tutorial.
            Yes, it worked! But... there are many differences with my setup:

            you have opted for mutual-psk + xauth instead of mutual-psk only
            you have opted for a Client configuration mode instead of auto configuration disabled
            [ipsec address dynamic(auto) vs static(manual)]
            phase 2, you have opted for LAN subnet instead of the address of the server only
            [auto discovery of Policy Generation Level and Obtain Topology Automatically]

            The other changes are OK (policy generation, proposal checking, hash algorithm, NAT traversal).

            So, really, I am glad it worked, but I am still feeling bitter because I still don't know what the problem is with my own setup, and I can affirm that this same setup was working with the old version.

            I haven't tested the RSA one, but I am sure it will work also. Thank you for your contribution; your new tutorial will save many people.

            ---------------------------------------------------

            @doktornotor
            Thank you for your answer. I am feeling curious about what you mean.
            In my case, there is no auto configuration, so there are just static addresses configured for VPN users. Which IPsec subnet must I configure?

            I haven't changed anything in the firewall rules while testing @eureka's new tutorial, so the tutorial succeeded with the same rules as in your quote.

            Do you insinuate that auto configuration is mandatory in PFS 2.1?


            I am still confused.
            With my initial setup, I can control security with:
            source address of VPN users, their IPsec address, pre-shared key

            With the new tutorial of @eureka, I can control security with:
            source address of VPN users, pre-shared key

            Yes! The xauth user/login is a good thing, but I can not find how to configure the xauth username as a source in firewall rules!!!

            Another thing: the LAN subnet hosts more than one server; each VPN user will have access to a specified server and not all of them (not the LAN subnet).
            All VPN users will have the same config except for the remote address.

            How can I differentiate users in firewall IPsec rules if I am using auto config?


            Why is a working configuration in PFS 1.2.3 no longer working in PFS 2.1?

            Thank you a lot

    boujid

              As @eureka's tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only),
              so I decided to test different combinations:

              Policy Generation PFS/VPNClient   Proposal Checking   NAT Traversal      Result
              -------------------------------   -----------------   ----------------   ------------------------
              Default/auto                      Default             Enable             Tunnel up ; Traffic Down
              unique/unique                     Default             Enable             Tunnel up ; Traffic Down
              unique/unique                     Default             force/force-rfc    Tunnel up ; Traffic up
              Default/auto                      Default             force/force-rfc    Tunnel up ; Traffic Down
              require/require                   Default             force/force-rfc    Tunnel up ; Traffic up
              require/auto                      Default             force/force-rfc    Tunnel up ; Traffic Down
              on/auto                           Default             force/force-rfc    Tunnel up ; Traffic Down
              on/shared                         Default             force/force-rfc    Tunnel up ; Traffic Down
              Default/shared                    Default             force/force-rfc    Tunnel up ; Traffic Down
              Default/require                   Default             force/force-rfc    Tunnel up ; Traffic up
              Default/unique                    Default             force/force-rfc    Tunnel up ; Traffic up
              require/unique                    Default             force/force-rfc    Tunnel up ; Traffic up
              unique/require                    Default             force/force-rfc    Tunnel up ; Traffic up
              require/shared                    Default             force/force-rfc    Tunnel up ; Traffic Down
              unique/shared                     Default             force/force-rfc    Tunnel up ; Traffic Down
              unique/auto                       Default             force/force-rfc    Tunnel up ; Traffic Down
              Default/require                   Default             force/enable       Tunnel up ; Traffic up
              Default/require                   Default             enable/force-rfc   Tunnel up ; Traffic Down

              In brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if these two points are satisfied:

              Point 1
              NAT Traversal in PFS must be configured as "force"; the VPN client can be configured as "force-rfc" or "enable".

              Point 2
              Policy Generation in PFS must be either Default, unique or require, while the same policy in the VPN client (Shrew Soft) must be either unique or require.

              There are other combinations not tested, but I believe that the above two points are mandatory.

              I don't know what changed in the racoon daemon, but for sure the parameters of NAT Traversal don't behave in version 2.1 as in version 1.2.3.

              I hope that my journey will be beneficial for other people.

              That's all folks!

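The matrix in the post above makes a testable claim: traffic passes exactly when both of the poster's two points hold at once. The following Python script is an added example, not code from this thread, from pfSense or from Shrew Soft; it re-parses a constructed semicolon-separated transcription of the same matrix (same rows, same values), applies the two points as a settings check, and reports any row the rule fails to predict. It can also be pointed at your own four settings to see which point, if any, is violated. All function and variable names are the example's own.

```python
import csv
from io import StringIO

# Constructed transcription of the test matrix from the post above
# (same rows and values; the dashed separator row is left out).
TEST_MATRIX = """\
Policy Generation PFS/VPNClient;Proposal Checking;NAT Traversal;Result
Default/auto;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;Enable;"Tunnel up ; Traffic Down"
unique/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
require/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
on/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
Default/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/unique;Default;force/force-rfc;"Tunnel up ; Traffic up"
unique/require;Default;force/force-rfc;"Tunnel up ; Traffic up"
require/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/shared;Default;force/force-rfc;"Tunnel up ; Traffic Down"
unique/auto;Default;force/force-rfc;"Tunnel up ; Traffic Down"
Default/require;Default;force/enable;"Tunnel up ; Traffic up"
Default/require;Default;enable/force-rfc;"Tunnel up ; Traffic Down"
"""


def split_pair(value):
    """'pfs/client' -> (pfs, client), lower-cased; a single value applies to both sides."""
    parts = value.strip().lower().split("/", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], parts[0])


def parse_matrix(text):
    """Turn the semicolon-separated matrix into a list of dicts, one per tested combination."""
    rows = []
    # The Result column is quoted because it contains the delimiter; csv handles that.
    for rec in csv.DictReader(StringIO(text), delimiter=";"):
        pfs_policy, client_policy = split_pair(rec["Policy Generation PFS/VPNClient"])
        pfs_natt, client_natt = split_pair(rec["NAT Traversal"])
        rows.append({
            "pfs_policy": pfs_policy,
            "client_policy": client_policy,
            "pfs_natt": pfs_natt,
            "client_natt": client_natt,
            "traffic_up": "traffic up" in rec["Result"].lower(),
        })
    return rows


def check_settings(pfs_natt, client_natt, pfs_policy, client_policy):
    """Apply the poster's two points to one set of settings.

    Returns the list of violated points; an empty list means the rule
    predicts that traffic will pass through the tunnel.
    """
    problems = []
    if pfs_natt.lower() != "force" or client_natt.lower() not in ("force-rfc", "enable"):
        problems.append("point 1: pfSense NAT Traversal must be 'force'; "
                        "client must be 'force-rfc' or 'enable'")
    if (pfs_policy.lower() not in ("default", "unique", "require")
            or client_policy.lower() not in ("unique", "require")):
        problems.append("point 2: pfSense Policy Generation must be Default, unique or require; "
                        "client must be unique or require")
    return problems


def mismatches(rows):
    """Rows where the two-point rule predicts a different outcome than was observed."""
    bad = []
    for r in rows:
        predicted_up = not check_settings(r["pfs_natt"], r["client_natt"],
                                          r["pfs_policy"], r["client_policy"])
        if predicted_up != r["traffic_up"]:
            bad.append(r)
    return bad


if __name__ == "__main__":
    rows = parse_matrix(TEST_MATRIX)
    print(f"{len(rows)} combinations tested, {sum(r['traffic_up'] for r in rows)} passed traffic")
    print("rows contradicting the two points:", mismatches(rows))
    # Check the original poster's first-post settings (NAT-T enabled, policy Default/auto):
    print(check_settings("enable", "enable", "Default", "auto"))
```

Running it shows that every one of the 18 rows is consistent with the two points (no mismatches), and that the original first-post configuration fails both checks, which is the combination the poster reported as "tunnel up, traffic down".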
    eureka

                @boujid:

                As @eureka's tutorial worked, it gave me the idea to change some parameters in my initial configuration (mutual-psk only),
                so I decided to test different combinations:

                Policy Generation PFS/VPNClient   Proposal Checking   NAT Traversal      Result
                -------------------------------   -----------------   ----------------   ------------------------
                Default/auto                      Default             Enable             Tunnel up ; Traffic Down
                unique/unique                     Default             Enable             Tunnel up ; Traffic Down
                unique/unique                     Default             force/force-rfc    Tunnel up ; Traffic up
                Default/auto                      Default             force/force-rfc    Tunnel up ; Traffic Down
                require/require                   Default             force/force-rfc    Tunnel up ; Traffic up
                require/auto                      Default             force/force-rfc    Tunnel up ; Traffic Down
                on/auto                           Default             force/force-rfc    Tunnel up ; Traffic Down
                on/shared                         Default             force/force-rfc    Tunnel up ; Traffic Down
                Default/shared                    Default             force/force-rfc    Tunnel up ; Traffic Down
                Default/require                   Default             force/force-rfc    Tunnel up ; Traffic up
                Default/unique                    Default             force/force-rfc    Tunnel up ; Traffic up
                require/unique                    Default             force/force-rfc    Tunnel up ; Traffic up
                unique/require                    Default             force/force-rfc    Tunnel up ; Traffic up
                require/shared                    Default             force/force-rfc    Tunnel up ; Traffic Down
                unique/shared                     Default             force/force-rfc    Tunnel up ; Traffic Down
                unique/auto                       Default             force/force-rfc    Tunnel up ; Traffic Down
                Default/require                   Default             force/enable       Tunnel up ; Traffic up
                Default/require                   Default             enable/force-rfc   Tunnel up ; Traffic Down

                In brief, the old configuration present in PFS 1.2.3 can work in PFS 2.1 if and only if these two points are satisfied:

                Point 1
                NAT Traversal in PFS must be configured as "force"; the VPN client can be configured as "force-rfc" or "enable".

                Point 2
                Policy Generation in PFS must be either Default, unique or require, while the same policy in the VPN client (Shrew Soft) must be either unique or require.

                There are other combinations not tested, but I believe that the above two points are mandatory.

                I don't know what changed in the racoon daemon, but for sure the parameters of NAT Traversal don't behave in version 2.1 as in version 1.2.3.

                I hope that my journey will be beneficial for other people.

                That's all folks!

                boujid,
                Very good investigation! I will do some testing myself and see if there is possibly a bug or something.
                I do know that in version 1.2.3 NAT-T was only kind of working and caused some issues at random. It is likely that it has changed since then.

                I will finalize the tutorial I re-wrote and get it online this weekend, making special note of your post on the requirements for nat-t/etc.

                I will look into also doing a few others with different methods like what you are requesting.

                Thanks!
                -E
