-
Ok fixed should show up on upcoming snaps.
Thank you for the help.
-
@ermal:
Ok fixed should show up on upcoming snaps.
Well, the smp plugin is loaded OK now and charon.xml socket is created in /var/run. (I note on the StronSwan plugins wiki page, the smp plugin is still classified as 'in development / incomplete'). There are still some issues:
- gui still shows that ipsec is stopped
- I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
- Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
- Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]
[1] Actually the lines for negotiation are not exact duplicates: one line is preceded by the logging level like so:
May 7 13:33:44 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID May 7 13:33:44 pfsense charon: 08[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
But this is far enough along for me to dig deeper and try to figure out why the negotiation is failing.
Thanks for looking into this.
-
As of: Current version: 2.2-ALPHA Built On: Sun May 11 03:46:29 CDT 2014
- gui still shows that ipsec is stopped
This one is fixed
- I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
This one is still there
- Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
This one is fixed
- Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]
This one is still there
To date I've not been able to get Ipsec to work; I'm trying to get PSK mode working in road warrior mode, and charon is claiming to not find a shared key. Configuration was working with 2.1.2, though by now I've tried lots of different configs. Could be the 'ipseckey plugin is disabled' that's causing the issue?:
May 11 23:35:01 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, FreeBSD 10.0-STABLE, amd64)
May 11 23:35:01 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
May 11 23:35:01 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
May 11 23:35:01 pfsense charon: 00[CFG] ipseckey plugin is disabled
May 11 23:35:01 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 11 23:35:01 pfsense charon: 00[CFG] loaded ca certificate "C=US, ST=xxxxxxxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May 11 23:35:01 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 11 23:35:01 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
May 11 23:35:01 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May 11 23:35:01 pfsense charon: 00[CFG]** loaded IKE secret for vpnusers@no_place_special.com**
May 11 23:35:01 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
le or directory
May 11 23:35:01 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
May 11 23:35:01 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap
-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xaut
h-eap whitelist addrblock
May 11 23:35:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
May 11 23:35:01 pfsense charon: 00[JOB] spawning 16 worker threadsFailing to find PSK:
May 12 16:48:01 pfsense charon: 11[IKE] IKE_SA con1-1[26] state change: CONNECTING => DESTROYING May 12 16:48:01 pfsense charon: 11[IKE] <con1-1|26>IKE_SA con1-1[26] state change: CONNECTING => DESTROYING May 12 16:48:06 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes) May 12 16:48:06 pfsense charon: 11[NET] <27> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes) May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-00 vendor ID May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID May 12 16:48:06 pfsense charon: 11[IKE] received NAT-T (RFC 3947) vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received NAT-T (RFC 3947) vendor ID May 12 16:48:06 pfsense charon: 11[IKE] received FRAGMENTATION vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received FRAGMENTATION vendor ID May 12 16:48:06 pfsense charon: 11[IKE] received Cisco Unity vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <27> received Cisco Unity vendor ID May 12 16:48:06 pfsense charon: 11[IKE] 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA May 12 16:48:06 pfsense charon: 11[IKE] <27> 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA (unnamed)[27] state change: CREATED => CONNECTING May 12 16:48:06 pfsense charon: 11[IKE] <27> IKE_SA (unnamed)[27] state change: CREATED => CONNECTING May 12 16:48:06 pfsense charon: 11[CFG] looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com] May 12 16:48:06 pfsense charon: 11[CFG] <27> looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com] May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1" May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1" May 12 16:48:06 pfsense charon: 11[IKE] sending XAuth vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending XAuth vendor ID May 12 16:48:06 pfsense charon: 11[IKE] sending DPD vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending DPD vendor ID May 12 16:48:06 pfsense charon: 11[IKE] sending FRAGMENTATION vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending FRAGMENTATION vendor ID May 12 16:48:06 pfsense charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending NAT-T (RFC 3947) vendor ID May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz] May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz] May 12 16:48:06 pfsense charon: 11[IKE] queueing INFORMATIONAL task May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>queueing INFORMATIONAL task May 12 16:48:06 pfsense charon: 11[IKE] activating new tasks May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating new tasks May 12 16:48:06 pfsense charon: 11[IKE] activating INFORMATIONAL task May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating INFORMATIONAL task May 12 16:48:06 pfsense charon: 11[NET] sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes) May 12 16:48:06 pfsense charon: 11[NET] <con1-1|27>sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes) May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING May 12 16:48:11 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes) May 12 16:48:11 pfsense charon: 11[NET] <28> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500]</con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|26>
-
Can you try next snapshots?
Also if you get issues on matching the ID try using an PSK with a name of 'allusers'.
-
Works for me now, thanks. I did add 'any' and 'allusers', and also changed the client to use ip address as remote identity rather than 'key identifier'. Not sure which did it.
-
Check the format of ipsec.secrets. I added some code yesterday to make it properly honor the mobile tunnel identifier when it otherwise wouldn't.
Using allusers can help but it sets up an anonymous PSK which may not be what you want for general mobile IPsec (but it would be what someone wants for L2TP+IPsec)
-
Yep, the image I'm using already has that commit. Just now I took out the anonymous allusers and any PSK, and added the remote IP address. It still connects OK with IP, I'll try to test key id later.
I'm seeing the connection being destroyed due to initiator not reauthenticating though, but that may well be a config problem on the client end (shrewsoft). Client is unaware that the connection is dropped. Not sure why a timeout is announced 9 minutes before it's scheduled, and then the connection is dropped immediately. What happened to the 9 minutes?
May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>initiator did not reauthenticate as requested May 16 13:14:29 pfsense charon: 05[IKE] IKE_SA con1-1[19] will timeout in 9 minutes May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>IKE_SA con1-1[19] will timeout in 9 minutes May 16 13:14:56 pfsense charon: 07[IKE] <con1-1|19>delaying task initiation, QUICK_MODE exchange in progress May 16 13:15:00 pfsense charon: 07[IKE] giving up after 5 retransmits May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>giving up after 5 retransmits May 16 13:15:00 pfsense charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>unable to reestablish IKE_SA due to asymmetric setup May 16 13:15:00 pfsense charon: 07[IKE] IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING May 16 13:15:00 pfsense charon: 07[CFG] lease 192.168.3.1 by '10.5.60.58' went offline May 16 13:15:00 pfsense charon: 07[CFG] <con1-1|19>lease 192.168.3.1 by '10.5.60.58' went offline</con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19>
-
There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.
-
In short:
- Snap from this morning can't have more than one concurrent user connected, fixed now
- "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
- "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
- If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)
-
[2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime Mon May 19 13:13:23 CDT 2014 [2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki exec: /usr/local/bin/pki: not found [2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki [2.2-ALPHA][root@pfsense.localdomain]/root(7):
Is this intentional? Any valid reason not to include it?
-
Added mostly an oversight.
Though why would one need it in a GUI environment is out of me.
-
- Snap from this morning can't have more than one concurrent user connected, fixed now
Fixed on current snaps.
- "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
Should be fixed on the next new snaps.
- "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
That appears to be a difference in how strongswan and racoon operate mobile connections. It's going to be required to add that manually unless we add an option to automatically add it.
Also L2TP+IPsec is almost working. More on that later.
-
@ermal:
Though why would one need it in a GUI environment is out of me.
So newbies like me can follow how-tos on the 'net, trying to learn :)
-
Thanks for working on this. I'm seeing the following (ask for more details if needed):
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
- re-auth fails, client is oblivious (psk road warrior config)
- No SAs or SPs appear on the web gui when connected
- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
Let me know if there is any particular testing or other info you need! I'm pretty new to IPSEC, just trying to get my 2.1 config working under 2.2.
BTW, the change to weakswan under psk aggressive is a strong motivator to learn a proper config ….
-
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
It shows up for me. Are you sure you're on a current snapshot?
Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.- re-auth fails, client is oblivious (psk road warrior config)
re-auth when? When the P1 expires? Or when the server restarts?
- No SAs or SPs appear on the web gui when connected
That's expected at the moment, there's a ticket open. Those tabs may go away, all the info is on the first tab there's a button under each connection to view the child SAs.
- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
What does that mean? Using the key id or IP address where on the client/server?
-
- banner doesn't appear (shrewsoft client, banner appeared with racoon)
It shows up for me. Are you sure you're on a current snapshot?
Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.Current as of last night
- re-auth fails, client is oblivious (psk road warrior config)
re-auth when? When the P1 expires? Or when the server restarts?
When P1 expires:
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]…173.15.aa.bb[10.5.60.58]
May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s</con1-1|4>
May 21 10:33:46 pfsense charon: 01[IKE] maximum IKE_SA lifetime 3368s
.
.
.
May 21 11:20:06 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:26 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:26 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:46 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:46 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested <== 2828 sec expires here
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
May 21 11:20:54 pfsense charon: 16[IKE] IKE_SA con1-1[4] will timeout in 9 minutes
May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
May 21 11:20:54 pfsense charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c3d88eca and reqid {1}
May 21 11:20:54 pfsense charon: 11[ENC] generating QUICK_MODE request 2100136337 [ HASH SA No ID ID ]
May 21 11:20:54 pfsense charon: 11[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:20:58 pfsense charon: 16[IKE] sending retransmit 1 of request message ID 2100136337, seq 1
May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
May 21 11:20:58 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:06 pfsense charon: 16[IKE] sending retransmit 2 of request message ID 2100136337, seq 1
May 21 11:21:06 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 2 of request message ID 2100136337, seq 1
May 21 11:21:06 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:19 pfsense charon: 16[IKE] sending retransmit 3 of request message ID 2100136337, seq 1
May 21 11:21:19 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 3 of request message ID 2100136337, seq 1
May 21 11:21:19 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:38 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:21:38 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:21:42 pfsense charon: 16[IKE] sending retransmit 4 of request message ID 2100136337, seq 1
May 21 11:21:42 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 4 of request message ID 2100136337, seq 1
May 21 11:21:42 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:21:42 pfsense charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI c71c158f and reqid {1}
May 21 11:22:01 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:01 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:21 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:21 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:24 pfsense charon: 01[IKE] sending retransmit 5 of request message ID 2100136337, seq 1
May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
May 21 11:22:24 pfsense charon: 01[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
May 21 11:22:43 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:22:43 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:03 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:03 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:23 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:23 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
May 21 11:23:39 pfsense charon: 16[IKE] giving up after 5 retransmits
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
May 21 11:23:39 pfsense charon: 16[IKE] unable to reestablish IKE_SA due to asymmetric setup
May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
May 21 11:23:39 pfsense charon: 16[KNL] unable to delete SAD entry with SPI ca40ad92: No such file or directory (2)
May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline</con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4>- connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )
What does that mean? Using the key id or IP address where on the client/server?
On pfSense I have to configure PSK entries for the ip addresses , and configure the shrewsoft client to use 'ip address (discovered remote host address)'. Can't get 'key id' to work. I'll pay more attention and give better details, or set up proper certs.
-
It works for me using an ID, though I use "User FQDN" as the type. My "mobile" config is the same as what we have documented on the doc wiki for mobile IPsec on 2.x, since we are trying to ensure a smooth transition using the same settings as before.
The reauth bit looks like the client didn't do what it should. I'm not sure what the server can do there to help, if anything.