PfS 2.2 / IPSec / Shrewsoft / Phase 2 Issues
-
I'm struggling to set up a working IPSec connection for mobile clients.
UPDATE: I've crossed out the issues I've either sorted or worked around. I've laid out what I'm trying to achieve with current status in my most recent reply. I'd really appreciate a little help.
~~The furthest point I reach when doing a VPN Trace with Shrewsoft, is the transform on the phase 1 payload at which point the Shrewsoft client reports:
phase1 id type mismatch ( received asn1-dn but expected ipv4-host )
Within pfSense I currently
-> My Identifier -> IP Address -> set to pfSense gateway's current external IP*
-> Peer identifier -> User distinguished name -> vpnusers@some.domain
Within Shrewsoft I have:
-> Local identity -> User Fully Qualified Domain Name -> vpnusers@some.domain
-> Remote identity -> IP Address -> pfSense gateway's external IP address
*This isn't ideal because I'm on a dynamic IP and I'm unable to obtain a static IP address. I have tried other identifiers, but then I don't even get this far.
Incidentally, I have nothing in my /var/log/ipsec.log file from the time I tested the above connection. The logging seems sporadic - I've tried various components and different log levels - sometimes it seems to log in a given scenario and other times not.
What identifier should I use with Dynamic DNS? I have tried entering my dyndns hostname as distinguished name and dynamic DNS, but neither seems to work (no policy found). Will the Dynamic DNS option even work given that the firewall isn't the edge device - it's behind an ethernet router?
If I can't get this working in the next couple of days, I'll have to look at downgrading to 2.1.5~~
-
Update:
~~Okay, I've switched Negotiation mode from "Aggressive" to "Main" and I'm getting as far as Shrewsoft bringing up the tunnel and then just hanging.
In the Shrewsoft VPN Trace I get "peer AUTHENTICATION-FAILED notification"
And in the ipsec.log file: no trusted RSA public key found for 'vpnusers@some.domain'
So that's a little progress.~~
-
I gave up on mutual RSA. I also gave up on mutual PSK+XAUTH. I'm now only using mutual PSK. And it's still not working - I think I have NAT issues to contend with.
-
Hai,
I'm trying to create an IPSEC VPN connection as a mobile user from a machine where I work to my home network. On my home network I have an ethernet router provided by my ISP which is connected to the WAN port of my pfSense firewall.
I have configured phase one and phase two as follows:
Configuration not ideal as I'm on dynamic IP, but let's get something working for now and then resolve dynamic IP problem later.
I can create the tunnel and everything seems almost hunky dory:
Even the security associations and policies get created:
But all is not well. I cannot interact with anything on either side of the VPN tunnel. I have created an IPSEC firewall rule allowing any to any. I have forced NAT-T wherever possible. I have automatic outbound NAT rules enabled. I suspect there is a NAT issue. But before I look at that, something else strikes me as odd:
Look again at the tunnel end points in those last two screen shots. They are using the WAN IP address of the firewall itself, not my external IP. Could this be the problem?
Or are the automatically generated outbound NAT rules overwriting some BINAT-iness?
Please help
Yours royally confused
Afasoas
-
Thankfully I now have this working. I bridged the ADSL router so the WAN interface had my actual external IP. I tweaked phase 2 entry to use 0.0.0.0/0 as local network. Finally I removed the auto generated NAT rules for port 500.
-
Thankfully I now have this working. I bridged the ADSL router so the WAN interface had my actual external IP. I tweaked phase 2 entry to use 0.0.0.0/0 as local network. Finally I removed the auto generated NAT rules for port 500.
That is normal if your modem did not forward port 500/4500 to pfSense!
Also you would need to configure identities properly in this case.
-
I did have the ADSL router forwarding ports 500/4500.
Unfortunately I'm having phase 2 issues again. Although I'm intermittently getting a connection, the following is regularly logged:
15/02/11 08:47:44 ii : received config pull response
15/02/11 08:47:44 ii : - IP4 Address = 192.168.171.2
15/02/11 08:47:44 ii : - Unkown VARIABLE 28676 = 14 bytes
15/02/11 08:47:44 DB : config resend event canceled ( ref count = 1 )
15/02/11 08:47:44 !! : invalid private netmask, defaulting to 255.255.255.0
15/02/11 08:47:44 ii : enabled adapter ROOT\VNET\0004
15/02/11 08:47:44 ii : apapter ROOT\VNET\0004 MTU is 1200
15/02/11 08:47:44 ii : generating IPSEC security policies at UNIQUE level
15/02/11 08:47:44 ii : creating NONE INBOUND policy ANY:2.97.51.104:* -> ANY:10.2.1.131:*
15/02/11 08:47:44 DB : policy added ( obj count = 2 )
15/02/11 08:47:44 K> : send pfkey X_SPDADD UNSPEC message
15/02/11 08:47:44 ii : creating NONE OUTBOUND policy ANY:10.2.1.131:* -> ANY:2.97.51.104:*
15/02/11 08:47:44 K< : recv pfkey X_SPDADD UNSPEC message
15/02/11 08:47:44 DB : policy found
15/02/11 08:47:44 ii : created NONE policy route for 2.97.51.104/32
15/02/11 08:47:44 DB : policy added ( obj count = 3 )
15/02/11 08:47:44 K> : send pfkey X_SPDADD UNSPEC message
15/02/11 08:47:44 K< : recv pfkey X_SPDADD UNSPEC message
15/02/11 08:47:44 DB : policy found
15/02/11 08:47:44 ii : calling init phase2 for nailed policy
15/02/11 08:47:44 DB : policy found
15/02/11 08:47:44 DB : policy not found
15/02/11 08:47:44 !! : unable to locate inbound policy for init phase2
15/02/11 08:47:44 ii : creating NONE INBOUND policy ANY:10.2.0.1:* ->
I thought I'd read somewhere that the network mask for the virtual address range assigned to the client should match the subnet mask of the local subnet?
On a different note, I've just had a connection for about five minutes. Then it looks like DPD decided the gateway was down. And sure enough when I try and reconnect phase 1 is timing out. I'll have to investigate what happened to the gateway when I get home. Tres frustrating!
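An added triage helper for trace output of the kind quoted in the post above (my example, not code from this thread or from the ShrewSoft project). It assumes only the line layout visible in the quoted log, `<dd/mm/yy hh:mm:ss> <tag> : <message>`; it pulls out the attributes the gateway pushed in the config pull response, counts the policy lookups, and flags the failure messages this thread has run into, with the cause the thread itself identified for each. The sample lines are copied from the quoted log.

```python
"""Triage helper for ShrewSoft VPN Trace lines (added example, not project code).

Assumed line layout, taken from the log quoted in the thread:
    <dd/mm/yy hh:mm:ss> <tag> : <message>
where tag is ii (info), DB (policy database), !! (warning/error),
K> / K< (pfkey message sent / received).
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tag>\S+)\s*: (?P<msg>.*)$"
)

# Failure messages seen in this thread, each paired with the setting the
# thread found responsible. Keys are substrings of the log message.
SIGNATURES = {
    "phase1 id type mismatch":
        "phase 1 identifier types differ between pfSense (My/Peer identifier) "
        "and ShrewSoft (Local/Remote identity)",
    "AUTHENTICATION-FAILED":
        "gateway rejected phase 1 authentication for the offered identity",
    "no trusted RSA public key":
        "mutual RSA selected but the gateway holds no trusted key for the client identity",
    "invalid private netmask":
        "config pull response carried no usable netmask; client fell back to 255.255.255.0",
    "unable to locate inbound policy for init phase2":
        "phase 2 local network on the gateway does not cover the client's selector "
        "(thread fix: 0.0.0.0/0 as local network)",
}


@dataclass
class Entry:
    ts: str
    tag: str
    msg: str


def parse(text):
    """Return parsed entries; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["tag"], m["msg"]))
    return entries


def config_pull(entries):
    """Collect the '- <name> = <value>' attributes from the config pull response."""
    attrs = {}
    for e in entries:
        if e.tag == "ii" and e.msg.startswith("- ") and " = " in e.msg:
            key, _, val = e.msg[2:].partition(" = ")
            attrs[key] = val
    return attrs


def findings(entries):
    """Return (timestamp, message, explanation) for every known failure line."""
    out = []
    for e in entries:
        for sig, why in SIGNATURES.items():
            if sig in e.msg:
                out.append((e.ts, e.msg, why))
    return out


def policy_counters(entries):
    """Count 'policy found' versus 'policy not found' lookups in the DB lines."""
    found = sum(1 for e in entries if e.tag == "DB" and e.msg == "policy found")
    missing = sum(1 for e in entries if e.tag == "DB" and e.msg == "policy not found")
    return found, missing


# Constructed sample: a subset of the log quoted in the thread.
SAMPLE = """\
15/02/11 08:47:44 ii : received config pull response
15/02/11 08:47:44 ii : - IP4 Address = 192.168.171.2
15/02/11 08:47:44 ii : - Unkown VARIABLE 28676 = 14 bytes
15/02/11 08:47:44 !! : invalid private netmask, defaulting to 255.255.255.0
15/02/11 08:47:44 DB : policy found
15/02/11 08:47:44 DB : policy not found
15/02/11 08:47:44 !! : unable to locate inbound policy for init phase2
"""

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("config pull attributes:", config_pull(entries))
    print("policy lookups (found, not found):", policy_counters(entries))
    for ts, msg, why in findings(entries):
        print(f"{ts}  {msg}\n    -> {why}")
```

Run it against a saved VPN Trace and the first thing to read is the config pull block: if no netmask attribute appears there, the "invalid private netmask" line that follows is a consequence, not a separate fault.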
-
Disable reauthentication from the GUI and just keep rekey to maybe solve your last issue.
-
Okay, questions:
1. Does ShrewSoft support IKE v2? I'm currently using IKE v1 because I didn't think Shrewsoft supported v2.
2. The GUI states "Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."
So checking the box might not actually change anything? … please correct me if I'm wrong.
Thanks
A