Reply to IPsec configuration to support both aggressive and main IKE negotiation modes? on Tue, 21 Apr 2015 01:53:42 GMT

ShutterBC — Tue, 21 Apr 2015 01:53:42 GMT

Thanks jimp.

Unfortunately my results appear to be slightly different. I get this "none allows XAuthInitPSK authentication using Main Mode" error.


Apr 20 21:23:21	charon: 09[IKE] <24> 166.xx.xx.xx is initiating a Main Mode IKE_SA
Apr 20 21:23:21	charon: 09[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
Apr 20 21:23:21	charon: 09[NET] <24> sending packet: from 72.xx.xx.xx[500] to 166.xx.xx.xx[500] (180 bytes)
Apr 20 21:23:21	charon: 09[NET] <24> received packet: from 166.xx.xx.xx[500] to 72.xx.xx.xx[500] (228 bytes)
Apr 20 21:23:21	charon: 09[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 20 21:23:21	charon: 09[IKE] <24> remote host is behind NAT
Apr 20 21:23:21	charon: 09[IKE] <24> remote host is behind NAT
Apr 20 21:23:21	charon: 09[ENC] <24> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 20 21:23:21	charon: 09[NET] <24> sending packet: from 72.xx.xx.xx[500] to 166.xx.xx.xx[500] (244 bytes)
Apr 20 21:23:22	charon: 09[NET] <24> received packet: from 166.xx.xx.xx[4500] to 72.xx.xx.xx[4500] (92 bytes)
Apr 20 21:23:22	charon: 09[ENC] <24> parsed ID_PROT request 0 [ ID HASH ]
Apr 20 21:23:22	charon: 09[CFG] <24> looking for XAuthInitPSK peer configs matching 72.xx.xx.xx...166.xx.xx.xx[10.104.175.66]
Apr 20 21:23:22	charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
Apr 20 21:23:22	charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
Apr 20 21:23:22	charon: 09[ENC] <24> generating INFORMATIONAL_V1 request 3999605427 [ HASH N(AUTH_FAILED) ]

Android client is the main mode initiator, pfsense is the aggressive mode responder.

The "auto" mode that I can find on my settings is the IKE version, not negotiation mode. I'm sticking with V1 due to the clients I'm using for road warrior use.

I'm using IP address for the identifier. I think this is OK, right? Under the following guide it mentions that the identifier should match, but then I think I wouldn't get "found 2 matching configs" right?
https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes

(and yes, I have a site to site configuration and a road warrior configuration, hence 2 configs)

Thanks!

Reply to IPsec configuration to support both aggressive and main IKE negotiation modes? on Fri, 17 Apr 2015 19:41:38 GMT

jimp — Fri, 17 Apr 2015 19:41:38 GMT

If Phase 1 is set to Aggressive, strongSwan will still allow a main mode client to negotiate. Or at least it has in my testing. See https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

When the two sites were mismatched on one main and one on aggressive, if the main side initiated, the tunnel would still come up.

Reply to IPsec configuration to support both aggressive and main IKE negotiation modes? on Tue, 14 Apr 2015 10:26:40 GMT

eri-- — Tue, 14 Apr 2015 10:26:40 GMT

Yes there is on 2.2.1 you can select auto on your IKE phase1 configuration.
Hopefully that will allow you to connect.

Reply to IPsec configuration to support both aggressive and main IKE negotiation modes? on Mon, 13 Apr 2015 21:41:25 GMT

doktornotor — Mon, 13 Apr 2015 21:41:25 GMT

No, not ATM.