IPsec configuration to support both aggressive and main IKE negotiation modes?



  • I'm not sure this particular combination has been posted before, so sorry if this is a dupe. Here's my situation:

    I can get a Road Warrior configuration working with Android using the following guide:
    https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    However, I ran into an issue where Android 5.x doesn't work properly using IKE aggressive negotiation mode, so I changed it to main mode (as described in this post: https://forum.pfsense.org/index.php?topic=87655.30).

    Now I have another problem – I can't get my Mac OS X Mavericks system to connect using Main mode, and it wants to work using aggressive mode.

    Is there a way I can support a road warrior configuration for both IKE negotiation methods?


  • Banned

    No, not ATM.



  • Yes there is: on 2.2.1 you can select auto on your IKE phase 1 configuration.
    Hopefully that will allow you to connect.


  • Rebel Alliance Developer Netgate

    If Phase 1 is set to Aggressive, strongSwan will still allow a main mode client to negotiate. Or at least it has in my testing. See https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

    When the two sites were mismatched, one on main and one on aggressive, if the main side initiated, the tunnel would still come up.



  • Thanks jimp.

    Unfortunately my results appear to be slightly different. I get this "none allows XAuthInitPSK authentication using Main Mode" error.

    
    Apr 20 21:23:21	charon: 09[IKE] <24> 166.xx.xx.xx is initiating a Main Mode IKE_SA
    Apr 20 21:23:21	charon: 09[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
    Apr 20 21:23:21	charon: 09[NET] <24> sending packet: from 72.xx.xx.xx[500] to 166.xx.xx.xx[500] (180 bytes)
    Apr 20 21:23:21	charon: 09[NET] <24> received packet: from 166.xx.xx.xx[500] to 72.xx.xx.xx[500] (228 bytes)
    Apr 20 21:23:21	charon: 09[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Apr 20 21:23:21	charon: 09[IKE] <24> remote host is behind NAT
    Apr 20 21:23:21	charon: 09[IKE] <24> remote host is behind NAT
    Apr 20 21:23:21	charon: 09[ENC] <24> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Apr 20 21:23:21	charon: 09[NET] <24> sending packet: from 72.xx.xx.xx[500] to 166.xx.xx.xx[500] (244 bytes)
    Apr 20 21:23:22	charon: 09[NET] <24> received packet: from 166.xx.xx.xx[4500] to 72.xx.xx.xx[4500] (92 bytes)
    Apr 20 21:23:22	charon: 09[ENC] <24> parsed ID_PROT request 0 [ ID HASH ]
    Apr 20 21:23:22	charon: 09[CFG] <24> looking for XAuthInitPSK peer configs matching 72.xx.xx.xx...166.xx.xx.xx[10.104.175.66]
    Apr 20 21:23:22	charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
    Apr 20 21:23:22	charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
    Apr 20 21:23:22	charon: 09[ENC] <24> generating INFORMATIONAL_V1 request 3999605427 [ HASH N(AUTH_FAILED) ]

    The Android client is the main mode initiator; pfSense is the aggressive mode responder.

    The "auto" mode that I can find on my settings is the IKE version, not negotiation mode. I'm sticking with V1 due to the clients I'm using for road warrior use.

    I'm using the IP address for the identifier. I think this is OK, right? The following guide mentions that the identifier should match, but then I think I wouldn't get "found 2 matching configs", right?
    https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes

    (and yes, I have a site to site configuration and a road warrior configuration, hence 2 configs)

    Thanks!
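
The charon log quoted in the post above can be checked mechanically. This is an added example, not code from the thread, pfSense or strongSwan: it groups charon lines by IKE_SA number and reports, per negotiation, whether the rejection was an identifier mismatch (no peer config matched) or, as in this case, a negotiation-mode mismatch (configs matched, but none allowed XAuthInitPSK in Main Mode). The sample lines are constructed from the post, with RFC 5737 documentation addresses in place of the masked octets.

```python
import re

# Constructed sample modelled on the charon lines quoted in the post above;
# the masked octets are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Apr 20 21:23:21 charon: 09[IKE] <24> 198.51.100.7 is initiating a Main Mode IKE_SA
Apr 20 21:23:22 charon: 09[CFG] <24> looking for XAuthInitPSK peer configs matching 203.0.113.5...198.51.100.7[10.104.175.66]
Apr 20 21:23:22 charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
Apr 20 21:23:22 charon: 09[IKE] <24> found 2 matching configs, but none allows XAuthInitPSK authentication using Main Mode
Apr 20 21:23:22 charon: 09[ENC] <24> generating INFORMATIONAL_V1 request 3999605427 [ HASH N(AUTH_FAILED) ]
Apr 20 21:24:01 charon: 11[IKE] <25> 198.51.100.9 is initiating an Aggressive Mode IKE_SA
"""

# <N> is charon's IKE_SA number; it ties the lines of one negotiation together.
LINE_RE = re.compile(r"charon: \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")
INIT_RE = re.compile(r"(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA")
NOCFG_RE = re.compile(r"found (?P<n>\d+) matching configs, but none allows "
                      r"(?P<auth>\S+) authentication using (?P<mode>Main|Aggressive) Mode")
AUTHFAIL_RE = re.compile(r"N\(AUTH_FAILED\)")

def analyse(log_text):
    """Group charon lines by IKE_SA; record peer, mode, auth method and outcome."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = sas.setdefault(int(m.group("sa")), {"peer": None, "mode": None, "auth": None,
                             "matching_configs": None, "mode_rejected": False, "auth_failed": False})
        msg = m.group("msg")
        init, nocfg = INIT_RE.search(msg), NOCFG_RE.search(msg)
        if init:
            rec["peer"], rec["mode"] = init.group("peer"), init.group("mode")
        elif nocfg:
            # Peer configs matched on addresses/IDs; only the negotiation mode was refused.
            rec["auth"] = nocfg.group("auth")
            rec["mode"] = rec["mode"] or nocfg.group("mode")
            rec["matching_configs"] = int(nocfg.group("n"))
            rec["mode_rejected"] = True
        elif AUTHFAIL_RE.search(msg):
            rec["auth_failed"] = True
    return sas

def explain(rec):
    """One-line verdict: identifier mismatch or negotiation-mode mismatch?"""
    if rec["mode_rejected"]:
        return (f"{rec['peer']} proposed {rec['mode']} Mode with {rec['auth']}: "
                f"{rec['matching_configs']} config(s) matched the addresses/IDs, "
                f"so the rejection is the negotiation mode, not the identifier")
    return f"{rec['peer']} proposed {rec['mode']} Mode; no config-selection error logged"
```

Run `explain()` over each record returned by `analyse()` on a real charon log to separate "no matching config" (identifier) failures from mode mismatches like the one in this thread.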

