Netgate Discussion Forum

    IPSEC + Mobile Client on 2.2.2

    6 Posts 3 Posters 1.9k Views
      petruha5

      After upgrading from 2.1.5 to 2.2.2 (racoon -> strongswan) a problem appeared with the authentication of mobile clients. They connect from Windows machines using the ShrewSoft VPN client, and their logins and passwords are stored under Pre-Shared Keys. The tunnel only comes up normally for clients whose identifier and pre-shared key are defined in Phase 1.

      Phase1 General Information:
      Internet Protocol: IPv4
      Interface: WAN
      Description:

      Phase1 proposal (Authentication):
      Authentication method: “Mutual PSK + Xauth”
      Negotiation mode: aggressive
      My identifier: “My IP address”
      Peer Identifier: “Distinguished name”: “user1”
      Pre-Shared Key: “test121212”
      Encryption algorithm: “AES-256”
      Hash algorithm: “SHA1”
      DH Group: “2(1024 bit)”
      Lifetime: “28800”

      Advanced Options:
      NAT Traversal: “AUTO”
      Dead Peer Detection: “Enabled”
      --------------------------------------------------
      ipsec.secrets:

      x.x.x.x user1 : PSK 0sMjU0NTG2NzE=
      %any Directorat : PSK 0sRnJjPKV0SDdCMiRh
      %any Users : PSK 0sUJJVCZTgKcGhlcEBL

      , where x.x.x.x is the public ("white") WAN IP of my gateway

      A similar topic, but it was never resolved :(
      https://forum.pfsense.org/index.php?topic=90917.0

        werter

        Can we see the strongswan logs and the client logs?

          petruha5

          ShrewSoft:

          peer configured
          iskamp proposal configured
          esp proposal configured
          client configured
          local id configured
          remote id configured
          pre-shared key configured
          bringing up tunnel …
          gateway authentication error
          tunnel disabled
          detached from key daemon

          Pfsense (01.01.01.01 - Pfsense IP, 01.01.01.01 - Client IP )

          May 13 23:08:15 charon: 11[JOB] <con1|75> deleting half open IKE_SA after timeout
          May 13 23:08:09 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
          May 13 23:08:09 charon: 11[IKE] <con1|75> sending retransmit 3 of response message ID 0, seq 1
          May 13 23:08:09 charon: 11[IKE] <con1|75> sending retransmit 3 of response message ID 0, seq 1
          May 13 23:07:56 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
          May 13 23:07:56 charon: 11[IKE] <con1|75> sending retransmit 2 of response message ID 0, seq 1
          May 13 23:07:56 charon: 11[IKE] <con1|75> sending retransmit 2 of response message ID 0, seq 1
          May 13 23:07:49 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
          May 13 23:07:49 charon: 11[IKE] <con1|75> sending retransmit 1 of response message ID 0, seq 1
          May 13 23:07:49 charon: 11[IKE] <con1|75> sending retransmit 1 of response message ID 0, seq 1
          May 13 23:07:45 charon: 11[IKE] <con1|75> INFORMATIONAL_V1 request with message ID 112631362 processing failed
          May 13 23:07:45 charon: 11[IKE] <con1|75> INFORMATIONAL_V1 request with message ID 112631362 processing failed
          May 13 23:07:45 charon: 11[IKE] <con1|75> ignore malformed INFORMATIONAL request
          May 13 23:07:45 charon: 11[IKE] <con1|75> ignore malformed INFORMATIONAL request
          May 13 23:07:45 charon: 11[IKE] <con1|75> message parsing failed
          May 13 23:07:45 charon: 11[IKE] <con1|75> message parsing failed
          May 13 23:07:45 charon: 11[ENC] <con1|75> could not decrypt payloads
          May 13 23:07:45 charon: 11[ENC] <con1|75> invalid HASH_V1 payload length, decryption failed?
          May 13 23:07:45 charon: 11[NET] <con1|75> received packet: from 02.02.02.02[4500] to 01.01.01.01[4500] (92 bytes)
          May 13 23:07:45 charon: 06[IKE] <con1|75> AGGRESSIVE request with message ID 0 processing failed
          May 13 23:07:45 charon: 06[IKE] <con1|75> AGGRESSIVE request with message ID 0 processing failed
          May 13 23:07:45 charon: 06[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (76 bytes)
          May 13 23:07:45 charon: 06[ENC] <con1|75> generating INFORMATIONAL_V1 request 1042202228 [ HASH N(PLD_MAL) ]
          May 13 23:07:45 charon: 06[IKE] <con1|75> message parsing failed
          May 13 23:07:45 charon: 06[IKE] <con1|75> message parsing failed
          May 13 23:07:45 charon: 06[ENC] <con1|75> could not decrypt payloads
          May 13 23:07:45 charon: 06[ENC] <con1|75> invalid HASH_V1 payload length, decryption failed?
          May 13 23:07:45 charon: 06[NET] <con1|75> received packet: from 02.02.02.02[4500] to 01.01.01.01[4500] (108 bytes)
          May 13 23:07:45 charon: 06[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
          May 13 23:07:45 charon: 06[ENC] <con1|75> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
          May 13 23:07:45 charon: 06[CFG] <75> selected peer config "con1"
          May 13 23:07:45 charon: 06[CFG] <75> looking for XAuthInitPSK peer configs matching 01.01.01.01…02.02.02.02[Users]
          May 13 23:07:45 charon: 06[IKE] <75> 02.02.02.02 is initiating a Aggressive Mode IKE_SA
          May 13 23:07:45 charon: 06[IKE] <75> 02.02.02.02 is initiating a Aggressive Mode IKE_SA
          May 13 23:07:45 charon: 06[IKE] <75> received Cisco Unity vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received Cisco Unity vendor ID
          May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
          May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
          May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
          May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
          May 13 23:07:45 charon: 06[IKE] <75> received DPD vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received DPD vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received FRAGMENTATION vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received FRAGMENTATION vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received NAT-T (RFC 3947) vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received NAT-T (RFC 3947) vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
          May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received XAuth vendor ID
          May 13 23:07:45 charon: 06[IKE] <75> received XAuth vendor ID

          For comparison, the log of the Cisco client:

          Cisco Systems VPN Client Version 5.0.07.0410
          Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
          Client Type(s): Windows, WinNT
          Running on: 6.1.7601 Service Pack 1
          Config file directory: C:\Program Files\Cisco Systems\VPN Client\

          1      23:14:16.872  05/13/15  Sev=Warning/3 IKE/0xE3000057
          The received HASH payload cannot be verified

          2      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE300007E
          Hash verification failed… may be configured with invalid group password.

          3      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE300009B
          Failed to authenticate peer (Navigator:915)

          4      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE30000A7
          Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

            petruha5

            Correction
            Pfsense (01.01.01.01 - Pfsense IP, 02.02.02.02 - Client IP )

            I also noticed that the Peer identifier defined in Phase 1 is not taken into account for the client, i.e. the tunnel comes up with any identifier, as long as the password (Pre-Shared Key) matches.

              calvinw.hk

              same error !  >:(

                petruha5

                Upgraded to 2.2.3. The Pre-Shared Keys problem was fixed exactly the other way round: now authentication with the key from Phase 1 fails :(
                I noticed that ipsec.secrets has changed: an @ sign was added to the key from Phase 1. Apparently that is where the mistake is...

                ipsec.secrets:

                x.x.x.x @user1 : PSK 0sMjU0NTM2NzE=
                x.x.x.x Directorat : PSK 0sRnVjP3V0SDdCMiRh

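To make the selector matching in the two ipsec.secrets files above (the 2.2.2 file from the first post and the 2.2.3 file from the last one) concrete, here is an added Python model; it is not pfSense's or strongSwan's own code. It parses `selector ... : PSK secret` lines and picks the key for a (local IP, peer identity) pair; the selector rules it applies are a labelled simplification of strongSwan's syntax, and the sample files and key values are constructed.

```python
# Added example, not pfSense or strongSwan code: a simplified model of how an
# ipsec.secrets PSK line is chosen for an incoming IKEv1 peer. Assumed selector
# rules (a simplification of strongSwan's syntax): '%any' matches anything,
# '@name' is an FQDN identity, an IP literal matches that IP only, and any
# other bare token is treated as a KEY_ID identity.
import ipaddress

def parse_id(token):
    """Classify one selector token into an (id_type, value) pair."""
    if token == "%any":
        return ("ANY", "")
    if token.startswith("@"):
        return ("FQDN", token[1:])
    try:
        return ("IP", str(ipaddress.ip_address(token)))
    except ValueError:
        return ("KEY_ID", token)

def parse_secrets(text):
    """Parse 'selector ... : PSK secret' lines into (selectors, psk) tuples."""
    entries = []
    for line in text.splitlines():
        left, _, right = line.partition(":")
        fields = right.split()
        if len(fields) == 2 and fields[0] == "PSK":
            entries.append(([parse_id(t) for t in left.split()], fields[1]))
    return entries

def match_psk(entries, local_ip, peer_id):
    """Return the PSK whose selectors best fit (local IP, peer identity).
    Exact selector matches outrank '%any'; None if no entry matches."""
    wanted = [("IP", local_ip), peer_id]
    best = (-1, None)
    for selectors, psk in entries:
        pairs = list(zip(selectors, wanted))
        if all(s[0] == "ANY" or s == w for s, w in pairs):
            score = sum(s == w for s, w in pairs)
            if score > best[0]:
                best = (score, psk)
    return best[1]

# Constructed sample files modelled on the thread; PSK values are placeholders.
SECRETS_222 = """203.0.113.1 user1 : PSK 0sPHASE1_KEY
%any Directorat : PSK 0sDIRECTORAT_KEY
%any Users : PSK 0sUSERS_KEY"""
SECRETS_223 = """203.0.113.1 @user1 : PSK 0sPHASE1_KEY
203.0.113.1 Directorat : PSK 0sDIRECTORAT_KEY"""
```

Under these rules a peer presenting the KEY_ID `user1` gets the Phase 1 key from the 2.2.2 file but nothing from the 2.2.3 file, where `@user1` only matches an FQDN identity; a peer presenting an unknown KEY_ID falls through to the `%any` lines in the 2.2.2 file and to nothing in the 2.2.3 file.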
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.