IPSEC + Mobile Client on 2.2.2



  • After upgrading from 2.1.5 to 2.2.2 (racoon -> strongswan), a problem appeared with the authorization of mobile clients. They connect from Windows using the ShrewSoft VPN client on Windows, and their logins/passwords are stored under Pre-Shared Keys. The tunnel only comes up normally for the clients whose identifier and pre-shared key are defined in Phase 1.

    Phase1 General Information:
    Internet Protocol: IPv4
    Interface: WAN
    Description:

    Phase1 proposal (Authentication):
    Authentication method: “Mutual PSK + Xauth”
    Negotiation mode: aggressive
    My identifier: “My IP address”
    Peer Identifier: “Distinguished name”: “user1”
    Pre-Shared Key: “test121212”
    Encryption algorithm: “AES-256”
    Hash algorithm: “SHA1”
    DH Group: “2(1024 bit)”
    Lifetime: “28800”

    Advanced Options:
    NAT Traversal: “AUTO”
    Dead Peer Detection: “Enabled”
    --------------------------------------------------
    ipsec.secrets:

    x.x.x.x user1 : PSK 0sMjU0NTG2NzE=
    %any Directorat : PSK 0sRnJjPKV0SDdCMiRh
    %any Users : PSK 0sUJJVCZTgKcGhlcEBL

    where x.x.x.x is the public ("white") WAN IP of my gateway

    A similar thread, but it was never resolved :(
    https://forum.pfsense.org/index.php?topic=90917.0



  • Can we see the strongswan logs and the client logs?



  • ShrewSoft:

    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel …
    gateway authentication error
    tunnel disabled
    detached from key daemon

    Pfsense (01.01.01.01 - Pfsense IP, 01.01.01.01 - Client IP )

    May 13 23:08:15 charon: 11[JOB] <con1|75> deleting half open IKE_SA after timeout
    May 13 23:08:09 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
    May 13 23:08:09 charon: 11[IKE] <con1|75> sending retransmit 3 of response message ID 0, seq 1
    May 13 23:08:09 charon: 11[IKE] <con1|75> sending retransmit 3 of response message ID 0, seq 1
    May 13 23:07:56 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
    May 13 23:07:56 charon: 11[IKE] <con1|75> sending retransmit 2 of response message ID 0, seq 1
    May 13 23:07:56 charon: 11[IKE] <con1|75> sending retransmit 2 of response message ID 0, seq 1
    May 13 23:07:49 charon: 11[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
    May 13 23:07:49 charon: 11[IKE] <con1|75> sending retransmit 1 of response message ID 0, seq 1
    May 13 23:07:49 charon: 11[IKE] <con1|75> sending retransmit 1 of response message ID 0, seq 1
    May 13 23:07:45 charon: 11[IKE] <con1|75> INFORMATIONAL_V1 request with message ID 112631362 processing failed
    May 13 23:07:45 charon: 11[IKE] <con1|75> INFORMATIONAL_V1 request with message ID 112631362 processing failed
    May 13 23:07:45 charon: 11[IKE] <con1|75> ignore malformed INFORMATIONAL request
    May 13 23:07:45 charon: 11[IKE] <con1|75> ignore malformed INFORMATIONAL request
    May 13 23:07:45 charon: 11[IKE] <con1|75> message parsing failed
    May 13 23:07:45 charon: 11[IKE] <con1|75> message parsing failed
    May 13 23:07:45 charon: 11[ENC] <con1|75> could not decrypt payloads
    May 13 23:07:45 charon: 11[ENC] <con1|75> invalid HASH_V1 payload length, decryption failed?
    May 13 23:07:45 charon: 11[NET] <con1|75> received packet: from 02.02.02.02[4500] to 01.01.01.01[4500] (92 bytes)
    May 13 23:07:45 charon: 06[IKE] <con1|75> AGGRESSIVE request with message ID 0 processing failed
    May 13 23:07:45 charon: 06[IKE] <con1|75> AGGRESSIVE request with message ID 0 processing failed
    May 13 23:07:45 charon: 06[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (76 bytes)
    May 13 23:07:45 charon: 06[ENC] <con1|75> generating INFORMATIONAL_V1 request 1042202228 [ HASH N(PLD_MAL) ]
    May 13 23:07:45 charon: 06[IKE] <con1|75> message parsing failed
    May 13 23:07:45 charon: 06[IKE] <con1|75> message parsing failed
    May 13 23:07:45 charon: 06[ENC] <con1|75> could not decrypt payloads
    May 13 23:07:45 charon: 06[ENC] <con1|75> invalid HASH_V1 payload length, decryption failed?
    May 13 23:07:45 charon: 06[NET] <con1|75> received packet: from 02.02.02.02[4500] to 01.01.01.01[4500] (108 bytes)
    May 13 23:07:45 charon: 06[NET] <con1|75> sending packet: from 01.01.01.01[500] to 02.02.02.02[500] (436 bytes)
    May 13 23:07:45 charon: 06[ENC] <con1|75> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    May 13 23:07:45 charon: 06[CFG] <75> selected peer config "con1"
    May 13 23:07:45 charon: 06[CFG] <75> looking for XAuthInitPSK peer configs matching 01.01.01.01...02.02.02.02[Users]
    May 13 23:07:45 charon: 06[IKE] <75> 02.02.02.02 is initiating a Aggressive Mode IKE_SA
    May 13 23:07:45 charon: 06[IKE] <75> 02.02.02.02 is initiating a Aggressive Mode IKE_SA
    May 13 23:07:45 charon: 06[IKE] <75> received Cisco Unity vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received Cisco Unity vendor ID
    May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
    May 13 23:07:45 charon: 06[IKE] <75> received DPD vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received DPD vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received FRAGMENTATION vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received FRAGMENTATION vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received NAT-T (RFC 3947) vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received NAT-T (RFC 3947) vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 13 23:07:45 charon: 06[ENC] <75> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received XAuth vendor ID
    May 13 23:07:45 charon: 06[IKE] <75> received XAuth vendor ID

    For comparison, the log from the Cisco client:

    Cisco Systems VPN Client Version 5.0.07.0410
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    Config file directory: C:\Program Files\Cisco Systems\VPN Client\

    1      23:14:16.872  05/13/15  Sev=Warning/3 IKE/0xE3000057
    The received HASH payload cannot be verified

    2      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE300007E
    Hash verification failed... may be configured with invalid group password.

    3      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE300009B
    Failed to authenticate peer (Navigator:915)

    4      23:14:16.872  05/13/15  Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
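As an added illustration (this is not code from the thread, pfSense or strongSwan): a small Python triage script that reads charon lines in the format posted above, recognises the aggressive-mode pattern both logs show (the responder sends its AGGRESSIVE response, then the client's next encrypted message fails with "invalid HASH_V1 payload length, decryption failed?"), extracts the identity strongSwan matched in the "looking for ... peer configs matching" line, and looks up which ipsec.secrets entry the responder would have used for that identity. The log excerpt and the secrets file in it are constructed to mirror the thread's layout with dummy secrets, and the selector matching is a simplified model of strongSwan's selection, which is an assumption noted in the code.

```python
import base64
import re

# Constructed charon excerpt in the format of the lines posted above (same
# addresses and SA number as the thread, trimmed; not a real capture).
SAMPLE_LOG = """\
May 13 23:07:45 charon: 06[IKE] <75> 02.02.02.02 is initiating a Aggressive Mode IKE_SA
May 13 23:07:45 charon: 06[CFG] <75> looking for XAuthInitPSK peer configs matching 01.01.01.01...02.02.02.02[Users]
May 13 23:07:45 charon: 06[CFG] <75> selected peer config "con1"
May 13 23:07:45 charon: 06[ENC] <con1|75> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
May 13 23:07:45 charon: 06[NET] <con1|75> received packet: from 02.02.02.02[4500] to 01.01.01.01[4500] (108 bytes)
May 13 23:07:45 charon: 06[ENC] <con1|75> invalid HASH_V1 payload length, decryption failed?
May 13 23:07:45 charon: 06[ENC] <con1|75> could not decrypt payloads
May 13 23:07:45 charon: 06[IKE] <con1|75> AGGRESSIVE request with message ID 0 processing failed
May 13 23:08:15 charon: 11[JOB] <con1|75> deleting half open IKE_SA after timeout
"""

# Constructed ipsec.secrets in the layout the thread shows; the secrets are dummies.
SAMPLE_SECRETS = """\
01.01.01.01 user1 : PSK 0sMjU0NTM2NzE=
%any Directorat : PSK 0sRGlyMTIz
%any Users : PSK 0sdGVzdDEyMTIxMg==
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) charon: (?P<thread>\d+)\[(?P<group>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$")
MATCHING_RE = re.compile(
    r"looking for \w+ peer configs matching (?P<local>\S+?)\.\.\.(?P<peer>[^\[]+)\[(?P<id>[^\]]+)\]")
SECRET_RE = re.compile(r"^(?P<selectors>[^:#]*?)\s*:\s*PSK\s+(?P<secret>\S+)")


def triage(log_text):
    """Group charon lines by IKE_SA number and classify how each SA ended."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], {"conn": None, "local": None, "peer": None, "peer_id": None,
                                      "response_sent": False, "decrypt_failed": False, "timed_out": False})
        if m["conn"]:
            sa["conn"] = m["conn"]
        msg = m["msg"]
        mm = MATCHING_RE.search(msg)
        if mm:  # the identity the responder used to pick the peer config and the PSK
            sa["local"], sa["peer"], sa["peer_id"] = mm["local"], mm["peer"], mm["id"]
        elif msg.startswith("generating AGGRESSIVE response"):
            sa["response_sent"] = True
        elif "decryption failed" in msg or msg == "could not decrypt payloads":
            sa["decrypt_failed"] = True
        elif "deleting half open IKE_SA" in msg:
            sa["timed_out"] = True
    for sa in sas.values():
        sa["verdict"] = classify(sa)
    return sas


def classify(sa):
    if sa["response_sent"] and sa["decrypt_failed"]:
        # We answered message 1, and the peer's next (encrypted) message did not
        # decrypt: both ends derived SKEYID from different PSKs for this identity.
        return "psk_mismatch"
    if sa["response_sent"] and sa["timed_out"]:
        return "no_reply_after_response"   # packet loss, NAT-T, or the client gave up
    return "incomplete"


def load_secrets(text):
    """Return [(selectors, secret_token)] for the PSK lines of an ipsec.secrets file."""
    return [(m["selectors"].split(), m["secret"])
            for m in map(SECRET_RE.match, (l.strip() for l in text.splitlines())) if m]


def selector_matches(selector, identity):
    # Simplified model (assumption): %any matches anything; a leading '@' only
    # marks an FQDN identity and is not part of the name that is compared.
    return selector == "%any" or selector.lstrip("@") == identity.lstrip("@")


def candidate_secrets(entries, local, peer_id):
    """Entries whose selectors cover local and peer with two distinct selectors,
    ranked so that exact matches beat %any (roughly how strongSwan prefers)."""
    hits = []
    for selectors, secret in entries:
        best = None
        for i, s_local in enumerate(selectors):
            for j, s_peer in enumerate(selectors):
                if i != j and selector_matches(s_local, local) and selector_matches(s_peer, peer_id):
                    score = (s_local != "%any") + (s_peer != "%any")
                    best = score if best is None else max(best, score)
        if best is not None:
            hits.append((best, selectors, secret))
    return [(sel, sec) for _, sel, sec in sorted(hits, key=lambda h: -h[0])]


def decode_psk(token):
    """strongSwan secret tokens: '0s' prefix = base64, '0x' = hex, otherwise a literal."""
    if token.startswith("0s"):
        return base64.b64decode(token[2:]).decode("utf-8", "replace")
    if token.startswith("0x"):
        return bytes.fromhex(token[2:]).decode("utf-8", "replace")
    return token.strip('"')


def report(log_text, secrets_text):
    entries = load_secrets(secrets_text)
    lines = []
    for num, sa in triage(log_text).items():
        line = f"IKE_SA {num} ({sa['conn']}) peer={sa['peer']} id={sa['peer_id']}: {sa['verdict']}"
        if sa["verdict"] == "psk_mismatch":
            hits = candidate_secrets(entries, sa["local"], sa["peer_id"])
            if hits:
                used = "; ".join(f"'{' '.join(sel)}' -> {decode_psk(sec)!r}" for sel, sec in hits)
                line += f"; responder used {used}; client must send exactly that for id {sa['peer_id']}"
            else:
                line += "; no ipsec.secrets entry covers this identity"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SAMPLE_SECRETS)))
```

The reason this pattern points at the PSK rather than at proposals or firewalling: in IKEv1 aggressive mode both sides derive SKEYID (and from it the encryption key) from the pre-shared key, so when the gateway's secret for the identity it matched (here `Users`) differs from what the client typed, the client's third message, which ShrewSoft sends encrypted over UDP 4500 once NAT-T is detected, cannot be decrypted and charon reports exactly the "invalid HASH_V1 payload length, decryption failed?" / "could not decrypt payloads" pair, then retransmits its response until the half-open SA times out. The Cisco client sees the same mismatch from the initiator side: its "Hash verification failed... may be configured with invalid group password" is HASH_R failing to verify under its own PSK. On pfSense, ipsec.secrets is generated from the GUI, so the fix belongs in the Phase 1 entry or the Pre-Shared Keys tab, not in the file itself.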



  • Correction
    Pfsense (01.01.01.01 - Pfsense IP, 02.02.02.02 - Client IP )

    I also noticed that the Peer identifier defined in Phase 1 is not taken into account for the client, i.e. the tunnel comes up with any identifier, as long as the password (Pre-Shared Key) matches.



  • same error! >:(



  • Upgraded to 2.2.3. The Pre-Shared Keys problem got solved exactly the other way around: now authorization with the key from Phase 1 fails :(
    I noticed that ipsec.secrets changed: an @ sign was added in front of the key's identifier from Phase 1, which apparently is the bug...

    ipsec.secrets:

    x.x.x.x @user1 : PSK 0sMjU0NTM2NzE=
    x.x.x.x Directorat : PSK 0sRnVjP3V0SDdCMiRh

