2.2.4 upgrade from 2.1.5 - ipsec now disconnects mobile clients.



  • I've been reviewing the logs and nothing seems to jump at me.

    clients connect for 10 minutes or so and then disconnect. This config ran well for 3 years.
    Free pizza for whoever helps me figure this out!

    pfSense 2.2.4 on my hardware - IKEv1, aggressive, mutual PSK
    clients are windows 7/8 using latest shrew client

    Here's the ipsec log:
    Aug 3 22:07:27 charon: 14[CFG] <con1|5> lease 192.168.253.1 by 'scott@nci-mn.com' went offline
    Aug 3 22:07:27 charon: 14[NET] <con1|5> sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (84 bytes)
    Aug 3 22:07:27 charon: 14[ENC] <con1|5> generating INFORMATIONAL_V1 request 4183509262 [ HASH D ]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> sending DELETE for IKE_SA con1[5]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> sending DELETE for IKE_SA con1[5]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]...173.160.119.193[scott@nci-mn.com]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]...173.160.119.193[scott@nci-mn.com]
    Aug 3 22:07:27 charon: 14[NET] <con1|5> sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
    Aug 3 22:07:27 charon: 14[ENC] <con1|5> generating INFORMATIONAL_V1 request 3823818640 [ HASH D ]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> sending DELETE for ESP CHILD_SA with SPI c95903eb
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> sending DELETE for ESP CHILD_SA with SPI c95903eb
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
    Aug 3 22:07:27 charon: 14[NET] <con1|5> sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
    Aug 3 22:07:27 charon: 14[ENC] <con1|5> generating INFORMATIONAL_V1 request 2282457310 [ HASH D ]
    Aug 3 22:07:27 charon: 14[IKE] <con1|5> sending DELETE for ESP CHILD_SA with SPI c9da6911



  • Consider Windows' built-in Agile VPN (scroll down a lot), which works well using IKEv2. The password policy with Shrew Soft is annoying enough as it is to try something else.


  • Rebel Alliance Developer Netgate

    Not enough of the log there to say for sure what's happening.
    Set the logs for debugging as suggested at https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

    Consider switching to a newer style VPN such as https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 if your clients are all Windows 7 or later.



  • jimp,
    Thanks a ton for your recommendation - I went ahead with ikev2 implementation with eap per your recommendation.
    I really appreciate your help, and pizza can be yours when you are ready!

    I do have an existing issue:
    Basic setup is a 10.0.0.0/8 local network. The VPN is for remote users to access a local VoIP server. Remote users should not redirect other internet traffic through the VPN. All other routing to the internet should continue on the mobile users' internet connection.
    I have enabled the "provide a list of accessible networks to clients" feature.
    Virtual address pool is set up (192.168.250.0/24).

    When I connect using a Windows 8.1 client, it continues to route all internet traffic to the VPN host, and since that is not allowed, all other internet traffic dies. Traffic to 10.0.0.0/8 through the VPN then works correctly.

    What I want to do is route only 10.0.0.0/8 through the VPN.

    If I go to the VPN network adapter in Windows 8 and uncheck "use default gateway on remote network", then internet access on the mobile end works fine, but I cannot ping the 10.0.0.0/8 network.

    Something I am missing here?
    I hope to push the config from the firewall and limit the amount of hand tuning on the Windows 8.1 remotes.
    You have my email if you want some pizza!



  • routes without VPN connected:
    C:\Windows\system32>route print -4

    Interface List
      6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
      5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
      3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
      1...........................Software Loopback Interface 1
      7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113    25
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.50.0    255.255.254.0        On-link    192.168.50.113    281
      192.168.50.113  255.255.255.255        On-link    192.168.50.113    281
      192.168.51.255  255.255.255.255        On-link    192.168.50.113    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.50.113    281
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.50.113    281

    Persistent Routes:
      None

    Routes with VPN connected, with the VPN adapter set to not use the remote gateway:

    Interface List
    48...........................northerncapital-mn.com
      6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
      5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
      3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
      1...........................Software Loopback Interface 1
      7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113    25
      45.137.181.194  255.255.255.255    192.168.50.1  192.168.50.113    26
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.50.0    255.255.254.0        On-link    192.168.50.113    281
      192.168.50.113  255.255.255.255        On-link    192.168.50.113    281
      192.168.51.255  255.255.255.255        On-link    192.168.50.113    281
        192.168.250.0    255.255.255.0        On-link    192.168.250.1    26
        192.168.250.1  255.255.255.255        On-link    192.168.250.1    281
      192.168.250.255  255.255.255.255        On-link    192.168.250.1    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.50.113    281
            224.0.0.0        240.0.0.0        On-link    192.168.250.1    281
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.50.113    281
      255.255.255.255  255.255.255.255        On-link    192.168.250.1    281

    Persistent Routes:
      None

    And finally these are the routes when the VPN is connected and routes to the 10.0.0.0/8 network correctly.
    C:\Windows\system32>route print -4

    Interface List
    48...........................northerncapital-mn.com
      6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
      5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
      3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
      1...........................Software Loopback Interface 1
      7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113  4250
              0.0.0.0          0.0.0.0        On-link    192.168.250.1    26
      45.137.181.194  255.255.255.255    192.168.50.1  192.168.50.113  4251
            127.0.0.0        255.0.0.0        On-link        127.0.0.1  4531
            127.0.0.1  255.255.255.255        On-link        127.0.0.1  4531
      127.255.255.255  255.255.255.255        On-link        127.0.0.1  4531
        192.168.50.0    255.255.254.0        On-link    192.168.50.113  4506
      192.168.50.113  255.255.255.255        On-link    192.168.50.113  4506
      192.168.51.255  255.255.255.255        On-link    192.168.50.113  4506
        192.168.250.1  255.255.255.255        On-link    192.168.250.1    281
            224.0.0.0        240.0.0.0        On-link        127.0.0.1  4531
            224.0.0.0        240.0.0.0        On-link    192.168.50.113  4506
            224.0.0.0        240.0.0.0        On-link    192.168.250.1    26
      255.255.255.255  255.255.255.255        On-link        127.0.0.1  4531
      255.255.255.255  255.255.255.255        On-link    192.168.50.113  4506
      255.255.255.255  255.255.255.255        On-link    192.168.250.1    281

    Persistent Routes:
      None

    So, if strongSwan is providing a list of accessible networks, should it not be telling the Windows 8.1 client that the 10.0.0.0/8 network should route to the VPN and all other networks are accessed through the remote site's internet connection?



  • Hey Jimp,
    So I was able to uncheck the box on the Windows 8.1 VPN connection to not use the default gateway on the VPN router. This allows mobile clients to continue using their own ISP for internet traffic.
    Then I manually added a route for the 10.0.0.0/8 network, and that allows them to use the VoIP system at the office.

    However, I really don't want to have to train all the users to connect the Windows 8 VPN and then run a .cmd file to add the route.
    Since the pfSense 2.2.4 option to "provide a list of accessible networks" is checked, I'm not sure why this isn't working.

    I really appreciate anyone's help.

    thanks,
    scott
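Added example, not from the thread or from pfSense: the same two manual steps described above (unchecking "Use default gateway on remote network" and adding a route for 10.0.0.0/8) done once with the Windows VpnClient cmdlets, so the route is bound to the VPN connection object and comes up with every connect instead of needing a .cmd file each time. It assumes the Windows built-in IKEv2 client on Windows 8.1 or later (where `Add-VpnConnectionRoute` exists) and a connection name that is a placeholder here.

```powershell
# Added example (not from the forum thread). Makes an existing built-in Windows
# VPN connection split-tunnel: only the listed prefixes go through the tunnel,
# everything else keeps using the client's own ISP. Run as the user who owns the
# connection (add -AllUserConnection to each cmdlet for a machine-wide profile).
param(
    [string]$ConnectionName = "Office IKEv2 VPN",   # placeholder name (assumption)
    [string[]]$TunnelPrefixes = @("10.0.0.0/8")     # networks that must use the tunnel
)

# Fail early if the connection does not exist.
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling $true is the cmdlet equivalent of unchecking
# "Use default gateway on remote network" in the adapter's IPv4 settings.
if (-not $conn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Add each prefix as a per-connection route; Windows installs these on the
# tunnel interface each time the connection comes up and removes them on drop.
$current = @(Get-VpnConnectionRoute -ConnectionName $ConnectionName -ErrorAction SilentlyContinue)
foreach ($prefix in $TunnelPrefixes) {
    if (-not ($current | Where-Object { $_.DestinationPrefix -eq $prefix })) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
    }
}

# Show the resulting state so it can be checked before handing the profile out.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, TunnelType, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $ConnectionName
```

After connecting, `route print -4` should show 10.0.0.0/255.0.0.0 on the 192.168.250.x tunnel interface and the 0.0.0.0/0 default still pointing at the local gateway, matching the "not use remote gateway" table above plus the one route that was missing from it. Because the profile is a per-user object, the same script can be run once per user by a logon script or deployed centrally rather than taught to each user.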



  • So adding:

    push "route 10.0.0.0 255.0.0.0";

    in the Advanced configuration didn't work?



  • sorry, not sure I understand.
    Advanced configuration of the vpn or the client?



  • or are you thinking of push routes in openvpn?


  • Rebel Alliance Developer Netgate

    For others following this thread, the (new) issue of split-tunnel/routing with IKEv2 was moved to this thread: https://forum.pfsense.org/index.php?topic=97627.0