IKEv1 aggressive mode with PSK fails on 2.2.4



  • Hi

    I can't make a VPN connection with a FritzBox (it requires aggressive mode). I've set up an IPsec tunnel with IKEv1, aggressive mode and a shared password. In the logs I can see it agrees on protocols, but pfSense breaks the connection:

    2015-08-31 10:18:53 94.32.123.49 charon 16[NET] <1> received packet: from 89.67.202.215[500] to 94.32.123.34[500] (653 bytes)
    2015-08-31 10:18:53 94.32.123.49 charon 16[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    2015-08-31 10:18:53 94.32.123.49 charon 16[IKE] <1> 89.67.202.215 is initiating a Aggressive Mode IKE_SA
    2015-08-31 10:18:53 94.32.123.49 charon 16[IKE] <1> 89.67.202.215 is initiating a Aggressive Mode IKE_SA
    2015-08-31 10:18:53 94.32.123.49 charon 16[CFG] <1> looking for pre-shared key peer configs matching 94.32.123.34…89.67.202.215[foo.bar.org]
    2015-08-31 10:18:53 94.32.123.49 charon 16[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    2015-08-31 10:18:53 94.32.123.49 charon 16[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode

    2015-08-31 10:18:53 94.32.123.49 charon 16[ENC] <1> generating INFORMATIONAL_V1 request 3263738593 [ N(AUTH_FAILED) ]
    2015-08-31 10:18:53 94.32.123.49 charon 16[NET] <1> sending packet: from 94.32.123.34[500] to 89.67.202.215[500] (56 bytes)

    Configuration seems to be correct, as when I restart ipsec daemon I can see:

    2015-08-31 10:18:46 94.32.123.49 php-fpm /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.

    Has anyone succeeded with VPN aggressive + PSK on pfSense 2.2.4? It looks to me like a bug.



  • Hi lutel,

    I have to admit that I tried several things to get an IPSec tunnel up between pfsense 2.2.4 and Fritz (6.2 or 6.3, can't remember), with main and aggressive mode. No success up to now. And none of the instructions on the web really work.
    Everything worked well with 2.1.5 btw.

    Would be very grateful if you (or someone else) found a solution…

    Thanks.

    Cheers,

    Chris



  • Hi Connor,

    Thank you for the reply, at least now I know the source of the problem is not between chair and keyboard. Hopefully pfSense devs will have a look at this issue…

    Cheers



  • There was a legit issue with Fritzboxes in 2.2.3, but that's been fixed in 2.2.4. There was one person with only one of many Fritzboxes that had a mismatched identifier somehow after the changes that are in 2.2.4, but that looked to be a problem with the Fritzbox as the strongswan config was correct, and worked for several other remote Fritzbox systems with the exact same configuration on them.



  • Hi Cmb!

    Thank you for pointing me in the right direction! Indeed it was a misconfiguration of the Peer ID (it must be FQDN on both sides in this case). I lost a lot of time on this because the log (even the most verbose) doesn't say anything about an ID mismatch, and the "matching config, but none allows pre-shared key authentication using Aggressive Mode" message is totally misleading.

    Cheers
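
The identifier mismatch described in the post above can be spotted from the charon lines the thread quotes, because the CFG lookup line prints the identity the peer actually sent. The following diagnostic script is an added example, not code from the thread or from pfSense/strongSwan; the log lines in it are constructed after the ones quoted above, and the expected identifier passed to `diagnose()` is an assumed value standing in for whatever is configured as the Peer identifier on the pfSense side.

```python
import re

# Constructed sample, modelled on the charon lines quoted earlier in this thread
# (addresses as in the post; "foo.bar.org" is the identity the peer claimed).
SAMPLE_LOG = """\
16[IKE] <1> 89.67.202.215 is initiating a Aggressive Mode IKE_SA
16[CFG] <1> looking for pre-shared key peer configs matching 94.32.123.34...89.67.202.215[foo.bar.org]
16[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
"""

# strongSwan prints "local...remote[remote-id]"; copy/paste often turns "..." into a single "…".
MATCHING_RE = re.compile(
    r"looking for pre-shared key peer configs matching "
    r"(?P<local>\S+?)(?:\.\.\.|…)(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]")
NONE_ALLOWS_RE = re.compile(r"found \d+ matching config, but none allows")

def id_type(identity: str) -> str:
    """Rough classification of an IKE identity string into the usual ID types."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", identity):
        return "address"
    if "=" in identity and "," in identity:
        return "dn"          # e.g. C=PL, O=Example, CN=fritz
    if "@" in identity:
        return "user_fqdn"   # e.g. vpn@example.org
    return "fqdn"

def peer_identity(log_text: str):
    """Return (local, remote, remote_id) from the CFG lookup line, or None if absent."""
    m = MATCHING_RE.search(log_text)
    return (m["local"], m["remote"], m["remote_id"]) if m else None

def diagnose(log_text: str, expected_remote_id: str) -> list:
    """Explain an Aggressive Mode PSK rejection in terms of the identifier the peer sent."""
    findings = []
    ident = peer_identity(log_text)
    if ident is None:
        return ["no pre-shared key config lookup line found"]
    _, _, sent_id = ident
    if NONE_ALLOWS_RE.search(log_text):
        if sent_id.lower() != expected_remote_id.lower():
            findings.append(f"peer sent ID '{sent_id}' but config expects '{expected_remote_id}'")
        if id_type(sent_id) != id_type(expected_remote_id):
            findings.append(f"ID type mismatch: peer sent {id_type(sent_id)}, "
                            f"config uses {id_type(expected_remote_id)}")
        if not findings:
            findings.append("IDs match; check the PSK and the aggressive-mode setting instead")
    return findings
```

Run it against the relevant lines from the IPsec log with the Peer identifier configured on pfSense; a mismatch in value or in type (FQDN versus IP address, for instance) is reported even though charon itself only says "none allows pre-shared key authentication".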



  • Good morning lutel,

    seems all is good for you now! Would you mind sharing your settings both on pfsense and Fritzbox side?

    Thanks!

    Cheers,

    Chris



  • Good morning Connor,

    I have a FritzBox 7390, on this side I have a peer-to-peer configuration, gateway is set as domain name. I also use duckdns on it (foo.duckdns.org)

    On the pfSense side:
    VPN IPsec: V1, aggressive + mutual PSK, remote gateway: foo.duckdns.org, my and peer identifiers - distinguished names
    encryption phase 1: AES 256 bit, Hash: SHA1, DH: 2
    phase 2: mode: Tunnel, AES + SHA1, PFS: 2



  • Hello lutel, thanks!

    Just one last question: on Fritzbox side, did you use the web gui of the box for setting up VPN or did you use the AVM VPN Windows tool to create a config file?

    Cheers,

    Chris



  • Hello Chris,

    I used the web GUI for configuration on the latest beta firmware (6.21); they had some issues on 6.20 with SSL connections.

    Cheers,
    Tomek