IPSEC ikev2 on PFS 2.2.6 connection problems DNS



  • I have been using pfsense for a long time now but not VPN. So I have been reading up on OPVN, IPSEC and thought I would install a fresh 2.2.6 installation to make some labs to get everything working with the built-in radius on my mac and iphone, but I fail to even connect to the tunnel. I have been following the hangout video tutorial now to see if those setups would work, but with no luck with ipsec. OPVN works just fine (with the same dns destination) but not IPSEC, and I don't receive any log entries either, even though I raise logging to development. I have been trying to do this now on 3 fresh installations, so I hope someone could give me a hint what the problem might be here?

    The only error I get after a reboot in the logs that stands out is during boot:

    The mobile phone doesn't connect and neither does my mac. I have tried to do this with 2.2.4 and there I get log entries, but I didn't test further due to the fact that I wanted to run on 2.2.6 and therefore reinstalled the system again.

    Is there anything I can do to see that IPSEC is listening on the ports that it's configured on? The service is started and green, but the behavior is as if the PFS box drops the connection or is not listening on the default configured ports. I have not manually tried to add the default IPSEC ports because that shouldn't be necessary.

    I get some strange errors when restarting the ipsec service: php-fpm[244]: /status_services.php: Warning: Missing CRL data for keepout

    BR,
    Kris

    ![Screen Shot 2016-01-12 at 22.10.33.png](/public/imported_attachments/1/Screen Shot 2016-01-12 at 22.10.33.png)
    ![Screen Shot 2016-01-12 at 22.11.02.png](/public/imported_attachments/1/Screen Shot 2016-01-12 at 22.11.02.png)
    ![Screen Shot 2016-01-12 at 22.06.13.png](/public/imported_attachments/1/Screen Shot 2016-01-12 at 22.06.13.png)
    ![Screen Shot 2016-01-12 at 21.53.03.png](/public/imported_attachments/1/Screen Shot 2016-01-12 at 21.53.03.png)



  • It's clearly not crashing. No logs means no traffic is reaching the daemon. Most often in that case where a client is actually sending traffic, it's because something upstream (modem usually) is blocking it. Could be a port forward or 1:1 NAT overlapping so the traffic doesn't get to it. You can check 'sockstat -4' to confirm it's really listening. That won't really be telling though, find why no traffic's reaching it.



  • Thank you for such a quick response. I have double-checked the sockets now and I can see that there are listening ports for :500 and :4500, so it can't be that. I have mostly tested from my iphone via mobile internet to be sure I didn't have something that interfered locally. But now I'm sharing my internet connection via my mobile phone to test the connection from my laptop and I get 4 entries in the log, so it seems there is a reaction after all that I have just missed.

    I want for now to focus on the laptop to get this working, because the phone doesn't even give me a connection rejection. The logging is set to diag and I was hoping there would be some more info, but I presume due to the early disconnect it's handshake related? Are there any logs where I can follow the connection attempt, like kernel logging via the gui, or another suggestion how to address troubleshooting on the connection?

    BR,
    Kris

    ![Screen Shot 2016-01-13 at 11.18.41.png](/public/imported_attachments/1/Screen Shot 2016-01-13 at 11.18.41.png)
    ![Screen Shot 2016-01-13 at 12.32.53.png](/public/imported_attachments/1/Screen Shot 2016-01-13 at 12.32.53.png)
    ![Screen Shot 2016-01-13 at 12.44.54.png](/public/imported_attachments/1/Screen Shot 2016-01-13 at 12.44.54.png)



  • The vici logs there are just from checking the status output, no indication of any client trying to connect there. Try packet capturing on WAN, filtered on port 500, when trying to connect. Get any output from that?



  • Hmm I don't get it.

    If I run a telnet session towards my public IP address, e.g. x.x.x.x:500, I can capture the session through logging the wan interface.
    If I run a telnet session towards my public DNS name, e.g. my.dns.com:500, I can't capture anything on the wan interface. (This is the same DNS address I use for OVPN and it works.)
    If I run a telnet session towards my public DNS name, e.g. my.dns.com:1194, I can capture the session through logging the wan interface.

    For me this would normally indicate DNS resolution problems, but because I can resolve the dns name with the open vpn port and capture it on the wan interface via logging, for me it really doesn't make sense? Am I missing something?

    Any suggestions?

    I have tried to configure the certificates and the ipsec tunnel with the IP instead of the DNS host name, and now it works to connect, but I get some authentication errors, which I suppose are expected because I'm trying to connect with TLS-Radius, and this is not working with an IP address because the hostname has to be defined, so I need DNS to work?
    https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS



  • Anyone who has a suggestion if there exists a bug when using DNS as the VPN server address when initiating a connection attempt from iOS and Mac?



  • No issues along those lines. Something like that could be because of something to do with your certificates, like having the IP in the CN and hence it not accepting connecting to a FQDN, but that would happen much later in the process, you're not even getting the UDP 500 traffic to try to connect. There is nothing at the IPsec level responsible where the traffic isn't coming into your WAN at all, that's either the client not actually trying to send any traffic (DNS failing maybe), or the client sends traffic and it gets dropped somewhere between where the client sends it and before you receive it.



    > There is nothing at the IPsec level responsible where the traffic isn't coming into your WAN at all, that's either the client not actually trying to send any traffic (DNS failing maybe), or the client sends traffic and it gets dropped somewhere between where the client sends it and before you receive it.

    I totally agree. What I tried now is to share my mobile internet from my iphone 6 to my ipad 4 (both run iOS 9.2) with the same certificate and vpn settings, and it connects? I have to look into that later, what may differ, but that's very strange.

    So I thought I would solve the last piece of the puzzle, but it seems authentication fails for my user in radius (not the password of the user). Not sure why it's failing. Tried to change several modes like PEAP, but same problem; must be something with the user, but what!!!

    Jan 20 22:09:39 	charon: 11[CFG] <17> looking for peer configs matching x.x.x.x[vpn.test.com]...83.185.85.225[172.20.10.5]
    Jan 20 22:09:39 	charon: 11[CFG] <17> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Jan 20 22:09:39 	charon: 11[CFG] <17> candidate "con1", match: 20/1/1052 (me/other/ike)
    Jan 20 22:09:39 	charon: 11[CFG] <con1|17> selected peer config 'con1'
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> initiating EAP_IDENTITY method (id 0x00)
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP4_ADDRESS attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP4_DHCP attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP4_DNS attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP4_NETMASK attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP6_ADDRESS attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP6_DHCP attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> processing INTERNAL_IP6_DNS attribute
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> peer supports MOBIKE
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> authentication of 'rm.sasit.eu' (myself) with RSA signature successful
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> sending end entity cert "C=SE, ST=skane, L=lerberget, O=sasit, E=cert@test.com, CN=vpn.test.com"
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> splitting IKE message with length of 1580 bytes into 4 fragments
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ EF(1/4) ]
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ EF(2/4) ]
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ EF(3/4) ]
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ EF(4/4) ]
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (544 bytes)
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (544 bytes)
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (544 bytes)
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (128 bytes)
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> received packet: from 83.185.85.225[22275] to x.x.x.x[4500] (68 bytes)
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> received EAP identity 'krm'
    Jan 20 22:09:39 	charon: 11[CFG] <con1|17> RADIUS server 'primary' is candidate: 210
    Jan 20 22:09:39 	charon: 11[CFG] <con1|17> sending RADIUS Access-Request to server 'primary'
    Jan 20 22:09:39 	charon: 11[CFG] <con1|17> received RADIUS Access-Challenge from server 'primary'
    Jan 20 22:09:39 	charon: 11[IKE] <con1|17> initiating EAP_MD5 method (id 0x01)
    Jan 20 22:09:39 	charon: 11[ENC] <con1|17> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
    Jan 20 22:09:39 	charon: 11[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (84 bytes)
    Jan 20 22:09:39 	charon: 12[NET] <con1|17> received packet: from 83.185.85.225[22275] to x.x.x.x[4500] (68 bytes)
    Jan 20 22:09:39 	charon: 12[ENC] <con1|17> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
    Jan 20 22:09:39 	charon: 12[CFG] <con1|17> sending RADIUS Access-Request to server 'primary'
    Jan 20 22:09:39 	charon: 12[CFG] <con1|17> received RADIUS Access-Challenge from server 'primary'
    Jan 20 22:09:39 	charon: 12[ENC] <con1|17> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Jan 20 22:09:39 	charon: 12[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (92 bytes)
    Jan 20 22:09:39 	charon: 12[NET] <con1|17> received packet: from 83.185.85.225[22275] to x.x.x.x[4500] (124 bytes)
    Jan 20 22:09:39 	charon: 12[ENC] <con1|17> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Jan 20 22:09:39 	charon: 12[CFG] <con1|17> sending RADIUS Access-Request to server 'primary'
    Jan 20 22:09:40 	charon: 12[CFG] <con1|17> received RADIUS Access-Reject from server 'primary'
    Jan 20 22:09:40 	charon: 12[IKE] <con1|17> RADIUS authentication of 'test' failed
    Jan 20 22:09:40 	charon: 12[IKE] <con1|17> EAP method EAP_MSCHAPV2 failed for peer 172.20.10.5
    Jan 20 22:09:40 	charon: 12[ENC] <con1|17> generating IKE_AUTH response 4 [ EAP/FAIL ]
    Jan 20 22:09:40 	charon: 12[NET] <con1|17> sending packet: from x.x.x.x[4500] to 83.185.85.225[22275] (68 bytes)
    Jan 20 22:09:40 	charon: 12[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => DESTROYING
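As an added example (not code from the thread or from pfSense/strongSwan), a small Python parser that walks charon log lines like the ones above and summarizes the EAP/RADIUS exchange per IKE_SA, so the point of failure can be read off without scrolling the raw log. The sample log is a constructed, trimmed copy of the posted lines.

```python
import re

# Constructed sample: trimmed from the charon log posted in the thread (x.x.x.x as posted)
SAMPLE_LOG = """\
Jan 20 22:09:39 charon: 11[CFG] <con1|17> selected peer config 'con1'
Jan 20 22:09:39 charon: 11[ENC] <con1|17> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 20 22:09:39 charon: 11[IKE] <con1|17> received EAP identity 'krm'
Jan 20 22:09:39 charon: 11[CFG] <con1|17> received RADIUS Access-Challenge from server 'primary'
Jan 20 22:09:39 charon: 11[ENC] <con1|17> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Jan 20 22:09:39 charon: 12[ENC] <con1|17> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jan 20 22:09:39 charon: 12[CFG] <con1|17> received RADIUS Access-Challenge from server 'primary'
Jan 20 22:09:39 charon: 12[ENC] <con1|17> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jan 20 22:09:40 charon: 12[CFG] <con1|17> received RADIUS Access-Reject from server 'primary'
Jan 20 22:09:40 charon: 12[IKE] <con1|17> RADIUS authentication of 'test' failed
Jan 20 22:09:40 charon: 12[IKE] <con1|17> EAP method EAP_MSCHAPV2 failed for peer 172.20.10.5
Jan 20 22:09:40 charon: 12[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => DESTROYING
"""

# "Mon DD HH:MM:SS  charon: <thread>[GROUP] <sa-name|id> message"
LINE_RE = re.compile(r"^\S+ \d+ [\d:]+\s+charon: \d+\[(\w+)\] <([^>]*)> (.*)$")

def summarize_ike_sa(log_text):
    """Return {sa_id: summary} of the EAP/RADIUS exchange seen for each IKE_SA."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a charon line, skip
        _group, sa, msg = m.groups()
        s = sas.setdefault(sa, {"identity": None, "eap_methods": [], "eap_naks": 0,
                                "radius": [], "failed": False, "final_state": None})
        if (mm := re.search(r"EAP/REQ/(\w+)", msg)):          # server offered an EAP method
            s["eap_methods"].append(mm.group(1))
        elif "EAP/RES/NAK" in msg:                            # client refused that method
            s["eap_naks"] += 1
        elif (mm := re.search(r"received RADIUS (Access-\w+)", msg)):
            s["radius"].append(mm.group(1))
        elif (mm := re.search(r"received EAP identity '([^']*)'", msg)):
            s["identity"] = mm.group(1)
        elif "EAP method" in msg and "failed" in msg:
            s["failed"] = True
        elif (mm := re.search(r"state change: \w+ => (\w+)", msg)):
            s["final_state"] = mm.group(1)
    return sas

def diagnose(s):
    """One-line verdict for an SA summary; MSCHAPv2 needs a cleartext or NT-hash password on
    the RADIUS side, so a stored MD5 hash (the thread's final finding) cannot be verified."""
    if s["failed"] and "Access-Reject" in s["radius"]:
        return (f"RADIUS Access-Reject for '{s['identity']}' during {s['eap_methods'][-1]} "
                f"after {s['eap_naks']} client NAK(s): check the user's stored password format")
    return "no RADIUS rejection seen; final state " + str(s["final_state"])
```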
    


  • Solved it myself

    > So I thought I would solve the last piece of the puzzle but it seems authentication failes for my user in radius (not the password of the user). Not sure why failing. Tried to change several modes like PEAP but same problem must be something with the user but what!!!

    I had chosen password encryption MD5 for my user in FreeRadius. Strangely, I thought this was how the password was stored in FreeRadius, but it seems that IPSEC couldn't resolve my password when it was encrypted. Sounds wrong, needs to be investigated.

