Author Topic: *SOLVED* (upgrading). IPsec mobile clients with DH2 (modp1024) can't connect.  (Read 6312 times)

logreg
*SOLVED* (upgrading). IPsec mobile clients with DH2 (modp1024) can't connect.
« on: December 13, 2018, 12:19:32 pm »
Hi everybody,

Android clients support DH2 (modp1024) and do not support DH14 (2048).

In the OPNsense web settings: VPN: IPsec: Tunnel Settings for VPN:  DH key group = 2 (1024 bits)

But in the IPsec log:

Dec 13 15:10:05    charon: 16[IKE] <146> negotiated DH group not supported

How to enable DH2 support?

OPNsense 18.7.4-amd64
« Last Edit: December 14, 2018, 10:31:57 am by logreg »

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #1 on: December 13, 2018, 01:18:30 pm »
Do you have a different setting in mobile vpn page?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #2 on: December 14, 2018, 06:05:08 am »
settings

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #3 on: December 14, 2018, 06:28:48 am »
For Android always use AES256, a mix of SHA1 and 256 and DH2.
I tested this successfully.

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #4 on: December 14, 2018, 06:42:39 am »
I tried that, but still "Dec 14 09:37:26   charon: 05[IKE] <160> negotiated DH group not supported"

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #5 on: December 14, 2018, 07:23:26 am »
Contents of /usr/local/etc/ipsec.conf please ...

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #6 on: December 14, 2018, 07:30:24 am »
root@OPNsense:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes
  charondebug=""
conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = xx.xx.xx.xx
  right = %any
  leftid = xx.xx.xx.xx
  ikelifetime = 86400s
  lifetime = 28800s
  rightsourceip = 192.168.254.0/24
  ike = aes256-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-generic
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha1!
  auto = add
root@OPNsense:~ #
« Last Edit: December 14, 2018, 07:38:36 am by logreg »

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #7 on: December 14, 2018, 07:50:59 am »
I found that DH2 is disabled in new versions of strongSwan (because it is insecure). So is it now impossible to connect Android devices with DH2? Or is it possible to enable DH2?

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #8 on: December 14, 2018, 08:50:01 am »
No, it looks good, DH2 = MODP1024.
Can you show some more logs and not just this line?

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #9 on: December 14, 2018, 09:07:02 am »
root@OPNsense:~ # cat /var/log/ipsec.log
...
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (476 bytes)
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received NAT-T (RFC 3947) vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received XAuth vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received Cisco Unity vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received FRAGMENTATION vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received DPD vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (160 bytes)
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (228 bytes)
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (56 bytes)
root@OPNsense:~ #
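One way to triage this kind of failure from the config and log shown above, as an added example that is not from the thread or from OPNsense/strongSwan: a small Python script that pulls the DH groups out of the ipsec.conf ike= proposal and groups charon lines by IKE_SA id to flag sessions that hit "negotiated DH group not supported" and were answered with INVAL_KE. The log and config fragments are constructed from the lines above with the same placeholder addresses, and the log prefix format (syslog timestamp, host, "charon:", thread[subsystem], optional <id>) is assumed to match the thread's output.

```python
import re
from collections import defaultdict

# Constructed sample: charon lines modelled on the thread's log, with placeholder addresses.
SAMPLE_LOG = """\
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 11:55:02 OPNsense charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
# Constructed ipsec.conf fragment mirroring the thread's con1 (strict '!' proposal).
SAMPLE_CONF = "conn con1\n  keyexchange = ikev1\n  ikelifetime = 86400s\n  ike = aes256-sha1-modp1024!\n"

# Syslog prefix, charon thread/subsystem, optional <IKE_SA id>, free-text message (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\](?: <(?P<sa>\d+)>)? (?P<msg>.*)$")

def configured_dh_groups(conf: str) -> dict:
    """Map each conn to the DH groups named in its ike= proposal (modp*/ecp*/curve* tokens)."""
    groups, conn = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            conn = line.split()[1]
            groups[conn] = []
        elif conn and re.match(r"ike\s*=", line):  # exactly 'ike=', not 'ikelifetime='
            proposals = line.split("=", 1)[1].strip().rstrip("!")
            for alt in proposals.split(","):
                groups[conn] += [t for t in alt.split("-") if re.match(r"modp|ecp|curve", t)]
    return groups

def find_dh_failures(log: str) -> dict:
    """Per IKE_SA that hit 'negotiated DH group not supported': peer, timestamp, INVAL_KE sent."""
    sas = defaultdict(dict)
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["sa"] is None:
            continue  # lines without an IKE_SA id (e.g. 'added configuration') are not per-session
        sa, msg = m["sa"], m["msg"]
        if " is initiating a Main Mode IKE_SA" in msg:
            sas[sa]["peer"] = msg.split(" is initiating")[0]
        elif "negotiated DH group not supported" in msg:
            sas[sa]["reason"] = msg
            sas[sa]["time"] = m["ts"]
        elif "N(INVAL_KE)" in msg:
            sas[sa]["inval_ke_sent"] = True
        elif "selected proposal: " in msg:
            sas[sa]["proposal"] = msg.split("selected proposal: ", 1)[1]
    return {sa: d for sa, d in sas.items() if "reason" in d}
```

Sessions that reach "selected proposal" (like <2> after the upgrade) are excluded, so the output is only the IKE_SAs worth correlating against the configured groups.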

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #10 on: December 14, 2018, 09:30:48 am »
In Phase1, can you set SHA1+SHA256 and DH2+DH14?

logreg

Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #11 on: December 14, 2018, 09:38:19 am »
How?
In the web interface I can choose only one of them.

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #12 on: December 14, 2018, 09:39:10 am »
Then you're not on the latest version ...

logreg
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #13 on: December 14, 2018, 10:22:02 am »
Really, after upgrading 18.7.4 -> 18.7.9, Android with DH2 was able to connect (charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024).
Thanks a lot.
Topic can be deleted.
« Last Edit: December 14, 2018, 10:24:10 am by logreg »

mimugmail
Re: IPsec mobile clients. DH2 (modp1024) supported by OPNsense?
« Reply #14 on: December 14, 2018, 10:28:46 am »
You can add *SOLVED* in the topic :)