Privet everybody,
Android clients support DH2 (modp1024) and do not support DH14 (2048).
In the OPNsense web settings: VPN: IPsec: Tunnel Settings for VPN: DH key group = 2 (1024 bits)
but in the IPsec log:
Dec 13 15:10:05 charon: 16[IKE] <146> negotiated DH group not supported
How to enable DH2 support?
OPNsense 18.7.4-amd64
Do you have a different setting in the mobile VPN page?
settings
For Android always use AES256, a mix of SHA1 and 256 and DH2.
I tested this successfully.
I tried that, but still "Dec 14 09:37:26 charon: 05[IKE] <160> negotiated DH group not supported"
contents of /usr/local/etc/ipsec.conf please ...
root@OPNsense:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes
        charondebug=""
conn con1
        aggressive = no
        fragmentation = yes
        keyexchange = ikev1
        mobike = yes
        reauth = yes
        rekey = yes
        forceencaps = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        left = xx.xx.xx.xx
        right = %any
        leftid = xx.xx.xx.xx
        ikelifetime = 86400s
        lifetime = 28800s
        rightsourceip = 192.168.254.0/24
        ike = aes256-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightauth2 = xauth-generic
        leftsubnet = 0.0.0.0/0
        esp = aes256-sha1!
        auto = add
root@OPNsense:~ #
I found that DH2 is disabled in new versions of strongSwan (because it is insecure). So is it now impossible to connect Android devices with DH2? Or is it possible to enable DH2?
No, it looks good, DH2 = MODP1024.
Can you show some more logs and not just this line?
root@OPNsense:~ # cat /var/log/ipsec.log
...
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (476 bytes)
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received NAT-T (RFC 3947) vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received XAuth vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received Cisco Unity vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received FRAGMENTATION vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received DPD vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (160 bytes)
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (228 bytes)
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (56 bytes)
root@OPNsense:~ #
In Phase1, can you set SHA1+SHA256 and DH2+DH14?
How?
In the web interface I can choose only one of them.
Then you're not on the latest version ...
Really, after upgrading 18.7.4 -> 18.7.9, Android with DH2 was able to connect (charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024).
Thanks a lot.
Topic can be deleted.
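As an added example (not code from this thread, from OPNsense or from strongSwan), here is a small Python helper for the two things debugged above: it parses the ike= proposal value from ipsec.conf to list which DH groups charon is allowed to negotiate (and flags any below 2048 bits, since modp1024 gives only about 80-bit security), and it scans charon log lines like the ones posted for "negotiated DH group not supported", the resulting INVAL_KE notify, and the "selected proposal: IKE:..." line, grouped per IKE_SA id. The DH_GROUPS table is an illustrative subset of strongSwan's keywords, and the sample log lines are constructed in the same format as the thread's output.

```python
import re

# strongSwan DH keyword -> (IKE group number, modulus bits).
# Assumption: illustrative subset of the MODP groups, enough for this thread.
DH_GROUPS = {
    "modp768": (1, 768),
    "modp1024": (2, 1024),
    "modp1536": (5, 1536),
    "modp2048": (14, 2048),
    "modp3072": (15, 3072),
    "modp4096": (16, 4096),
}

# Reverse map from the log's proposal notation (MODP_1024) back to the keyword.
LOG_DH_NAMES = {f"MODP_{bits}": kw for kw, (_, bits) in DH_GROUPS.items()}


def parse_ike_proposals(value: str) -> list:
    """Split an ike= value such as 'aes256-sha1-modp1024,aes256-sha256-modp2048!'
    into proposals. A trailing '!' makes the list strict: charon accepts only the
    listed proposals instead of also offering its defaults."""
    strict = value.strip().endswith("!")
    proposals = []
    for prop in value.strip().rstrip("!").split(","):
        parts = [p for p in prop.strip().split("-") if p]
        dh = [p for p in parts if p in DH_GROUPS]
        algs = [p for p in parts if p not in DH_GROUPS]
        proposals.append({"algs": algs, "dh": dh, "strict": strict})
    return proposals


def allowed_dh_groups(value: str) -> set:
    """IKE DH group numbers the ike= line lets charon negotiate."""
    return {DH_GROUPS[kw][0] for p in parse_ike_proposals(value) for kw in p["dh"]}


def weak_dh_groups(value: str, min_bits: int = 2048) -> list:
    """DH keywords in the proposal whose modulus is below min_bits."""
    return sorted({kw for p in parse_ike_proposals(value) for kw in p["dh"]
                   if DH_GROUPS[kw][1] < min_bits})


# Matches the thread's format: 'charon: 14[IKE] <205> message' (hostname optional).
LOG_RE = re.compile(r"charon: \d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")
SELECTED_RE = re.compile(r"selected proposal: IKE:(?P<prop>\S+)")


def summarize_ike_log(lines) -> dict:
    """Per IKE_SA id, record whether the peer's KE payload was rejected, whether an
    INVAL_KE notify went back, and which DH group was finally selected (if any)."""
    result = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:          # lines without an IKE_SA id (e.g. 'added configuration') are skipped
            continue
        entry = result.setdefault(m.group("sa"), {"dh_rejected": False,
                                                  "inval_ke_sent": False,
                                                  "selected_dh": None})
        msg = m.group("msg")
        if "negotiated DH group not supported" in msg:
            entry["dh_rejected"] = True
        if "N(INVAL_KE)" in msg:
            entry["inval_ke_sent"] = True
        sel = SELECTED_RE.search(msg)
        if sel:
            # last component of AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
            dh_token = sel.group("prop").split("/")[-1]
            entry["selected_dh"] = LOG_DH_NAMES.get(dh_token, dh_token)
    return result


# Constructed sample input, same shape as the log excerpts in the thread.
SAMPLE_LOG = [
    "Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]",
    "Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported",
    "Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]",
    "Dec 14 12:00:00 OPNsense charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
]

if __name__ == "__main__":
    print(parse_ike_proposals("aes256-sha1-modp1024!"))
    print("weak groups:", weak_dh_groups("aes256-sha1-modp1024!"))
    print(summarize_ike_log(SAMPLE_LOG))
```

Run it against the real file with `summarize_ike_log(open("/var/log/ipsec.log"))`: an IKE_SA that shows `dh_rejected` while the ike= line already lists the client's group points at the daemon rather than the configuration, which is the situation the upgrade resolved here.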
You can add *SOLVED* in the topic :)