I wanted to try first with the PSK, figuring it’s easier.
Well, I am stumped by the local ID and remote ID fields. If I leave them empty, or I put in something there, there is no connection.
On the explanations it says: “See requirement for client”. I am trying this with Android first.
I populated the network field with 0.0.0.0/0.
This is the log:
12:16:04 charon: 10[NET] received packet: from 172.58.240.224[41861] to 108.26.xxx.xxx1[500] (652 bytes)
12:16:04 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
12:16:04 charon: 10[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 10[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 10[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
12:16:04 charon: 10[IKE] remote host is behind NAT
12:16:04 charon: 10[IKE] DH group MODP_2048_256 unacceptable, requesting ECP_384
12:16:04 charon: 10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
12:16:04 charon: 10[NET] sending packet: from 108.26.126.121[500] to 172.58.240.224[41861] (38 bytes)
12:16:04 charon: 15[NET] received packet: from 172.58.240.224[41861] to 108.26.126.121[500] (492 bytes)
12:16:04 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
12:16:04 charon: 15[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 15[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
12:16:04 charon: 15[IKE] remote host is behind NAT
12:16:04 charon: 15[IKE] sending cert request for "C=US, ST=VA, L=xxxxxxxxx, O=xxxxx, CN=xxx CA, E=xxxx@xxxx.com"
12:16:04 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
12:16:04 charon: 15[NET] sending packet: from 108.26.xxx.xxx[500] to 172.58.240.224[41861] (321 bytes)
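The charon excerpt above can be read mechanically, which helps when the exchange spans several threads and repeated lines. The following is an added example, not code from this thread or from IPFire/strongSwan: it groups charon lines into IKE_SA_INIT attempts and classifies each one as an INVALID_KE retry, a completed IKE_SA_INIT, or a no-overlap failure. The sample log is constructed from the lines quoted above (CA name replaced, duplicate "is initiating" lines kept because charon really prints them twice) plus a made-up third attempt from a placeholder address to show the no-overlap case discussed later in the thread; the `received proposals` / `no proposal found` / `N(NO_PROP)` wording is assumed from strongSwan's usual logging and is not taken from this page.

```python
import re

# Constructed sample log: the relevant lines quoted in the post, plus an invented
# third attempt (192.0.2.77) whose proposals do not overlap the server's.
SAMPLE_LOG = """\
12:16:04 charon: 10[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 10[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 10[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
12:16:04 charon: 10[IKE] remote host is behind NAT
12:16:04 charon: 10[IKE] DH group MODP_2048_256 unacceptable, requesting ECP_384
12:16:04 charon: 10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
12:16:04 charon: 15[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 15[IKE] 172.58.240.224 is initiating an IKE_SA
12:16:04 charon: 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
12:16:04 charon: 15[IKE] remote host is behind NAT
12:16:04 charon: 15[IKE] sending cert request for "C=US, O=Example, CN=Example CA"
12:16:04 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
12:16:09 charon: 16[IKE] 192.0.2.77 is initiating an IKE_SA
12:16:09 charon: 16[IKE] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12:16:09 charon: 16[IKE] no proposal found
12:16:09 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>[\d.]+) is initiating an IKE_SA$")
DH_RE = re.compile(r"^DH group (?P<rejected>\S+) unacceptable, requesting (?P<wanted>\S+)$")
SEL_RE = re.compile(r"^selected proposal: (?P<proposal>\S+)$")
RECV_RE = re.compile(r"^received proposals: (?P<proposals>.+)$")
RESP_RE = re.compile(r"^generating IKE_SA_INIT response \d+ \[ (?P<payloads>.*) \]$")


def _new_attempt(time, thread, peer):
    return {"time": time, "thread": thread, "peer": peer, "nat": False,
            "proposal": None, "received": None, "certreq": False,
            "rejected_dh": None, "wanted_dh": None, "outcome": None}


def parse_attempts(text):
    """Group charon lines into IKE_SA_INIT attempts and classify each one."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        init = INIT_RE.match(msg)
        if init:
            # charon prints this line twice per exchange; keep a single record for it
            if cur and cur["thread"] == thread and cur["peer"] == init.group("peer") and cur["outcome"] is None:
                continue
            cur = _new_attempt(m.group("time"), thread, init.group("peer"))
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if msg == "remote host is behind NAT":
            cur["nat"] = True
        elif (x := SEL_RE.match(msg)):
            cur["proposal"] = x.group("proposal")
        elif (x := RECV_RE.match(msg)):
            cur["received"] = x.group("proposals")
        elif (x := DH_RE.match(msg)):
            cur["rejected_dh"], cur["wanted_dh"] = x.group("rejected"), x.group("wanted")
        elif msg.startswith("sending cert request"):
            cur["certreq"] = True
        elif (x := RESP_RE.match(msg)):
            payloads = x.group("payloads").split()
            if "N(INVAL_KE)" in payloads:
                cur["outcome"] = "invalid_ke"      # responder wants another DH group
            elif "N(NO_PROP)" in payloads:
                cur["outcome"] = "no_proposal"     # nothing the client offered is allowed
            elif "SA" in payloads and "KE" in payloads:
                cur["outcome"] = "init_ok"         # IKE_SA_INIT answered; IKE_AUTH comes next
            else:
                cur["outcome"] = "other"
    return attempts


def diagnose(attempts):
    """One plain-language line per attempt, to read next to the raw log."""
    notes = []
    for a in attempts:
        tag = f"{a['time']} {a['peer']} thread {a['thread']}"
        nat = " (client behind NAT)" if a["nat"] else ""
        if a["outcome"] == "invalid_ke":
            notes.append(f"{tag}{nat}: client's KE payload used {a['rejected_dh']}, server answered "
                         f"INVALID_KE_PAYLOAD asking for {a['wanted_dh']}; a retry with that group should follow")
        elif a["outcome"] == "no_proposal":
            notes.append(f"{tag}{nat}: NO_PROPOSAL_CHOSEN; client offered {a['received']} and nothing overlaps "
                         "the server's IKE proposals, so the client profile or OS needs newer algorithms")
        elif a["outcome"] == "init_ok":
            cr = ", CERTREQ sent" if a["certreq"] else ""
            notes.append(f"{tag}{nat}: IKE_SA_INIT completed with {a['proposal']}{cr}; "
                         "DH negotiation is fine, so look at IKE_AUTH (IDs, PSK) for the failure")
        else:
            notes.append(f"{tag}{nat}: no IKE_SA_INIT response recorded")
    return notes


if __name__ == "__main__":
    for line in diagnose(parse_attempts(SAMPLE_LOG)):
        print(line)
```

Run against the quoted excerpt, this reports the first attempt as the expected INVALID_KE round trip (the client's KE used MODP_2048_256, the server asked for ECP_384) and the second attempt as a completed IKE_SA_INIT with a CERTREQ. In other words, the DH group negotiation in this excerpt succeeds; whatever goes wrong with the local/remote IDs would show up in the IKE_AUTH lines that follow, which the excerpt does not include.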
If you are trying to connect from your IPFire IPSec to your phone within the mobile network it would not work. You don’t get a publicly accessible IP on the mobile network.
Those are identifications for your server and for your remote client.
I believe that some clients such as macOS expect to have the ID defined. You can use any name for the ID; it just needs to start with an @.
I have set up the IPSec RW with PSK for my Linux Laptop, using Network Manager with the Strongswan IPSec plugin.
With that client, I was able to leave the Local and Remote IDs blank on the server and also on the client. The Network Manager client just uses the name or IP of the server that you specify and the username or hostname.
The IPSec VPN connection worked fine.
I also then added an @ID for the local and remote on the server configuration. If you do that then you must enter those ID values into your client if you want the connection to be made successfully. I added them into my Network Manager client and the IPSec PSK connection was again successfully made.
You need to identify if the client you are using accepts blank IDs and fills them with default values or if you need to specify them on the server.
The simplest would be to always specify them.
One thing I have realised while checking some of this is that the bug fix I did for the IPSec PSK in CU190 has a slight bug in it. If you go into the edit page for the PSK connection then if you press the Save button, it should only do a Base 64 Encoding of the password that was previously entered if it is defined as not yet being encoded via a variable.
That appears not to be working as if you go into the edit page and change nothing but press the Save button, in all cases it converts the PSK via Base 64 Encoding. This means that each time you press the Save button the PSK is changed into another PSK by being Base 64 Encoded again.
So the workaround for this in the short term is that if you go into the edit page and want to press the Save button then before doing so, copy your original PSK back into the PSK entry box and then press the Save button. This way you get the correct Base 64 Encoded PSK saved in the ipsec.config file.
I will raise a bug report for myself to have a look at what is not working right under which situations and fix it.
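The re-encoding problem described above comes down to a save handler that is not idempotent. The following is an added example, not IPFire's vpnmain.cgi code, modelling the edit-page state as a small record with the PSK field and an "already encoded" flag: `save_buggy` encodes on every press, `save_fixed` encodes only while the flag says the value is still plaintext, and `reenter_then_save` reproduces the workaround of pasting the original PSK back in before pressing Save. Field names are assumptions for illustration.

```python
import base64


def save_buggy(record):
    """Edit-page Save as described in the post: re-encodes the stored PSK on every press."""
    record["psk"] = base64.b64encode(record["psk"].encode()).decode()
    record["encoded"] = True
    return record


def save_fixed(record):
    """Intended behaviour: encode once, then leave an already-encoded value alone."""
    if not record.get("encoded"):
        record["psk"] = base64.b64encode(record["psk"].encode()).decode()
        record["encoded"] = True
    return record


def save_n_times(save, psk, n):
    """Start from a plaintext PSK and press Save n times with the given handler."""
    rec = {"psk": psk, "encoded": False}       # constructed state, not a real config
    for _ in range(n):
        rec = save(rec)
    return rec["psk"]


def reenter_then_save(record, original_psk):
    """The short-term workaround: paste the original PSK back in, then press Save."""
    record["psk"] = original_psk
    record["encoded"] = False
    return save_buggy(record)


def decode_once(stored):
    """What a consumer that base64-decodes the field exactly once will see."""
    return base64.b64decode(stored).decode()


if __name__ == "__main__":
    print("buggy, saved twice :", save_n_times(save_buggy, "s3cret", 2))
    print("fixed, saved twice :", save_n_times(save_fixed, "s3cret", 2))
    print("workaround         :", reenter_then_save({"psk": "garbage", "encoded": True}, "s3cret")["psk"])
```

Decoding the double-encoded value once yields the base64 string of the secret rather than the secret itself, which is why the peer's PSK no longer matches after a second Save; the fixed handler returns the same stored value however many times it runs.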
I don’t understand this. I don’t try to access my phone from “outside”, but to access my ipfire VPN from my phone.
The server ipfire is on landline fiber.
Also, the OpenVPN works on my phone data, so why won’t the IPSec VPN work?
In Core Update 170 (Sept 2022) MODP-2048 was removed from the IPFire IPSec code as that Diffie-Hellman group (2048 bits) was at that time considered to be too weak as it was too short.
In your log from the setup with your laptop you can see that your laptop IPSec client was proposing to use MODP-1024 (1024 bits) with all its ciphers and that is even shorter, and therefore more vulnerable, than the modp-2048, which is also no longer accepted.
Therefore there was no overlap between the proposed groups and ciphers from your laptop and the ones that are available on IPFire.
Is your laptop running Windows? I have seen other people on this forum having problems with older versions of Windows as their DH groups and ciphers have not been updated from the older vulnerable versions.
If you are using Windows, what version are you using?
If it is not Windows, what OS is on your laptop and at what version or update status?
I suspect because the IPSec client on your Android phone is using older, vulnerable ciphers etc.
Maybe try installing the StrongSwan app on your Android phone. StrongSwan is the IPSec package running in IPFire and that StrongSwan app is kept up to date.