iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64)
-
My VPN connections to my home network are no longer working after updating to 23.09. I am running pfSense on a Netgate SG-2440. VPN had been working fine before the update.
Here are the IPsec logs:
Nov 20 10:27:00 charon 6876 11[NET] <83> received packet: from 172.58.14.156[38352] to x.x.x.x[500] (783 bytes)
Nov 20 10:27:00 charon 6876 11[ENC] <83> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Nov 20 10:27:00 charon 6876 11[CFG] <83> looking for an IKEv1 config for x.x.x.x...172.58.14.156
Nov 20 10:27:00 charon 6876 11[CFG] <83> candidate: x.x.x.x...0.0.0.0/0, ::/0, prio 1052
Nov 20 10:27:00 charon 6876 11[CFG] <83> found matching ike config: x.x.x.x...0.0.0.0/0, ::/0 with prio 1052
Nov 20 10:27:00 charon 6876 11[IKE] <83> local endpoint changed from 0.0.0.0[500] to x.x.x.x[500]
Nov 20 10:27:00 charon 6876 11[IKE] <83> remote endpoint changed from 0.0.0.0 to 172.58.14.156[38352]
Nov 20 10:27:00 charon 6876 11[IKE] <83> received FRAGMENTATION vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received NAT-T (RFC 3947) vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received XAuth vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received Cisco Unity vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> received DPD vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <83> 172.58.14.156 is initiating a Aggressive Mode IKE_SA
Nov 20 10:27:00 charon 6876 11[IKE] <83> IKE_SA (unnamed)[83] state change: CREATED => CONNECTING
Nov 20 10:27:00 charon 6876 11[CFG] <83> selecting proposal:
Nov 20 10:27:00 charon 6876 11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
Nov 20 10:27:00 charon 6876 11[CFG] <83> selecting proposal:
Nov 20 10:27:00 charon 6876 11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
Nov 20 10:27:00 charon 6876 11[CFG] <83> selecting proposal:
Nov 20 10:27:00 charon 6876 11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
Nov 20 10:27:00 charon 6876 11[CFG] <83> selecting proposal:
Nov 20 10:27:00 charon 6876 11[CFG] <83> proposal matches
Nov 20 10:27:00 charon 6876 11[CFG] <83> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Nov 20 10:27:00 charon 6876 11[CFG] <83> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 20 10:27:00 charon 6876 11[CFG] <83> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Nov 20 10:27:00 charon 6876 11[CFG] <83> looking for XAuthInitPSK peer configs matching x.x.x.x...172.58.14.156[vpnusers@steinmetz-home.net]
Nov 20 10:27:00 charon 6876 11[CFG] <83> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Nov 20 10:27:00 charon 6876 11[CFG] <83> selected peer config "con-mobile"
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> sending XAuth vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> sending DPD vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> sending FRAGMENTATION vendor ID
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> sending NAT-T (RFC 3947) vendor ID
Nov 20 10:27:00 charon 6876 11[ENC] <con-mobile|83> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Nov 20 10:27:00 charon 6876 11[NET] <con-mobile|83> sending packet: from x.x.x.x[500] to 172.58.14.156[38352] (672 bytes)
Nov 20 10:27:00 charon 6876 11[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (232 bytes)
Nov 20 10:27:00 charon 6876 11[ENC] <con-mobile|83> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> local endpoint changed from x.x.x.x[500] to x.x.x.x[4500]
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> remote endpoint changed from 172.58.14.156[38352] to 172.58.14.156[18028]
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> queueing XAUTH task
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> local host is behind NAT, sending keep alives
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> remote host is behind NAT
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> activating new tasks
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> activating XAUTH task
Nov 20 10:27:00 charon 6876 11[ENC] <con-mobile|83> generating TRANSACTION request 1753144327 [ HASH CPRQ(X_USER X_PWD) ]
Nov 20 10:27:00 charon 6876 11[NET] <con-mobile|83> sending packet: from x.x.x.x[4500] to 172.58.14.156[18028] (124 bytes)
Nov 20 10:27:00 charon 6876 05[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (140 bytes)
Nov 20 10:27:00 charon 6876 05[ENC] <con-mobile|83> parsed INFORMATIONAL_V1 request 2207481420 [ HASH N(INITIAL_CONTACT) ]
Nov 20 10:27:00 charon 6876 05[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (156 bytes)
Nov 20 10:27:00 charon 6876 05[ENC] <con-mobile|83> parsed TRANSACTION response 1753144327 [ HASH CPRP(X_USER X_PWD) ]
Nov 20 10:27:00 charon 6966 05[IKE] <con-mobile|83> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> XAuth-SCRIPT failed for user 'jon' with return status: -1.
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> Could not authenticate with XAuth secrets for 'x.x.x.x' - 'jon'
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> XAuth authentication of 'jon' failed
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> reinitiating already active tasks
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> XAUTH task
Nov 20 10:27:00 charon 6876 05[ENC] <con-mobile|83> generating TRANSACTION request 688022786 [ HASH CPS(X_STATUS) ]
Nov 20 10:27:00 charon 6876 05[NET] <con-mobile|83> sending packet: from x.x.x.x[4500] to 172.58.14.156[18028] (124 bytes)
Nov 20 10:27:00 charon 6876 11[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (124 bytes)
Nov 20 10:27:00 charon 6876 11[ENC] <con-mobile|83> parsed TRANSACTION response 688022786 [ HASH CPA(X_STATUS) ]
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> destroying IKE_SA after failed XAuth authentication
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> IKE_SA con-mobile[83] state change: CONNECTING => DESTROYING
This seems like the most likely culprit to me:
XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
I have found some messages in various places suggesting that rebooting the router might help, but I have tried that and it does not help. I am wondering if anyone has seen anything like this and has any suggestions.
Thank you in advance.
-
I have the same issue:
Nov 22 16:31:01 charon 40560 15[IKE] <con-mobile|4> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed TRANSACTION response 2115188573 [ HASH CPRP(X_USER X_PWD) ]
Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed INFORMATIONAL_V1 request 3180770281 [ HASH N(INITIAL_CONTACT) ]
Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> sending packet: from 198.166.24.90[4500] to 207.228.78.237[10482] (76 bytes)
Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> generating TRANSACTION request 2115188573 [ HASH CPRQ(X_USER X_PWD) ]
-
I may have found a solution. Looking at the file system I see this:
-rw-r--r-- 1 root wheel 3638 Oct 31 13:54 ipsec.auth-user.php
It seems that strongSwan needs that file to be executable. So I made it executable by owner, and IPsec seems to work again:
chmod 744 /etc/inc/ipsec.auth-user.php
I don't know if there are security implications to doing this, and I also see that the file is writable by root, which seems strange to me since it's a script which I don't expect would change other than during upgrades. I left it writable for now since every file in /etc/inc seems to be 644.
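A post-upgrade sanity check built around the symptom in the first post and the chmod fix above, added here as an example (not code from the thread or from pfSense): it pulls the script path out of charon's "XAUTH-SCRIPT failed to execute script" lines and verifies the file is owner-executable without being group- or world-writable. The path and the expected mode are assumptions based on this thread.

```shell
#!/bin/sh
# Added example (not from this thread or pfSense): after an upgrade, verify the
# XAuth helper that strongSwan's charon runs has the mode it needs, and pull the
# script path out of charon log lines that report the failure.  The path and
# the expected mode (owner-executable, not group/world-writable) are assumptions.

# Print one status line for the script and return 0 only when it is usable.
check_xauth_script() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    # Owner must be able to execute it; this is the thread's chmod 744 fix.
    if [ ! -x "$f" ]; then
        echo "not-executable: $f"; return 1
    fi
    # ls -ld works on both FreeBSD (pfSense) and Linux; chars 6 and 9 of the
    # mode string are the group and other write bits.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) echo "group-or-world-writable: $f ($mode)"; return 1 ;;
    esac
    echo "ok: $f ($mode)"
}

# Read charon log text on stdin and print each script path named in a
# "XAUTH-SCRIPT failed to execute script '...'" line, once.
failed_xauth_scripts() {
    sed -n "s/.*XAUTH-SCRIPT failed to execute script '\([^']*\)'.*/\1/p" | sort -u
}

# Constructed sample log: two entries from this thread plus one unrelated line.
SAMPLE_LOG="Nov 20 10:27:00 charon 6966 05[IKE] <con-mobile|83> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 20 10:27:00 charon 6876 05[IKE] <con-mobile|83> XAuth authentication of 'jon' failed
Nov 22 16:31:01 charon 40560 15[IKE] <con-mobile|4> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'."

# Usage: check every script the log complains about (run on the firewall itself).
printf '%s\n' "$SAMPLE_LOG" | failed_xauth_scripts | while read -r p; do
    check_xauth_script "$p"
done
```

On a pfSense box you would feed it the real log (for example from clog or the GUI export) instead of SAMPLE_LOG; a "not-executable" line points at the chmod fix, a "group-or-world-writable" line at a mode that is looser than the 644 baseline seen in /etc/inc.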
-
@teverett Excellent, that fixed my issue as well. Thank you very much.
-
@jonsteinmetz do you happen to have this problem?
https://forum.netgate.com/topic/184293/unable-to-save-group-authentication
-
@teverett I will check shortly when I get home. Interestingly, while I can connect from my mobile device to my IPSec VPN I do not have access to the devices on my local network. Accessing the WAN while on VPN still seems to work. Accessing my local network did work previously. Hopefully there is some rule change I can make to access the local network.
-
@teverett said in iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64):
https://forum.netgate.com/topic/184293/unable-to-save-group-authentication
Yep, mine is also displaying this issue.
-
@jonsteinmetz Hopefully both issues are fixed soon. I have an LDAP challenge too, but I don't know if that's related to the new release, an old bug or I'm just doing it wrong.
-
@jonsteinmetz I seem to have a similar issue. I used to be able to ping the default GW on my LAN, now I can't.
-
@teverett I found a solution for my routing issue. Under "VPN/IPsec/Advanced Settings/Auto-exclude LAN address" there is a checkbox "Enable bypass for LAN interface IP". In my case it was checked and unchecking it allowed my VPN client to see devices on the local network. I have no idea if that was checked before the update or not.
See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html.
-
@jonsteinmetz In my case I had the network mask wrong in my phase 2. :)
The file permissions issue and the group authentication issue are still there however.
-
My android will not even connect to even external AP WiFi in 23.09. Other devices connect just fine.