Netgate Discussion Forum

    iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64)

    • T
      teverett
      last edited by

      I have the same issue

      Nov 22 16:31:01 charon 40560 15[IKE] <con-mobile|4> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
      Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed TRANSACTION response 2115188573 [ HASH CPRP(X_USER X_PWD) ]
      Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
      Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed INFORMATIONAL_V1 request 3180770281 [ HASH N(INITIAL_CONTACT) ]
      Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
      Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> sending packet: from 198.166.24.90[4500] to 207.228.78.237[10482] (76 bytes)
      Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> generating TRANSACTION request 2115188573 [ HASH CPRQ(X_USER X_PWD) ]

      T 1 Reply Last reply Reply Quote 0
      • T
        teverett @teverett
        last edited by teverett

        I may have found a solution. Looking at the file system I see this:

        -rw-r--r--  1 root wheel 3638 Oct 31 13:54 ipsec.auth-user.php
        

        It seems that strongSwan needs that file to be executable. So I made it executable by owner and IPSEC seems to work again.

        chmod 744 /etc/inc/ipsec.auth-user.php
        

        I don't know if there are security implications to doing this, and I also see that the file is writable by root, which seems strange to me since it's a script which I don't expect would change other than during upgrades. I left it writable for now since every file in /etc/inc seems to be 644.

        J 1 Reply Last reply Reply Quote 1
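An added example, not part of the original posts and not Netgate's own code: one way to pull the script path out of the `XAUTH-SCRIPT failed to execute script` log line quoted above and check that file's mode bits, covering both the missing owner-execute bit and the write-permission question raised in the post. The function names and exit codes are hypothetical; the sample log line is copied from the first post.

```shell
#!/bin/sh
# Added example: helper names and exit codes are illustrative, not pfSense tooling.

# Log line copied from the first post in this thread.
SAMPLE_LOG="Nov 22 16:31:01 charon 40560 15[IKE] <con-mobile|4> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'."

# Read charon log lines on stdin; print each distinct script path that
# charon reported it could not execute.
failed_xauth_scripts() {
    sed -n "s/.*XAUTH-SCRIPT failed to execute script '\([^']*\)'.*/\1/p" | sort -u
}

# Audit one script's mode bits.
#   0 = owner-executable and not writable by group or other
#   1 = owner execute bit missing (the failure seen after the upgrade)
#   2 = file not found
#   3 = executable, but writable by group or other
audit_script_mode() {
    f=$1
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    # 'find -perm -NNN' matches when every listed bit is set; this form
    # behaves the same on FreeBSD (pfSense) and GNU find.
    if [ -z "$(find "$f" -prune -perm -100)" ]; then
        echo "NOT-EXECUTABLE $f"
        return 1
    fi
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "LOOSE-WRITE $f"
        return 3
    fi
    echo "OK $f"
}

# Stand-alone run: audit every script named in the sample log line.
printf '%s\n' "$SAMPLE_LOG" | failed_xauth_scripts | while read -r p; do
    audit_script_mode "$p" || true
done
```

Mode 744, as applied in the post, passes this check: the owner can execute the script and only the owner (root) can modify it.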
        • J
          jonsteinmetz @teverett
          last edited by

          @teverett Excellent, that fixed my issue as well. Thank you very much.

          T 1 Reply Last reply Reply Quote 1
          • T
            teverett @jonsteinmetz
            last edited by

            @jonsteinmetz do you happen to have this problem?

            https://forum.netgate.com/topic/184293/unable-to-save-group-authentication

            J 2 Replies Last reply Reply Quote 0
            • J
              jonsteinmetz @teverett
              last edited by

              @teverett I will check shortly when I get home. Interestingly, while I can connect from my mobile device to my IPSec VPN I do not have access to the devices on my local network. Accessing the WAN while on VPN still seems to work. Accessing my local network did work previously. Hopefully there is some rule change I can make to access the local network.

              T 1 Reply Last reply Reply Quote 0
              • J
                jonsteinmetz @teverett
                last edited by

                @teverett said in iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64):

                https://forum.netgate.com/topic/184293/unable-to-save-group-authentication

                Yep, mine is also displaying this issue.

                T 1 Reply Last reply Reply Quote 0
                • T
                  teverett @jonsteinmetz
                  last edited by

                  @jonsteinmetz Hopefully both issues are fixed soon. I have an LDAP challenge too, but I don't know if that's related to the new release, an old bug or I'm just doing it wrong.

                  1 Reply Last reply Reply Quote 0
                  • T
                    teverett @jonsteinmetz
                    last edited by

                    @jonsteinmetz I seem to have a similar issue. I used to be able to ping the default GW on my LAN, now I can't.

                    J 1 Reply Last reply Reply Quote 0
                    • J
                      jonsteinmetz @teverett
                      last edited by

                      @teverett I found a solution for my routing issue. Under "VPN/IPsec/Advanced Settings/Auto-exclude LAN address" there is a checkbox "Enable bypass for LAN interface IP". In my case it was checked and unchecking it allowed my VPN client to see devices on the local network. I have no idea if that was checked before the update or not.

                      See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html.

                      T 1 Reply Last reply Reply Quote 1
                      • T
                        teverett @jonsteinmetz
                        last edited by

                        @jonsteinmetz In my case I had the network mask wrong in my phase 2. :)

                        The file permissions issue and the group authentication issue are still there however.

                        1 Reply Last reply Reply Quote 0
                        • JonathanLeeJ
                          JonathanLee
                          last edited by

                          My Android will not even connect to even external AP WiFi in 23.09. Other devices connect just fine.

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0