23.09 Update and IPSec operation
-
It was recently brought to my attention that mobile users aren't able to connect to their VPNs.
After looking in the logs, I found this:
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> IKE_SA con-mobile[15] state change: CONNECTING => DESTROYING
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> destroying IKE_SA after failed XAuth authentication
Nov 27 19:25:45 charon 5493 08[ENC] <con-mobile|15> parsed TRANSACTION response 3058906979 [ HASH CPA(X_STATUS) ]
Nov 27 19:25:45 charon 5493 08[NET] <con-mobile|15> received packet: from 10.11.12.13[18482] to 101.112.131.114[4500] (76 bytes)
Nov 27 19:25:45 charon 5493 08[NET] <con-mobile|15> sending packet: from 101.112.131.114[4500] to 10.11.12.13[18482] (76 bytes)
Nov 27 19:25:45 charon 5493 08[ENC] <con-mobile|15> generating TRANSACTION request 3058906979 [ HASH CPS(X_STATUS) ]
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> XAUTH task
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> reinitiating already active tasks
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> XAuth authentication of 'user1' failed
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> Could not authenticate with XAuth secrets for 'target@vpn.domain.tld' - 'user1'
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> XAuth-SCRIPT failed for user 'user1' with return status: -1.
Nov 27 19:25:45 charon 66318 08[IKE] <con-mobile|15> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 27 19:25:45 charon 5493 08[ENC] <con-mobile|15> parsed TRANSACTION response 3565162930 [ HASH CPRP(X_USER X_PWD) ]
Nov 27 19:25:45 charon 5493 08[NET] <con-mobile|15> received packet: from 10.11.12.13[18482] to 101.112.131.114[4500] (108 bytes)
Nov 27 19:25:45 charon 5493 08[ENC] <con-mobile|15> parsed INFORMATIONAL_V1 request 2967524497 [ HASH N(INITIAL_CONTACT) ]
Nov 27 19:25:45 charon 5493 08[NET] <con-mobile|15> received packet: from 10.11.12.13[18482] to 101.112.131.114[4500] (92 bytes)
Nov 27 19:25:45 charon 5493 08[NET] <con-mobile|15> sending packet: from 101.112.131.114[4500] to 10.11.12.13[18482] (76 bytes)
Nov 27 19:25:45 charon 5493 08[ENC] <con-mobile|15> generating TRANSACTION request 3565162930 [ HASH CPRQ(X_USER X_PWD) ]
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> activating XAUTH task
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> activating new tasks
I also found this thread here - iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64) on the forums, where the user teverett tells us to add 744 permissions to the mentioned PHP script.
Well, I'm a bit old fashioned and giving 744 permissions to said file isn't exactly what I was aiming for.
But in the same topic we get this reference to yet more problems, like not being able to save group authentication etc.
Unfortunately I did not see any participation from Netgate members or other staff, so I hope @jimp forgives me for calling his attention like this, but would it be possible to have some sort of opinion from Netgate's view about these issues?
Thank you.
-
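The log excerpt above carries two different failure messages that are worth telling apart when triaging: "XAUTH-SCRIPT failed to execute script" means the auth helper never ran (a permissions, interpreter or path problem), while a bare "XAuth authentication of '<user>' failed" means the helper ran and rejected the credentials. As an added example, not code from this thread or from pfSense, here is a small POSIX sh triage script that classifies constructed sample lines in that format; the sample lines and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: triage charon
# XAuth log lines by distinguishing "the auth script could not run at all"
# (the failure mode in the original post) from "the script ran and rejected
# the credentials". Plain POSIX sh, so it also runs on pfSense's /bin/sh.

# Constructed sample in the same format as the log excerpt in the post.
SAMPLE_LOG=$(cat <<'EOF'
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> destroying IKE_SA after failed XAuth authentication
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> XAuth authentication of 'user1' failed
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> XAuth-SCRIPT failed for user 'user1' with return status: -1.
Nov 27 19:25:45 charon 66318 08[IKE] <con-mobile|15> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 27 19:25:45 charon 5493 08[IKE] <con-mobile|15> activating XAUTH task
EOF
)

# Print each distinct script path that charon reported it could not execute.
failed_exec_scripts() {
    sed -n "s/.*XAUTH-SCRIPT failed to execute script '\([^']*\)'.*/\1/p" | sort -u
}

# Count per-user XAuth rejections ("XAuth authentication of '<user>' failed").
# grep -c exits 1 when the count is 0, so keep the pipeline status at 0.
count_user_failures() {
    grep -c "XAuth authentication of '[^']*' failed" || true
}

# Classify a log excerpt read from stdin:
#   script-exec-failure  helper script never ran (permissions/interpreter/path)
#   credential-failure   helper ran, user/password rejected
#   none                 no XAuth failure in the excerpt
classify_xauth_failure() {
    excerpt=$(cat)
    if printf '%s\n' "$excerpt" | grep -q "XAUTH-SCRIPT failed to execute script"; then
        echo "script-exec-failure"
    elif printf '%s\n' "$excerpt" | grep -q "XAuth authentication of '[^']*' failed"; then
        echo "credential-failure"
    else
        echo "none"
    fi
}

# Run on the constructed sample: prints the class, then the script path(s).
printf '%s\n' "$SAMPLE_LOG" | classify_xauth_failure
printf '%s\n' "$SAMPLE_LOG" | failed_exec_scripts
```

On a live box, feed it the IPsec log instead of the sample (for instance `clog /var/log/ipsec.log | classify_xauth_failure`) and, for a script-exec-failure result, inspect the reported path's owner and mode before changing anything.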
@maverickws for clarity, I'm a little confused why the permissions are not 500, for example.
-
@teverett well, from a security point of view, permissions are 644 as the web server user was expected to have read rights over the file it's serving.
Today this distinction isn't so clear imo.
Here with pfSense everything runs as root ...
-
@maverickws said in 23.09 Update and IPSec operation:
ipsec.auth-user.php
known issue :)
https://redmine.pfsense.org/issues/14974
-
@SteveITS thanks! Is there also progress on the issue of not being able to save group authentication?
-
@teverett Don't know...have you tried searching your error/issue in the redmine site? That's where bugs/fixes live. I just searched for that one filename above. I see your post linked above. If the issue is reproducible and there's no redmine open I'd open one.
-
Confirmed this is fixed in 23.09.1-RELEASE