Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec

    2.2 Snapshot Feedback and Problems - RETIRED
    5
    30
    18.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      eri--
      last edited by

      Its not related to tool repo at all you have everything in that image.

      Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
      Somehow you are missing a dependency there.

      1 Reply Last reply Reply Quote 0
      • C
        charliem
        last edited by

        @ermal:

        Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
        Somehow you are missing a dependency there.

        There is no such plugin on my system, and I guess you need the tools repo to figure out why it's not being built.  This is an AMD64 image from yesterday.

        [2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(4): find / -iname \*smp\*
/kernels/kernel_SMP.gz
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(5): ls -l plugins
total 1220
-rwxr-xr-x  1 root  wheel    9349 May  6 05:20 libstrongswan-addrblock.so
-rwxr-xr-x  1 root  wheel   38028 May  6 05:20 libstrongswan-aes.so
-rwxr-xr-x  1 root  wheel   12613 May  6 05:20 libstrongswan-attr.so
-rwxr-xr-x  1 root  wheel   17666 May  6 05:20 libstrongswan-blowfish.so
-rwxr-xr-x  1 root  wheel   10380 May  6 05:20 libstrongswan-cmac.so
-rwxr-xr-x  1 root  wheel   12403 May  6 05:20 libstrongswan-constraints.so
-rwxr-xr-x  1 root  wheel   10856 May  6 05:20 libstrongswan-curl.so
-rwxr-xr-x  1 root  wheel   29206 May  6 05:20 libstrongswan-des.so
-rwxr-xr-x  1 root  wheel    9161 May  6 05:20 libstrongswan-dnskey.so
-rwxr-xr-x  1 root  wheel   19555 May  6 05:20 libstrongswan-eap-aka-3gpp2.so
-rwxr-xr-x  1 root  wheel   21748 May  6 05:20 libstrongswan-eap-aka.so
-rwxr-xr-x  1 root  wheel   10874 May  6 05:20 libstrongswan-eap-dynamic.so
-rwxr-xr-x  1 root  wheel    9472 May  6 05:20 libstrongswan-eap-identity.so
-rwxr-xr-x  1 root  wheel   11081 May  6 05:20 libstrongswan-eap-md5.so
-rwxr-xr-x  1 root  wheel   25868 May  6 05:20 libstrongswan-eap-mschapv2.so
-rwxr-xr-x  1 root  wheel   19188 May  6 05:20 libstrongswan-eap-peap.so
-rwxr-xr-x  1 root  wheel   48981 May  6 05:20 libstrongswan-eap-radius.so
-rwxr-xr-x  1 root  wheel   14671 May  6 05:20 libstrongswan-eap-sim-file.so
-rwxr-xr-x  1 root  wheel   22144 May  6 05:20 libstrongswan-eap-sim.so
-rwxr-xr-x  1 root  wheel    9642 May  6 05:20 libstrongswan-eap-tls.so
-rwxr-xr-x  1 root  wheel   18983 May  6 05:20 libstrongswan-eap-ttls.so
-rwxr-xr-x  1 root  wheel    9219 May  6 05:20 libstrongswan-fips-prf.so
-rwxr-xr-x  1 root  wheel   34630 May  6 05:20 libstrongswan-gmp.so
-rwxr-xr-x  1 root  wheel   10151 May  6 05:20 libstrongswan-hmac.so
-rwxr-xr-x  1 root  wheel   12819 May  6 05:20 libstrongswan-ipseckey.so
-rwxr-xr-x  1 root  wheel   36303 May  6 05:20 libstrongswan-kernel-pfkey.so
-rwxr-xr-x  1 root  wheel   26592 May  6 05:20 libstrongswan-kernel-pfroute.so
-rwxr-xr-x  1 root  wheel    9550 May  6 05:20 libstrongswan-md4.so
-rwxr-xr-x  1 root  wheel   10110 May  6 05:20 libstrongswan-md5.so
-rwxr-xr-x  1 root  wheel    7390 May  6 05:20 libstrongswan-nonce.so
-rwxr-xr-x  1 root  wheel  103975 May  6 05:20 libstrongswan-openssl.so
-rwxr-xr-x  1 root  wheel   19993 May  6 05:20 libstrongswan-pem.so
-rwxr-xr-x  1 root  wheel   19897 May  6 05:20 libstrongswan-pgp.so
-rwxr-xr-x  1 root  wheel   14472 May  6 05:20 libstrongswan-pkcs1.so
-rwxr-xr-x  1 root  wheel   14979 May  6 05:20 libstrongswan-pkcs12.so
-rwxr-xr-x  1 root  wheel   34623 May  6 05:20 libstrongswan-pkcs7.so
-rwxr-xr-x  1 root  wheel    9657 May  6 05:20 libstrongswan-pkcs8.so
-rwxr-xr-x  1 root  wheel   10008 May  6 05:20 libstrongswan-pubkey.so
-rwxr-xr-x  1 root  wheel    9426 May  6 05:20 libstrongswan-random.so
-rwxr-xr-x  1 root  wheel   10070 May  6 05:20 libstrongswan-rc2.so
-rwxr-xr-x  1 root  wheel   12288 May  6 05:20 libstrongswan-resolve.so
-rwxr-xr-x  1 root  wheel   15030 May  6 05:20 libstrongswan-revocation.so
-rwxr-xr-x  1 root  wheel   14382 May  6 05:20 libstrongswan-sha1.so
-rwxr-xr-x  1 root  wheel   16210 May  6 05:20 libstrongswan-sha2.so
-rwxr-xr-x  1 root  wheel   14942 May  6 05:20 libstrongswan-socket-default.so
-rwxr-xr-x  1 root  wheel   13568 May  6 05:20 libstrongswan-sshkey.so
-rwxr-xr-x  1 root  wheel  101821 May  6 05:20 libstrongswan-stroke.so
-rwxr-xr-x  1 root  wheel   16166 May  6 05:20 libstrongswan-unbound.so
-rwxr-xr-x  1 root  wheel   15377 May  6 05:20 libstrongswan-updown.so
-rwxr-xr-x  1 root  wheel   12132 May  6 05:20 libstrongswan-whitelist.so
-rwxr-xr-x  1 root  wheel   90623 May  6 05:20 libstrongswan-x509.so
-rwxr-xr-x  1 root  wheel   10314 May  6 05:20 libstrongswan-xauth-eap.so
-rwxr-xr-x  1 root  wheel   12961 May  6 05:20 libstrongswan-xauth-generic.so
-rwxr-xr-x  1 root  wheel   10345 May  6 05:20 libstrongswan-xcbc.so
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(6):

        [edit: add system info]

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          Ok fixed should show up on upcoming snaps.

          Thank you for the help.

          1 Reply Last reply Reply Quote 0
          • C
            charliem
            last edited by

            @ermal:

            Ok fixed should show up on upcoming snaps.

            Well, the smp plugin is loaded OK now and charon.xml socket is created in /var/run.  (I note on the StronSwan plugins wiki page, the smp plugin is still classified as 'in development / incomplete').  There are still some issues:

            • gui still shows that ipsec is stopped
            • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
            • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
            • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

            [1] Actually the lines for negotiation are not exact duplicates: one line is preceded by the logging level like so:

            May  7 13:33:44 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  7 13:33:44 pfsense charon: 08[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID

            But this is far enough along for me to dig deeper and try to figure out why the negotiation is failing.

            Thanks for looking into this.

            1 Reply Last reply Reply Quote 0
            • C
              charliem
              last edited by

              As of: Current version: 2.2-ALPHA Built On: Sun May 11 03:46:29 CDT 2014

              @charliem:

              • gui still shows that ipsec is stopped

              This one is fixed

              • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log

              This one is still there

              • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).

              This one is fixed

              • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

              This one is still there

              To date I've not been able to get Ipsec to work; I'm trying to get PSK mode working in road warrior mode, and charon is claiming to not find a shared key.  Configuration was working with 2.1.2, though by now I've tried lots of different configs.  Could be the 'ipseckey plugin is disabled' that's causing the issue?:

              May 11 23:35:01 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, FreeBSD 10.0-STABLE, amd64)
              May 11 23:35:01 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
              May 11 23:35:01 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
              May 11 23:35:01 pfsense charon: 00[CFG] ipseckey plugin is disabled
              May 11 23:35:01 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
              May 11 23:35:01 pfsense charon: 00[CFG]  loaded ca certificate "C=US, ST=xxxxxxxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
              May 11 23:35:01 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
              May 11 23:35:01 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
              May 11 23:35:01 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
              May 11 23:35:01 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
              May 11 23:35:01 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
              May 11 23:35:01 pfsense charon: 00[CFG]**  loaded IKE secret for vpnusers@no_place_special.com**
              May 11 23:35:01 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
              le or directory
              May 11 23:35:01 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
              May 11 23:35:01 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
              random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
              s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap
              -sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xaut
              h-eap whitelist addrblock
              May 11 23:35:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
              May 11 23:35:01 pfsense charon: 00[JOB] spawning 16 worker threads

              Failing to find PSK:

              May 12 16:48:01 pfsense charon: 11[IKE] IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:01 pfsense charon: 11[IKE] <con1-1|26>IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <27> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] <27> 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[IKE] <27> IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[CFG] looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] <27> looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[IKE] sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE]   activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[NET] sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <con1-1|27>sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:11 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:11 pfsense charon: 11[NET] <28> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500]</con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|26>
              1 Reply Last reply Reply Quote 0
              • E
                eri--
                last edited by

                Can you try next snapshots?

                Also if you get issues on matching the ID try using an PSK with a name of 'allusers'.

                1 Reply Last reply Reply Quote 0
                • C
                  charliem
                  last edited by

                  Works for me now, thanks.  I did add 'any' and 'allusers', and also changed the client to use ip address as remote identity rather than 'key identifier'.  Not sure which did it.

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Check the format of ipsec.secrets. I added some code yesterday to make it properly honor the mobile tunnel identifier when it otherwise wouldn't.

                    Using allusers can help but it sets up an anonymous PSK which may not be what you want for general mobile IPsec (but it would be what someone wants for L2TP+IPsec)

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • C
                      charliem
                      last edited by

                      Yep, the image I'm using already has that commit.  Just now I took out the anonymous allusers and any PSK, and added the remote IP address.  It still connects OK with IP, I'll try to test key id later.

                      I'm seeing the connection being destroyed due to initiator not reauthenticating though, but that may well be a config problem on the client end (shrewsoft).  Client is unaware that the connection is dropped.  Not sure why a timeout is announced 9 minutes before it's scheduled, and then the connection is dropped immediately.  What happened to the 9 minutes?

                      May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>initiator did not reauthenticate as requested
May 16 13:14:29 pfsense charon: 05[IKE] IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:56 pfsense charon: 07[IKE] <con1-1|19>delaying task initiation, QUICK_MODE exchange in progress
May 16 13:15:00 pfsense charon: 07[IKE] giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[CFG] lease 192.168.3.1 by '10.5.60.58' went offline
May 16 13:15:00 pfsense charon: 07[CFG] <con1-1|19>lease 192.168.3.1 by '10.5.60.58' went offline</con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19>
                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          In short:

                          • Snap from this morning can't have more than one concurrent user connected, fixed now
                          • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
                          • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
                          • If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • C
                            charliem
                            last edited by 

                            [2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime
Mon May 19 13:13:23 CDT 2014
[2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki
exec: /usr/local/bin/pki: not found
[2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki
[2.2-ALPHA][root@pfsense.localdomain]/root(7):

                            Is this intentional?  Any valid reason not to include it?

                            1 Reply Last reply Reply Quote 0
                            • E
                              eri--
                              last edited by

                              Added mostly an oversight.

                              Though why would one need it in a GUI environment is out of me.

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                @jimp:

                                • Snap from this morning can't have more than one concurrent user connected, fixed now

                                Fixed on current snaps.

                                @jimp:

                                • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).

                                Should be fixed on the next new snaps.

                                @jimp:

                                • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local

                                That appears to be a difference in how strongswan and racoon operate mobile connections. It's going to be required to add that manually unless we add an option to automatically add it.

                                Also L2TP+IPsec is almost working. More on that later.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • C
                                  charliem
                                  last edited by

                                  @ermal:

                                  Though why would one need it in a GUI environment is out of me.

                                  So newbies like me can follow how-tos on the 'net, trying to learn  :)

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    charliem
                                    last edited by

                                    Thanks for working on this.  I'm seeing the following (ask for more details if needed):

                                    • banner doesn't appear (shrewsoft client, banner appeared with racoon)
                                    • re-auth fails, client is oblivious (psk road warrior config)
                                    • No SAs or SPs appear on the web gui when connected
                                    • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

                                    Let me know if there is any particular testing or other info you need!  I'm pretty new to IPSEC, just trying to get my 2.1 config working under 2.2.

                                    BTW, the change to weakswan under psk aggressive is a strong motivator to learn a proper config ….

                                    1 Reply Last reply Reply Quote 0
                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by

                                      @charliem:

                                      • banner doesn't appear (shrewsoft client, banner appeared with racoon)

                                      It shows up for me. Are you sure you're on a current snapshot?
                                      Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

                                      @charliem:

                                      • re-auth fails, client is oblivious (psk road warrior config)

                                      re-auth when? When the P1 expires? Or when the server restarts?

                                      @charliem:

                                      • No SAs or SPs appear on the web gui when connected

                                      That's expected at the moment, there's a ticket open. Those tabs may go away, all the info is on the first tab there's a button under each connection to view the child SAs.

                                      @charliem:

                                      • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

                                      What does that mean? Using the key id or IP address where on the client/server?

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        charliem
                                        last edited by

                                        @jimp:

                                        @charliem:

                                        • banner doesn't appear (shrewsoft client, banner appeared with racoon)

                                        It shows up for me. Are you sure you're on a current snapshot?
                                        Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

                                        Current as of last night

                                        @jimp:

                                        @charliem:

                                        • re-auth fails, client is oblivious (psk road warrior config)

                                        re-auth when? When the P1 expires? Or when the server restarts?

                                        When P1 expires:

                                        May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]…173.15.aa.bb[10.5.60.58]
                                        May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
                                        May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s</con1-1|4>
                                        May 21 10:33:46 pfsense charon: 01[IKE] maximum IKE_SA lifetime 3368s
                                        .
                                        .
                                        .
                                        May 21 11:20:06 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:20:26 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:20:26 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:20:46 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:20:46 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested  <== 2828 sec expires here
                                        May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
                                        May 21 11:20:54 pfsense charon: 16[IKE] IKE_SA con1-1[4] will timeout in 9 minutes
                                        May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
                                        May 21 11:20:54 pfsense charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c3d88eca and reqid {1}
                                        May 21 11:20:54 pfsense charon: 11[ENC] generating QUICK_MODE request 2100136337 [ HASH SA No ID ID ]
                                        May 21 11:20:54 pfsense charon: 11[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:20:58 pfsense charon: 16[IKE] sending retransmit 1 of request message ID 2100136337, seq 1
                                        May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
                                        May 21 11:20:58 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:21:06 pfsense charon: 16[IKE] sending retransmit 2 of request message ID 2100136337, seq 1
                                        May 21 11:21:06 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 2 of request message ID 2100136337, seq 1
                                        May 21 11:21:06 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:21:19 pfsense charon: 16[IKE] sending retransmit 3 of request message ID 2100136337, seq 1
                                        May 21 11:21:19 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 3 of request message ID 2100136337, seq 1
                                        May 21 11:21:19 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:21:38 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:21:38 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:21:42 pfsense charon: 16[IKE] sending retransmit 4 of request message ID 2100136337, seq 1
                                        May 21 11:21:42 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 4 of request message ID 2100136337, seq 1
                                        May 21 11:21:42 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:21:42 pfsense charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI c71c158f and reqid {1}
                                        May 21 11:22:01 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:22:01 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:22:21 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:22:21 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:22:24 pfsense charon: 01[IKE] sending retransmit 5 of request message ID 2100136337, seq 1
                                        May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
                                        May 21 11:22:24 pfsense charon: 01[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
                                        May 21 11:22:43 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:22:43 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:23:03 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:23:03 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:23:23 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:23:23 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
                                        May 21 11:23:39 pfsense charon: 16[IKE] giving up after 5 retransmits
                                        May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
                                        May 21 11:23:39 pfsense charon: 16[IKE] unable to reestablish IKE_SA due to asymmetric setup
                                        May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
                                        May 21 11:23:39 pfsense charon: 16[KNL] unable to delete SAD entry with SPI ca40ad92: No such file or directory (2)
                                        May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline</con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4>

                                        @charliem:

                                        • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

                                        What does that mean? Using the key id or IP address where on the client/server?

                                        On pfSense I have to configure PSK entries for the ip addresses , and configure the shrewsoft client to use 'ip address (discovered remote host address)'.  Can't get 'key id' to work.  I'll pay more attention and give better details, or set up proper certs.

                                        1 Reply Last reply Reply Quote 0
                                        • jimpJ
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          It works for me using an ID, though I use "User FQDN" as the type. My "mobile" config is the same as what we have documented on the doc wiki for mobile IPsec on 2.x, since we are trying to ensure a smooth transition using the same settings as before.

                                          The reauth bit looks like the client didn't do what it should. I'm not sure what the server can do there to help, if anything.

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.