    Mobile Tunnels Fail After 2.2.2 upgrade

      jrudolph

      We recently upgraded from a 2.1.X version (i don't recall the X part at this time) and previously had perfectly working ipsec mobile tunnels.

      After the upgrade the connection stalls out with

      Client:

      2015-06-21 16:55:48 vpnc version 0.5.3
      2015-06-21 16:55:48 IKE SA selected psk+xauth-aes256-sha1
      2015-06-21 16:55:48 NAT status: this end behind NAT? YES -- remote end behind NAT? YES
      2015-06-21 16:55:48 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
      2015-06-21 16:55:48 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

      Server:

      Jun 21 17:32:27 charon: 05[CFG] <con1|12> lease 10.255.0.193 by 'jrudolph' went offline
      Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con1[12] between XXXXXXXXXXXXX….XXXXXXXXXXXX
      Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con1[12] between XXXXXXXXX…XXXXXXXXXXXXXXX
      Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con1[12]
      Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con1[12]
      Jun 21 17:32:27 charon: 05[ENC] <con1|12> parsed INFORMATIONAL_V1 request 54 [ HASH D ]
      Jun 21 17:32:27 charon: 05[NET] <con1|12> received packet: from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
      Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify

      Some background on clients and settings:

      Using Shimo Client on OSX with a "CISCO IPSEC" profile and VPNC as internal system.

      Using PSK + Xauth (all users properly assigned xauth VPN permissions… as it was working fine before upgrade)

      PHASE 1 Settings:

      Key Exchange: V1
      IP: V4
      Interface: Carp Virtual IP Interface

      Auth Method: Mutual PSK + XAuth
      Negotiation: Aggressive
      My Id: My IP Address
      Peer Id: UDN user@domain.com
      psk: <psk here>
      Enc: AES256
      Hash: SHA1
      DH Group: 2

      NAT-T: Force
      DPD: On 10/5

      PHASE 2 Settings:

      Mode: TunIP4
      Type: Network
      No NAT/BINAT

      Protocol: ESP
      Enc: AES256
      Hash: SHA1
      PFS Key Group: 2
      Lifetime: 28800

      Mobile Clients Settings:

      User Auth: Local DB
      Group Auth: System

      Network List Checked
      Save XAuth Checked (I think this was unchecked before but got checked during my 6 hours trying to make this work)

      Phase 2 PFS Group: Checked and 2

      Client:

      Using a "Cisco" profile in Shimo with the usual group/PSK settings plus user XAuth

      Sample VPNC config from client

      Vendor cisco
      IPSec gateway X.X.X.X
      IPSec ID user@domain.com
      Xauth username jrudolph
      Interface mode tun
      IKE Authmode psk
      NAT Traversal Mode force-natt
      Local Port 500

      Expert Configuration:

      Interface MTU 1428

      I have tried EVERYTHING and can only seem to make it worse if any change at all.

      I know there was a switch away from raccoon to strongswan but I can't find any docs out there that are not for the racoon version.

      Any help would be appreciated.

      Thanks,
      Jody

        cmb

        Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
        https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

          jrudolph

          @cmb:

          Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
          https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

          No, server side is on public IP. I noticed that too and what caused it was the "force NAT" setting on pfSense. I unchecked that and now see the same problem (except for that part) as below

          2015-06-21 18:54:31 State changed to: Contacting (before: Disconnected)
          2015-06-21 18:54:31 Enter IPSec secret for vpn@vaspian.com@X.X.X.X:
          2015-06-21 18:54:31 Enter password for jrudolph@X.X.X.X:
          2015-06-21 18:54:31 vpnc version 0.5.3
          2015-06-21 18:54:31 IKE SA selected psk+xauth-aes128-sha1
          2015-06-21 18:54:31 NAT status: this end behind NAT? YES -- remote end behind NAT? no
          2015-06-21 18:54:31 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
          2015-06-21 18:54:31 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

          I have both sides set to "auto" NAT now.

          Thanks for the reply, though. Seems something else is the issue. Hoping someone has seen this and can help.

            cmb

            Ah, yeah when you force there that'll also make the client see it that way.

            Could you get me into your system, or a copy of your config? PM me and we can arrange details. That definitely all works in general, so I'm not sure what the issue could be.

              rightnow

              Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

              It worked before with Shrewsoft/Android and iPhone.

                jrudolph

                @rightnow:

                Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

                It worked before with Shrewsoft/Android and iPhone.

                I've read other reports (on various other forums) of the same before I came here and posted. All were different clients and 2.1.x upgrading to 2.2.x.

                I was amazed no one had mentioned it here.

                Is this possibly something that could happen to the upgrade procedure?

                  jrudolph

                  I have verified this same error is the result when using a bare (freshly compiled) installation of VPNC.

                  This is an interactive, non-config-file, psk/xauth session attempt.

                  Jodys-MacBook-Pro:vpnc jrudolph$ sudo /usr/local/sbin/vpnc
                  Enter IPSec gateway address: X.X.X.X
                  Enter IPSec ID for X.X.X.X: user@domain.com
                  Enter IPSec secret for user@domain.com@X.X.X.X:
                  Enter username for X.X.X.X: jrudolph
                  Enter password for jrudolph@X.X.X.X:
                  configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

                  Something about Strongswan and VPNC does not play nice (in this scenario).

                    cmb

                    @rightnow:

                    Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

                    It worked before with Shrewsoft/Android and iPhone.

                    If you're using PSKs defined in the user manager or on vpn_ipsec_keys.php, there was an issue there until 2.2.3 for mobile clients.

                    Most of the remainder of mobile IPsec issues are one of these three:
                    https://doc.pfsense.org/index.php/Upgrade_Guide#Problem_in_racoon_with_aggressive_mode_and_NAT-D
                    https://doc.pfsense.org/index.php/Upgrade_Guide#Mobile_client_users.2C_verify_Local_Network
                    https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

                    jrudolph's issue with vpnc looks to be unrelated to those, I'm looking into it now. It wouldn't be the same issue with Shrewsoft or Android or iOS. Please review the above links, and start your own thread with info (IPsec logs especially) if you're still having issues.

                      cmb
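The two log excerpts in the first post (the vpnc client output and the charon lines from the pfSense side) contain everything needed to sort this failure into the buckets cmb lists above. The script below is an added example, not code from the thread or from pfSense, strongSwan or vpnc: it parses both kinds of lines, groups the charon messages by IKE_SA, and returns finding codes. The sample lines are constructed to match the shape of the excerpts posted (addresses masked the same way), and all function and finding names are my own.

```python
"""Triage a failed IKEv1 PSK+XAuth mobile connection from its two log excerpts.

Added example for the thread above; not the project's own code. Function
names, finding codes and the sample log lines below are my own constructions.
"""
import re
from collections import defaultdict

# charon line: "Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA ..."
# The space after '>' is optional because copy/paste often drops it.
CHARON_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<grp>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> ?(?P<msg>.*)$"
)
# vpnc prints the NAT status with ' -- '; forum rendering may turn it into an en dash.
NAT_RE = re.compile(r"this end behind NAT\? (\w+) (?:--|–) remote end behind NAT\? (\w+)")
REJECT_RE = re.compile(r"configuration response rejected:\s*\((\w+)\)\((\d+)\)")
PROPOSAL_RE = re.compile(r"IKE SA selected (\S+)")
LEASE_RE = re.compile(r"lease (\S+) by '([^']+)' went offline")

# Constructed sample input, shaped like the excerpts in the first post.
CLIENT_LOG = """\
2015-06-21 16:55:48 vpnc version 0.5.3
2015-06-21 16:55:48 IKE SA selected psk+xauth-aes256-sha1
2015-06-21 16:55:48 NAT status: this end behind NAT? YES -- remote end behind NAT? YES
2015-06-21 16:55:48 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
2015-06-21 16:55:48 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)
"""

SERVER_LOG = """\
Jun 21 17:32:27 charon: 05[CFG] <con1|12> lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con1[12] between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[user@domain.com]
Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[ENC] <con1|12> parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12> received packet: from X.X.X.X[4500] to Y.Y.Y.Y[4500]
Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
"""


def parse_client_log(text):
    """Extract the few facts vpnc prints that matter for this failure."""
    info = {"proposal": None, "local_behind_nat": None,
            "remote_behind_nat": None, "phase2_fatal": False, "rejected": None}
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            info["proposal"] = m.group(1)
        elif m := NAT_RE.search(line):
            info["local_behind_nat"] = m.group(1).lower() == "yes"
            info["remote_behind_nat"] = m.group(2).lower() == "yes"
        elif "phase2_fatal" in line:
            info["phase2_fatal"] = True
        elif m := REJECT_RE.search(line):
            info["rejected"] = (m.group(1), int(m.group(2)))
    return info


def parse_server_log(text):
    """Group charon messages by IKE_SA name such as 'con1[12]'.

    Line order is ignored on purpose: the pfSense log viewer lists newest
    lines first, which is how the excerpt in the thread is ordered."""
    sas = defaultdict(list)
    for line in text.splitlines():
        if m := CHARON_RE.match(line):
            sas[f"{m['conn']}[{m['sa']}]"].append((m["grp"], m["msg"]))
    return dict(sas)


def triage(client, sas, server_nat_t_forced=False):
    """Return finding codes; duplicates (pfSense logs each line twice) are dropped."""
    findings = []
    if client["rejected"] and client["rejected"][0] == "ISAKMP_N_PAYLOAD_MALFORMED":
        # The client refused the Mode-Config reply, so the failure is after auth.
        findings.append("CLIENT_REJECTED_MODE_CONFIG")
    for sa, events in sas.items():
        msgs = [msg for _, msg in events]
        if any("received PAYLOAD_MALFORMED error notify" in m for m in msgs):
            findings.append(f"SERVER_GOT_PAYLOAD_MALFORMED:{sa}")
        for m in msgs:
            # A released lease means PSK and XAuth had already succeeded.
            if lm := LEASE_RE.search(m):
                findings.append(f"LEASE_WAS_ASSIGNED:{lm.group(1)}:{lm.group(2)}")
        if any(m.startswith("deleting IKE_SA") for m in msgs):
            findings.append(f"IKE_SA_DELETED:{sa}")
    if client["remote_behind_nat"]:
        # With NAT-T forced on the server, the client reports the server as
        # behind NAT; otherwise this points at the P1 "My identifier" setting.
        findings.append("SERVER_SEEN_BEHIND_NAT:expected_with_forced_natt"
                        if server_nat_t_forced
                        else "SERVER_SEEN_BEHIND_NAT:check_p1_my_identifier")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for code in triage(parse_client_log(CLIENT_LOG), parse_server_log(SERVER_LOG),
                       server_nat_t_forced=True):
        print(code)
```

Run against the sample with `server_nat_t_forced=True` (the first post's original setting), it reports that the server had already assigned a lease, that the client then rejected the configuration reply as malformed, and that the "remote end behind NAT? YES" reading is the expected side effect of forcing NAT-T rather than a separate fault; with the flag off it instead points at the Phase 1 identifier check from the upgrade guide.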

                      There are either issues in vpnc when connecting to strongswan, or in strongswan itself. Configs that work fine with the built-in IPsec client in iOS and OS X, Shrewsoft, and others fail with vpnc where it should function the same as the others. My gut feel is it's a vpnc issue of some sort that racoon just didn't trigger for some reason, given all the other similar clients work fine in the same circumstance. There are a number of instances of people using vpnc with strongswan, though many of those date back quite some time. I updated the bug ticket and will revisit as soon as time permits (in the process of getting 2.2.3 to release this week).
                      https://redmine.pfsense.org/issues/4784
