Mobile Tunnels Fail After 2.2.2 upgrade
-
We recently upgraded from a 2.1.X version (I don't recall the X part at this time) and previously had perfectly working IPsec mobile tunnels.
After the upgrade the connection stalls out with
Client:
2015-06-21 16:55:48 vpnc version 0.5.3
2015-06-21 16:55:48 IKE SA selected psk+xauth-aes256-sha1
2015-06-21 16:55:48 NAT status: this end behind NAT? YES – remote end behind NAT? YES
2015-06-21 16:55:48 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
2015-06-21 16:55:48 configuration response rejected: (ISAKMP_N_PAYLOAD_MALFORMED)(16)
Server:
Jun 21 17:32:27 charon: 05[CFG] <con1|12>lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXXXXXX….XXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXX…XXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[ENC] <con1|12>parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12>received packet: from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify
Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify
Some background on clients and settings:
Using Shimo Client on OSX with a "CISCO IPSEC" profile and VPNC as internal system.
Using PSK + Xauth (all users properly assigned xauth VPN permissions… as it was working fine before upgrade)
PHASE 1 Settings:
Key Exchange: V1
IP: V4
Interface: Carp Virtual IP Interface
Auth Method: Mutual PSK + XAuth
Negotiation: Aggressive
My Id: My IP Address
Peer Id: UDN user@domain.com
psk: <psk here>
Enc: AES256
Hash: SHA1
DH Group: 2
NAT-T: Force
DPD: On 10/5
PHASE 2 Settings:
Mode: TunIP4
Type: Network
No NAT/BINAT
Protocol: ESP
Enc: AES256
Hash: SHA1
PFS Key Group: 2
Lifetime: 28800
Mobile Clients Settings:
User Auth: Local DB
Group Auth: System
Network List Checked
Save XAuth Checked (I think this was unchecked before but got checked during my 6 hours trying to make this work)
Phase 2 PFS Group: Checked and 2
Client:
Using a "Cisco" profile in Shimo with the usual group/PSK settings plus user XAuth
Sample VPNC config from client
Vendor cisco
IPSec gateway X.X.X.X
IPSec ID user@domain.com
Xauth username jrudolph
Interface mode tun
IKE Authmode psk
NAT Traversal Mode force-natt
Local Port 500
Expert Configuration:
Interface MTU 1428
I have tried EVERYTHING and can only seem to make it worse if any change at all.
I know there was a switch away from racoon to strongSwan but I can't find any docs out there that are not for the racoon version.
Any help would be appreciated.
Thanks,
Jody
-
Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation -
@cmb:
Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation
No, server side is on public IP. I noticed that too and what caused it was the "force NAT" setting on pfSense. I unchecked that and now see the same problem (except for that part) as below:
2015-06-21 18:54:31 State changed to: Contacting (before: Disconnected)
2015-06-21 18:54:31 Enter IPSec secret for vpn@vaspian.com@X.X.X.X:
2015-06-21 18:54:31 Enter password for jrudolph@X.X.X.X:
2015-06-21 18:54:31 vpnc version 0.5.3
2015-06-21 18:54:31 IKE SA selected psk+xauth-aes128-sha1
2015-06-21 18:54:31 NAT status: this end behind NAT? YES – remote end behind NAT? no
2015-06-21 18:54:31 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
2015-06-21 18:54:31 configuration response rejected: (ISAKMP_N_PAYLOAD_MALFORMED)(16)
I have both sides set to "auto" NAT now.
Thanks for the reply, though. Seems something else is the issue. Hoping someone has seen this and can help.
-
Ah, yeah when you force there that'll also make the client see it that way.
Could you get me into your system, or a copy of your config? PM me and we can arrange details. That definitely all works in general, so I'm not sure what the issue could be.
-
Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.
It worked before with Shrewsoft/Android and iPhone.
-
Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.
It worked before with Shrewsoft/Android and iPhone.
I've read other reports (on various other forums) of the same before i came here and posted. All were different clients and 2.1.x upgrading to 2.2.x.
I was amazed no one had mentioned it here.
Is this possibly something that could happen to the upgrade procedure?
-
I have verified this same error is the result when using a bare (fresh compiled) installation of VPNC
this is an interactive, non-config-file, psk/xauth session attempt.
Jodys-MacBook-Pro:vpnc jrudolph$ sudo /usr/local/sbin/vpnc
Enter IPSec gateway address: X.X.X.X
Enter IPSec ID for X.X.X.X: user@domain.com
Enter IPSec secret for user@domain.com@X.X.X.X:
Enter username for X.X.X.X: jrudolph
Enter password for jrudolph@X.X.X.X:
configuration response rejected: (ISAKMP_N_PAYLOAD_MALFORMED)(16)
Something about strongSwan and vpnc does not play nice (in this scenario).
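Added example, not code from this thread or from pfSense, strongSwan or vpnc: the "(ISAKMP_N_PAYLOAD_MALFORMED)(16)" vpnc prints is the client reporting an ISAKMP Notification payload whose notify message type is 16, PAYLOAD-MALFORMED (RFC 2408 section 3.14.1), the same thing charon logs as "received PAYLOAD_MALFORMED error notify". The decoder below builds a constructed INFORMATIONAL message carrying such a notify and walks the header and payload chain to report it. The cookies, message ID and the zeroed HASH placeholder are made up for the example; nothing here is a capture from the poster's tunnel.

```python
"""Decode an IKEv1 (ISAKMP) INFORMATIONAL message carrying a Notification payload.

Added example for this thread; not code from pfSense, strongSwan or vpnc.
Field layouts follow RFC 2408. The packet built below is constructed here
(cookies, message ID and the HASH placeholder are made up), not a capture
from the poster's tunnel.
"""
import struct

PAYLOAD_TYPES = {0: "NONE", 1: "SA", 5: "ID", 8: "HASH", 11: "N", 12: "D", 14: "ATTR"}
EXCHANGE_TYPES = {2: "MAIN", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 6: "TRANSACTION", 32: "QUICK"}
# Error notify types (RFC 2408 section 3.14.1 assigns 1..30 to errors); subset shown.
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE", 9: "INVALID-MESSAGE-ID",
    14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}
FLAG_ENCRYPTED = 0x01

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
NOTIFY_FIXED = struct.Struct("!IBBH")      # DOI, protocol id, SPI size, notify message type
DELETE_FIXED = struct.Struct("!IBBH")      # DOI, protocol id, SPI size, number of SPIs


def build_notify_message(icookie, rcookie, notify_type, msg_id=0x1234, encrypted=False):
    """Construct an INFORMATIONAL message [ HASH N ] carrying one notify type."""
    hash_body = b"\x00" * 20  # placeholder for HASH(1); a real message carries the PRF output
    hash_pl = GENERIC_HDR.pack(11, 0, GENERIC_HDR.size + len(hash_body)) + hash_body
    notify_body = NOTIFY_FIXED.pack(1, 1, 0, notify_type)  # DOI=IPsec(1), proto=ISAKMP(1), no SPI
    notify_pl = GENERIC_HDR.pack(0, 0, GENERIC_HDR.size + len(notify_body)) + notify_body
    body = hash_pl + notify_pl
    flags = FLAG_ENCRYPTED if encrypted else 0
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 8, 0x10, 5, flags, msg_id, ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_isakmp(packet):
    """Parse the header and payload chain; raise ValueError on anything inconsistent."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field %d != packet length %d" % (length, len(packet)))
    if flags & FLAG_ENCRYPTED:
        raise ValueError("E bit set: payloads are encrypted under the Phase 1 SA, decrypt first")
    msg = {"version": (ver >> 4, ver & 0xF), "exchange": EXCHANGE_TYPES.get(xchg, xchg),
           "msg_id": msg_id, "icookie": icookie, "rcookie": rcookie, "payloads": []}
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + GENERIC_HDR.size > len(packet):
            raise ValueError("payload header at offset %d runs past end of packet" % off)
        next_nxt, _, plen = GENERIC_HDR.unpack_from(packet, off)
        if plen < GENERIC_HDR.size or off + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = packet[off + GENERIC_HDR.size:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(nxt, nxt)}
        if nxt == 11:  # Notification
            if len(body) < NOTIFY_FIXED.size:
                raise ValueError("truncated Notification payload")
            doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
            entry.update(doi=doi, protocol=proto, notify_type=ntype,
                         notify_name=NOTIFY_TYPES.get(ntype, "UNKNOWN(%d)" % ntype),
                         spi=body[NOTIFY_FIXED.size:NOTIFY_FIXED.size + spi_size])
        elif nxt == 12:  # Delete, the [ HASH D ] seen in the charon log
            if len(body) < DELETE_FIXED.size:
                raise ValueError("truncated Delete payload")
            doi, proto, spi_size, nspis = DELETE_FIXED.unpack_from(body)
            spis = [body[DELETE_FIXED.size + i * spi_size:DELETE_FIXED.size + (i + 1) * spi_size]
                    for i in range(nspis)]
            entry.update(doi=doi, protocol=proto, spis=spis)
        msg["payloads"].append(entry)
        nxt, off = next_nxt, off + plen
    if off != len(packet):
        raise ValueError("%d trailing bytes after last payload" % (len(packet) - off))
    return msg


def error_notifies(packet):
    """Names of the error notifications (types 1..30) carried in the message."""
    return [p["notify_name"] for p in parse_isakmp(packet)["payloads"]
            if p["type"] == "N" and 1 <= p["notify_type"] <= 30]


if __name__ == "__main__":
    pkt = build_notify_message(b"\x11" * 8, b"\x22" * 8, 16)
    print(parse_isakmp(pkt)["exchange"], error_notifies(pkt))  # INFORMATIONAL ['PAYLOAD-MALFORMED']
```

Once Phase 1 is up, real INFORMATIONAL messages have the E flag set and their HASH and N payloads are encrypted under the Phase 1 SA, so the parser refuses them rather than reading ciphertext as payload headers; feed it decrypted bytes. The length checks matter for the same reason the notify exists: a payload whose length field disagrees with the bytes on the wire is precisely what a peer answers with PAYLOAD-MALFORMED.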
-
Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.
It worked before with Shrewsoft/Android and iPhone.
If you're using PSKs defined in the user manager or on vpn_ipsec_keys.php, there was an issue there until 2.2.3 for mobile clients.
Most of the remainder of mobile IPsec issues are one of these three:
https://doc.pfsense.org/index.php/Upgrade_Guide#Problem_in_racoon_with_aggressive_mode_and_NAT-D
https://doc.pfsense.org/index.php/Upgrade_Guide#Mobile_client_users.2C_verify_Local_Network
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation
jrudolph's issue with vpnc looks to be unrelated to those; I'm looking into it now. It wouldn't be the same issue with Shrewsoft or Android or iOS. Please review the above links, and start your own thread with info (IPsec logs especially) if you're still having issues.
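Added example, not pfSense or strongSwan code, for reading the IPsec logs the reply above asks for: it parses the "charon: NN[SUBSYS] <conn|id>message" lines pfSense writes to its IPsec log, puts them back in chronological order (the GUI shows newest first), and summarises per IKE_SA what the peer sent. SAMPLE_LOG is the server-side log from the first post, with the addresses masked exactly as the poster left them; the line format is assumed from those lines only.

```python
"""Triage pfSense/strongSwan (charon) IPsec log lines for a failing mobile client.

Added example for this thread; not pfSense or strongSwan code. The line
format is inferred from the lines in the first post. SAMPLE_LOG is that
post's server log, addresses masked as the poster left them.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Jun 21 17:32:27 charon: 05[CFG] <con1|12>lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXXXXXX….XXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXX…XXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[ENC] <con1|12>parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12>received packet: from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify
Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>)?(?P<msg>.*)$")
ERROR_NOTIFY_RE = re.compile(r"received (?P<name>[A-Z_]+) error notify")
LEASE_RE = re.compile(r"lease (?P<ip>\S+) by '(?P<user>[^']+)' went offline")


def parse_line(line):
    """Split one charon log line into its fields, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sa"] = int(fields["sa"]) if fields["sa"] is not None else None
    return fields


def triage(lines, newest_first=True):
    """Per-IKE_SA summary keyed by (connection name, SA number), in first-seen order."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    if newest_first:  # pfSense's log view lists the newest entry first
        events.reverse()
    sas = OrderedDict()
    for e in events:
        s = sas.setdefault((e["conn"], e["sa"]), {
            "lines": 0, "error_notifies": [], "delete_received": False,
            "sa_deleted": False, "lease_released": None, "subsystems": set()})
        s["lines"] += 1
        s["subsystems"].add(e["sub"])
        m = ERROR_NOTIFY_RE.search(e["msg"])
        if m:
            s["error_notifies"].append(m.group("name"))
        if "received DELETE for IKE_SA" in e["msg"]:
            s["delete_received"] = True
        if e["msg"].startswith("deleting IKE_SA"):
            s["sa_deleted"] = True
        m = LEASE_RE.search(e["msg"])
        if m:
            s["lease_released"] = (m.group("ip"), m.group("user"))
    return sas


def report(sas):
    """One human-readable line per SA, in the order the SAs were first seen."""
    out = []
    for (conn, sa), s in sas.items():
        name = "%s[%s]" % (conn, sa) if conn else "(no SA)"
        parts = []
        if s["error_notifies"]:
            parts.append("peer sent %s" % ", ".join(sorted(set(s["error_notifies"]))))
        if s["delete_received"]:
            parts.append("peer sent DELETE")
        if s["sa_deleted"]:
            parts.append("IKE_SA torn down")
        if s["lease_released"]:
            parts.append("lease %s for %s released" % s["lease_released"])
        out.append("%s: %s" % (name, "; ".join(parts) or "no notable events"))
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Read oldest-first, the sample shows the order of events the poster saw from the server side: the client sent an error notify (PAYLOAD_MALFORMED), then an INFORMATIONAL [ HASH D ] deleting the IKE_SA, and only then did charon release the virtual-address lease. Repeated lines are kept as they appear; the counts in "lines" and "error_notifies" make a doubled log entry visible rather than hiding it.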
-
There are either issues in vpnc when connecting to strongswan, or in strongswan itself. Configs that work fine with the built-in IPsec client in iOS and OS X, Shrewsoft, and others fail with vpnc where it should function the same as the others. My gut feel is it's a vpnc issue of some sort that racoon just didn't trigger for some reason, given all the other similar clients work fine in the same circumstance. There are a number of instances of people using vpnc with strongswan, though many of those date back quite some time. I updated the bug ticket and will revisit as soon as time permits (in the process of getting 2.2.3 to release this week).
https://redmine.pfsense.org/issues/4784