IPSec tunnel problems after pfSense 2.2.3 upgrade

RMB

I am using Preshared Keys.

vbentley

Thanks. Using PSK works for me too, but I would rather use certs instead.

I don't think that the AES patch rollback will make any difference to the issue I am experiencing which is a failure to establish a P1 with RSA Certs and 3DES.

I suspect that I could be the only one using RSA Certs with site-to-site IPsec VPN on pfSense as more people would have spotted this.
I really wish 2.2.3 was just a GUI XSS fix.

doktornotor

@vbentley:

I suspect that I could be the only one using RSA Certs with site-to-site IPsec VPN on pfSense as more people would have spotted this.
I really wish 2.2.3 was just a GUI XSS fix.

Mutual RSA works here with 2.2.3 on pfS -> pfS (2.2.3)

stephenw10

Obviously we haven't tested with whatever hardware crypto cards you are using but the base FreeBSD hasn't changed so I wouldn't have expected them to fail.
Does it work if you choose not to use the hardware encryption?

Steve

vbentley

@doktornotor:

Mutual RSA works here with 2.2.3 on pfS -> pfS (2.2.3)

Excellent!
Can you tell me if you are using IP:value references in your certs or DNS:value references?

I am using DNS:value references because one end of the VPN is on a dynamic IP with dynamic DNS. It works on 2.2.2 perhaps StrongSwan 5.3.2 is looking for something in my certs that 5.3.0 doesn't need. I'm thinking this has something to do with reqid.

vbentley

@stephenw10:

Does it work if you choose not to use the hardware encryption?

I will try building two test boxes without crypto cards next week.
OpenSSL version hasn't changed so I'm fairly confident this isn't the problem.

phil.davis

OpenSSL version hasn't changed so I'm fairly confident this isn't the problem.

That cannot be automatically assumed because of:

FreeBSD patches OpenSSL without changing the version number.

https://forum.pfsense.org/index.php?topic=91461.msg532876#msg532876

doktornotor

Main problem here is that debugging any IPsec is impossible since logging is totally no-op (yet another regression). I really don't have any decent words for this "strongs"wan thing. Has been nothing but one giant pain in the butt ever since it's been introduced.

mauirixxx

I know this thread is over 2+ weeks old but ….

@Work tonight I upgraded pfSense to 2.2.3 with the AES-N1 option enabled.
@Home when 2.2.3 was released, I upgraded right away, and had the AES-N1 option enabled.

After the upgrade at work tonight, I had the same symptoms - endpoints would connect like they should, but 0 traffic passed between them. After I disabled the AES-N1 acceleration @work and rebooted, all is well and acting like it should again.

So I have 1 endpoint with it enabled, and 1 without, and traffic flows. I haven't tried re-enabling it because stuff works now.

Next test would be to disable it @home, and enable it @work, and see if it still works as it should. Or should I just leave well enough alone?

stephenw10

It's fixed in 2.2.4 snapshots. Perhaps the CPU at the home end is not actually supporting AES-NI as it reports?
If the module actually loads at boot (check the boot logs) then I would exepct it to break IPSec if AES is used.

Steve

TheWaterbug

@vbentley:

You can use IP addresses for your identifiers but they are not much use unless the WAN IP addresses at each end are both static. The IP address identifier is just for IP addresses not hostnames.

If you have one or more WAN interfaces with dynamic IP addresses you should use an identifier that doesn't change.

If you have a resolvable hostname for your pfSense host and another for your Linksys host you could use the Distinguished Name type like in this example:-

On pfSense
My Identifier: Distinguished Name: pfsense.mydynamic.dns
Peer Identifier: Distinguished Name: linksys.mydynamic.dns

On Linksys
My Identifier: Distinguished Name: linksys.mydynamic.dns
Peer Identifier: Distinguished Name: pfsense.mydynamic.dns

Thanks! I'd had Peer Identifier entered as IP Address, and it wasn't working under 2.2.3, though I'm pretty sure it had worked previously under some earlier version.

Once I used Distinguished Name it started working again.

gteley

All well and nice but I have several pfSense boxes at several client locations and all work except one.
I've checked and double checked each and every setting, deleted it and recreated it, but it still keeps saying 'Gateway authentication error' and 'invalid ID_V1 payload length, decryption failed?' after the upgrade to 2.2.4 (I skipped 2.2.3)
To be precise, I copied the configuration from exact the same hardware appliance box, just to rule out hardware dependencies.