Netgate Discussion Forum

    IPSec Issues after update to 2.2.4

      DRKViersen

      Hello,

      we upgraded our pfSense from 2.2.2 to 2.2.4 and all Road Warriors can no longer connect.

      The pfSense is on a static IP while the clients are NATed and using dynamic IPs.

      Identifiers are "My ip address" and a User distinguished name in the form of an email address.

      We are using IKEv1 with PSK and XAuth, aggressive mode, AES and SHA1, Group 5.

      The clients use the Shrew client.

      Setting "My identifier" to the IP address manually didn't help. Setting "Peer identifier" to "any" didn't help.

      Any ideas or any more information needed?

      Thank you very much!

      Kind regards,

      Lars

      Log entries (x.x.x.x = IP of pfSense, y.y.y.y = peer IP):

      Aug 12 12:08:33 charon: 06[JOB] <con1|43> deleting half open IKE_SA after timeout
      Aug 12 12:08:28 charon: 06[NET] <con1|43> sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
      Aug 12 12:08:28 charon: 06[IKE] <con1|43> sending retransmit 3 of response message ID 0, seq 1
      Aug 12 12:08:28 charon: 06[IKE] <con1|43> sending retransmit 3 of response message ID 0, seq 1
      Aug 12 12:08:15 charon: 06[NET] <con1|43> sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
      Aug 12 12:08:15 charon: 06[IKE] <con1|43> sending retransmit 2 of response message ID 0, seq 1
      Aug 12 12:08:15 charon: 06[IKE] <con1|43> sending retransmit 2 of response message ID 0, seq 1
      Aug 12 12:08:08 charon: 06[NET] <con1|43> sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
      Aug 12 12:08:08 charon: 06[IKE] <con1|43> sending retransmit 1 of response message ID 0, seq 1
      Aug 12 12:08:08 charon: 06[IKE] <con1|43> sending retransmit 1 of response message ID 0, seq 1
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> INFORMATIONAL_V1 request with message ID 1844034455 processing failed
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> INFORMATIONAL_V1 request with message ID 1844034455 processing failed
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> ignore malformed INFORMATIONAL request
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> ignore malformed INFORMATIONAL request
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> message parsing failed
      Aug 12 12:08:04 charon: 06[IKE] <con1|43> message parsing failed
      Aug 12 12:08:04 charon: 06[ENC] <con1|43> could not decrypt payloads
      Aug 12 12:08:04 charon: 06[ENC] <con1|43> invalid HASH_V1 payload length, decryption failed?
      Aug 12 12:08:04 charon: 06[NET] <con1|43> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
      Aug 12 12:08:04 charon: 14[IKE] <con1|43> AGGRESSIVE request with message ID 0 processing failed
      Aug 12 12:08:04 charon: 14[IKE] <con1|43> AGGRESSIVE request with message ID 0 processing failed
      Aug 12 12:08:04 charon: 14[NET] <con1|43> sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
      Aug 12 12:08:04 charon: 14[ENC] <con1|43> generating INFORMATIONAL_V1 request 768892632 [ HASH N(PLD_MAL) ]
      Aug 12 12:08:04 charon: 14[IKE] <con1|43> message parsing failed
      Aug 12 12:08:04 charon: 14[IKE] <con1|43> message parsing failed
      Aug 12 12:08:04 charon: 14[ENC] <con1|43> could not decrypt payloads
      Aug 12 12:08:04 charon: 14[ENC] <con1|43> invalid HASH_V1 payload length, decryption failed?
      Aug 12 12:08:04 charon: 14[NET] <con1|43> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
      Aug 12 12:08:04 charon: 14[NET] <con1|43> sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
      Aug 12 12:08:04 charon: 14[ENC] <con1|43> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
      Aug 12 12:08:04 charon: 14[CFG] <43> selected peer config "con1"
      Aug 12 12:08:04 charon: 14[CFG] <43> looking for XAuthInitPSK peer configs matching x.x.x.x...y.y.y.y[vpn@kv-viersen.drk.local]
      Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
      Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
      Aug 12 12:08:03 charon: 14[IKE] <43> received Cisco Unity vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received Cisco Unity vendor ID
      Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
      Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
      Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
      Aug 12 12:08:03 charon: 14[IKE] <43> received FRAGMENTATION vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received FRAGMENTATION vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received XAuth vendor ID
      Aug 12 12:08:03 charon: 14[IKE] <43> received XAuth vendor ID
      Aug 12 12:08:03 charon: 14[ENC] <43> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V ]
      Aug 12 12:08:03 charon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)

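An added triage helper for logs like the one above (not code from the thread or from pfSense/strongSwan): it groups charon lines by IKE_SA number, which stays the same before (`<43>`) and after (`<con1|43>`) a peer config is selected, and reports where the IKEv1 exchange stopped. The sample lines are a constructed subset of the post's log.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post (x.x.x.x = pfSense, y.y.y.y = peer), newest first.
SAMPLE_LOG = """\
Aug 12 12:08:33 charon: 06[JOB] <con1|43> deleting half open IKE_SA after timeout
Aug 12 12:08:28 charon: 06[IKE] <con1|43> sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:15 charon: 06[IKE] <con1|43> sending retransmit 2 of response message ID 0, seq 1
Aug 12 12:08:08 charon: 06[IKE] <con1|43> sending retransmit 1 of response message ID 0, seq 1
Aug 12 12:08:04 charon: 06[ENC] <con1|43> invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 charon: 06[NET] <con1|43> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Aug 12 12:08:04 charon: 14[ENC] <con1|43> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 12 12:08:04 charon: 14[CFG] <43> selected peer config "con1"
Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
"""

# "<43>" before a peer config is selected, "<con1|43>" afterwards: same IKE_SA.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\s+charon: \d+\[(?P<grp>\w+)\] "
                     r"<(?:[^|>]+\|)?(?P<sa>\d+)> ?(?P<msg>.*)$")

def parse_charon(text):
    """Group parsed lines by IKE_SA number, oldest first."""
    by_sa = defaultdict(list)
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            by_sa[int(m["sa"])].append(m.groupdict())
    return {sa: list(reversed(ev)) for sa, ev in by_sa.items()}

def triage_ikev1(events):
    """Where one IKEv1 exchange stopped: config, last message sent, first ENC error, outcome."""
    s = {"peer": None, "config": None, "last_sent": None, "first_error": None,
         "retransmits": 0, "outcome": "unknown"}
    for ev in events:
        msg, grp = ev["msg"], ev["grp"]
        if m := re.match(r"(\S+) is initiating", msg):
            s["peer"] = m.group(1)
        elif m := re.match(r'selected peer config "([^"]+)"', msg):
            s["config"] = m.group(1)
        elif grp == "ENC" and msg.startswith("generating "):
            s["last_sent"] = msg[len("generating "):].split(" [")[0]
        elif grp == "ENC" and "failed" in msg and s["first_error"] is None:
            s["first_error"] = msg       # e.g. the HASH_V1 decryption failure
        elif msg.startswith("sending retransmit"):
            s["retransmits"] += 1
        elif "deleting half open IKE_SA" in msg:
            s["outcome"] = "half-open IKE_SA deleted after timeout"
        elif "IKE_SA" in msg and "established" in msg:
            s["outcome"] = "established"
    return s
```

For the sample this reports that the responder's AGGRESSIVE response went out, the peer's next packet on UDP 4500 could not be decrypted, and the SA was torn down after three retransmits, which is the same sequence visible in the full log above.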
        dcandea

        Based on strongswan
        https://wiki.strongswan.org/issues/460

        try with modeconfig=pull

          cmb

          Upgrade to the latest 2.2.5 snapshot; that's probably the same root cause as this (which is confirmed fixed by several people in 2.2.5).

          @dcandea:

          Based on strongswan
          https://wiki.strongswan.org/issues/460

          try with modeconfig=pull

          That has no relation in this case.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.