IPSec: "The VPN Shared Secret is incorrect." From Mac After Upgrade to 2.3
-
After upgrading a system from 2.2.6 to 2.3.2, I can no longer connect to the IPSec VPN. The message I get on my Mac is "The Shared Secret is incorrect."
Aug 23 20:18:29 charon 16[IKE] <5> received FRAGMENTATION vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received NAT-T (RFC 3947) vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received XAuth vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received Cisco Unity vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> received DPD vendor ID
Aug 23 20:18:29 charon 16[IKE] <5> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
Aug 23 20:18:29 charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 23 20:18:29 charon 16[IKE] <5> no proposal found
Aug 23 20:18:29 charon 16[ENC] <5> generating INFORMATIONAL_V1 request 4133479696 [ N(NO_PROP) ]
Aug 23 20:18:29 charon 16[NET] <5> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (56 bytes)
Aug 23 20:18:29 charon 14[NET] <6> received packet: from [???.???.???.???][500] to [???.???.???.???][500] (777 bytes)
Aug 23 20:18:29 charon 14[ENC] <6> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Aug 23 20:18:29 charon 14[IKE] <6> received FRAGMENTATION vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received NAT-T (RFC 3947) vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received XAuth vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received Cisco Unity vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> received DPD vendor ID
Aug 23 20:18:29 charon 14[IKE] <6> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
Aug 23 20:18:29 charon 14[CFG] <6> looking for XAuthInitPSK peer configs matching [???.???.???.???]...[???.???.???.???][vpnusers@balletbc.com]
Aug 23 20:18:29 charon 14[CFG] <6> selected peer config "con1"
Aug 23 20:18:29 charon 14[ENC] <con1|6> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Aug 23 20:18:29 charon 14[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
Aug 23 20:18:29 charon 14[NET] <con1|6> received packet: from [???.???.???.???][18833] to [???.???.???.???][4500] (76 bytes)
Aug 23 20:18:29 charon 14[IKE] <con1|6> queueing INFORMATIONAL_V1 request as tasks still active
Aug 23 20:18:33 charon 14[IKE] <con1|6> sending retransmit 1 of response message ID 0, seq 1
Aug 23 20:18:33 charon 14[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
Aug 23 20:18:41 charon 06[IKE] <con1|6> sending retransmit 2 of response message ID 0, seq 1
Aug 23 20:18:41 charon 06[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
Aug 23 20:18:54 charon 08[IKE] <con1|6> sending retransmit 3 of response message ID 0, seq 1
Aug 23 20:18:54 charon 08[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
Aug 23 20:18:59 charon 06[JOB] <con1|6> deleting half open IKE_SA after timeout
-
Aug 23 20:18:29 charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 23 20:18:29 charon 16[IKE] <5> no proposal found
It looks like everything your Mac is offering is PFS Group 14 (MODP_2048). Your pfSense phase 1 is configured for PFS Group 2 (MODP_1024). Looks like you need to change either side to match.
Apple has been making lots of changes to their VPN client lately - but it seems to be mostly in IKEv2. It's been a little bumpy.
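As an added example (not part of this thread or of pfSense/strongSwan), the following Python check automates the comparison made in the reply above: it parses a pair of charon "received proposals" / "configured proposals" lines and reports which algorithm slot has no overlap between the two sides. The sample lines are the two quoted from the log (addresses already masked by the poster); the parser also handles the three-slot form strongSwan prints for AEAD ciphers, which does not occur in this thread.

```python
import re

# Constructed sample input: the two charon lines quoted in the thread above
# (the poster had already masked the addresses).
RECEIVED_LINE = (
    "Aug 23 20:18:29 charon 16[CFG] <5> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048"
)
CONFIGURED_LINE = (
    "Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)

# Slot order in a strongSwan IKE proposal string: ENC/INTEG/PRF/DH.
SLOTS = ("encryption", "integrity", "prf", "dh")
PROPOSALS_RE = re.compile(r"(?:received|configured) proposals: (.+)$")

def parse_proposals(line: str) -> list[dict[str, str]]:
    """Turn one 'proposals:' log line into a list of {slot: algorithm} dicts."""
    m = PROPOSALS_RE.search(line)
    if not m:
        return []
    proposals = []
    for prop in m.group(1).split(","):
        algs = prop.strip().split(":", 1)[-1].split("/")  # drop the "IKE:" prefix
        # AEAD ciphers (e.g. AES_GCM_*) carry no separate integrity algorithm,
        # so those strings have three slots instead of four.
        slots = SLOTS if len(algs) == 4 else ("encryption", "prf", "dh")
        proposals.append(dict(zip(slots, algs)))
    return proposals

def diagnose(received_line: str, configured_line: str) -> dict[str, dict[str, list[str]]]:
    """Return the slots where nothing the peer offered overlaps what is configured.
    Empty result: some proposal matched. Otherwise each listed slot on its own
    explains charon's "no proposal found" and names the value to change."""
    received = parse_proposals(received_line)
    configured = parse_proposals(configured_line)
    if any(r == c for r in received for c in configured):
        return {}
    report = {}
    for slot in SLOTS:
        offered = sorted({p[slot] for p in received if slot in p})
        wanted = sorted({p[slot] for p in configured if slot in p})
        if not set(offered) & set(wanted):
            report[slot] = {"peer_offered": offered, "configured": wanted}
    return report
```

For the two lines above, `diagnose(RECEIVED_LINE, CONFIGURED_LINE)` returns only a `dh` entry (peer offered MODP_2048, configured MODP_1024), matching the reply's diagnosis.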
-
Thanks for the info, but that did not solve my issue. I should note that I made no changes or upgrades to my Mac before or after the pfSense upgrade. The VPN connection worked before the upgrade to pfSense. Also, I have completely removed all configurations from the IPSec settings on pfSense, and re-built them all exactly as I have on other pfSense 2.3.2 boxes, and yet my Mac, which successfully connects to the IPSec VPNs on those other pfSense 2.3.2 boxes, is unable to connect to this one. So, it would seem that the upgrade of pfSense to 2.3 has broken something in IPSec…?
-
Also, I did make the change as above and matched the DH Group as suggested. Here are my logs now…
On pfSense:
Sep 8 07:25:36 charon 11[NET] <7> received packet: from [YYY.YYY.YYY.YYY][500] to [XXX.XXX.XXX.XXX][500] (777 bytes)
Sep 8 07:25:36 charon 11[ENC] <7> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Sep 8 07:25:36 charon 11[IKE] <7> received FRAGMENTATION vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received NAT-T (RFC 3947) vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received XAuth vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received Cisco Unity vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> received DPD vendor ID
Sep 8 07:25:36 charon 11[IKE] <7> [YYY.YYY.YYY.YYY] is initiating a Aggressive Mode IKE_SA
Sep 8 07:25:37 charon 11[CFG] <7> looking for XAuthInitPSK peer configs matching [XXX.XXX.XXX.XXX]...[YYY.YYY.YYY.YYY][vpnusers@balletbc.com]
Sep 8 07:25:37 charon 11[CFG] <7> selected peer config "con1"
Sep 8 07:25:37 charon 11[ENC] <con1|7> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Sep 8 07:25:37 charon 11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
Sep 8 07:25:37 charon 11[NET] <con1|7> received packet: from [YYY.YYY.YYY.YYY][5930] to [XXX.XXX.XXX.XXX][4500] (76 bytes)
Sep 8 07:25:37 charon 11[IKE] <con1|7> queueing INFORMATIONAL_V1 request as tasks still active
Sep 8 07:25:41 charon 11[IKE] <con1|7> sending retransmit 1 of response message ID 0, seq 1
Sep 8 07:25:41 charon 11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
Sep 8 07:25:47 charon 09[CFG] rereading secrets
Sep 8 07:25:47 charon 09[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 8 07:25:47 charon 09[CFG] loaded IKE secret for [XXX.XXX.XXX.XXX] vpnusers@balletbc.com
Sep 8 07:25:47 charon 09[CFG] loaded IKE secret for %any
Sep 8 07:25:47 charon 09[CFG] loaded IKE secret for %any
Sep 8 07:25:47 charon 09[CFG] loaded IKE secret for vpnusers@balletbc.com
Sep 8 07:25:47 charon 09[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 8 07:25:47 charon 09[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 8 07:25:47 charon 09[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 8 07:25:47 charon 09[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 8 07:25:47 charon 09[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Sep 8 07:25:49 charon 11[IKE] <con1|7> sending retransmit 2 of response message ID 0, seq 1
Sep 8 07:25:49 charon 11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
On the Mac:
2016-09-08 7:25:36.552 AM racoon[55341] accepted connection on vpn control socket.
2016-09-08 7:25:36.552 AM racoon[55341] accepted connection on vpn control socket.
2016-09-08 7:25:36.553 AM racoon[55341] IPSec connecting to server [XXX.XXX.XXX.XXX]
2016-09-08 7:25:36.553 AM racoon[55341] IPSec connecting to server [XXX.XXX.XXX.XXX]
2016-09-08 7:25:36.553 AM racoon[55341] Connecting.
2016-09-08 7:25:36.554 AM racoon[55341] IPSec Phase 1 started (Initiated by me).
2016-09-08 7:25:36.554 AM racoon[55341] IPSec Phase 1 started (Initiated by me).
2016-09-08 7:25:36.568 AM racoon[55341] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
2016-09-08 7:25:36.568 AM racoon[55341] >>>>> phase change status = Phase 1 started by us
2016-09-08 7:25:36.568 AM racoon[55341] >>>>> phase change status = Phase 1 started by us
2016-09-08 7:25:37.951 AM racoon[55341] HASH mismatched
2016-09-08 7:25:37.955 AM racoon[55341] HASH mismatched
2016-09-08 7:25:37.955 AM racoon[55341] IKEv1 Phase 1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
2016-09-08 7:25:37.957 AM racoon[55341] IKE Packet: transmit success. (Information message).
2016-09-08 7:25:37.957 AM racoon[55341] IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
2016-09-08 7:25:37.957 AM racoon[55341] IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
2016-09-08 7:25:37.971 AM racoon[55341] IPSec disconnecting from server [XXX.XXX.XXX.XXX]
2016-09-08 7:25:37.972 AM racoon[55341] IPSec disconnecting from server [XXX.XXX.XXX.XXX]
2016-09-08 7:25:37.975 AM racoon[55341] glob found no matches for path "/var/run/racoon/*.conf"
2016-09-08 7:25:37.978 AM racoon[55341] glob found no matches for path "/var/run/racoon/*.conf"
2016-09-08 7:25:37.979 AM racoon[55341] IPSec disconnecting from server [XXX.XXX.XXX.XXX]
2016-09-08 7:25:37.983 AM racoon[55341] IPSec disconnecting from server [XXX.XXX.XXX.XXX]
-
After upgrading pfSense I see the same issue on two Win10 machines that worked flawlessly before.
I constantly get
Sep 8 22:38:52 charon 11[NET] <con1|62> received packet: from 2.130.86.250[61121] to xxx.xx.xxx.xxx[4500] (108 bytes)
Sep 8 22:38:52 charon 11[ENC] <con1|62> invalid HASH_V1 payload length, decryption failed?
Sep 8 22:38:52 charon 11[ENC] <con1|62> could not decrypt payloads
no matter what I do to the config (clean PSK, DH2/14 etc…).
-
In my configuration the phase 1 peer identification somehow had been reset by the upgrade.
When I explicitly called out 'User distinguished name' for the peer ID and provided the value I defined in the client, stuff works again :-)
Case closed (for me)
-
As I mentioned above, I have completely removed and re-added the configuration at both ends.