Netgate Discussion Forum

    2.4.3 Breaks Mobile Client

      miken32

      Yeah I'm getting similar problems as well. OS X replies with a shared secret error after upgrade to 2.4.3. Nothing in the logs to indicate what the problem could be.

      ![Screenshot 2018-04-02 10.43.09.png](/public/imported_attachments/1/Screenshot 2018-04-02 10.43.09.png)

        CKuhn84

        Mobile Clients are not working for me either - and it had previously been working.

          miken32

          I've opened bug 8426 for this problem.

          https://redmine.pfsense.org/issues/8426

            lst_hoe

            Maybe related to this change :
            "Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups"

            Could you check if your phase 1 algorithms include something useful or simply save the desired settings again?

              lst_hoe

              With IKEv2 it is working here as before BTW, at least with Windows and Android clients. Maybe only the Apple clients are affected?

                xpxp2002

                @lst_hoe:

                > With IKEv2 it is working here as before BTW, at least with Windows and Android clients. Maybe only the Apple clients are affected?

                My iPhone and Mac clients are working same as before with IKEv2.

                  bigjme93

                  On my side I tried forcing IKEv1 and IKEv2, and leaving it on auto

                  I have also changed the encryptions used for both phase 1 and phase 2 to various different options with no change

                  Just to note, I am on the android client under android 8.0.0

                    miken32

                    @lst_hoe:

                    > Maybe related to this change :
                    > "Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups"
                    >
                    > Could you check if your phase 1 algorithms include something useful or simply save the desired settings again?

                    The only change in config.xml after upgrade was from this:

                    
                        <phase1>
                          <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
                          <hash-algorithm>sha1</hash-algorithm>
                          <dhgroup>2</dhgroup>
                        </phase1>

                    To this:

                        <phase1>
                          <encryption>
                            <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
                            <hash-algorithm>sha1</hash-algorithm>
                            <dhgroup>2</dhgroup>
                          </encryption>
                        </phase1>
                    
                    

                    So, just rearranging the parameters to allow for multiple entries, as the release notes say. Re-saving the config made no difference. Tried deleting and recreating the config today, but GUI is throwing nonsensical errors at me.  ::)

                    1 Reply Last reply Reply Quote 0
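
A way to repeat the before/after comparison from the post above mechanically, as an added example that is not part of the original thread or of pfSense itself: it normalises both `<phase1>` layouts to the same list of IKE proposals, checks that an upgrade only re-nested them, and flags legacy parameters. The XML samples are constructed from the quoted snippets; the function names and the weak-parameter sets are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the two <phase1> layouts quoted in the post.
OLD_LAYOUT = """<phase1>
  <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup>
</phase1>"""
NEW_LAYOUT = """<phase1><encryption>
  <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup>
</encryption></phase1>"""

# Reviewer's policy choice (an assumption, not a pfSense setting).
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2"}  # 768-bit and 1024-bit MODP


def phase1_proposals(phase1_xml):
    """Return sorted (cipher, keylen, hash, dhgroup) tuples for a <phase1>."""
    # Any element directly holding <encryption-algorithm> is one proposal, so
    # both layouts (and repeated entries) normalise to the same shape.
    proposals = []
    for holder in ET.fromstring(phase1_xml).iter():
        algo = holder.find("encryption-algorithm")
        if algo is not None:
            proposals.append((
                algo.findtext("name", default="").strip(),
                algo.findtext("keylen", default="").strip(),
                holder.findtext("hash-algorithm", default="").strip(),
                holder.findtext("dhgroup", default="").strip(),
            ))
    return sorted(proposals)


def migration_preserved(before_xml, after_xml):
    """True when an upgrade only re-nested the proposals, as the post found."""
    return phase1_proposals(before_xml) == phase1_proposals(after_xml)


def weak_findings(proposals):
    """Flag proposals that still rely on legacy hash or DH parameters."""
    findings = []
    for cipher, keylen, hash_alg, dh in proposals:
        if hash_alg.lower() in WEAK_HASHES:
            findings.append(f"{cipher}{keylen}: hash {hash_alg}")
        if dh in WEAK_DH_GROUPS:
            findings.append(f"{cipher}{keylen}: DH group {dh}")
    return findings
```
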
                      miken32

                      @xpxp2002:

                      > @lst_hoe:
                      >
                      >> With IKEv2 it is working here as before BTW, at least with Windows and Android clients. Maybe only the Apple clients are affected?
                      >
                      > My iPhone and Mac clients are working same as before with IKEv2.

                      Yeah I'm on IKEv1, and Jim P has just updated the ticket indicating that it looks like a problem related to IKEv1 PSK handling in a new version of strongSwan.

                        jimp Rebel Alliance Developer Netgate

                        Yep, it isn't anything in our code. I was sure I had botched something in the new dual stack stuff at first but nope, the pfSense side was all good. strongSwan 5.6.2 changed ipsec.secrets logic for IKEv1, I think I've got it sorted out now.

                        Try applying fad13c4142bba5c24e2a1d4739d46a5ff9c7ed19 with the system patches package and then edit/save/apply the mobile tunnel. Let me know if it works or fails, especially if other tunnels (IKEv1 or IKEv2) fail that are working now before adding that patch.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                          bigjme93

                          Hi jimp

                          I can confirm, that patch does fix the vpn connection

                          I wasn't using StrongSwan on my android though. I am just using the inbuilt vpn system on android 8.0.0, either way, all fixed now

                          Thank you very much

                          Jamie

                            jimp Rebel Alliance Developer Netgate

                            @bigjme93:

                            > I can confirm, that patch does fix the vpn connection

                            Great!

                            @bigjme93:

                            > I wasn't using StrongSwan on my android though. I am just using the inbuilt vpn system on android 8.0.0, either way, all fixed now

                            It's the version of strongSwan on pfSense itself to blame in this instance. It doesn't matter what the clients are running.

                              bigjme93

                              Ahh OK, lack of understanding on my side

                              Thanks again

                                Redmac

                                So how does the average user go about fixing this? :). I was able to get my mobile clients working by removing and re-adding the mobile client config, but split tunneling is no longer working after that…

                                  jimp Rebel Alliance Developer Netgate

                                  Use the System Patches package and apply the commit ID I mentioned above. See https://doc.pfsense.org/index.php/System_Patches

                                    Redmac

                                    Applied the patch and split tunneling still does NOT work. I may try deleting the mobile profile and recreating it again. If that doesn't do it I'll have to fall back to the previous version if I can find a d/l for it.

                                    ---

                                    Update, split tunneling works. When I recreated the mobile client I had the access set to LAN instead of 0.0.0.0. My mistake

                                    Thanks for the help. All is good.
                                    Mike

                                      Pashator

                                      Patch application fixed the issue! Thanks!

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.