[2.2] Mobile clients not connecting anymore

maxxer

hi.
Since the upgrade to 2.2 my Mobile clients aren't able to connect to the VPN anymore. I used this well done guide which has been working until the upgrade to openSWAN of 2.2. As posted on the upgrade guide I fixed the phase2 entry which was working with racoon, and the VPN works great with an Ubuntu client, but my androids are failing to establish the connection.

Does anyone knows the needed changes for it to work again?
Thanks

Clouseau

Look at this:
https://forum.pfsense.org/index.php?topic=87553.0

=> there is a bug in PSK identiefier used like user@domain.com. Email based or neither fully qualified domain name identifier does not work for me. Change that to IP -identifier like 1.1.1.1 (not needed to be real ip)
That identifier works now!

Bud:
https://redmine.pfsense.org/issues/4126

maxxer

thanks for the reply. I checked the issue and the diff but it doesn't match the vpn.inc source in my pfSense 2.2 install.
Any idea why?

cmb

When your Android devices fail, what IPsec logs do you get?

@Clouseau:

Look at this:
https://forum.pfsense.org/index.php?topic=87553.0

=> there is a bug in PSK identiefier used like user@domain.com.

That's not true and not relevant here, given Ubuntu machines work and just Android doesn't.

maxxer

@cmb:

That's not true and not relevant here, given Ubuntu machines work and just Android doesn't.

Indeed this puzzled me… This is a portion of the log, I hope I got the correct lines since I have other vpns running:

Jan 29 09:01:40 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
Jan 29 09:01:40 pfyo charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received FRAGMENTATION vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received FRAGMENTATION vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received NAT-T (RFC 3947) vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received XAuth vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received XAuth vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received Cisco Unity vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received Cisco Unity vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received DPD vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] received DPD vendor ID
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> ANDROIDIP is initiating a Aggressive Mode IKE_SA
Jan 29 09:01:40 pfyo charon: 07[IKE] ANDROIDIP is initiating a Aggressive Mode IKE_SA
Jan 29 09:01:40 pfyo charon: 07[CFG] looking for XAuthInitPSK peer configs matching PFSENSEIP...ANDROIDIP[vpnusers@domain.com]
Jan 29 09:01:40 pfyo charon: 07[CFG] selected peer config "con4"
Jan 29 09:01:40 pfyo charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jan 29 09:01:40 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
Jan 29 09:01:43 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
Jan 29 09:01:43 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
Jan 29 09:01:43 pfyo charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
Jan 29 09:01:43 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
Jan 29 09:01:44 pfyo charon: 07[IKE] <con4|9397>sending retransmit 1 of response message ID 0, seq 1
Jan 29 09:01:44 pfyo charon: 07[IKE] sending retransmit 1 of response message ID 0, seq 1
Jan 29 09:01:44 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
Jan 29 09:01:45 pfyo charon: 07[IKE] <con1000|8701>sending DPD request
Jan 29 09:01:45 pfyo charon: 07[IKE] sending DPD request
Jan 29 09:01:45 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 3656135092 [ HASH N(DPD) ]
Jan 29 09:01:46 pfyo charon: 07[ENC] parsed INFORMATIONAL_V1 request 2519074927 [ HASH N(DPD_ACK) ]
Jan 29 09:01:46 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
Jan 29 09:01:46 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
Jan 29 09:01:46 pfyo charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
Jan 29 09:01:46 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
Jan 29 09:01:48 pfyo charon: 07[IKE] <con1000|8701>unable to reauthenticate in CHILD_SA REKEYING state, delaying for 18s
Jan 29 09:01:48 pfyo charon: 07[IKE] unable to reauthenticate in CHILD_SA REKEYING state, delaying for 18s
Jan 29 09:01:48 pfyo charon: 07[NET] received packet: from ANOTHERIP[500] to PFSENSEIP[500] (92 bytes)
Jan 29 09:01:48 pfyo charon: 07[ENC] parsed INFORMATIONAL_V1 request 2836642412 [ HASH N(DPD) ]
Jan 29 09:01:48 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 2010749931 [ HASH N(DPD_ACK) ]
Jan 29 09:01:48 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANOTHERIP[500] (92 bytes)
Jan 29 09:01:49 pfyo charon: 07[IKE] <con2000|8801>sending DPD request
Jan 29 09:01:49 pfyo charon: 07[IKE] sending DPD request
Jan 29 09:01:49 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 3608059943 [ HASH N(DPD) ]</con2000|8801></con1000|8701></con4|9397></con1000|8701></con4|9397></con4|9397> 

maxxer

no ideas? anyone else using mobile IPSec on 2.2? thanks

dharrigan

Hi,

Just to add my voice to this, my iOS devices connect successfully, as do my Mac clients.

Android just fails to connect.

Same setup from pfSense 2.1, but on pfSense 2.2, Android devices just fail (sidenote, I wish I could see logs on Android of the connection/failure so I can at least try and figure out what Android is doing…)

-=david=-

eri--

Jan 29 09:01:46 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)

Seeing this there seems a device doing nat in front of the Android device and changing ports which do not make ipsec happy in general.
Without having full details its a bit of a problem to diagnostic.

maxxer

@ermal:

Seeing this there seems a device doing nat in front of the Android device and changing ports which do not make ipsec happy in general.
Without having full details its a bit of a problem to diagnostic.

Well, most of my Android VPN connections come from a NATted connection (i.e. when I'm at home connected to my wifi), and it has been working fine in 2.1.
What full detail do you need? I'll try to provide them.

HaburGate

@maxxer:

no ideas? anyone else using mobile IPSec on 2.2? thanks

Having the same problem here, mobile devices (iPhone, iPad and Android) can't connect after 2.2 upgrade.

covex

i can't ipsec into pfsense 2.2 box from iphone anymore. used to work on 2.1.3

jalonergan

I am having the same issues with IPSEC and 2.2. Most of the Pfsense online guides are for versions less than 2.1.5. Does anyone have a step by step guide that they can post for a verified working configuration utilizing PSEC on 2.2 with Shrew Client and Android 4.4 as the clients. Thanks!

Joe

eri--

Please provide the logs to analyze this.
Also read the RELEASE notes about the new update and changes with things to conisder.

pinoyboy

Moved…

eri--

Please open a new thread for your issue but probably its related that you need on pfSense side to set the phase2 to 0.0.0.0/0 for the client.
It is on the release notes.

HaburGate

@ermal:

Please open a new thread for your issue but probably its related that you need on pfSense side to set the phase2 to 0.0.0.0/0 for the client.
It is on the release notes.

Is this under the Local Network field? Currently I have it set to "LAN Subnet."

maxxer

I managed to install a fresh new 2.2, configure using this howto, and captured this log. I hope this can help debug.
Let me know if you need further debugging.
thanks for the help.

maxxer

I made some searches and tests myself.
First I found a possible issue with missing leftsendcert=always, but doesn't seem to apply to this problem.
Then I found an old thread about android and 2.2, and that seem to matter!

I had to do two changes:

• on the server set IPSec mobile to main mode

• on the Android client remove the IPSec identifier field (leave blank)

This way the VPN connection is established.
Can anyone else please confirm?

Sadly this way I have a regression: Ubuntu client won't connect anymore, it seems it's starting an aggressive mode connection thus fails…

HaburGate

Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.

maxxer

@vocatus:

Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.

attaching here a working configuration for Android. Tested just with one device running Lollipop. NOT working with Ubuntu (seems it doesn't like main mode, just aggressive).
IKE mode works both in auto, v1 or v2. Just make sure to leave blank group identifier on the phone configuration.