Problems with IPsec since the update to 2.2.4
Hello,
we updated our pfSense from 2.2.2 to 2.2.4, and since then our road warriors can no longer connect via VPN.
The pfSense has a static IP, while the clients are NATed and use dynamic IPs.
The identifiers are "My IP address" and "User distinguished name" in the form of an e-mail address.
We use IKEv1 with PSK and XAuth, aggressive mode, AES and SHA1, Group 5.
The clients use Shrew.
Setting "My identifier" manually to the IP didn't help, and setting "Peer identifier" to "any" didn't help either.
Does anyone have an idea, or is more information needed?
Thank you very much!
Best regards,
Lars
Log entries (x.x.x.x = IP of the pfSense, y.y.y.y = peer IP):
Aug 12 12:08:33 charon: 06[JOB] <con1|43>deleting half open IKE_SA after timeout
Aug 12 12:08:28 charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:28 charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:28 charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:15 charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:15 charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
Aug 12 12:08:15 charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
Aug 12 12:08:08 charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:08 charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
Aug 12 12:08:08 charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
Aug 12 12:08:04 charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
Aug 12 12:08:04 charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
Aug 12 12:08:04 charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
Aug 12 12:08:04 charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
Aug 12 12:08:04 charon: 06[IKE] <con1|43>message parsing failed
Aug 12 12:08:04 charon: 06[IKE] <con1|43>message parsing failed
Aug 12 12:08:04 charon: 06[ENC] <con1|43>could not decrypt payloads
Aug 12 12:08:04 charon: 06[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 charon: 06[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Aug 12 12:08:04 charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
Aug 12 12:08:04 charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
Aug 12 12:08:04 charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
Aug 12 12:08:04 charon: 14[ENC] <con1|43>generating INFORMATIONAL_V1 request 768892632 [ HASH N(PLD_MAL) ]
Aug 12 12:08:04 charon: 14[IKE] <con1|43>message parsing failed
Aug 12 12:08:04 charon: 14[IKE] <con1|43>message parsing failed
Aug 12 12:08:04 charon: 14[ENC] <con1|43>could not decrypt payloads
Aug 12 12:08:04 charon: 14[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 charon: 14[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
Aug 12 12:08:04 charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:04 charon: 14[ENC] <con1|43>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 12 12:08:04 charon: 14[CFG] <43> selected peer config "con1"
Aug 12 12:08:04 charon: 14[CFG] <43> looking for XAuthInitPSK peer configs matching x.x.x.x...y.y.y.y[vpn@kv-viersen.drk.local]
Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 charon: 14[IKE] <43> received Cisco Unity vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received Cisco Unity vendor ID
Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Aug 12 12:08:03 charon: 14[IKE] <43> received FRAGMENTATION vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received FRAGMENTATION vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 12 12:08:03 charon: 14[ENC] <43> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received XAuth vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received XAuth vendor ID
Aug 12 12:08:03 charon: 14[ENC] <43> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V ]
Aug 12 12:08:03 charon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)
PS: The post is also in the English forum, but I hope more people are around here at this time of day. I hope that's okay.
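As an added illustration (not part of Lars's post or of pfSense/strongSwan), here is a small Python helper that parses charon log lines in the format quoted above, restores chronological order (the GUI shows newest first), collapses the duplicated lines, and reports the responder's last successful step and the first failure after it. The sample log is constructed from the format above; the function names and the result fields are my own.

```python
import re

# Constructed sample in the format of the charon log quoted in the post
# (newest first, as pfSense displays it); x.x.x.x / y.y.y.y are placeholders.
SAMPLE_LOG = """\
Aug 12 12:08:33 charon: 06[JOB] <con1|43>deleting half open IKE_SA after timeout
Aug 12 12:08:04 charon: 06[ENC] <con1|43>could not decrypt payloads
Aug 12 12:08:04 charon: 06[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 charon: 06[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Aug 12 12:08:04 charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:04 charon: 14[ENC] <con1|43>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 12 12:08:04 charon: 14[CFG] <43> selected peer config "con1"
Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 charon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)
"""

# "Aug 12 12:08:04 charon: 14[ENC] <con1|43>msg" -> timestamp, thread, subsystem, conn name, IKE_SA id, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> ?(?P<msg>.*)$"
)

def parse_charon(text):
    """Parse charon lines, put them in chronological order (the GUI shows newest
    first) and drop the consecutive duplicates visible in the quoted log."""
    events = []
    for line in reversed(text.splitlines()):
        m = LINE_RE.match(line)
        if m and (not events or (events[-1]["ts"], events[-1]["msg"]) != (m["ts"], m["msg"])):
            events.append(m.groupdict())
    return events

def diagnose(events):
    """Report the responder's last successful step and the first failure after it,
    plus whether the peer had already moved to NAT-T (UDP 4500) when it failed."""
    result = {"sa": None, "last_ok": None, "first_failure": None, "peer_on_4500": False}
    for e in events:
        msg = e["msg"]
        result["sa"] = e["sa"]
        if msg.startswith("generating AGGRESSIVE response"):
            result["last_ok"] = "AGGRESSIVE response generated (Phase 1, message 2)"
        elif msg.startswith("received packet") and "[4500]" in msg:
            result["peer_on_4500"] = True
        elif "decrypt" in msg and result["first_failure"] is None:
            # Phase 1 keys are derived from the PSK chosen for the peer identity, so a
            # decrypt failure on the first encrypted message points at PSK/ID selection.
            result["first_failure"] = msg
    return result
```

Run over the real log, the first failure lands on the message that follows the AGGRESSIVE response, which narrows the search to the Phase 1 key material rather than Phase 2 or NAT-T itself.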