Netgate Discussion Forum
    Random IPSec mobile client disconnects on 2.4.5

      hipgroove
      last edited by hipgroove

      This location has an older SG-2440 running a 2.4 version that works well, but is underpowered for the IPSec site-to-site and mobile user load it's handling. An SG-3100 with 2.4.5 was installed with a restored backup from the SG-2440, with the only changes to the config being interface reassignments and subsequent IPSec SA subnet selections.

      All VPNs work, but now we're seeing random IPSec mobile client disconnects. The clients are all using the Mac OS native VPN client. Users can be connected for hours, and then get disconnected, with the only relevant log entry being:

      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> received XAuth vendor ID
      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> received Cisco Unity vendor ID
      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> received DPD vendor ID
      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> 12.12.12.1 is initiating a Aggressive Mode IKE_SA
      Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> looking for XAuthInitPSK peer configs matching 10.10.10.1...12.12.12.1[groupname]
      Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> selected peer config "con-mobile"
      Jun  4 12:38:02 PFSenseFW charon: 08[ENC] <con-mobile|165> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Jun  4 12:38:02 PFSenseFW charon: 08[NET] <con-mobile|165> sending packet: from 10.10.10.1[500] to 12.12.12.1[500] (412 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 08[NET] <con-mobile|165> received packet: from 12.12.12.1[4500] to 10.10.10.1[4500] (100 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 08[ENC] <con-mobile|165> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
      Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <con-mobile|165> remote host is behind NAT
      Jun  4 12:38:02 PFSenseFW charon: 08[ENC] <con-mobile|165> generating TRANSACTION request 4127191853 [ HASH CPRQ(X_USER X_PWD) ]
      Jun  4 12:38:02 PFSenseFW charon: 08[NET] <con-mobile|165> sending packet: from 10.10.10.1[4500] to 12.12.12.1[4500] (76 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 06[NET] <con-mobile|165> received packet: from 12.12.12.1[4500] to 10.10.10.1[4500] (76 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 06[ENC] <con-mobile|165> parsed TRANSACTION response 4127191853 [ HASH CPRP(X_USER) ]
      Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> peer did not respond to our XAuth request
      Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> XAuth authentication of 'groupname' failed
      Jun  4 12:38:02 PFSenseFW charon: 06[ENC] <con-mobile|165> generating TRANSACTION request 1210655804 [ HASH CPS(X_STATUS) ]
      Jun  4 12:38:02 PFSenseFW charon: 06[NET] <con-mobile|165> sending packet: from 10.10.10.1[4500] to 12.12.12.1[4500] (76 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 06[NET] <con-mobile|165> received packet: from 12.12.12.1[4500] to 10.10.10.1[4500] (76 bytes)
      Jun  4 12:38:02 PFSenseFW charon: 06[ENC] <con-mobile|165> parsed TRANSACTION response 1210655804 [ HASH CPA(X_STATUS) ]
      Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> destroying IKE_SA after failed XAuth authentication
      

      It could be 45 minutes, or 18 hours, but these happen to multiple different clients. Replacing the 3100 with the original 2440 restores proper behavior to those clients. Searches for XAuth issues like this don't lead anywhere useful, at least so far.

      Any ideas?

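One way to make log excerpts like the one above easier to compare across many clients, as an added example that is not part of the original thread or of pfSense/strongSwan: it parses charon lines in the format pfSense's IPsec log uses, groups them by the IKE_SA number shown in `<conn|NNN>` / `<NNN>`, records the peer address, selected proposal and XAuth outcome for each SA, and separates SAs that were destroyed after charon reported "peer did not respond to our XAuth request" from SAs that authenticated. The SA 165 lines are taken from the post; SA 166 and its "successful" line are constructed here to show the contrast, and the function names are the example's own.

```python
"""Per-IKE_SA XAuth outcome summary over charon (strongSwan) log lines.

Added example, not code from the thread or from pfSense/strongSwan. Line format
and message texts follow the charon output shown in the post.
"""
import re
from datetime import datetime

# One charon log line: timestamp, host, "charon:", thread[GROUP], <conn|sa> or <sa>, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
INIT_RE = re.compile(r"(?P<peer>\d+\.\d+\.\d+\.\d+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<proposal>IKE:\S+)")
XAUTH_RESULT_RE = re.compile(r"XAuth authentication of '(?P<xid>[^']+)' (?P<result>failed|successful)")
XAUTH_NO_RESPONSE = "peer did not respond to our XAuth request"
DESTROYED = "destroying IKE_SA after failed XAuth authentication"

# Sample input: SA 165 lines are from the post; SA 166 lines are constructed for this example.
SAMPLE_LOG = [
    "Jun  4 12:38:02 PFSenseFW charon: 08[IKE] <165> 12.12.12.1 is initiating a Aggressive Mode IKE_SA",
    "Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> looking for XAuthInitPSK peer configs matching 10.10.10.1...12.12.12.1[groupname]",
    "Jun  4 12:38:02 PFSenseFW charon: 08[CFG] <165> selected peer config \"con-mobile\"",
    "Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> peer did not respond to our XAuth request",
    "Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> XAuth authentication of 'groupname' failed",
    "Jun  4 12:38:02 PFSenseFW charon: 06[IKE] <con-mobile|165> destroying IKE_SA after failed XAuth authentication",
    # constructed: the same client re-initiating and authenticating successfully
    "Jun  4 12:38:40 PFSenseFW charon: 09[IKE] <166> 12.12.12.1 is initiating a Aggressive Mode IKE_SA",
    "Jun  4 12:38:40 PFSenseFW charon: 09[CFG] <166> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Jun  4 12:38:41 PFSenseFW charon: 09[IKE] <con-mobile|166> XAuth authentication of 'groupname' successful",
]


def parse_line(line):
    """Return a dict of fields for one charon line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; only the time of day is needed to order SAs here
    d["ts"] = datetime.strptime(re.sub(r"\s+", " ", d["ts"]), "%b %d %H:%M:%S")
    return d


def summarise(lines):
    """Group lines by IKE_SA number and record what happened to each SA."""
    sas = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        rec = sas.setdefault(f["sa"], {
            "first_seen": f["ts"], "last_seen": f["ts"], "conn": None, "peer": None,
            "mode": None, "proposal": None, "xauth_id": None, "xauth_result": None,
            "xauth_no_response": False, "destroyed": False,
        })
        rec["last_seen"] = f["ts"]
        if f["conn"]:
            rec["conn"] = f["conn"]
        msg = f["msg"]
        if (m := INIT_RE.search(msg)):
            rec["peer"], rec["mode"] = m["peer"], m["mode"]
        elif (m := PROPOSAL_RE.search(msg)):
            rec["proposal"] = m["proposal"]
        elif (m := XAUTH_RESULT_RE.search(msg)):
            rec["xauth_id"], rec["xauth_result"] = m["xid"], m["result"]
        elif XAUTH_NO_RESPONSE in msg:
            rec["xauth_no_response"] = True
        elif DESTROYED in msg:
            rec["destroyed"] = True
    return sas


def classify(rec):
    """Label one SA record:
    'xauth_no_response' - charon reported the peer did not respond to its XAuth request,
    'xauth_failed'      - XAuth failed without that message,
    'ok'                - XAuth succeeded,
    'incomplete'        - no XAuth outcome seen for this SA."""
    if rec["xauth_result"] == "successful":
        return "ok"
    if rec["xauth_result"] == "failed":
        return "xauth_no_response" if rec["xauth_no_response"] else "xauth_failed"
    return "incomplete"


def peer_attempts(sas):
    """Map each client address to its IKE_SAs in time order, each with its classify() label."""
    by_peer = {}
    for sa, rec in sorted(sas.items(), key=lambda kv: (kv[1]["first_seen"], int(kv[0]))):
        if rec["peer"]:
            by_peer.setdefault(rec["peer"], []).append((sa, classify(rec)))
    return by_peer


if __name__ == "__main__":
    for peer, attempts in peer_attempts(summarise(SAMPLE_LOG)).items():
        print(peer, attempts)
```

Feeding the full ipsec log through `summarise` and then `peer_attempts` shows, per client address, how often an SA ended with the "did not respond" outcome versus a successful XAuth, which makes it easy to see whether the failures cluster on particular clients or on particular times of day.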
        dcugy
        last edited by

        I get the same problem

          jgraham5481 @hipgroove
          last edited by

          @hipgroove
          What do your proposals look like? There's a sweet spot for Mac and a sweet spot for Windows 10.
