Multiple Road Warrior users with PSK auth unable to connect
I'm having problems trying to set up more than one Mobile IPsec user with PSK auth. Earlier I successfully set up one user using the guide for 2.0.1, and now I need to add 3-4 mobile users with their own passwords.
When adding more users, it seems that only one of these user/pass combinations works and the rest end up with "gateway authentication error" on the Shrew Soft client side. While on the pfSense side I'm seeing this in the logs:
Jan 5 00:22:47 charon: 12[NET] <150> received packet: from <roadwarrior ip>[63192] to <pfsense wan ip>[500] (444 bytes)
Jan 5 00:22:47 charon: 12[ENC] <150> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Jan 5 00:22:47 charon: 12[IKE] <150> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 5 00:22:47 charon: 12[IKE] <150> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 5 00:22:47 charon: 12[IKE] <150> received NAT-T (RFC 3947) vendor ID
Jan 5 00:22:47 charon: 12[IKE] <150> received FRAGMENTATION vendor ID
Jan 5 00:22:47 charon: 12[ENC] <150> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Jan 5 00:22:47 charon: 12[ENC] <150> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Jan 5 00:22:47 charon: 12[ENC] <150> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Jan 5 00:22:47 charon: 12[IKE] <150> received Cisco Unity vendor ID
Jan 5 00:22:47 charon: 12[IKE] <150> <roadwarrior ip> is initiating a Aggressive Mode IKE_SA
Jan 5 00:22:47 charon: 12[CFG] <150> looking for pre-shared key peer configs matching <pfsense wan ip>...<roadwarrior ip>[TestUser02]
Jan 5 00:22:47 charon: 12[CFG] <150> selected peer config "con3"
Jan 5 00:22:47 charon: 12[ENC] <con3|150> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jan 5 00:22:47 charon: 12[NET] <con3|150> sending packet: from <pfsense wan ip>[500] to <roadwarrior ip>[63192] (432 bytes)
Jan 5 00:22:47 charon: 09[NET] <con3|150> received packet: from <roadwarrior ip>[63193] to <pfsense wan ip>[4500] (108 bytes)
Jan 5 00:22:47 charon: 09[ENC] <con3|150> invalid HASH_V1 payload length, decryption failed?
Jan 5 00:22:47 charon: 09[ENC] <con3|150> could not decrypt payloads
Jan 5 00:22:47 charon: 09[IKE] <con3|150> message parsing failed
Jan 5 00:22:47 charon: 09[ENC] <con3|150> generating INFORMATIONAL_V1 request 3918501119 [ HASH N(PLD_MAL) ]
Jan 5 00:22:47 charon: 09[NET] <con3|150> sending packet: from <pfsense wan ip>[500] to <roadwarrior ip>[63192] (76 bytes)
Jan 5 00:22:47 charon: 09[IKE] <con3|150> AGGRESSIVE request with message ID 0 processing failed
Jan 5 00:22:47 charon: 09[NET] <con3|150> received packet: from <roadwarrior ip>[63193] to <pfsense wan ip>[4500] (92 bytes)
Jan 5 00:22:47 charon: 09[ENC] <con3|150> invalid HASH_V1 payload length, decryption failed?
Jan 5 00:22:47 charon: 09[ENC] <con3|150> could not decrypt payloads
Jan 5 00:22:47 charon: 09[IKE] <con3|150> message parsing failed
Jan 5 00:22:47 charon: 09[IKE] <con3|150> ignore malformed INFORMATIONAL request
Jan 5 00:22:47 charon: 09[IKE] <con3|150> INFORMATIONAL_V1 request with message ID 4096175707 processing failed
After some experiments I discovered that the working user/pass login is always the bottom one listed in /var/etc/ipsec/ipsec.secrets. If the working login/pass user is deleted from the web GUI and the config reloaded, the new bottom login now connects nicely while the rest still fail with the same error as seen above. All clients will be either Win/OSX with Shrew, no phones/tablets etc.
I'm confused: shouldn't multiple PSK users work, or are there some modifications I need to make on either the Shrew or the pfSense side, differing from the 2.0.1 guide, in order to get more than one user to work at the same time?
I've now tested this with 2.2.5 and also with the latest 2.2.6, both with the same result. Oh, and I'm aware of the security problems with PSK auth in the first place, but at the moment all that is really needed is a quick and dirty fix to get this solved. :-\
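The charon output quoted in the post shows the pattern a responder logs when an Aggressive Mode initiator's identity is found (the `looking for pre-shared key peer configs matching ...[TestUser02]` line), a peer config is selected, and then the next encrypted message cannot be decrypted. The following is an added triage script, not part of the post or of pfSense/strongSwan, that groups such log lines by IKE_SA number and reports, per identity, whether the SA was established or whether the encrypted Aggressive Mode exchange failed to decrypt (which, for PSK auth, is the usual symptom of the responder deriving keys from a different pre-shared key than the client). The sample log embedded in the script is constructed to mirror the post's lines; the addresses are placeholders, the second SA and its `established` line are invented to show the contrasting case, and the "likely PSK mismatch" verdict is a heuristic, not a strongSwan diagnosis.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the charon lines in the post.  SA 150 mirrors
# the failing TestUser02 attempt; SA 151 (TestUser04, established) is invented
# to show what a successful identity looks like in the same format.
SAMPLE_LOG = """\
Jan 5 00:22:47 charon: 12[NET] <150> received packet: from <roadwarrior ip>[63192] to <pfsense wan ip>[500] (444 bytes)
Jan 5 00:22:47 charon: 12[ENC] <150> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Jan 5 00:22:47 charon: 12[IKE] <150> <roadwarrior ip> is initiating a Aggressive Mode IKE_SA
Jan 5 00:22:47 charon: 12[CFG] <150> looking for pre-shared key peer configs matching <pfsense wan ip>...<roadwarrior ip>[TestUser02]
Jan 5 00:22:47 charon: 12[CFG] <150> selected peer config "con3"
Jan 5 00:22:47 charon: 12[ENC] <con3|150> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jan 5 00:22:47 charon: 09[ENC] <con3|150> invalid HASH_V1 payload length, decryption failed?
Jan 5 00:22:47 charon: 09[ENC] <con3|150> could not decrypt payloads
Jan 5 00:22:47 charon: 09[IKE] <con3|150> message parsing failed
Jan 5 00:22:47 charon: 09[IKE] <con3|150> AGGRESSIVE request with message ID 0 processing failed
Jan 5 00:23:10 charon: 11[CFG] <151> looking for pre-shared key peer configs matching <pfsense wan ip>...<roadwarrior ip>[TestUser04]
Jan 5 00:23:10 charon: 11[CFG] <151> selected peer config "con3"
Jan 5 00:23:10 charon: 11[IKE] <con3|151> IKE_SA con3[151] established between <pfsense wan ip>[<pfsense wan ip>]...<roadwarrior ip>[TestUser04]
"""

# One charon line: timestamp, worker thread, log group, optional "conn|" prefix,
# IKE_SA number, and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
# The IKE identity the initiator presented, taken from the PSK lookup line.
IDENTITY_RE = re.compile(r"peer configs matching .*\[(?P<ident>[^\]]+)\]$")
CONFIG_RE = re.compile(r'selected peer config "(?P<conf>[^"]+)"')


def triage(log_text):
    """Group charon lines by IKE_SA and classify each SA's outcome.

    Returns an ordered dict keyed by SA number with the identity, selected
    config, number of decryption-failure lines and a verdict string.
    """
    sas = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line in the expected shape
        sa = sas.setdefault(m["sa"], {
            "identity": None, "config": None, "aggressive": False,
            "decrypt_failures": 0, "established": False,
        })
        msg = m["msg"]
        if "AGGRESSIVE" in msg:
            sa["aggressive"] = True
        ident = IDENTITY_RE.search(msg)
        if ident:
            sa["identity"] = ident["ident"]
        conf = CONFIG_RE.search(msg)
        if conf:
            sa["config"] = conf["conf"]
        # Both "decryption failed?" and "could not decrypt payloads" count.
        if "decrypt" in msg.lower():
            sa["decrypt_failures"] += 1
        if "established between" in msg:
            sa["established"] = True

    for sa in sas.values():
        if sa["established"]:
            sa["verdict"] = "ok"
        elif sa["aggressive"] and sa["decrypt_failures"]:
            # Heuristic: the initiator's third Aggressive Mode message is
            # encrypted with PSK-derived keys, so failure to decrypt it right
            # after a PSK lookup usually means the two sides hold different keys.
            sa["verdict"] = "likely PSK mismatch"
        else:
            sa["verdict"] = "incomplete"
    return sas


def summarize(log_text):
    """One human-readable line per IKE_SA, for pasting into a ticket."""
    return [
        f"SA {num}: identity={sa['identity']} config={sa['config']} "
        f"decrypt_failures={sa['decrypt_failures']} verdict={sa['verdict']}"
        for num, sa in triage(log_text).items()
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real `/var/log/ipsec.log` (or `clog /var/log/ipsec.log` on pfSense) with the placeholder addresses replaced, the summary lists which identities authenticate and which ones die in the encrypted part of the exchange, which is the first thing to check before touching `ipsec.secrets` ordering or the client profiles.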