Client IPSec EAP VPN does not work after upgrade to 2.5release
-
Hi,
after reckoning that pfsense 2.5 mangles the PSK's somewhat funny and re-set up my most important ipsec tunnels again as in that post mentioned...
https://forum.netgate.com/topic/161096/2-5-upgrade-broke-some-not-all-ipsec/17?_=1613852046769
...I tried to revive my client EAP based ipsec server as well...
but here simply useing the PSK which is mentioned in the secrects section does not work so far - besides it is also differend than the PSK you see in the webinterface....
Feb 20 21:11:30 rotorouter charon[52332]: 16[CFG] <81> looking for peer configs matching 79.xxx.xx.xx[xx.xxx.xx]...80.xx.xx.xx[oneplus@whatever.org] Feb 20 21:11:30 rotorouter charon[52332]: 16[CFG] <81> no matching peer config foundThis - as any other ipsec connection - was working perfectly in the last 2.4.5 pfsense release...
I don't know why pfsense cannot find a config for that EAP User which is configured correctly and worked until the update, everything is in the right place, despite (again) the fact that the PSK in /var/etc/ipsec/swanctl.conf does also NOT match the PSK VPN/IPsec/Pre-Shared Keys EAP entry for that same user....
Any advice?
Cheers
4920441
-
@4920441-0
sorry for replying myself.... but
simply deleting the EAP entry in the webinterface (VPN / IPSec / Pre-Shared Keys)
and add a new one with EXACTLY the same data works....The really funny thing is the /var/etc/ipsec/swanctl.conf is exactly the same as before removal! How can this happen?
When the EAP User was removed the appropriat secret entry was gone, though....
Mystique.....
-
If it is 100% identical there should not have been a difference in behavior.
Use the config history function under Diagnostics > Backup/Restore and compare the configurations before and after making the change.
-
The problem also occurred with us.
After the upgrade, the IPsec tunnels could not connect.
As a solution, we re-entered the Pre Shared Key from the config.xml Backup file and save.
Alternatively, the entire backup file can be re-entered, but it involves a reboot.
Another problem is that the IPsec Widget still does not display active connections. Not on the status side either.
Tthe connection is active:
OK - IPSEC VPN tunnel to xxx.xxx.xxx.xxx - ESTABLISHED 6 minutes ago
OK - IPSEC VPN tunnel to xxx.xxx.xxx.xxx - ESTABLISHED 7 minutes ago
OK - IPSEC VPN tunnel to xxx.xxx.xxx.xxx - ESTABLISHED 9 minutes ago
Will there be an update to fix the problem?
Thanks!
-
This post is deleted! -
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
As a solution, we re-entered the Pre Shared Key from the config.xml Backup file and save.
If you look at the contents of config.xml before and after re-entering the key, are there any differences? Are there any differences in
/var/etc/ipsec/swanctl.conffor keys before and after changing config.xml? There should not be, but if there are, I need to know what they are.The status problem is already known and fixed. To ensure you have all of the current known and fixed IPsec issues corrected, You can install the System Patches package and then create entries for the following commit IDs to apply the fixes:
Remember: Upvote with the đ button for any user/post you find to be helpful, informative, or deserving of recognition!
Need help fast? Netgate Global Support!
Do not Chat/PM for help!
-
Hi Support!
The following 2 paths have solved the widget and status page issue:
https://github.com/pfsense/pfsense/commit/95a4e1a0e42392fe4523bf769589f74864446f8c.patch
https://github.com/pfsense/pfsense/commit/4e5857b656c7bfd59efadbb9a124876a5516c7df.patch
i looked at the difference (config.xml) before and after the update.
Data differ in 32 places and are missing.Unfortunately, I haven't seen the "swanctl.conf" file before. I will apply as soon as I know more!
Thanks!
-
@matyi-szabolcs
Unfortunately, there were problems with the ipsec connection again this morning. We've added additional patches and it now works.
However, the Ipsec Widget does not show an active link again.activated patches:
- ead6515637a34ce6e170e2d2b0802e4fa1e63a00
- 57beb9ad8ca11703778fc483c7cba0f6770657ac
- 10eb04259fd139c62e08df8de877b71fdd0eedc8
- ded7970ba57a99767e08243103e55d8a58edfc35
- afffe759c4fd19fe6b8311196f4b6d5e288ea4fb
- 2fe5cc52bd881ed26723a81e0eed848fd505fba6
- 95a4e1a0e42392fe4523bf769589f74864446f8c
- 4e5857b656c7bfd59efadbb9a124876a5516c7df
-
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
Unfortunately, there were problems with the ipsec connection again this morning.
Hi,
Termelési környezetben hasznåljåtok a 2.5.0 -åt?
Vagy ez egy teszt VM?Jimp tud segĂteni ebben Ć a mƱszaki vezetĆje a Netgate -nek, Ă©rdemes figyelni a tanĂĄcsaira.
RĂĄadĂĄsul IPSec Ă©s egyĂ©b VPN szakĂ©rtĆ Ă©s ĂĄltalĂĄban minden...
Mi semmikĂ©ppen sem hasznĂĄljuk mĂ©g a 2.5.0 termelĂ©si környezetben, ez hosszĂș Ă©vek tapasztalata, egy kicsit vĂĄrni kell.Ădv...
+++edit:
@matyi-szabolcs "Hi Support!"
Jah Ă©s itt nincs support ez egy CE közössĂ©g, Ăgy mindenki segĂt...a support itt van : https://go.netgate.com/support/login
de ez nem CE -re vonatkozik, hanem Netgate HW -kra (SG-.......) -
Hi @daddygo !
Azt hittem kĂĄprĂĄzik a szemem, hogy magyarul olvaslak, vagy a google translate maradt bekapcsolva, de nem.
Igen ez az eset a termelĂ©sben törtĂ©nt. ElĆzĆleg itthoni környezetben mĂĄr 2 pfsense-t sikeresen lefrissĂtettem hiba nĂ©lkĂŒl, igaz itt ipsec nem volt csak openvpn. MĂĄr szinte biztos voltam benne, hogy nem lehet problĂ©ma. Jelenleg stabilnak lĂĄtszik több tovĂĄbbi patch beadĂĄsa utĂĄn, de mĂ©g szĂŒksĂ©g van idĆre a tesztelĂ©shez. A widget meg egyelĆre Ăgy marad, van helyette nagios check.
ĂrĂŒltem a talĂĄlkozĂĄsnak,
Ădv. -
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
Azt hittem kĂĄprĂĄzik a szemem,
Az elmĂșlt Ă©vekben tapasztalatom szerint csak Ă©n vagyok itt magyar, vagyis Ăn sem az orszĂĄgban Ă©lek.
Maradj a 2.4.5 -p1 -en egy darabig nĂĄlunk több mint 200 pfSense telepĂtĂ©s fut kisseb nagyobb rendszereken, harmadik fĂ©l HW -in Ă©s original Netgate cuccokon is. Korai a 2.5, nĂĄlam egy Cisco UCS-C240M5 fut tesztkĂ©nt, de nem jĂł mĂ©g.
Valahol majd 2.5.3-4 körĂŒl lehet vĂĄltani, de ĂgĂ©retek szerint nyĂĄron kijön a 2.6, ergo a Netgate kisĂ©rletezik velĂŒnk, hihihihi.
A fĂłrum jĂł petricsĂ©sze nekik rengeteg "bug" jön elĆ.
Abban az esetben, ha segĂtsĂ©g kell ĂĄltalĂĄban itt vagyok, sok ismerĆsöm van itt sok szakterĂŒletrĆl, tudunk segĂteni sok mindenben.
ĂrĂŒltem Ăn is!+++edit:
jah a "patch" -kel az a gond, ha firssĂŒl az FW a pkg - manager felĂŒlĂr mindent, nem sok marad megbelĆlĂŒk, tehĂĄt mindent kezdhetsz Ășjra, inkĂĄbb jelentsd a dologokat "redmine" -on:
https://redmine.pfsense.org/ -
Hi @daddygo
Köszönöm az informåciót!
Most vettem Ă©szre, hogy a patch nem aktivĂĄlĂłdik.
Most mind a 8 patch ezt Ărja a tesztnĂ©l:Patch can NOT be applied cleanly (detail) Patch can be reverted cleanly (detail)
Mindegyik patch tesztelésnél hasonló hibåk.
A VPN kapcsolat rendben, status oldal is mutatja az aktĂv kapcsolatokat. EgyedĂŒl a widget nem. Van esetleg informĂĄciĂłd melyik patch amire tĂ©nyleg szĂŒksĂ©g van Ă©s melyek a nem fontosak? Tegnap amikor csak 2 patch volt hozzĂĄ adva, akkor minden rendben volt, a widget is. Ma reggelre szakadt meg a kapsolat Ă©s hozzĂĄ adtuk a tovĂĄbbi patcheket Ă©s most ez a problĂ©ma.
Ădv!
-
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
Van esetleg informĂĄciĂłd melyik patch amire tĂ©nyleg szĂŒksĂ©g van Ă©s melyek a nem fontosak?
ĂtnĂ©ztem Ă©s nekem Ășgy tƱnik, hogy nagyobb a problĂ©ma mint elsĆre Jimp gondolta 17 perc elteltĂ©vel adta ki a kĂ©t patch -et Ă©s mindegyik PHP related....
https://redmine.pfsense.org/issues/11435
figyeld csak "redmine" Renato mĂĄr ĂĄt is tette 2.5.0-p1 -be, ami nekem erĆssen azt sugalja, hogy a sok hiba miatt nem sokĂĄra kiadjĂĄk a -p1 -et.
A mĂĄsodik patch az aktuĂĄlisabb, de az sem jĂł
+++edit:
-
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
Ma reggelre szakadt meg a kapsolat és hozzå adtuk a tovåbbi patcheket és most ez a probléma.
Egyébként hol hasznåljåtok az IPSec -et? Két - több iroda, cég, telephely között..?
Ideiglenesen nem megoldĂĄs az OpenVPN az most mƱködik rendesen, vagy Wireguard, ha nagyobb sebessĂ©g szĂŒksĂ©ges..WG -nek durva a teljesĂtmĂ©nye, teszteltĂŒk Ă©s 6 napja fut kĂ©t branch master router között.
https://www.netgate.com/blog/wireguard-in-pfsense-2-5-performance.html -
Hi @daddygo
Az ĂŒgyfelĂŒnknek mĂĄr megvolt az ipsec hĂĄlĂłzata mikor hozzĂĄnk kerĂŒlt (több nagyvĂĄros között). SzĂłval mindenkĂ©pp csak ezt tudtuk hasznĂĄlni a pfsense-ben a mĂĄr meglĂ©vĆ kapcsolataihoz. Ez most kĂŒlönösen kritikus problĂ©ma volt mivel a telefon is ipsecen keresztĂŒl ĂŒzemel. Volt kiesĂ©s is mĂg megtalĂĄltam ezt a fĂłrumot az ideiglenes megoldĂĄssal, hogy a pre-shared-key ĂșjbĂłli beadĂĄsa segĂthet. UtĂĄna vettĂŒk Ă©szre, hogy sem a stĂĄtusz oldal sem a widget nem mutatja megfelelĆen az adatokat. EgyelĆre most mƱködik jĂłl, a stĂĄtusz oldal is rendben, egyedĂŒl a widget a problĂ©ma de ez most elhanyagolhatĂł. Ăgy hagyjuk Ă©s figyeli a nagios check_ipsec.
A WG is Ă©rdekes mindenkĂ©pp, igen fĆleg a sebessĂ©g miatt. Ezt is majd tesztelni kell Ă©s semmikĂ©pp sem hagyjuk figyelmen kĂvĂŒl. HasznĂĄl AES-t a hardveres titkosĂtĂĄshoz, vagy annĂ©lkĂŒl csinĂĄlja?
Köszi az infókat!
Ădv. -
@matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
HasznĂĄl AES-t a hardveres titkosĂtĂĄshoz, vagy annĂ©lkĂŒl csinĂĄlja?
Nem
a sebesség pont ezért van, mivel ezt hasznålja
ChaCha20 + Poly1305 + https://tools.ietf.org/html/rfc7539
-
This post is deleted! -
@matyi-szabolcs
Yes, I have the problem with the widgets and status page also. Not sure about applying the patches. Did they work? I could not understand the rest of the thread. -
@acestrider1
Answer from just another user with IPsec problems: forget about 2.5.0 in its current state and the patches mentioned.We had a perfectly working tunnel between our remote office and our HQ until I decided to upgrade our office site. Even with IPsec working in the evening when I leave the tunnel is down the next morning. Logs don't help, there are 500+ entries within 45min alone with some logged rubbish but without a clue to the problem.
Applying those patches didn't make any difference. Tunnel down next morning. Rebooting the device and it's up for an unknown period again.
Whatever the reason, this 2.5.0 is borked in its current state even with all patches applied as of 2021-02-25.
Sorry, netgate team. If an update brings a working system down then it is kaputt. Face it. -
@jahonix said in Client IPSec EAP VPN does not work after upgrade to 2.5release:
We had a perfectly working tunnel between our remote office and our HQ until I decided to upgrade our office site. Even with IPsec working in the evening when I leave the tunnel is down the next morning. Logs don't help, there are 500+ entries within 45min alone with some logged rubbish but without a clue to the problem.
That doesn't match up with the symptoms in this thread, please start your own thread and we can help you figure out what's wrong with that setup. Sounds like maybe the tunnel isn't rekeying properly or the child SA close action needs set on one side to make it reconnect (especially if it's VTI)
Remember: Upvote with the đ button for any user/post you find to be helpful, informative, or deserving of recognition!
Need help fast? Netgate Global Support!
Do not Chat/PM for help!
