Netgate Discussion Forum

    Client IPSec EAP VPN does not work after upgrade to 2.5release

    • DaddyGo @matyi.szabolcs

      @matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

      Does it use AES for hardware encryption, or does it do it without that?

      No 😉
      the speed is exactly because of this, since it uses this
      ChaCha20 + Poly1305 + https://tools.ietf.org/html/rfc7539

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • matyi.szabolcs @DaddyGo

        This post is deleted!
        • AceStrider1 @matyi.szabolcs

          @matyi-szabolcs
          Yes, I have the problem with the widgets and status page also. Not sure about applying the patches. Did they work? I could not understand the rest of the thread.

          • jahonix @AceStrider1

            @acestrider1
            Answer from just another user with IPsec problems: forget about 2.5.0 in its current state and the patches mentioned.

            We had a perfectly working tunnel between our remote office and our HQ until I decided to upgrade our office site. Even with IPsec working in the evening when I leave the tunnel is down the next morning. Logs don't help, there are 500+ entries within 45min alone with some logged rubbish but without a clue to the problem.

            Applying those patches didn't make any difference. Tunnel down next morning. Rebooting the device and it's up for an unknown period again.
            Whatever the reason, this 2.5.0 is borked in its current state even with all patches applied as of 2021-02-25.
            Sorry, netgate team. If an update brings a working system down then it is kaputt. Face it.

            • jimp Rebel Alliance Developer Netgate

              @jahonix said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

              We had a perfectly working tunnel between our remote office and our HQ until I decided to upgrade our office site. Even with IPsec working in the evening when I leave the tunnel is down the next morning. Logs don't help, there are 500+ entries within 45min alone with some logged rubbish but without a clue to the problem.

              That doesn't match up with the symptoms in this thread, please start your own thread and we can help you figure out what's wrong with that setup. Sounds like maybe the tunnel isn't rekeying properly or the child SA close action needs set on one side to make it reconnect (especially if it's VTI)

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • jahonix @jimp

                @jimp said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                please start your own thread and we can help you figure out what's wrong with that setup.

                Jim,
                thanks for your offer!
                Unfortunately we don't have the time to dig through this. Our fix was to rollback to 2.4.5-p1 and stick with that version. Maybe we'll have a look at 2.5.0 +1 or so.

                • jimp Rebel Alliance Developer Netgate @jahonix

                  @jahonix said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                  thanks for your offer!
                  Unfortunately we don't have the time to dig through this. Our fix was to rollback to 2.4.5-p1 and stick with that version. Maybe we'll have a look at 2.5.0 +1 or so.

                  Fair enough but if nobody else hits the same problem as you then there is little chance of it being fixed. If we don't know enough about it and can't reproduce or diagnose it, then we can't work on it.

                  • A Former User @jimp

                    This post is deleted!
                    • currentUsername

                      Too bad, the last comment of this thread has been deleted. You could think of a community test - distribute the VPN credentials of the test environment to the forum participants and we will provide you with all possible dumps and logs. Really guys, I'm available. All this would have allowed your customers not to spend sleepless nights studying IPSec in the hope of finding "that" fantastic configuration that will allow their company to work peacefully. Please...

                      • A Former User @currentUsername

                        This post is deleted!
                        • jimp Rebel Alliance Developer Netgate

                          We do test it. We all use snapshots on our home edges with IPsec back to HQ, I have dozens of tunnels and mobile setup styles in my lab and am constantly monitoring and testing them with Windows, Android, and OS X clients. Others here have their own setups at home and in their labs as well. All of mine work, but there are only so many different scenarios we can test.

                          With all the settings possible in IPsec there are thousands of different potential configurations and client combinations. At some point we need more feedback from real-world users instead of tests in lab conditions.

                          • MarcO42 @jimp

                            @jimp said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                            @matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                            As a solution, we re-entered the Pre Shared Key from the config.xml Backup file and save.

                            If you look at the contents of config.xml before and after re-entering the key, are there any differences? Are there any differences in /var/etc/ipsec/swanctl.conf for keys before and after changing config.xml? There should not be, but if there are, I need to know what they are.

                            The status problem is already known and fixed. To ensure you have all of the current known and fixed IPsec issues corrected, you can install the System Patches package and then create entries for the following commit IDs to apply the fixes:

                            • ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
                            • 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
                            • 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
                            • ded7970ba57a99767e08243103e55d8a58edfc35 #11486
                            • afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
                            • 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

                            Hi Jimp,
                            I had installed the patches but after I added a second ipsec site2site tunnel all tunnels are shown as disconnected in the widget. Maybe @matyi-szabolcs and @DaddyGo found a solution but I'm only able to understand English and German ;)

                            I tried to check some return values from the function pfSense_ipsec_list_sa(), like in https://redmine.pfsense.org/issues/7856, but I'm not able to. I don't know how. Maybe you can send me a link to a how-to or documentation on how I can do this, so I can debug it myself and help you out?
                            Cheers
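
The before/after comparison of config.xml that jimp asks for in the quoted post above can be done without pasting secrets into the forum. This is an added example, not code from the thread or from pfSense; the element names (`<ipsec>`, `<phase1>`, `<mobilekey>`, `<ident>`, `<descr>`, `<pre-shared-key>`) are an assumed config.xml layout, and the sample configs are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumed config.xml layout (not shown on this page): site-to-site keys live in
# <ipsec><phase1>, mobile/EAP keys in <ipsec><mobilekey>.
SECRET_SECTIONS = {"phase1": "descr", "mobilekey": "ident"}

def fingerprint(value):
    """Short SHA-256 tag so keys can be compared without printing them."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]

def collect_keys(config_xml):
    """Map 'section:label' -> raw key text for every IPsec secret in one config."""
    root = ET.fromstring(config_xml)
    keys = {}
    for section, label_tag in SECRET_SECTIONS.items():
        for entry in root.findall(f"./ipsec/{section}"):
            label = entry.findtext(label_tag, default="?")
            keys[f"{section}:{label}"] = entry.findtext("pre-shared-key", default="")
    return keys

def compare_keys(before_xml, after_xml):
    """List entries whose stored key changed, with a hint about the kind of change."""
    before, after = collect_keys(before_xml), collect_keys(after_xml)
    findings = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old == new:
            continue
        if old is None or new is None:
            reason = "entry missing on one side"
        elif old.strip() == new.strip():
            reason = "whitespace only"
        else:
            reason = "value differs"
        findings.append((name, reason, fingerprint(old or ""), fingerprint(new or "")))
    return findings

# Constructed sample configs, not taken from any real firewall.
BEFORE = """<pfsense><ipsec>
  <phase1><descr>hq</descr><pre-shared-key>s2s-secret</pre-shared-key></phase1>
  <mobilekey><ident>alice</ident><type>EAP</type><pre-shared-key>pw1 </pre-shared-key></mobilekey>
</ipsec></pfsense>"""
AFTER = BEFORE.replace("pw1 ", "pw1")

if __name__ == "__main__":
    for name, reason, old_fp, new_fp in compare_keys(BEFORE, AFTER):
        print(f"{name}: {reason} ({old_fp} -> {new_fp})")
```

The fingerprints are unsalted hashes, so for short or guessable keys treat them as sensitive and share only the entry name and the reason.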

                            • DaddyGo @MarcO42

                              @marco42 said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                              Maybe @matyi-szabolcs and @DaddyGo found a solution but I'm only able to understand English and German ;)

                              Hi,

                              nope, we didn't find a solution either, unfortunately...

                              we just met and spoke in the same language briefly, I apologize to the other colleagues...

                              PS:
                              there are not many Hungarian speakers here on the forum 😉

                              • MarcO42 @DaddyGo

                                @daddygo said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                                @marco42 said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                                Maybe @matyi-szabolcs and @DaddyGo found a solution but I'm only able to understand English and German ;)

                                Hi,

                                nope, we didn't find a solution either, unfortunately...

                                we just met and spoke in the same language briefly, I apologize to the other colleagues...

                                PS:
                                there are not many Hungarian speakers here on the forum 😉

                                U R Welcome 😁

                                Sorry for repeating my question but:
                                I tried to check some return values from the function pfSense_ipsec_list_sa(), like in https://redmine.pfsense.org/issues/7856, but I'm not able to. I don't know how. Maybe someone can send me a link to a how-to or documentation on how I can do this, so I can debug it myself?

                                Cheers

                                • DaddyGo @MarcO42

                                  @marco42 said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                                  Sorry for repeating my question but:

                                  Hi,
                                  understandable, but... 😉

                                  nope, no one knows that.. :)
                                  The best I can suggest is to stay a little longer at 2.4.5-p1 with IPsec

                                  I know it's hard to figure out what's going on in 2.5.0, but it's a production environment... in our case (from this I get my IT judgment)

                                  we never switch versions, when Netgate says it can be now :-)

                                  pls. - understand them too, you are the best experimental interface

                                  so I am running a 2.5.0 machine in an ESXi environment on a Cisco UCS unit to help the community 😉

                                  • csandor

                                    There are other Hungarians here too... This one doesn't live in Hungary either... :-)

                                    • DaddyGo @csandor

                                      @csandor said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                                      This one doesn't live in Hungary either... :-)

                                      We're glad to have you, Sándor 😉

                                      I see the keyboard is English, hehehe. I haven't been around here much lately, but I'm planning to install 2.5.1 this weekend, so I'll drop in; if I can help with anything, you'll find me.

                                      Have a nice weekend.

                                      • matyi.szabolcs @csandor

                                        @csandor

                                        Hi to all my dear compatriots!

                                        There are 2 more observations regarding version 2.5.1.
                                        The node_exporter plugin disappears from the web menu after a short time and does not start automatically.
                                        link

                                        Also, something that surely not many people have tested yet: when migrating hardware, a config.xml carried over from 2.5 and loaded on different hardware did not boot, even after several attempts. After I did a fresh 2.4.5 install and loaded the 2.4.5 config into it, everything worked perfectly. Then I was able to upgrade HW2, now to 2.5.1. @DaddyGo will turn out to be right that upgrading will be worthwhile more around 2.5.2 or 2.5.3. 2.5.1 was also finished too quickly in the end. When I looked 2-3 days before the release, 50 tickets were still open. I don't think they could have thrown it together in 2 days if before that the 25 tickets took them months to do. Regards.

                                        • chopisophi3

                                          I noticed a solution like this: delete the EAP entry from the web interface (VPN / IPSec / Pre-Shared Keys). It seems to me that if you delete the problem this way, the problem can be solved, and other parts of the configuration may get damaged.

                                          • DaddyGo @matyi.szabolcs

                                            @matyi-szabolcs said in Client IPSec EAP VPN does not work after upgrade to 2.5release:

                                            Then I was able to upgrade HW2, now to 2.5.1. @DaddyGo will turn out to be right that upgrading will be worthwhile more around 2.5.2 or 2.5.3.

                                            Yeah, I got a bit immersed in the world of our VPSes (there were a lot of changes, Ubuntu Focal Fossa :-) and the scandalous stuff that has been happening around Netgate lately kept me away from the forum a bit; I'm waiting for the dust to settle...

                                            @matyi-szabolcs "when migrating hardware, a config.xml carried over from 2.5 and loaded on different hardware did not boot"

                                            if there is a HW change, config.xml contains the old stuff, like igb, cxgbe, emX, bwn, ixgbe, or other driver, which is always a problem...

                                            what I usually do is manually rewrite the old HW's parameters in config.xml for the new (possible) drivers, since the old HW certainly does not contain the same HW components as the old one.
                                            FreeBSD reconfigures the basic parameters (CPU, ACPI, MEM, BUS, USB, etc.), but it ties e.g. the NIC parameters to the interface(s), so those cannot be imported into a new system or HW,

                                            So the basic pfSense things carry over to the new install, but the NIC parameters do not, so all the new interfaces will be dropped, naturally.

                                            BTW:

                                            How are you guys, is everyone well??? I hope so... :-)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.