Update from 2.2 to 2.3.1_5 broke my ios9.3.2 ipsec



  • Hi,

    I had a road warrior setup for iOS 9.3.2 working with my pfs 2.2 install.
    Today I decided to upgrade to the 2.3 branch (2.3.1_5 to be exact); unfortunately for me, this broke my road warrior iOS config.
    I keep getting "The VPN shared secret is incorrect" messages from iOS, even though the password is 100% correct.

    I followed this guide to the letter:
    https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    I also tried enabling Unity as release notes suggested.

    It looks similar to this bug:
    https://redmine.pfsense.org/issues/4806

    Reverting back to the 2.2 branch solved my problems.

    Did something break with iOS and IPsec? Is anyone else experiencing issues as well?

    ---log---
    Jun 26 19:09:19 charon 05[IKE] <con5|27>queueing INFORMATIONAL_V1 request as tasks still active
    Jun 26 19:09:19 charon 05[NET] <con5|27>received packet: from x.x.x.x [21369] to x.x.x.x[4500] (76 bytes)
    Jun 26 19:09:19 charon 05[NET] <con5|27>sending packet: from x.x.x.x[500] to x.x.x.x[500] (432 bytes)
    Jun 26 19:09:19 charon 05[ENC] <con5|27>generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
    Jun 26 19:09:19 charon 05[CFG] <27> selected peer config "con5"
    Jun 26 19:09:19 charon 05[CFG] <27> looking for XAuthInitPSK peer configs matching x.x.x.x…x.x.x.x[vpn-ipsec-m]
    Jun 26 19:09:19 charon 05[IKE] <27> x.x.x.x is initiating a Aggressive Mode IKE_SA
    Jun 26 19:09:19 charon 05[IKE] <27> received DPD vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received Cisco Unity vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received XAuth vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received NAT-T (RFC 3947) vendor ID
    Jun 26 19:09:19 charon 05[IKE] <27> received FRAGMENTATION vendor ID
    Jun 26 19:09:19 charon 05[ENC] <27> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jun 26 19:09:19 charon 05[NET] <27> received packet: from x.x.x.x[500] to x.x.x.x[500] (767 bytes)
    Jun 26 19:09:19 charon 15[NET] <26> sending packet: from x.x.x.x[500] to x.x.x.x[500] (56 bytes)
    Jun 26 19:09:19 charon 15[ENC] <26> generating INFORMATIONAL_V1 request 4265068621 [ N(NO_PROP) ]
    Jun 26 19:09:19 charon 15[IKE] <26> no proposal found
    Jun 26 19:09:19 charon 15[CFG] <26> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jun 26 19:09:19 charon 15[CFG] <26> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Jun 26 19:09:19 charon 15[IKE] <26> x.x.x.x is initiating a Aggressive Mode IKE_SA
    Jun 26 19:09:19 charon 15[IKE] <26> received DPD vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received Cisco Unity vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received XAuth vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received NAT-T (RFC 3947) vendor ID
    Jun 26 19:09:19 charon 15[IKE] <26> received FRAGMENTATION vendor ID
    Jun 26 19:09:19 charon 15[ENC] <26> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jun 26 19:09:19 charon 15[NET] <26> received packet: from x.x.x.x[500] to x.x.x.x[500] (767 bytes)
    ---log---


  • Netgate

    What is logged after that? What are your mobile client Phase 1 settings?



  • Thanks for the quick reply, my phase1 settings are:

    Authentication method: Mutual PSK + Xauth
    Negotiation mode: aggressive
    My identifier: My IP address
    Peer identifier: vpn-ipsec-m
    Pre-Shared Key: secret
    Encryption Algorithm: AES 128
    Hash Algorithm: SHA1
    DH Key Group: 2
    Lifetime: 86400
    NAT Traversal: Force

    Full log:

    Jun 26 21:39:53 charon 14[JOB] <con5|37>deleting half open IKE_SA after timeout
    Jun 26 21:39:47 charon 09[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:47 charon 09[IKE] <con5|37>sending retransmit 3 of response message ID 0, seq 1
    Jun 26 21:39:34 charon 05[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:34 charon 05[IKE] <con5|37>sending retransmit 2 of response message ID 0, seq 1
    Jun 26 21:39:27 charon 15[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:27 charon 15[IKE] <con5|37>sending retransmit 1 of response message ID 0, seq 1
    Jun 26 21:39:23 charon 15[IKE] <con5|37>queueing INFORMATIONAL_V1 request as tasks still active
    Jun 26 21:39:23 charon 15[NET] <con5|37>received packet: from x.x.96.179[30924] to x.x.83.56[4500] (76 bytes)
    Jun 26 21:39:23 charon 15[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:23 charon 15[ENC] <con5|37>generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]
    Jun 26 21:39:23 charon 15[CFG] <37> selected peer config "con5"
    Jun 26 21:39:23 charon 15[CFG] <37> looking for XAuthInitPSK peer configs matching x.x.83.56…x.x.96.179[vpn-ipsec-m]
    Jun 26 21:39:23 charon 15[IKE] <37> x.x.96.179 is initiating a Aggressive Mode IKE_SA
    Jun 26 21:39:23 charon 15[IKE] <37> received DPD vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received Cisco Unity vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received XAuth vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received NAT-T (RFC 3947) vendor ID
    Jun 26 21:39:23 charon 15[IKE] <37> received FRAGMENTATION vendor ID
    Jun 26 21:39:23 charon 15[ENC] <37> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jun 26 21:39:23 charon 15[NET] <37> received packet: from x.x.96.179[500] to x.x.83.56[500] (767 bytes)
    Jun 26 21:39:23 charon 06[NET] <36> sending packet: from x.x.83.56[500] to x.x.96.179[500] (56 bytes)
    Jun 26 21:39:23 charon 06[ENC] <36> generating INFORMATIONAL_V1 request 954009059 [ N(NO_PROP) ]
    Jun 26 21:39:23 charon 06[IKE] <36> no proposal found
    Jun 26 21:39:23 charon 06[CFG] <36> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jun 26 21:39:23 charon 06[CFG] <36> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Jun 26 21:39:23 charon 06[IKE] <36> x.x.96.179 is initiating a Aggressive Mode IKE_SA
    Jun 26 21:39:23 charon 06[IKE] <36> received DPD vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received Cisco Unity vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received XAuth vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received NAT-T (RFC 3947) vendor ID
    Jun 26 21:39:23 charon 06[IKE] <36> received FRAGMENTATION vendor ID
    Jun 26 21:39:23 charon 06[ENC] <36> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jun 26 21:39:23 charon 06[NET] <36> received packet: from x.x.96.179[500] to x.x.83.56[500] (767 bytes)
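    As an added example (not code from the thread or from pfSense), a small Python checker that reads the charon log lines quoted in the two posts above and reports, per IKE_SA, which proposal components the client never offered (the cause of the `N(NO_PROP)` notify), and whether the responder's Aggressive Mode reply went unanswered (retransmits followed by the half-open timeout). The sample lines are copied from this thread; the enc/integ/prf/dh field order is assumed to be strongSwan's IKE proposal order.

```python
import re

# Sample charon lines copied from this thread (SA 26 from the first log, SA 36
# plus the retransmit/timeout lines from the second); addresses as posted.
SAMPLE_LOG = [
    "Jun 26 19:09:19 charon 15[CFG] <26> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Jun 26 19:09:19 charon 15[CFG] <26> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "Jun 26 21:39:23 charon 06[CFG] <36> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Jun 26 21:39:23 charon 06[CFG] <36> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "Jun 26 21:39:27 charon 15[IKE] <con5|37>sending retransmit 1 of response message ID 0, seq 1",
    "Jun 26 21:39:34 charon 05[IKE] <con5|37>sending retransmit 2 of response message ID 0, seq 1",
    "Jun 26 21:39:47 charon 09[IKE] <con5|37>sending retransmit 3 of response message ID 0, seq 1",
    "Jun 26 21:39:53 charon 14[JOB] <con5|37>deleting half open IKE_SA after timeout",
]

PROPOSAL_RE = re.compile(r"<(?P<sa>\d+)> (?P<kind>configured|received) proposals: (?P<props>.+)$")
RETRANSMIT_RE = re.compile(r"sending retransmit \d+ of response message ID \d+")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA after timeout")
FIELDS = ("enc", "integ", "prf", "dh")  # strongSwan IKE proposal order (assumed)

def parse_proposals(field):
    """'IKE:ENC/INTEG/PRF/DH, IKE:...' -> list of {enc, integ, prf, dh} dicts."""
    return [dict(zip(FIELDS, item.split(":", 1)[1].split("/")))
            for item in field.split(", ")]

def diagnose(lines):
    """Explain NO_PROP per IKE_SA and flag an unanswered Aggressive Mode response."""
    configured, received = {}, {}
    retransmits, timed_out = 0, False
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            side = configured if m["kind"] == "configured" else received
            side[m["sa"]] = parse_proposals(m["props"])
        elif RETRANSMIT_RE.search(line):
            retransmits += 1
        elif TIMEOUT_RE.search(line):
            timed_out = True
    mismatches = {}
    for sa, conf in configured.items():
        recv = received.get(sa, [])
        if any(r == c for r in recv for c in conf):
            continue  # at least one full proposal matched; nothing to report
        # Components for which no received proposal offers the configured value.
        missing = {k for c in conf for k in FIELDS if all(r[k] != c[k] for r in recv)}
        mismatches[sa] = sorted(missing)
    return {"mismatches": mismatches, "retransmits": retransmits,
            "client_gave_up": timed_out and retransmits > 0}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

    On the thread's lines this reports that SA 26 fails on both the cipher and the DH group and SA 36 on the DH group alone (the client offers only MODP_2048), while the con5 negotiation that did select a proposal times out after three unanswered retransmits.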


  • Netgate

    <quote>Jun 26 21:39:53  charon      14[JOB] <con5|37>deleting half open IKE_SA after timeout
    Jun 26 21:39:47  charon      09[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:47  charon      09[IKE] <con5|37>sending retransmit 3 of response message ID 0, seq 1
    Jun 26 21:39:34  charon      05[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:34  charon      05[IKE] <con5|37>sending retransmit 2 of response message ID 0, seq 1
    Jun 26 21:39:27  charon      15[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:27  charon      15[IKE] <con5|37>sending retransmit 1 of response message ID 0, seq 1
    Jun 26 21:39:23  charon      15[IKE] <con5|37>queueing INFORMATIONAL_V1 request as tasks still active
    Jun 26 21:39:23  charon      15[NET] <con5|37>received packet: from x.x.96.179[30924] to x.x.83.56[4500] (76 bytes)
    Jun 26 21:39:23  charon      15[NET] <con5|37>sending packet: from x.x.83.56[500] to x.x.96.179[500] (432 bytes)
    Jun 26 21:39:23  charon      15[ENC] <con5|37>generating AGGRESSIVE response 0 [ SA KE No ID V V V V V NAT-D NAT-D HASH ]</quote>
    Looks like the client gives up.

    I did some poking around and the thing that made this work was deleting the iOS VPN config and recreating it. Same settings. Not sure what the deal is. Appears that after there's a mismatch it doesn't work until it's recreated but that's just a guess.



  • Thanks for the suggestion. I already tried deleting previous VPN configs and recreating the VPN config on my iPhone; unfortunately, still no luck.
    To rule out my iPhone I also tried it on a fresh device (my wife's iPad) and had the same PSK error.
    Both run the latest iOS 9.3.2.


  • Netgate

    Sorry, but it works.




  • Thanks for checking. For my info, was this a fresh 2.3 or an upgraded 2.2 like mine?
    I'll try again tonight with a clean 2.3 install, just to rule stuff out.


  • Netgate

    This system has been upgraded since 2.1.X.

    Like I said, I was able to get it to fail like you are seeing, but simply reconfiguring the iOS device made it work with no changes to the server. Something's not right. Not sure where it is.

    I wouldn't completely reinstall if you haven't blown out the IPsec server and reconfigured it.