Netgate Discussion Forum
    IPSec: "The VPN Shared Secret is incorrect." From Mac After Upgrade to 2.3

    7 Posts 3 Posters 3.6k Views
    • downtown

      After upgrading a system from 2.2.6 to 2.3.2, I can no longer connect to the IPSec VPN. The message I get on my Mac is "The Shared Secret is incorrect."

      
      Aug 23 20:18:29	charon		16[IKE] <5> received FRAGMENTATION vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received NAT-T (RFC 3947) vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received XAuth vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received Cisco Unity vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> received DPD vendor ID
      Aug 23 20:18:29	charon		16[IKE] <5> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
      Aug 23 20:18:29	charon		16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Aug 23 20:18:29	charon		16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Aug 23 20:18:29	charon		16[IKE] <5> no proposal found
      Aug 23 20:18:29	charon		16[ENC] <5> generating INFORMATIONAL_V1 request 4133479696 [ N(NO_PROP) ]
      Aug 23 20:18:29	charon		16[NET] <5> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (56 bytes)
      Aug 23 20:18:29	charon		14[NET] <6> received packet: from [???.???.???.???][500] to [???.???.???.???][500] (777 bytes)
      Aug 23 20:18:29	charon		14[ENC] <6> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Aug 23 20:18:29	charon		14[IKE] <6> received FRAGMENTATION vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received NAT-T (RFC 3947) vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received XAuth vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received Cisco Unity vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> received DPD vendor ID
      Aug 23 20:18:29	charon		14[IKE] <6> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
      Aug 23 20:18:29	charon		14[CFG] <6> looking for XAuthInitPSK peer configs matching [???.???.???.???]...[???.???.???.???][vpnusers@balletbc.com]
      Aug 23 20:18:29	charon		14[CFG] <6> selected peer config "con1"
      Aug 23 20:18:29	charon		14[ENC] <con1|6> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Aug 23 20:18:29	charon		14[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
      Aug 23 20:18:29	charon		14[NET] <con1|6> received packet: from [???.???.???.???][18833] to [???.???.???.???][4500] (76 bytes)
      Aug 23 20:18:29	charon		14[IKE] <con1|6> queueing INFORMATIONAL_V1 request as tasks still active
      Aug 23 20:18:33	charon		14[IKE] <con1|6> sending retransmit 1 of response message ID 0, seq 1
      Aug 23 20:18:33	charon		14[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
      Aug 23 20:18:41	charon		06[IKE] <con1|6> sending retransmit 2 of response message ID 0, seq 1
      Aug 23 20:18:41	charon		06[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
      Aug 23 20:18:54	charon		08[IKE] <con1|6> sending retransmit 3 of response message ID 0, seq 1
      Aug 23 20:18:54	charon		08[NET] <con1|6> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
      Aug 23 20:18:59	charon		06[JOB] <con1|6> deleting half open IKE_SA after timeout
      • Derelict (Netgate)

        Aug 23 20:18:29 charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        Aug 23 20:18:29 charon 16[IKE] <5> no proposal found

        It looks like everything your Mac is offering is PFS Group 14 (MODP_2048). Your pfSense phase 1 is configured for PFS Group 2 (MODP_1024). Looks like you need to change either side to match.

        Apple has been making lots of changes to their VPN client lately - but it seems to be mostly in IKEv2. It's been a little bumpy.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


        • downtown

          Thanks for the info, but that did not solve my issue.  I should note that I made no changes or upgrades to my Mac before or after the pfSense upgrade.  The VPN connection worked before the upgrade to pfSense.  Also, I have completely removed all configurations from the IPSec settings on pfSense, and re-built them all exactly as I have on other pfSense 2.3.2 boxes, and yet my Mac, which successfully connects to the IPSec VPNs on those other pfSense 2.3.2 boxes, is unable to connect to this one.  So, it would seem that the upgrade of pfSense to 2.3 has broken something in IPSec…?


          • downtown

            Also, I did make the change as above and matched the DH Group as suggested. Here are my logs now…

            On pfSense:

            Sep 8 07:25:36	charon		11[NET] <7> received packet: from [YYY.YYY.YYY.YYY][500] to [XXX.XXX.XXX.XXX][500] (777 bytes)
            Sep 8 07:25:36	charon		11[ENC] <7> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
            Sep 8 07:25:36	charon		11[IKE] <7> received FRAGMENTATION vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received NAT-T (RFC 3947) vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received XAuth vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received Cisco Unity vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> received DPD vendor ID
            Sep 8 07:25:36	charon		11[IKE] <7> [YYY.YYY.YYY.YYY] is initiating a Aggressive Mode IKE_SA
            Sep 8 07:25:37	charon		11[CFG] <7> looking for XAuthInitPSK peer configs matching [XXX.XXX.XXX.XXX]...[YYY.YYY.YYY.YYY][vpnusers@balletbc.com]
            Sep 8 07:25:37	charon		11[CFG] <7> selected peer config "con1"
            Sep 8 07:25:37	charon		11[ENC] <con1|7> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
            Sep 8 07:25:37	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
            Sep 8 07:25:37	charon		11[NET] <con1|7> received packet: from [YYY.YYY.YYY.YYY][5930] to [XXX.XXX.XXX.XXX][4500] (76 bytes)
            Sep 8 07:25:37	charon		11[IKE] <con1|7> queueing INFORMATIONAL_V1 request as tasks still active
            Sep 8 07:25:41	charon		11[IKE] <con1|7> sending retransmit 1 of response message ID 0, seq 1
            Sep 8 07:25:41	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
            Sep 8 07:25:47	charon		09[CFG] rereading secrets
            Sep 8 07:25:47	charon		09[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
            Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for [XXX.XXX.XXX.XXX] vpnusers@balletbc.com
            Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for %any
            Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for %any
            Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for vpnusers@balletbc.com
            Sep 8 07:25:47	charon		09[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
            Sep 8 07:25:47	charon		09[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
            Sep 8 07:25:47	charon		09[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
            Sep 8 07:25:47	charon		09[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
            Sep 8 07:25:47	charon		09[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
            Sep 8 07:25:49	charon		11[IKE] <con1|7> sending retransmit 2 of response message ID 0, seq 1
            Sep 8 07:25:49	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)

            On the Mac:

            2016-09-08 7:25:36.552 AM	racoon[55341]	accepted connection on vpn control socket.
            2016-09-08 7:25:36.552 AM	racoon[55341]	accepted connection on vpn control socket.
            2016-09-08 7:25:36.553 AM	racoon[55341]	IPSec connecting to server [XXX.XXX.XXX.XXX]
            2016-09-08 7:25:36.553 AM	racoon[55341]	IPSec connecting to server [XXX.XXX.XXX.XXX]
            2016-09-08 7:25:36.553 AM	racoon[55341]	Connecting.
            2016-09-08 7:25:36.554 AM	racoon[55341]	IPSec Phase 1 started (Initiated by me).
            2016-09-08 7:25:36.554 AM	racoon[55341]	IPSec Phase 1 started (Initiated by me).
            2016-09-08 7:25:36.568 AM	racoon[55341]	IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
            2016-09-08 7:25:36.568 AM	racoon[55341]	>>>>> phase change status = Phase 1 started by us
            2016-09-08 7:25:36.568 AM	racoon[55341]	>>>>> phase change status = Phase 1 started by us
            2016-09-08 7:25:37.951 AM	racoon[55341]	HASH mismatched
            2016-09-08 7:25:37.955 AM	racoon[55341]	HASH mismatched
            2016-09-08 7:25:37.955 AM	racoon[55341]	IKEv1 Phase 1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
            2016-09-08 7:25:37.957 AM	racoon[55341]	IKE Packet: transmit success. (Information message).
            2016-09-08 7:25:37.957 AM	racoon[55341]	IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
            2016-09-08 7:25:37.957 AM	racoon[55341]	IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
            2016-09-08 7:25:37.971 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
            2016-09-08 7:25:37.972 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
            2016-09-08 7:25:37.975 AM	racoon[55341]	glob found no matches for path "/var/run/racoon/*.conf"
            2016-09-08 7:25:37.978 AM	racoon[55341]	glob found no matches for path "/var/run/racoon/*.conf"
            2016-09-08 7:25:37.979 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
            2016-09-08 7:25:37.983 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]

            • cb831

              After upgrading pfSense I see the same issue on two Win10 machines that worked flawlessly before.

              I constantly get

              Sep 8 22:38:52  charon  11[NET] <con1|62> received packet: from 2.130.86.250[61121] to xxx.xx.xxx.xxx[4500] (108 bytes)
              Sep 8 22:38:52  charon  11[ENC] <con1|62> invalid HASH_V1 payload length, decryption failed?
              Sep 8 22:38:52  charon  11[ENC] <con1|62> could not decrypt payloads

              no matter what I do to the config (clean PSK, DH2/14 etc…)


              • cb831

                In my configuration the phase 1 peer identification somehow has been reset by the upgrade.
                When I explicitly selected 'User distinguished name' for the peer ID and provided the value I had defined in the client, things work again :-)

                Case closed (for me)


                • downtown
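Added example (not the posters' code, nor pfSense's or strongSwan's): a small Python triage helper for the two failure modes seen in this thread. It compares the "received proposals" and "configured proposals" lines charon logs during phase 1 (Derelict's diagnosis, where only the DH group differed) and flags the IKEv1 aggressive-mode symptoms that point at a PSK or peer-identifier mismatch rather than a proposal mismatch (cb831's "invalid HASH_V1 payload length" and racoon's "HASH mismatched"). The sample log lines are constructed after the ones quoted above.

```python
import re

# Constructed sample, modelled on the charon/racoon lines quoted in this thread.
SAMPLE_LOG = """\
charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon 16[IKE] <5> no proposal found
charon 11[ENC] <con1|62> invalid HASH_V1 payload length, decryption failed?
racoon[55341] HASH mismatched
"""

# Non-AEAD IKEv1 proposals as logged by charon: ENC/INTEG/PRF/DH (assumed 4 parts).
FIELDS = ("encryption", "integrity", "prf", "dh_group")

# In IKEv1 aggressive mode the PSK feeds SKEYID, so a wrong PSK (or a PSK looked up
# under the wrong peer ID) shows up as an undecryptable message / HASH mismatch.
SYMPTOMS = {
    "invalid HASH_V1 payload length": "PSK or peer identifier mismatch",
    "HASH mismatched": "PSK or peer identifier mismatch",
}


def parse_proposals(line):
    """Turn 'IKE:ENC/INTEG/PRF/DH, IKE:...' into a list of attribute dicts."""
    return [dict(zip(FIELDS, p.split("/"))) for p in re.findall(r"IKE:([A-Z0-9_/]+)", line)]


def proposal_mismatch(lines):
    """Attributes on which no received proposal overlaps any configured one.

    Returns [] when at least one full proposal matches, i.e. phase 1 would not
    have failed with 'no proposal found' on the proposal alone.
    """
    received = configured = []
    for line in lines:
        if "received proposals:" in line:
            received = parse_proposals(line)
        elif "configured proposals:" in line:
            configured = parse_proposals(line)
    if not received or not configured or any(p in configured for p in received):
        return []
    return [f for f in FIELDS
            if not {p[f] for p in received} & {p[f] for p in configured}]


def diagnose(log):
    """Map a log excerpt to the likely phase 1 failure causes."""
    lines = log.splitlines()
    findings = {}
    if (fields := proposal_mismatch(lines)):
        findings["proposal"] = fields          # e.g. ['dh_group'] for this thread
    for line in lines:
        for needle, cause in SYMPTOMS.items():
            if needle in line:
                findings["auth"] = cause
    return findings
```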

                  As I mentioned above, I have completely removed and re-added the configuration at both ends.
