IPSec: "The VPN Shared Secret is incorrect." From Mac After Upgrade to 2.3



  • After upgrading a system from 2.2.6 to 2.3.2, I can no longer connect to IPSec VPN. The message I get on my Mac is "The Shared Secret is incorrect."

    
    Aug 23 20:18:29	charon		16[IKE] <5> received FRAGMENTATION vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received NAT-T (RFC 3947) vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received XAuth vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received Cisco Unity vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> received DPD vendor ID
    Aug 23 20:18:29	charon		16[IKE] <5> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
    Aug 23 20:18:29	charon		16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Aug 23 20:18:29	charon		16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 23 20:18:29	charon		16[IKE] <5> no proposal found
    Aug 23 20:18:29	charon		16[ENC] <5> generating INFORMATIONAL_V1 request 4133479696 [ N(NO_PROP) ]
    Aug 23 20:18:29	charon		16[NET] <5> sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (56 bytes)
    Aug 23 20:18:29	charon		14[NET] <6> received packet: from [???.???.???.???][500] to [???.???.???.???][500] (777 bytes)
    Aug 23 20:18:29	charon		14[ENC] <6> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Aug 23 20:18:29	charon		14[IKE] <6> received FRAGMENTATION vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received NAT-T (RFC 3947) vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received XAuth vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received Cisco Unity vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> received DPD vendor ID
    Aug 23 20:18:29	charon		14[IKE] <6> [???.???.???.???] is initiating a Aggressive Mode IKE_SA
    Aug 23 20:18:29	charon		14[CFG] <6> looking for XAuthInitPSK peer configs matching [???.???.???.???]...[???.???.???.???][vpnusers@balletbc.com]
    Aug 23 20:18:29	charon		14[CFG] <6> selected peer config "con1"
    Aug 23 20:18:29	charon		14[ENC] <con1|6>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Aug 23 20:18:29	charon		14[NET] <con1|6>sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
    Aug 23 20:18:29	charon		14[NET] <con1|6>received packet: from [???.???.???.???][18833] to [???.???.???.???][4500] (76 bytes)
    Aug 23 20:18:29	charon		14[IKE] <con1|6>queueing INFORMATIONAL_V1 request as tasks still active
    Aug 23 20:18:33	charon		14[IKE] <con1|6>sending retransmit 1 of response message ID 0, seq 1
    Aug 23 20:18:33	charon		14[NET] <con1|6>sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
    Aug 23 20:18:41	charon		06[IKE] <con1|6>sending retransmit 2 of response message ID 0, seq 1
    Aug 23 20:18:41	charon		06[NET] <con1|6>sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
    Aug 23 20:18:54	charon		08[IKE] <con1|6>sending retransmit 3 of response message ID 0, seq 1
    Aug 23 20:18:54	charon		08[NET] <con1|6>sending packet: from [???.???.???.???][500] to [???.???.???.???][500] (412 bytes)
    Aug 23 20:18:59	charon		06[JOB] <con1|6>deleting half open IKE_SA after timeout
    

  • Netgate

    Aug 23 20:18:29 charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 23 20:18:29 charon 16[IKE] <5> no proposal found

    It looks like everything your Mac is offering is PFS Group 14 (MODP_2048). Your pfSense phase 1 is configured for PFS Group 2 (MODP_1024). Looks like you need to change either side to match.

    Apple has been making lots of changes to their VPN client lately - but it seems to be mostly in IKEv2. It's been a little bumpy.
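The two [CFG] lines quoted above are the whole diagnosis: every proposal the Mac offered ends in MODP_2048, the one proposal pfSense accepts ends in MODP_1024, so charon can never pick a match and answers with NO_PROPOSAL_CHOSEN. The following Python is an added example (not part of this thread, and not pfSense or strongSwan code) that does the same comparison mechanically: it parses charon's `received proposals` / `configured proposals` lines into their encryption, integrity, PRF and DH fields and reports which attribute keeps the two sides apart. The sample log is constructed from the lines quoted above; the MODP name to IANA group number table is the standard mapping, included so the report speaks in the "DH Group 2 / Group 14" terms the pfSense UI uses.

```python
import re

# Constructed sample, modelled on the charon [CFG] lines quoted in the thread:
# 'received' is what the client (the Mac) offered, 'configured' is the pfSense side.
SAMPLE_LOG = """\
Aug 23 20:18:29 charon 16[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Aug 23 20:18:29 charon 16[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 23 20:18:29 charon 16[IKE] <5> no proposal found
"""

# charon prints an IKEv1 proposal as IKE:ENCR/INTEG/PRF/DH; the fields are positional.
FIELDS = ("encr", "integ", "prf", "dh")

# IANA DH group numbers for the MODP groups as strongSwan names them.
DH_GROUP_NUMBER = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5,
                   "MODP_2048": 14, "MODP_3072": 15, "MODP_4096": 16}

PROPOSAL_LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")


def parse_proposal(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> field dict."""
    proto, _, body = text.strip().partition(":")
    parts = body.split("/")
    if proto != "IKE" or len(parts) != len(FIELDS):
        raise ValueError(f"unexpected proposal format: {text!r}")
    return dict(zip(FIELDS, parts))


def extract_proposals(log):
    """Collect the received and configured proposal lists from charon output."""
    found = {"received": [], "configured": []}
    for line in log.splitlines():
        m = PROPOSAL_LINE_RE.search(line)
        if m:
            found[m.group(1)].extend(parse_proposal(p) for p in m.group(2).split(","))
    return found


def diagnose(log):
    """Return the first fully matching proposal, or the fields that never line up.

    A match needs one offered proposal to equal one configured proposal in
    every field. When no such pair exists, intersecting the values field by
    field shows which attribute (here the DH group) has to change on one side.
    """
    props = extract_proposals(log)
    received, configured = props["received"], props["configured"]
    for r in received:
        if r in configured:
            return {"match": r, "mismatched_fields": []}
    mismatched = []
    for f in FIELDS:
        offered = {p[f] for p in received}
        accepted = {p[f] for p in configured}
        if not offered & accepted:
            mismatched.append((f, sorted(offered), sorted(accepted)))
    return {"match": None, "mismatched_fields": mismatched}


def describe(result):
    """Render a diagnosis as one operator-facing line."""
    if result["match"]:
        return "proposal agreed: " + "/".join(result["match"][f] for f in FIELDS)
    if not result["mismatched_fields"]:
        return ("no proposal found: every attribute is accepted somewhere, but no "
                "single offered proposal combines only accepted values")
    parts = []
    for field, offered, accepted in result["mismatched_fields"]:
        if field == "dh":
            offered = [f"{g} (group {DH_GROUP_NUMBER.get(g, '?')})" for g in offered]
            accepted = [f"{g} (group {DH_GROUP_NUMBER.get(g, '?')})" for g in accepted]
        parts.append(f"{field}: client offered {', '.join(offered)}; "
                     f"server accepts {', '.join(accepted)}")
    return "no proposal found: " + "; ".join(parts)


if __name__ == "__main__":
    print(describe(diagnose(SAMPLE_LOG)))
```

Run against the constructed sample it reports only the `dh` field as irreconcilable (MODP_2048, group 14, offered against MODP_1024, group 2, configured); if the configured line is changed to MODP_2048 the second offered proposal matches and `diagnose` returns it. The field-wise intersection is deliberately a second step: an attribute can be accepted in some configured proposal and still never appear together with the other three values in one offered proposal, which `describe` calls out separately.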



  • Thanks for the info, but that did not solve my issue.  I should note that I made no changes or upgrades to my Mac before or after the pfSense upgrade.  The VPN connection worked before the upgrade to pfSense.  Also, I have completely removed all configurations from the IPSec settings on pfSense, and re-built them all exactly as I have on other pfSense 2.3.2 boxes, and yet my Mac, which successfully connects to the IPSec VPNs on those other pfSense 2.3.2 boxes, is unable to connect to this one.  So, it would seem that the upgrade of pfSense to 2.3 has broken something in IPSec…?



  • Also, I did make the change as above and match the DH Group as suggested.  Here are my logs now…

    On pfSense:

    Sep 8 07:25:36	charon		11[NET] <7> received packet: from [YYY.YYY.YYY.YYY][500] to [XXX.XXX.XXX.XXX][500] (777 bytes)
    Sep 8 07:25:36	charon		11[ENC] <7> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Sep 8 07:25:36	charon		11[IKE] <7> received FRAGMENTATION vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received NAT-T (RFC 3947) vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received XAuth vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received Cisco Unity vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> received DPD vendor ID
    Sep 8 07:25:36	charon		11[IKE] <7> [YYY.YYY.YYY.YYY] is initiating a Aggressive Mode IKE_SA
    Sep 8 07:25:37	charon		11[CFG] <7> looking for XAuthInitPSK peer configs matching [XXX.XXX.XXX.XXX]...[YYY.YYY.YYY.YYY][vpnusers@balletbc.com]
    Sep 8 07:25:37	charon		11[CFG] <7> selected peer config "con1"
    Sep 8 07:25:37	charon		11[ENC] <con1|7> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Sep 8 07:25:37	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
    Sep 8 07:25:37	charon		11[NET] <con1|7> received packet: from [YYY.YYY.YYY.YYY][5930] to [XXX.XXX.XXX.XXX][4500] (76 bytes)
    Sep 8 07:25:37	charon		11[IKE] <con1|7> queueing INFORMATIONAL_V1 request as tasks still active
    Sep 8 07:25:41	charon		11[IKE] <con1|7> sending retransmit 1 of response message ID 0, seq 1
    Sep 8 07:25:41	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
    Sep 8 07:25:47	charon		09[CFG] rereading secrets
    Sep 8 07:25:47	charon		09[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for [XXX.XXX.XXX.XXX] vpnusers@balletbc.com
    Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for %any
    Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for %any
    Sep 8 07:25:47	charon		09[CFG] loaded IKE secret for vpnusers@balletbc.com
    Sep 8 07:25:47	charon		09[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Sep 8 07:25:47	charon		09[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Sep 8 07:25:47	charon		09[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Sep 8 07:25:47	charon		09[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Sep 8 07:25:47	charon		09[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Sep 8 07:25:49	charon		11[IKE] <con1|7> sending retransmit 2 of response message ID 0, seq 1
    Sep 8 07:25:49	charon		11[NET] <con1|7> sending packet: from [XXX.XXX.XXX.XXX][500] to [YYY.YYY.YYY.YYY][500] (540 bytes)
    

    On the Mac:

    2016-09-08 7:25:36.552 AM	racoon[55341]	accepted connection on vpn control socket.
    2016-09-08 7:25:36.552 AM	racoon[55341]	accepted connection on vpn control socket.
    2016-09-08 7:25:36.553 AM	racoon[55341]	IPSec connecting to server [XXX.XXX.XXX.XXX]
    2016-09-08 7:25:36.553 AM	racoon[55341]	IPSec connecting to server [XXX.XXX.XXX.XXX]
    2016-09-08 7:25:36.553 AM	racoon[55341]	Connecting.
    2016-09-08 7:25:36.554 AM	racoon[55341]	IPSec Phase 1 started (Initiated by me).
    2016-09-08 7:25:36.554 AM	racoon[55341]	IPSec Phase 1 started (Initiated by me).
    2016-09-08 7:25:36.568 AM	racoon[55341]	IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    2016-09-08 7:25:36.568 AM	racoon[55341]	>>>>> phase change status = Phase 1 started by us
    2016-09-08 7:25:36.568 AM	racoon[55341]	>>>>> phase change status = Phase 1 started by us
    2016-09-08 7:25:37.951 AM	racoon[55341]	HASH mismatched
    2016-09-08 7:25:37.955 AM	racoon[55341]	HASH mismatched
    2016-09-08 7:25:37.955 AM	racoon[55341]	IKEv1 Phase 1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
    2016-09-08 7:25:37.957 AM	racoon[55341]	IKE Packet: transmit success. (Information message).
    2016-09-08 7:25:37.957 AM	racoon[55341]	IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
    2016-09-08 7:25:37.957 AM	racoon[55341]	IKE Packet: receive failed. (Initiator, Aggressive-Mode Message 2).
    2016-09-08 7:25:37.971 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
    2016-09-08 7:25:37.972 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
    2016-09-08 7:25:37.975 AM	racoon[55341]	glob found no matches for path "/var/run/racoon/*.conf"
    2016-09-08 7:25:37.978 AM	racoon[55341]	glob found no matches for path "/var/run/racoon/*.conf"
    2016-09-08 7:25:37.979 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
    2016-09-08 7:25:37.983 AM	racoon[55341]	IPSec disconnecting from server [XXX.XXX.XXX.XXX]
    
    


  • After upgrading pfSense I see the same issue on two Win10 machines - that worked flawlessly before.

    I constantly get

    Sep 8 22:38:52  charon  11[NET] <con1|62>received packet: from 2.130.86.250[61121] to xxx.xx.xxx.xxx[4500] (108 bytes) 
    Sep 8 22:38:52  charon  11[ENC] <con1|62>invalid HASH_V1 payload length, decryption failed? 
    Sep 8 22:38:52  charon  11[ENC] <con1|62>could not decrypt payloads

    no matter what I do to config (clean PSK, DH2/14 etc…)



  • In my configuration the phase1:peer identification somehow has been reset by the upgrade.
    When I explicitly called out 'User distinguished name' for peer id and provided the value I defined in the client, stuff works again :-)

    Case closed (for me)
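The thread shows three symptoms that belong to two different stages of IKEv1 Phase 1. `no proposal found` is a transform mismatch and happens before any key is derived, so the pre-shared key plays no part in it. `HASH mismatched` on the Mac (racoon), and `invalid HASH_V1 payload length, decryption failed?` / `could not decrypt payloads` on pfSense (charon), mean the two peers derived different IKE keys; with pre-shared-key authentication those keys come from the PSK, so either the secret itself differs or, as in the post above, the peer identifier makes the server select a different secret than the client is using, and the client reports that as a wrong shared secret. As an added example (not part of this thread, and not pfSense or strongSwan code), the Python below groups charon lines by IKE_SA, reports the earliest failing stage for each, and pulls out the identity charon matched the peer config on, which is the value the pfSense peer identifier has to agree with. The sample lines are constructed after the ones quoted in the thread; the addresses and identity are placeholders.

```python
import re

# Constructed sample lines, modelled on the charon (pfSense) and racoon (macOS)
# output quoted in this thread. Addresses and the identity are placeholders.
SAMPLE_LINES = [
    "Aug 23 20:18:29 charon 16[IKE] <5> no proposal found",
    "Sep 8 07:25:37 charon 11[CFG] <7> looking for XAuthInitPSK peer configs "
    "matching [198.51.100.1]...[203.0.113.7][vpnuser@example.com]",
    'Sep 8 07:25:37 charon 11[CFG] <7> selected peer config "con1"',
    "Sep 8 22:38:52 charon 11[ENC] <con1|62> invalid HASH_V1 payload length, decryption failed?",
    "Sep 8 22:38:52 charon 11[ENC] <con1|62> could not decrypt payloads",
    "2016-09-08 7:25:37.951 AM racoon[55341] HASH mismatched",
    "2016-09-08 7:25:37.955 AM racoon[55341] IKEv1 Phase 1 AUTH: failed. "
    "(Initiator, Aggressive-Mode Message 2).",
]

# IKEv1 Phase 1 fails in a fixed order: transform negotiation first, and only
# afterwards the authentication hash and the decryption of protected payloads,
# both of which use keys derived from the pre-shared key. The earliest failing
# stage is the one to fix; later symptoms cannot appear until it passes.
STAGES = (
    (1, "proposal mismatch", re.compile(r"no proposal found"),
     "no offered IKE proposal is configured on the server; the PSK is not yet involved"),
    (2, "key mismatch", re.compile(
        r"invalid HASH_V1 payload length, decryption failed\?|could not decrypt payloads"
        r"|HASH mismatched|Phase 1 AUTH: failed"),
     "peers derived different IKE keys: the PSK differs, or the peer identifier "
     "made the server select a different secret than the client is using"),
)

# charon tags each line with the IKE_SA it belongs to, as <5> or <con1|62>.
SA_TAG_RE = re.compile(r"<(?:[^|>]+\|)?(\d+)>")
# "looking for ... peer configs matching [me]...[peer][peer identity]"
PEER_ID_RE = re.compile(r"peer configs matching \[([^\]]*)\]\.\.\.\[([^\]]*)\]\[([^\]]*)\]")


def sa_number(line):
    """IKE_SA number from a charon line, or None (racoon lines carry no tag)."""
    m = SA_TAG_RE.search(line)
    return int(m.group(1)) if m else None


def peer_identities(lines):
    """(local address, remote address, remote identity) charon matched the peer
    config on, taken from the 'peer configs matching' line, or None if absent."""
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            return m.groups()
    return None


def triage(lines):
    """Map each IKE_SA (None for untagged lines) to its earliest failing stage
    as (stage, label, hint, matching lines)."""
    hits = {}
    for line in lines:
        for stage, label, rx, hint in STAGES:
            if rx.search(line):
                per_sa = hits.setdefault(sa_number(line), {})
                per_sa.setdefault(stage, (label, hint, []))[2].append(line.strip())
    result = {}
    for sa, stages in hits.items():
        first = min(stages)
        label, hint, matched = stages[first]
        result[sa] = (first, label, hint, matched)
    return result


if __name__ == "__main__":
    ids = peer_identities(SAMPLE_LINES)
    if ids:
        print(f"server matched peer config on remote identity {ids[2]!r} from {ids[1]}")
    report = triage(SAMPLE_LINES)
    for sa in sorted(report, key=lambda s: (s is None, s or 0)):
        stage, label, hint, matched = report[sa]
        print(f"IKE_SA {sa}: stage {stage}, {label}: {hint}")
        for line in matched:
            print("   ", line)
```

On the constructed sample, IKE_SA 5 is reported at stage 1 (proposal mismatch), IKE_SA 62 and the untagged racoon lines at stage 2 (key mismatch), and IKE_SA 7 produces no finding because its lines show a successful peer-config match. Grouping by IKE_SA matters on a busy gateway: a stale stage-1 failure from one client must not be mistaken for the cause of another client's stage-2 failure.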



  • As I mentioned above, I have completely removed and re-added the configuration at both ends.