Suddenly mobile clients can´t connect via IPSec



  • Hi,

    we have a strange problem with some of our pfSense boxes.

    On our main site we are running a pfSense 2.3.2 on a SG-8860.
    We are using ShrewVPN Client to connect our mobile clients.
    This was working for ages without any problem.

    Suddenly we cant connect from mobile anymore.

    IPSec log shows:

    charon 13[IKE] <131> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode

    No changes were made to our config at all.

    Our Site 2 Site connections are working.

    The problem first occured on 31.12.2016.
    After I rebooted the firewall on 03.01.2017, we were able to connect from our mobile clients again.
    Then today it stopped working again.
    We had an uptime without any issues for over 100 days.

    What I tried so far:

    • Check vpn configs on the shell
    • Reboot pfSense
    • Updated to 2.3.2 p1
    • Deleted and recreated the whole mobile ipsec config.

    What I doscoverd:

    We have six sites with pfSense all connected by site 2 site ipsec.
    On five Sites Mobile IPSec stopped working. This sites are yousing 2.3 and above.
    We didn´t noticed the problem on the other sites before, because we are connecting to our main site which will direct traffic to all other sites.
    The last site is using pfSense 2.1.5. Mobile IPSec is working without any issues here.

    Hope somebody can help us with this problem.

    Thanks and Regards

    Markus



  • I had a few fw on 2.1.5 due to issues of mobile clients (Shrewsoft) not being able to connect so I searched for alternative connection method.  Previously, I just used the Pre-Shared Keys for accounts and password.  Now, I have to use User Manager - IPSEC XAuth VPN method.  Most of the settings were the same except a few items.  Try this guide for mobile clients - http://www.thegeekpub.com/5855/pfsense-road-warrior-ipsec-config-works/

    Also, there's a wannabe expert on here that says Shewsoft VPN is dead - WRONG.  It's one of the only few IPSEC VPN clients that works well.  I suggest paying for the PRO version of that client.

    In summary, an alternative configuration in my setup and a good IPSEC client works just fine in latest 2.3.2.  I previously did not have any luck after 2.1.5.

    I just did not want to use OpenVPN as we standardized in IPSEC.



  • Thank you for your answer.

    Unluckily we were already using the User Manager - IPSEC XAuth VPN method as described in you link. So the problem still exsits.

    You are absolutly right. Shrew is one of the best IPSEC Clients out there.

    It seems that my problem comes from the change of racoon to strongswan.
    It is strange that my config worked for month and suddenly broke down.

    We were also standardized in IPSEC, but my only chance was to enable OpenVPN as a workaround.
    Our Site2Sites are still on IPSEC. But our mobile part in our main office changed to OpenVPN and routes traffic in every branch office via IPSEC.
    Till now this is working very well, but I will go back to IPSEC once I have a solution for my problem.


Log in to reply