Reinstalled pfSense - Failed to attach to key daemon

  • Hello,

    Our nonprofit has relied on an older PC running pfSense for the past few years. It served as VPN server, among other things. When its hard drive crashed, I was forced to reinstall.

    When completed, I restored IPsec settings only from a backup config file. (Our VPN server had worked fine in the past.)
    I added the necessary users and granted them the 'xauth Dialin' privilege. (Connection method = xauth + psk)

    Tried connecting. The ShrewSoft VPN client claimed that the tunnel had been brought up (I assume this means login OK), but no welcome banner was displayed and no traffic was possible.

    I started the IPsec service.
    I then added the following firewall rules:
    WAN - pass - IPv4 UDP - source any - destination any, port 500
    WAN - pass - IPv4 UDP - source any - destination any, port 4500
    WAN - pass - IPv4 ESP - source any - destination any
    IPsec - pass - IPv4* - source any - destination any

    Things are worse now: the client immediately returns the error: Failed to attach to key daemon.

    What am I missing? Please help.

    pfSense versions before and after crash differ. The currently installed version is the newest (2.3.4-RELEASE) while the pre-crash version was installed December 2014 and never updated.

  • Rebel Alliance Developer Netgate

    If the old version was from 2014 it was likely 2.1.x which used a different IPsec backend. It's possible you might need some adjustments to get your mobile VPN working again with the new setup.

    That said, "Failed to attach to key daemon" is a client-side error, not something the server could do. Something in Shrew Soft isn't running correctly, or its service has stopped. Might need to reboot the client.

    It's still a good idea to go over the setup doc again and see if you need any changes:

    Depending on your clients, you might also be better off converting to an IKEv2 setup:

  • @jimp:

    "Failed to attach to key daemon" is a client-side error

    Hi Jimp,

    I reinstalled the client and imported the configuration file. The "Failed to attach" error is gone. This is what I get now:

    config loaded for site 'xxx.vpn'
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    network device configured
    tunnel enabled

    After that, nothing happens. No welcome banner (so connection not fully established?) and no traffic possible on the client.
    Ipconfig on a client in this state returns an IP(v4) address as configured in the virtual address pool (Mobile Clients > Provide a virtual IP address to clients), ditto subnet mask. So OK there. The listed default gateway, however, is .

    I have actually used the guide you link to during my initial setup years ago. I have gone over it again and everything seems to be OK. With the possible exception of Phase 2 > Local Network, which is currently set to 'LAN subnet'. I'm not sure what I should enter here, but 'LAN subnet' is the value imported from the backup config. I have also played around with this setting, to no avail.
    Also, I was unable to find System > Advanced, Miscellaneous tab > Uncheck Prefer Old IPsec SA.

    Any idea where to look? Thanks for your help.

  • Finally got it to work. The trick was to set 'Local Network' in the Phase 2 settings to 'Network', Address
    I think the dropdown portion of this setting changed since 2.1.x.

    Traffic is now forced through tunnel. Still no banner, but that's a detail.
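
    For readers hitting the same thing: pfSense 2.3.x generates a strongSwan ipsec.conf from the IPsec GUI settings, and the Phase 2 'Local Network' field becomes the `leftsubnet` of the mobile connection. The fragment below is an added illustration, not the file pfSense actually wrote for this poster and not part of the thread; the addresses (WAN 203.0.113.1, LAN 192.168.1.0/24, client pool 10.10.10.0/24) and the proposal strings are assumptions chosen for the example. It shows what a working IKEv1 xauth+psk mobile conn looks like with an explicit network in `leftsubnet`, which is the setting the thread resolved on.

    ```conf
    # Added example of a strongSwan (pfSense 2.3.x backend) mobile-client conn
    # for IKEv1 aggressive mode with xauth + pre-shared key. Values are assumed.
    config setup
        uniqueids = yes

    conn mobile-xauth-psk
        keyexchange = ikev1          # xauth is an IKEv1 feature
        aggressive = yes             # Shrew Soft group PSK setups use aggressive mode
        type = tunnel
        auto = add                   # responder only; clients initiate
        fragmentation = yes
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        ikelifetime = 28800s
        lifetime = 3600s
        ike = aes256-sha1-modp1024!  # Phase 1 proposal (assumed)
        esp = aes256-sha1!           # Phase 2 proposal (assumed)

        # Server side. leftsubnet is the Phase 2 "Local Network" value.
        # Use an explicit network (the fix in this thread); 0.0.0.0/0 instead
        # sends all client traffic through the tunnel.
        left = 203.0.113.1
        leftid = 203.0.113.1
        leftsubnet = 192.168.1.0/24
        leftauth = psk

        # Clients: any address, authenticated by PSK then XAuth username/password.
        right = %any
        rightauth = psk
        rightauth2 = xauth
        rightsourceip = 10.10.10.0/24   # "Provide a virtual IP address to clients" pool
    ```

    After changing the GUI settings, the file to compare against is /var/etc/ipsec/ipsec.conf on the firewall; if `leftsubnet` is missing or empty there, the Phase 2 Local Network selection did not translate, and the client will get a virtual address but no reachable networks, which matches the "tunnel enabled, no traffic" symptom above. The WAN rules for UDP 500, UDP 4500 and ESP plus a pass rule on the IPsec interface are still required alongside this conn.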
