Reinstalled pfSense - Failed to attach to key daemon
Our nonprofit has relied on an older PC running pfSense for the past few years. It served as a VPN server, among other things. When its hard drive crashed, I was forced to reinstall.
When completed, I restored IPsec settings only from a backup config file. (Our VPN server had worked fine in the past.)
I added the necessary users and granted them the 'xauth Dialin' privilege. (Connection method = xauth + psk)
Tried connecting. The ShrewSoft VPN client claimed that the tunnel had been brought up (I assume this means the login was OK), but no welcome banner was displayed and no traffic was possible.
I started the IPsec service.
I then added the following firewall rules:
WAN - pass - IPv4 UDP - source any - destination any, port 500
WAN - pass - IPv4 UDP - source any - destination any, port 4500
WAN - pass - IPv4 ESP - source any - destination any
IPsec - pass - IPv4* - source any - destination any
Things are worse now: the client immediately returns the error "Failed to attach to key daemon."
What am I missing? Please help.
The pfSense versions before and after the crash differ. The currently installed version is the newest (2.3.4-RELEASE), while the pre-crash version was installed in December 2014 and never updated.
If the old version was from 2014, it was likely 2.1.x, which used a different IPsec backend. It's possible you might need some adjustments to get your mobile VPN working again with the new setup.
That said, "Failed to attach to key daemon" is a client-side error, not something the server could do. Something in Shrew Soft isn't running correctly, or its service has stopped. You might need to reboot the client.
It's still a good idea to go over the setup doc again and see if you need any changes:
Depending on your clients, you might also be better off converting to an IKEv2 setup:
"Failed to attach to key daemon" is a client-side error
I reinstalled the client and imported the configuration file. The "Failed to attach" error is gone. This is what I get now:
config loaded for site 'xxx.vpn'
attached to key daemon ...
peer configured
isakmp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
After that, nothing happens. No welcome banner (so connection not fully established?) and no traffic possible on client.
Ipconfig on a client in this state returns an IPv4 address from the configured virtual address pool (Mobile Clients > Provide a virtual IP address to clients), and likewise the subnet mask. So that part is OK. The listed default gateway, however, is 0.0.0.0.
I actually used the guide you link to during my initial setup years ago. I have gone over it again and everything seems to be OK, with the possible exception of Phase 2 > Local Network, which is currently set to 'LAN subnet'. I'm not sure what I should enter here, but 'LAN subnet' is the value imported from the backup config. I have also played around with this setting, to no avail.
Also, I was unable to find System > Advanced, Miscellaneous tab > Uncheck Prefer Old IPsec SA.
Any idea where to look? Thanks for your help.
Finally got it to work. The trick was to set 'Local Network' in the Phase 2 settings to 'Network', Address 0.0.0.0/0.
I think the dropdown portion of this setting changed since 2.1.x.
Traffic is now forced through tunnel. Still no banner, but that's a detail.
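As an added example (not code from the thread, from pfSense, or from Shrew Soft), the script below models the two things that mattered in this thread: reading the client's connection log to tell a client-side "Failed to attach to key daemon" failure apart from a tunnel that negotiated fully, and evaluating destinations against the Phase 2 'Local Network' selector to show why 'LAN subnet' only carried traffic to the LAN while 0.0.0.0/0 carries everything. The sample log is constructed from the messages quoted above; the milestone ordering, the LAN subnet 192.168.1.0/24 and the destination addresses are assumptions made for the example.

```python
"""Added example, not code from the forum thread or from pfSense/Shrew Soft.

Two diagnostics for the situation in the thread (client gets a virtual IP
but passes no traffic):

  1. diagnose_client_log() reads a Shrew Soft style connection log and
     tells a client-side failure ("Failed to attach to key daemon") apart
     from a tunnel that negotiated fully but has nothing routed into it.
  2. routed_via_tunnel() evaluates a destination against the Phase 2
     'Local Network' traffic selector pfSense hands to the client.
     A selector of the LAN subnet only covers traffic to that subnet;
     0.0.0.0/0 covers everything (the fix reached at the end of the thread).

The sample log, subnet and destinations are constructed for the example;
the milestone strings are taken from the log quoted in the thread, and the
order they are checked in is an assumption.
"""
import ipaddress

# Milestones in the order the thread's log shows them (assumed order).
MILESTONES = [
    ("attached to key daemon", "key daemon attached"),
    ("pre-shared key configured", "proposal and identity configured"),
    ("bringing up tunnel", "negotiating"),
    ("tunnel enabled", "tunnel up"),
]


def diagnose_client_log(text: str) -> str:
    """Return a short verdict describing how far the client got."""
    lowered = text.lower()
    if "failed to attach to key daemon" in lowered:
        # The client could not talk to its own IKE service; nothing was
        # sent to the firewall yet, so this is fixed on the client.
        return "client-side: key daemon not reachable"
    reached = "no milestone reached"
    for marker, verdict in MILESTONES:
        if marker in lowered:
            reached = verdict
    return reached


def routed_via_tunnel(local_networks, destination: str) -> bool:
    """True if destination falls inside any Phase 2 'Local Network' selector."""
    dest = ipaddress.ip_address(destination)
    return any(dest in ipaddress.ip_network(net, strict=False)
               for net in local_networks)


def compare_selectors(destinations, lan_subnet="192.168.1.0/24"):
    """For each destination, report whether it is tunnelled under a split
    selector (the LAN subnet) and under a full selector (0.0.0.0/0)."""
    return {
        dest: {
            "lan_subnet": routed_via_tunnel([lan_subnet], dest),
            "all_traffic": routed_via_tunnel(["0.0.0.0/0"], dest),
        }
        for dest in destinations
    }


# Constructed log, reproducing the messages quoted in the thread.
SAMPLE_LOG = """config loaded for site 'xxx.vpn'
attached to key daemon ...
peer configured
isakmp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
"""

if __name__ == "__main__":
    print("client log verdict:", diagnose_client_log(SAMPLE_LOG))
    # 192.168.1.20 is an assumed LAN host; 203.0.113.9 an assumed Internet host.
    for dest, result in compare_selectors(["192.168.1.20", "203.0.113.9"]).items():
        print(dest, result)
```

With the log from the thread the verdict is "tunnel up", which is why the client already had a virtual address: both IKE phases completed. The second function shows that under the 'LAN subnet' selector an Internet destination is simply not covered by the tunnel, while 0.0.0.0/0 covers it, matching the behaviour change reported in the last post.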