PfSense sends wrong or corrupted data



  • After having to reinstall pfSense, I had been trying for hours to create a connection to pfSense, but I couldn't find what went wrong. I've done it dozens of times before. I increased logging a few times and apparently everything went through, but I still got disconnected in less than a second on my phone, and on pfSense it took just a little while longer for it to tell me it had killed the connection.

    Even after installing the Root CA cert and changing pfSense's identity to my Root CA, it won't connect. These are the same certificates from my earlier installs, the exact same files.

    Now desperate, I instead tried to figure out a way to get the log data from my phone. As it turns out, it wasn't that hard: I just launched Apple Configurator 2 and got a live, really fast stream of data, and from what I understood the certificate information is wrong, but this couldn't be, since this certificate has worked before.

    Here's the log:

    Sep 22 00:38:57 charon 11[NET] <8> received packet: from 201.175.159.147[314] to 189.174.249.89[500] (604 bytes)
    Sep 22 00:38:57 charon 11[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Sep 22 00:38:57 charon 11[IKE] 201.175.159.147 is initiating an IKE_SA
    Sep 22 00:38:57 charon 11[IKE] <8> 201.175.159.147 is initiating an IKE_SA
    Sep 22 00:38:57 charon 11[IKE] IKE_SA (unnamed)[8] state change: CREATED => CONNECTING
    Sep 22 00:38:57 charon 11[IKE] <8> IKE_SA (unnamed)[8] state change: CREATED => CONNECTING
    Sep 22 00:38:57 charon 11[IKE] remote host is behind NAT
    Sep 22 00:38:57 charon 11[IKE] <8> remote host is behind NAT
    Sep 22 00:38:57 charon 11[IKE] sending cert request for "–-Root CA cert info---"
    Sep 22 00:38:57 charon 11[IKE] <8> sending cert request for "–-Root CA cert info---"
    Sep 22 00:38:57 charon 11[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Sep 22 00:38:57 charon 11[NET] <8> sending packet: from 189.174.249.89[500] to 201.175.159.147[314] (473 bytes)
    Sep 22 00:38:57 charon 11[NET] <8> received packet: from 201.175.159.147[49772] to 189.174.249.89[4500] (544 bytes)
    Sep 22 00:38:57 charon 11[ENC] <8> unknown attribute type (25)
    Sep 22 00:38:57 charon 11[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Sep 22 00:38:57 charon 11[CFG] <8> looking for peer configs matching 189.174.249.89[–-Here goes my FQDN---]…201.175.159.147[–-Some random ID---]
    Sep 22 00:38:57 charon 11[CFG] <con1|8>selected peer config 'con1'
    Sep 22 00:38:57 charon 11[IKE] initiating EAP_IDENTITY method (id 0x00)
    Sep 22 00:38:57 charon 11[IKE] <con1|8>initiating EAP_IDENTITY method (id 0x00)
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP4_ADDRESS attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP4_DHCP attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP4_DHCP attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP4_DNS attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP4_DNS attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP4_NETMASK attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP4_NETMASK attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP6_ADDRESS attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP6_DHCP attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP6_DHCP attribute
    Sep 22 00:38:57 charon 11[IKE] processing INTERNAL_IP6_DNS attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing INTERNAL_IP6_DNS attribute
    Sep 22 00:38:57 charon 11[IKE] processing (25) attribute
    Sep 22 00:38:57 charon 11[IKE] <con1|8>processing (25) attribute
    Sep 22 00:38:57 charon 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 22 00:38:57 charon 11[IKE] <con1|8>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 22 00:38:57 charon 11[IKE] peer supports MOBIKE
    Sep 22 00:38:57 charon 11[IKE] <con1|8>peer supports MOBIKE
    Sep 22 00:38:57 charon 11[IKE] authentication of '–-pfSense's ID---' (myself) with RSA signature successful
    Sep 22 00:38:57 charon 11[IKE] <con1|8>authentication of '–-pfSense's ID---' (myself) with RSA signature successful
    Sep 22 00:38:57 charon 11[IKE] sending end entity cert "–-Cert information---"
    Sep 22 00:38:57 charon 11[IKE] <con1|8>sending end entity cert "–-Cert information---"
    Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Sep 22 00:38:57 charon 11[ENC] <con1|8>splitting IKE message with length of 2544 bytes into 3 fragments
    Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ EF(1/3) ]
    Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ EF(2/3) ]
    Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ EF(3/3) ]
    Sep 22 00:38:57 charon 11[NET] <con1|8>sending packet: from 189.174.249.89[4500] to 201.175.159.147[49772] (1236 bytes)
    Sep 22 00:38:57 charon 11[NET] <con1|8>sending packet: from 189.174.249.89[4500] to 201.175.159.147[49772] (1236 bytes)
    Sep 22 00:38:57 charon 11[NET] <con1|8>sending packet: from 189.174.249.89[4500] to 201.175.159.147[49772] (212 bytes)
    Sep 22 00:39:27 charon 13[JOB] <con1|8>deleting half open IKE_SA with 201.175.159.147 after timeout
    Sep 22 00:39:27 charon 13[IKE] IKE_SA con1[8] state change: CONNECTING => DESTROYING
    Sep 22 00:39:27 charon 13[IKE] <con1|8>IKE_SA con1[8] state change: CONNECTING => DESTROYING

    I tried creating a new cert right from pfSense and exported this cert and the CA certs from pfSense, imported everything into the phone, and I still can't connect.

    Oh, one more thing: before this issue I was setting up the network and Avahi didn't want to start, so I changed the update settings and updated to a prerelease version, and it seems that fixed it. Could my pfSense version be damaged? I don't want to reinstall because it takes me forever to set up interfaces and rules, and I'm afraid that if I import settings all of the bad stuff will carry over too. I do have a backup of an old config, but it doesn't match my network anymore.

    Do you have any suggestions?

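As an added triage helper (not from the post, pfSense or strongSwan), this script replays charon log lines per IKE_SA and reports the stage at which a half-open SA timed out; the sample lines are abridged from the log above, and the `SA_RE` tag pattern and the diagnosis wording are this example's own assumptions.

```python
import re

# Abridged from the charon log posted above (redaction placeholders as posted).
SAMPLE_LOG = """\
Sep 22 00:38:57 charon 11[NET] <8> received packet: from 201.175.159.147[314] to 189.174.249.89[500] (604 bytes)
Sep 22 00:38:57 charon 11[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 22 00:38:57 charon 11[IKE] <8> IKE_SA (unnamed)[8] state change: CREATED => CONNECTING
Sep 22 00:38:57 charon 11[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 22 00:38:57 charon 11[NET] <8> sending packet: from 189.174.249.89[500] to 201.175.159.147[314] (473 bytes)
Sep 22 00:38:57 charon 11[NET] <8> received packet: from 201.175.159.147[49772] to 189.174.249.89[4500] (544 bytes)
Sep 22 00:38:57 charon 11[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sep 22 00:38:57 charon 11[IKE] <con1|8>initiating EAP_IDENTITY method (id 0x00)
Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 22 00:38:57 charon 11[ENC] <con1|8>splitting IKE message with length of 2544 bytes into 3 fragments
Sep 22 00:38:57 charon 11[ENC] <con1|8>generating IKE_AUTH response 1 [ EF(1/3) ]
Sep 22 00:38:57 charon 11[NET] <con1|8>sending packet: from 189.174.249.89[4500] to 201.175.159.147[49772] (1236 bytes)
Sep 22 00:39:27 charon 13[JOB] <con1|8>deleting half open IKE_SA with 201.175.159.147 after timeout
Sep 22 00:39:27 charon 13[IKE] <con1|8>IKE_SA con1[8] state change: CONNECTING => DESTROYING
"""

# charon tags each SA-scoped line with <id> or <conn|id>; untagged duplicates are skipped.
SA_RE = re.compile(r"<(?:[\w-]+\|)?(\d+)>\s*(.*)$")

def triage(log):
    """Replay the log per IKE_SA id and return {sa_id: diagnosis}."""
    sas = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m.group(1), {"last_sent": None, "frags": 0, "timeout": False, "rx_after": False})
        msg = m.group(2)
        if msg.startswith("generating ") and "[ EF(" not in msg:   # whole message, not a fragment
            sa["last_sent"] = msg[len("generating "):]
            sa["rx_after"] = False          # nothing heard from the peer since this message
        elif "fragments" in msg:
            sa["frags"] = int(re.search(r"into (\d+) fragments", msg).group(1))
        elif msg.startswith("received packet"):
            sa["rx_after"] = True
        elif "deleting half open IKE_SA" in msg:
            sa["timeout"] = True
    return {k: diagnose(v) for k, v in sas.items()}

def diagnose(sa):
    """Explain a half-open timeout from the last whole message we sent before the peer went quiet."""
    if not sa["timeout"]:
        return "completed or still in progress"
    sent = sa["last_sent"] or ""
    if "IKE_AUTH response" in sent and "EAP/REQ/ID" in sent and not sa["rx_after"]:
        frag = f" ({sa['frags']} fragments)" if sa["frags"] else ""
        return ("peer went silent after IKE_AUTH response carrying IDr/CERT/AUTH" + frag +
                ": the server proved its identity and asked for the EAP identity, but the client never "
                "answered; check the client's own log for its verdict on the server cert/identity "
                "and confirm every fragment reached it")
    if "IKE_SA_INIT response" in sent:
        return "peer went silent after IKE_SA_INIT response: no IKE_AUTH request arrived (proposal or NAT path)"
    return "half-open timeout at an unexpected stage"
```

Run on the log above, it reports that SA 8 stalled after the fragmented IKE_AUTH response, which is why the server-side log alone cannot say whether the phone rejected the certificate or never reassembled the message.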