VPN no longer working after installing v2.4.4
Up until pfsense v2.4.3, this is all the VPN configuration I had to do to successfully VPN from my iPhone.
VPN > IPSec > Mobile Clients > Enable IPsec Mobile Client Support
User Authentication > Local Database
Provide a virtual IP address to clients > 192.168.50.32
Provide a DNS server list to clients > 22.214.171.124 / 126.96.36.199
Save > Apply Changes

Create Phase 1
Description > VPN
Authentication Method > Mutual PSK + Xauth
Peer Identifier > Distinguished name > vpn
Pre-Shared Key > <password_here>
NAT Traversal > Force
Save > Apply Changes

Show Phase 2 Entries > Add P2
Local Network > Network > 0.0.0.0/0
Save > Apply Changes

System > User Manager > Add > Username: <username_here> > Password: <password_here> > Save
Edit user
Effective Privileges > Add > User – VPN: IPSec xauth Dialin > Save

Firewall > Rules > IPSec > Add
Protocol > TCP/UDP
Description > VPN
Save > Apply Changes
This morning I did a clean install of pfsense 2.4.4, and this configuration is no longer working. On my iPhone I get a message saying: "Negotiation with the VPN server failed".
Anyone else facing this issue? Did something change on v2.4.4?
IPSEC logs here:
Oct 17 13:30:52 charon 08[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Oct 17 13:30:52 charon 08[CFG] <8> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 17 13:30:52 charon 08[IKE] <8> no proposal found
Your config doesn't match what your client wants.
So I am assuming the configuration to fix this is under Phase 2 Proposal? I tried a few combinations, but nothing worked, so I selected everything but still no luck. And the configured proposals didn't change. So where do I change the configured proposals?
So it was actually the changes here that created more proposals, but now I get a "no acceptable ENCRYPTION_ALGORITHM found" message. So I'm working on that. Any suggestions are appreciated.
Oct 18 07:11:30 charon 06[CFG] <con-mobile|25> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Oct 18 07:11:30 charon 06[CFG] <con-mobile|25> configured proposals: ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_XCBC_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/AES_XCBC_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_XCBC_96/MODP_2048/NO_EX
Oct 18 07:11:30 charon 06[IKE] <con-mobile|25> no matching proposal found, sending NO_PROPOSAL_CHOSEN
That looks more like a P2 mismatch there; again, there was no match between what the client wants and what your firewall is configured to send. Looks like the client doesn't want PFS.
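A small log-triage script, added here as an example and not code from the thread, pfSense or strongSwan: it pairs charon's "received proposals" and "configured proposals" lines, reports an exact match if one exists, and otherwise names the transform type that breaks the match (for the Oct 18 lines, the DH group the firewall requires but the client never offers, i.e. PFS). The matching rule is a simplified assumption about strongSwan's behaviour, and the sample lines are constructed, trimmed copies of the excerpts above.

```python
import re

# Transform types by name prefix; PRF_ is tested before HMAC_ so PRF_HMAC_SHA1
# lands in "prf", not "integ". Anything unrecognised counts as encryption.
CATEGORIES = (("prf", ("PRF_",)), ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
              ("dh", ("MODP_", "ECP_", "CURVE_")), ("esn", ("NO_EXT_SEQ", "EXT_SEQ")))
PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.*)$")
def classify(transform):
    return next((cat for cat, pre in CATEGORIES if transform.startswith(pre)), "enc")
def parse_proposal(text):
    # "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ" -> ("ESP", {"enc": ..., "integ": ..., "esn": ...})
    proto, _, transforms = text.strip().partition(":")
    return proto, {classify(t): t for t in transforms.split("/")}
def parse_log(lines):
    # Pair each "received proposals" line with the "configured proposals" line after it.
    pending, pairs = {}, []
    for m in filter(None, map(PROPOSAL_RE.search, lines)):
        pending[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(",")]
        if len(pending) == 2:
            pairs.append((pending.pop("received"), pending.pop("configured")))
    return pairs
def diagnose(received, configured):
    # Assumption (simplified strongSwan rule): a proposal matches only when the
    # protocol, the set of transform types and every algorithm agree exactly.
    for r in received:
        if r in configured:
            return r, []
    reasons = []
    offered = {cat for _, p in received for cat in p}
    wanted = {cat for _, p in configured for cat in p}
    for cat in sorted(wanted - offered):  # e.g. firewall wants a DH group, client sends none
        reasons.append(f"{cat}: firewall requires it, client never offers it" + (" (PFS off?)" if cat == "dh" else ""))
    for cat in sorted(wanted & offered):
        r_vals = {p[cat] for _, p in received if cat in p}
        c_vals = {p[cat] for _, p in configured if cat in p}
        if not r_vals & c_vals:
            reasons.append(f"{cat}: client offers {sorted(r_vals)}, firewall accepts {sorted(c_vals)}")
    return None, reasons

# Constructed sample: the thread's two log excerpts, trimmed to a few proposals each.
SAMPLE_LOG = [
    "Oct 17 13:30:52 charon 08[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "Oct 17 13:30:52 charon 08[CFG] <8> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
    "Oct 18 07:11:30 charon 06[CFG] <con-mobile|25> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ",
    "Oct 18 07:11:30 charon 06[CFG] <con-mobile|25> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ",
]
def report(lines=SAMPLE_LOG):
    return [diagnose(r, c) for r, c in parse_log(lines)]  # one (match, reasons) per pair
```

Feed it the real log (`report(open("ipsec.log").read().splitlines())`) and the first reason for each pair tells you which Phase 1 or Phase 2 setting to adjust.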