VPN no longer working after installing v2.4.4



  • Up until pfsense v2.4.3, this is all the VPN configuration I had to do to successfully VPN from my iPhone.

    VPN > IPSec > Mobile Clients > Enable IPsec Mobile Client Support
    User Authentication > Local Database
    Provide a virtual IP address to clients > 192.168.50.32
    Provide a DNS server list to clients > 8.8.8.8 / 8.8.4.4
    Save > Apply Changes
    
    Create Phase 1
    Description > VPN
    Authentication Method > Mutual PSK + Xauth
    Peer Identifier > Distinguished name > vpn
    Pre-Shared Key > <password_here>
    NAT Traversal > Force
    Save > Apply Changes
    
    Show Phase 2 Entries > Add P2
    Local Network > Network > 0.0.0.0/0
    Save > Apply Changes
    
    System > User Manager > Add > Username: <username_here> > Password: <password_here> > Save
    Edit user
    Effective Privileges > Add > User – VPN: IPSec xauth Dialin > Save
    
    Firewall > Rules > IPSec > Add
    Protocol > TCP/UDP
    Description > VPN
    Save > Apply Changes
    

    This morning I did a clean install of pfsense 2.4.4, and this configuration is no longer working. On my iPhone I get a message saying: "Negotiation with the VPN server failed".

    Anyone else facing this issue? Did something change on v2.4.4?

    Thanks


  • Rebel Alliance Developer Netgate

    Logs?




  • Rebel Alliance Developer Netgate

    Oct 17 13:30:52	charon		08[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Oct 17 13:30:52	charon		08[CFG] <8> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 17 13:30:52	charon		08[IKE] <8> no proposal found
    

    Your config doesn't match what your client wants.



  • So I am assuming the configuration to fix this is under Phase 2 Proposal? I tried a few combinations, but nothing worked, so I selected everything, but still no luck. And the configured proposals didn't change. So where do I change the configured proposals?

    https://paste.ofcode.org/YQm53ihV23Kxh6J84w4f7F




  • So it was actually the changes here that created more proposals

    https://paste.ofcode.org/fgeLYyrqpmqFZj7NLs4t4P

    but now I get a "no acceptable ENCRYPTION_ALGORITHM found" message. So I'm working on that. Any suggestions are appreciated.



  • Rebel Alliance Developer Netgate

    Oct 18 07:11:30	charon		06[CFG] <con-mobile|25> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
    Oct 18 07:11:30	charon		06[CFG] <con-mobile|25> configured proposals: ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_XCBC_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/AES_XCBC_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_XCBC_96/MODP_2048/NO_EX
    Oct 18 07:11:30	charon		06[IKE] <con-mobile|25> no matching proposal found, sending NO_PROPOSAL_CHOSEN
    

    That looks more like a P2 mismatch there. Again, there was no match between what the client wants and what your firewall is configured to send. Looks like the client doesn't want PFS.
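Worked example, added here and not part of the thread or of any Netgate tooling: a small Python checker that parses charon "received proposals" / "configured proposals" lines like the two log excerpts quoted above and reports, per IKE transform type, why no proposal matched. The sample lines are constructed, abbreviated from the excerpts in the thread; the function names are mine, and the matching rule is an approximation of strongSwan's (both sides must carry the same transform types and share an algorithm in each), which is enough to show the P1 algorithm/group mismatch and the P2 case where a DH group (PFS) exists only on the firewall side.

```python
from collections import defaultdict
# Constructed sample lines, abbreviated from the charon log excerpts quoted in this thread.
P1_RECEIVED = "08[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024"
P1_CONFIGURED = "08[CFG] <8> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
P2_RECEIVED = "06[CFG] <con-mobile|25> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ"
P2_CONFIGURED = "06[CFG] <con-mobile|25> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"

def transform_type(alg):
    """Classify a strongSwan transform name by IKE transform type (encryption, integrity, PRF, DH group, ESN)."""
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    return "INTEG" if alg.startswith("HMAC_") or alg == "AES_XCBC_96" else "ENCR"

def parse_proposals(line):
    """Split a charon 'received/configured proposals:' line into (protocol, {type: {algorithms}}) tuples."""
    out = []
    for item in (i.strip() for i in line.partition("proposals:")[2].split(",") if ":" in i):
        proto, _, transforms = item.partition(":")
        by_type = defaultdict(set)
        for alg in transforms.split("/"):
            by_type[transform_type(alg)].add(alg)
        out.append((proto, dict(by_type)))
    return out

def proposal_matches(recv, conf):
    """Two proposals agree only if they carry the same transform types and share an algorithm in each."""
    (rp, r), (cp, c) = recv, conf
    return rp == cp and r.keys() == c.keys() and all(r[t] & c[t] for t in r)

def diagnose(received_line, configured_line):
    """Return {transform type: reason} for every type blocking a match; an empty dict means a proposal matched."""
    received, configured = parse_proposals(received_line), parse_proposals(configured_line)
    if any(proposal_matches(r, c) for r in received for c in configured):
        return {}
    offered, wanted = defaultdict(set), defaultdict(set)  # union of algorithms per type, per side
    for side, proposals in ((offered, received), (wanted, configured)):
        for _, by_type in proposals:
            for t, algs in by_type.items():
                side[t] |= algs
    reasons = {}
    for t in offered.keys() | wanted.keys():
        if not (offered.get(t) and wanted.get(t)):
            reasons[t] = "%s transform present on one side only (client %s, firewall %s)" % (t, sorted(offered[t]), sorted(wanted[t]))
        elif not offered[t] & wanted[t]:
            reasons[t] = "no common %s algorithm (client %s, firewall %s)" % (t, sorted(offered[t]), sorted(wanted[t]))
    return reasons
```

Running `diagnose(P1_RECEIVED, P1_CONFIGURED)` flags INTEG, PRF and DH; `diagnose(P2_RECEIVED, P2_CONFIGURED)` flags only DH as present on the firewall side alone, and the same P2 pair with `/MODP_2048` removed from the configured line returns an empty dict.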