Netgate Discussion Forum

IPSec/IKEV2 not connecting with PSK on pfSense 2.5 dev release "AUTH_FAILED & CONNECTING => DESTROYING"

2.5 Development Snapshots (Retired)
  • S
    sblinov
    last edited by sblinov Apr 24, 2020, 3:13 PM Apr 24, 2020, 3:08 PM

    @geovaneg @jimp
    I have updated pfSense to the 2.5 dev release and I found some connection issues: IKEv2 IPsec mobile users can't connect. They use PSK authentication. I tried different settings and it was not successful for me.
    In all cases I received an error log like:
    <con-mobile|4> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    <con-mobile|4> IKE_SA con-mobile[4] state change: CONNECTING => DESTROYING

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Apr 24, 2020, 3:14 PM

      Are you sure they were using IKEv2 and PSK? IKEv2 mobile connections would be using EAP auth (EAP-MSCHAPv2, EAP-RADIUS, EAP-TLS), not PSK.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • S
        sblinov
        last edited by Apr 24, 2020, 3:30 PM

        Yes, I'm sure. I have IPsec/IKEv2 with Authentication Method Mutual PSK. It worked on pfSense stable release 2.4.5, but after the update to 2.5.0 dev it is not working. I also tried a clean install of pfSense 2.5 with restoring the IPsec config and firewall rules. In all cases it was not successful for me.

        • S
          sblinov
          last edited by Apr 24, 2020, 3:33 PM

          login-to-view

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Apr 24, 2020, 3:43 PM

            What kind of clients? How are they configured?

            I don't know of any IKEv2 clients, other than maybe strongSwan itself, which can use non-EAP auth with mobile IKEv2 setups.

            • S
              sblinov
              last edited by Apr 25, 2020, 6:00 AM

              The VPN clients are Mac OS and iOS users. The IKEv2 VPN is configured in system settings. They are using just a PSK key for authentication without any certificates, non-EAP auth. It works fine on all systems. Maybe this problem is related to the new strongSwan 5.8.4 version in pfSense 2.5 dev.

              • S
                sblinov
                last edited by Apr 25, 2020, 6:03 AM

                @jimp Also, last night I tested auth with EAP-MSCHAPv2 with a cert in pfSense 2.5 dev - it works fine.

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Apr 27, 2020, 2:49 PM

                  Can you share some more specific details about the IKEv2+PSK Mobile config you had? Ideally, the IPsec section of config.xml would have everything I'd need to see, but it would contain some private info you could redact or change (like the PSK).

                  Failing that, the Mobile Clients tab settings, the Mobile P1 settings, and an example of how you configured a user account and client would be helpful.

                  • S
                    sblinov @jimp
                    last edited by Apr 28, 2020, 5:55 AM

                    @jimp Yes, sure. This is my IPsec config; I changed private info like the PSK and identifier. As I said earlier, this configuration works fine on the current stable release of pfSense. Please see the attached file:
                    config-pfSense.localdomain-20200428041603.xml

                    • S
                      sblinov
                      last edited by Apr 28, 2020, 3:41 PM

                      @jimp Did you have time to review it?

                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Apr 28, 2020, 4:06 PM

                        I think I have figured out the problem. I didn't try connecting a client but I configured a 2.4.x and 2.5.x setup with the same settings and the only thing that stood out is on 2.5.0, mobile user keys were being set as EAP in the IPsec daemon config (/var/etc/ipsec/swanctl.conf) even when PSK was selected for the user.

                        I opened a Redmine issue to track it here: https://redmine.pfsense.org/issues/10505

                        I committed a fix which should show up on that bug report in a few minutes. It's a small change, you can install the System Patches package and then create an entry for 2c9c2891678fc87dc40359726af81468a3570464 to apply the fix once it shows up on the Redmine issue.

                        After that, edit/save/apply on something in IPsec so the config will be rewritten, then try to connect again.

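A check for the condition described in the post above (user keys written as EAP secrets although PSK was selected), added here as an example and not code from pfSense or from anyone in this thread. It relies on the strongSwan swanctl.conf convention that `ike<suffix>` sections under `secrets` hold PSKs and `eap<suffix>` sections hold EAP secrets; the sample config, identities and function names are constructed for illustration.

```python
import re

# Constructed sample in swanctl.conf syntax (not the config from this thread).
SAMPLE_CONF = """
connections {
    con-mobile {
        remote {
            auth = psk
        }
    }
}
secrets {
    ike-0 {
        id-0 = %any
        secret = "placeholder-site-psk"
    }
    eap-1 {
        id-1 = alice@example.com
        secret = "placeholder-user-key"
    }
    ike-2 {
        id-2 = bob@example.com
        secret = "placeholder-user-key"
    }
}
"""

def secret_types(conf_text):
    """Map each identity under 'secrets' to the secret types (ike, eap, ...) that list it."""
    stack, found = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # entering a section
        elif line == "}":
            if stack:
                stack.pop()                      # leaving a section
        elif len(stack) == 2 and stack[0] == "secrets" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.startswith("id"):             # id<suffix> = identity
                kind = re.match(r"[a-z]*", stack[1]).group(0)
                found.setdefault(value.strip('"'), set()).add(kind)
    return found

def psk_users_stored_as_eap(conf_text, psk_users):
    """Return users expected to authenticate with a PSK whose key exists only as an EAP secret."""
    types = secret_types(conf_text)
    return sorted(u for u in psk_users
                  if "eap" in types.get(u, set()) and "ike" not in types.get(u, set()))
```

Run it against the text of /var/etc/ipsec/swanctl.conf with the list of users configured for PSK; an empty result after the config has been rewritten means no PSK user is left with only an EAP secret.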
                        • S
                          sblinov @jimp
                          last edited by Apr 29, 2020, 4:55 AM

                          @jimp Many thanks! Your fix is working correctly!
                          Thanks for your support!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.