Netgate Discussion Forum
    IPSec Mobile Client - unable to connect after upgrade 2.4.4_3 to 2.4.5_1 [config change required due to upgrade / issue resolved]

    sjcjonker

      Hi All,

      Note upfront: The issue is resolved, minor config change required. As such just for reference for others.

      Just now I spent some time upgrading a node from 2.4.4_3 to 2.4.5_1. The pfSense instance is solely used for the termination of IPSec mobile clients (and OpenVPN clients). This worked fine with both macOS and iOS clients (only Apple clients) before the upgrade.

      After the upgrade the clients couldn't connect to the IPSec endpoint.
      Before the upgrade the ipsec.conf in /var/etc/ipsec/ipsec.d/certs had:
      leftid = vpn.example.com

      Note: vpn.example.com is what is shown in the X509 cert output under both the "Subject" and "X509v3 Subject Alternative Name", for example:

      [2.4.5-RELEASE][root@<<hostname>>]/var/etc/ipsec/ipsec.d/certs: openssl x509 -in cert-1.crt -noout -text
      <<snip>>
              Subject: O=Example, CN=vpn.example.com/emailAddress=<<removed>>@example.com
      <<snip>>
                  X509v3 Subject Alternative Name:
                      DNS:vpn.example.com
      <<snip>>
      

      Post upgrade the ipsec.conf had
      leftid = "keyid:vpn.example.com"

      To fix / restore this, change the GUI option in the menu: VPN => IPSec => Tunnels => "My Identifier": change the value from "KeyID Tag" to "ASN.1 distinguished Name".

      Then the clients could connect again as the ipsec.conf now shows:
      leftid = "vpn.example.com"

      I hope this helps anyone experiencing issues in the upgrade from 2.4.4 to 2.4.5.

      Greetz,
      Stijn

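As an added check (example code, not from the post or from pfSense), the script below parses the leftid from an ipsec.conf fragment and the Subject CN / SAN DNS names from `openssl x509 -noout -text` output, then flags the "keyid:" form that appeared after the upgrade. The conf fragments and certificate text are constructed from the values quoted in the post.

```python
"""Verify a strongSwan leftid against the server certificate identity.

Added example, not pfSense code. Detects the post-upgrade
`leftid = "keyid:vpn.example.com"` form that broke the Apple mobile clients
in the post, and confirms the plain form matches the cert's CN / SAN.
"""
import re

# Constructed ipsec.conf fragments modelled on the post (pre- and post-upgrade).
CONF_GOOD = 'conn con-mobile\n  leftid = "vpn.example.com"\n'
CONF_BAD = 'conn con-mobile\n  leftid = "keyid:vpn.example.com"\n'

# Constructed openssl text output, trimmed to the identity fields.
CERT_TEXT = """\
        Subject: O=Example, CN=vpn.example.com/emailAddress=admin@example.com
            X509v3 Subject Alternative Name:
                DNS:vpn.example.com
"""

def parse_leftid(conf: str) -> str:
    """Return the leftid value with surrounding quotes and whitespace removed."""
    m = re.search(r'^\s*leftid\s*=\s*(.+)$', conf, re.M)
    if not m:
        raise ValueError("no leftid in ipsec.conf fragment")
    return m.group(1).strip().strip('"')

def cert_identities(cert_text: str) -> set:
    """Collect the Subject CN and all SAN DNS names from openssl text output."""
    ids = set()
    cn = re.search(r'CN=([^/,\n]+)', cert_text)
    if cn:
        ids.add(cn.group(1).strip())
    ids.update(re.findall(r'DNS:([^,\s]+)', cert_text))
    return ids

def check_leftid(conf: str, cert_text: str) -> dict:
    """Classify the leftid: its type prefix, cert match, and overall verdict."""
    leftid = parse_leftid(conf)
    id_type, value = leftid.split(":", 1) if ":" in leftid else ("", leftid)
    in_cert = value in cert_identities(cert_text)
    # Per the post, the keyid: form stopped the clients connecting even though
    # the name itself is in the cert; only the plain form passes.
    return {"leftid": leftid, "type": id_type or "plain",
            "in_cert": in_cert, "ok": id_type == "" and in_cert}

if __name__ == "__main__":
    for label, conf in (("pre-upgrade", CONF_GOOD), ("post-upgrade", CONF_BAD)):
        print(label, check_leftid(conf, CERT_TEXT))
```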
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.