Unable to start IPSec connection in 2.5.1
-
When I initially upgraded to v2.5.0, I had one IPSec connection that I could not start. Clicking "Connect" did nothing, and there was nothing in the logs related to this tunnel at all. I applied several patches for IPSec, including 11486, which fixed this issue. This fix is included in v2.5.1.
I did not do anything with the patches before the upgrade - perhaps I should have. But this issue has returned, and I cannot connect this tunnel. I have reverted the patches, deleted them, and restarted the ipsec service, but I still cannot connect the tunnel. (I also tried re-applying the patch.)
I realize I may have messed something up in the upgrade process by not reverting the patches first. What can I do to fix this issue?
-
Following up on this. I still can't get this to work but have narrowed it down somewhat. It appears to be failing on the PSK. I tried to manually start it from the far end (ipsec running on Ubuntu server) and I get the following error:
parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ] tried 1 shared key for 'xxx.domain1.com' - 'yyy.domain2.com', but MAC mismatched generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
This was working fine in 2.5.0. I have generated a new PSK from the pfsense GUI and moved it to the far end, but I get the same error.
I do have another pfsense machine on 2.5.1 that is connecting successfully to this far end. I've verified that no settings have changed, and they match the other pfsense machine as well.
Any ideas?
-
Update on this - I disabled this tunnel in pfsense and created a new one by copy/pasting all settings, including the PSK, from the old tunnel to the new tunnel. I still cannot initiate the connection from the pfsense side. There is nothing in the logs that indicates any attempt at creating a new tunnel, nothing referencing the far side IP - it's not doing a thing.
But with the new tunnel, I can successfully initiate the tunnel from the far end. When I do this, there are two shown in Status -> IPSec - one that is connected, and one that is not. If I disable the new tunnel and re-enable the old tunnel and try to connect from the far side I get the same MAC mismatched failure again. Switch back to the new tunnel - with the exact same settings - and it works.
Something's still not right. Anyone got any ideas? I'd sure like to be able to initiate from my end.