Mobile User VPN failed w/Cert Expired; New Cert doesn't fix
-
I have two pfsense 2.4.4 appliances controlling two networks, Site 1 (office) and Site 2 (home). Prior to mid-June, both my MacBook Pro (macOS 10.14.6) and my iPhone (iOS 15.6) could connect to either site using Apple's built-in IPSec/IKEv2 clients.
In June, the certificate for Site 2 expired, and neither device could connect to Site 2, citing "Certificate Expired."
Since I'm on 2.4.4, I had to create a new certificate, so I did that, attempting to make it as similar to the expired one as possible. I issued the new certificate, told my pfsense IPSec Mobile Tunnel Phase 1 to use the new certificate, and exported the new certificate and emailed it to myself. I imported the new cert on both my devices and attempted to connect.
Now I'm getting a "User Authentication failed." error on both devices. I had not changed anything on the Mobile Users setup, so the usernames and passwords should not have changed, only the certificate.
I can still connect from both devices to Site 1, because its certificate hasn't expired.
I have compared my VPN tunnel settings and my Mobile User settings between Site 1 and Site 2, and AFAICT I've set them up identically except, of course, for their respective local settings.
I checked the user IDs and passwords/shared secrets a bazillion times, and I'm sure they're correct. In fact, because this is a Mac and an iPhone, I can copy the shared secret off the pfsense setup page on my Mac and then paste it into my phone. I also pasted it into a text document just to verify that's correct. I still can't connect.
I've rebooted the pfsense box a few times, with no improvement.
Is there another step that I'm missing? Thanks!
Spoilered IPSec log:
Time Process PID Message
Aug 15 15:15:36 charon 07[NET] <93> received packet: from 172.158.127.165[42710] to 47.157.121.240[500] (604 bytes)
Aug 15 15:15:36 charon 07[ENC] <93> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 15:15:36 charon 07[IKE] <93> 172.158.127.165 is initiating an IKE_SA
Aug 15 15:15:36 charon 07[IKE] <93> local host is behind NAT, sending keep alives
Aug 15 15:15:36 charon 07[IKE] <93> remote host is behind NAT
Aug 15 15:15:36 charon 07[IKE] <93> DH group MODP_2048 inacceptable, requesting MODP_1024
Aug 15 15:15:36 charon 07[ENC] <93> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 15 15:15:36 charon 07[NET] <93> sending packet: from 47.157.121.240[500] to 172.158.127.165[42710] (38 bytes)
Aug 15 15:15:36 charon 07[NET] <94> received packet: from 172.158.127.165[42710] to 47.157.121.240[500] (476 bytes)
Aug 15 15:15:36 charon 07[ENC] <94> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 15:15:36 charon 07[IKE] <94> 172.158.127.165 is initiating an IKE_SA
Aug 15 15:15:36 charon 07[IKE] <94> local host is behind NAT, sending keep alives
Aug 15 15:15:36 charon 07[IKE] <94> remote host is behind NAT
Aug 15 15:15:36 charon 07[IKE] <94> sending cert request for "CN=MyLocalCertificateAuthority"
Aug 15 15:15:36 charon 07[ENC] <94> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Aug 15 15:15:36 charon 07[NET] <94> sending packet: from 47.157.121.240[500] to 172.158.127.165[42710] (341 bytes)
Aug 15 15:15:36 charon 07[NET] <94> received packet: from 172.158.127.165[33660] to 47.157.121.240[4500] (508 bytes)
Aug 15 15:15:36 charon 07[ENC] <94> unknown attribute type (25)
Aug 15 15:15:36 charon 07[ENC] <94> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Aug 15 15:15:36 charon 07[CFG] <94> looking for peer configs matching 47.157.121.240[my.dynamicDNS.name]...172.158.127.165[2607:fb91:3a2:a1b6:1c93:dad:121:e868]
Aug 15 15:15:36 charon 07[CFG] <con-mobile|94> selected peer config 'con-mobile'
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> initiating EAP_IDENTITY method (id 0x00)
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> peer supports MOBIKE, but disabled in config
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> authentication of 'new.certificate.name' (myself) with RSA signature successful
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> sending end entity cert "CN=new.certificate.name"
Aug 15 15:15:36 charon 07[ENC] <con-mobile|94> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 15 15:15:36 charon 07[ENC] <con-mobile|94> splitting IKE message with length of 1308 bytes into 2 fragments
Aug 15 15:15:36 charon 07[ENC] <con-mobile|94> generating IKE_AUTH response 1 [ EF(1/2) ]
Aug 15 15:15:36 charon 07[ENC] <con-mobile|94> generating IKE_AUTH response 1 [ EF(2/2) ]
Aug 15 15:15:36 charon 07[NET] <con-mobile|94> sending packet: from 47.157.121.240[4500] to 172.158.127.165[33660] (1248 bytes)
Aug 15 15:15:36 charon 07[NET] <con-mobile|94> sending packet: from 47.157.121.240[4500] to 172.158.127.165[33660] (120 bytes)
Aug 15 15:15:56 charon 07[IKE] <con-mobile|94> sending keep alive to 172.158.127.165[33660]
Aug 15 15:16:06 charon 07[JOB] <con-mobile|94> deleting half open IKE_SA with 172.158.127.165 after timeout
-
@thewaterbug said in Mobile User VPN failed w/Cert Expired; New Cert doesn't fix:
Is there another step that I'm missing?
Yes, a big one.
Your iPhone updates once in a while. As do the iPhone Apps.
Certificate handling changes.
Example: 128 bits were just great back then, then it was 512 minimum, and now they use 4096 bits.
But you never followed the upgrade path for pfSense ..... so, one day, it just stops, as both sides can't understand each other any more.
And also: if you decide to keep 2.4.4, you should become an expert user really fast, as no one here remembers what possible issues 2.4.4 had back in 2017. I don't even recall known issues and solutions with 2.5.2 ... (the forum does!)
-
@gertjan but this same iPhone and Mac can still connect to an identical tunnel on my other pfsense box, running the same version of pfsense.
The only difference is that its certificate didn’t expire, so I didn’t have to generate a new one.
-
I'm not an IPSEC expert, never actually used it.
In your log I couldn't see any 'cert'-related errors.
Only this one:
@thewaterbug said in Mobile User VPN failed w/Cert Expired; New Cert doesn't fix:
Aug 15 15:15:36 charon 07[IKE] <93> DH group MODP_2048 inacceptable, requesting MODP_1024
Who/what is charon?
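Added example, not from anyone in the thread: charon is the IKE daemon of strongSwan, which pfSense uses for IPsec, so the "Spoilered IPSec log" in the first post is strongSwan's view of the IKEv2 handshake. The script below groups charon log lines by IKE_SA number and reports where each SA got to. For the log in the first post it classifies SA 93 as the normal INVAL_KE group renegotiation (the server asked for MODP_1024, the client opened a new SA) and SA 94 as stalled: pfSense authenticated itself with the new certificate, sent its IKE_AUTH response carrying CERT, AUTH and the EAP identity request, and then deleted the half-open SA after the client never answered. The ESTABLISHED and AUTH_FAILED branches match messages strongSwan logs on success and on a failed EAP or signature check; those messages do not occur in the post's log, and the sample lines that exercise them in the usage are constructed.

```python
import re

# Lines copied from the log in the first post (noise lines dropped); the
# trailing "-" on the last line of the post is a forum separator, not log text.
SAMPLE_LOG = """\
Aug 15 15:15:36 charon 07[NET] <93> received packet: from 172.158.127.165[42710] to 47.157.121.240[500] (604 bytes)
Aug 15 15:15:36 charon 07[ENC] <93> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 15:15:36 charon 07[IKE] <93> 172.158.127.165 is initiating an IKE_SA
Aug 15 15:15:36 charon 07[IKE] <93> DH group MODP_2048 inacceptable, requesting MODP_1024
Aug 15 15:15:36 charon 07[ENC] <93> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 15 15:15:36 charon 07[NET] <94> received packet: from 172.158.127.165[42710] to 47.157.121.240[500] (476 bytes)
Aug 15 15:15:36 charon 07[ENC] <94> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 15:15:36 charon 07[IKE] <94> sending cert request for "CN=MyLocalCertificateAuthority"
Aug 15 15:15:36 charon 07[ENC] <94> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Aug 15 15:15:36 charon 07[ENC] <94> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Aug 15 15:15:36 charon 07[CFG] <con-mobile|94> selected peer config 'con-mobile'
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> initiating EAP_IDENTITY method (id 0x00)
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> authentication of 'new.certificate.name' (myself) with RSA signature successful
Aug 15 15:15:36 charon 07[IKE] <con-mobile|94> sending end entity cert "CN=new.certificate.name"
Aug 15 15:15:36 charon 07[ENC] <con-mobile|94> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 15 15:16:06 charon 07[JOB] <con-mobile|94> deleting half open IKE_SA with 172.158.127.165 after timeout
"""

LINE_RE = re.compile(
    r'^(?:\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+)?'    # optional syslog timestamp
    r'charon\s+\d+\[(?P<sub>\w+)\]\s+'           # "charon 07[IKE] "
    r'<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+'   # "<93>" or "<con-mobile|94>"
    r'(?P<msg>.*)$'
)


def parse_charon(text):
    """Group charon messages by IKE_SA number, preserving their order."""
    sas = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sas.setdefault(int(m['sa']), []).append((m['sub'], m['conn'], m['msg']))
    return sas


def diagnose(events):
    """Return a label for how far one IKE_SA got before the log ends."""
    inval_ke = eap_sent = peer_ok = failed = up = timeout = False
    for _, _, msg in events:
        if 'N(INVAL_KE)' in msg:
            inval_ke = True            # server rejected the client's DH group; client retries
        elif msg.startswith('generating IKE_AUTH response') and 'EAP/REQ' in msg:
            eap_sent = True            # server's cert + AUTH + EAP request left for the client
        elif ('EAP method' in msg and 'succeeded' in msg) or 'with EAP successful' in msg:
            peer_ok = True             # client passed EAP (user/password) authentication
        elif (('EAP method' in msg and 'failed' in msg)
              or ('authentication of' in msg and 'failed' in msg)
              or 'EAP_FAILURE' in msg):
            failed = True              # server-side record of an authentication failure
        elif 'IKE_SA' in msg and 'established between' in msg:
            up = True
        elif msg.startswith('deleting half open IKE_SA'):
            timeout = True             # client stopped answering mid-handshake
    if up:
        return 'ESTABLISHED'
    if failed:
        return 'AUTH_FAILED'
    if inval_ke:
        return 'DH_GROUP_RENEGOTIATED'
    if timeout and eap_sent and not peer_ok:
        return 'STALLED_AFTER_SERVER_AUTH'
    if timeout:
        return 'TIMEOUT_BEFORE_AUTH'
    return 'INCOMPLETE'


def diagnose_log(text):
    """Map every IKE_SA number in the log to its diagnosis label."""
    return {sa: diagnose(ev) for sa, ev in parse_charon(text).items()}


if __name__ == '__main__':
    for sa, label in diagnose_log(SAMPLE_LOG).items():
        print(f'IKE_SA {sa}: {label}')
```

For the thread's log this prints `IKE_SA 93: DH_GROUP_RENEGOTIATED` and `IKE_SA 94: STALLED_AFTER_SERVER_AUTH`. The point of the second label is that the pfSense side never got as far as checking a username or password: the server logs no EAP exchange beyond its own identity request and no signature failure, and the half-open SA is dropped after the client received the new server certificate and AUTH payload. The "User Authentication failed" text on the devices therefore comes from the client side, and the server log cannot say what the client objected to, only that the stop happens at the point where it first has to act on the new certificate.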