23.09 IPSEC broken
-
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found for %any6 requested by '----@gmail.com'
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> peer requested virtual IP %any6
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found for %any requested by '---@gmail.com'
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> peer requested virtual IP %any
Same config works on 23.05.1
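Added example, not part of this post and not code from pfSense or strongSwan: a small parser for the charon log format shown above that groups messages per IKE SA and reports which peers were refused a virtual IP with INTERNAL_ADDRESS_FAILURE. The sample log, its identities and the "healthy" SA are constructed for the example; only the message formats follow what charon logs, and the posted lines are newest-first, which the parser tolerates.

```python
"""Parse charon (strongSwan) log lines and report IKE SAs that were refused a
virtual IP. Added example; not pfSense's or strongSwan's own code."""
import re
from collections import defaultdict

# Line shape from the post: "Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon (?P<pid>\d+) "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"^peer requested virtual IP (?P<family>%any6?)$")
NOT_FOUND_RE = re.compile(
    r"^no virtual IP found for (?P<family>%any6?) requested by '(?P<ident>[^']*)'$"
)
ASSIGNED_RE = re.compile(r"^assigning virtual IP (?P<ip>\S+) to peer '(?P<ident>[^']*)'$")
FAILURE_MSG = "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"


def parse_line(line):
    """Split one charon log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_sa_record():
    return {"requested": set(), "ident": None, "assigned": [], "failure_sent": False}


def analyze(lines):
    """Group IKE messages per (connection name, IKE SA unique id).

    Each message is matched independently, so the result is the same whether
    the input is oldest-first or newest-first (as in the posted excerpt).
    """
    sas = defaultdict(new_sa_record)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["subsys"] != "IKE":
            continue
        state = sas[(rec["conn"], int(rec["sa"]))]
        msg = rec["msg"]
        if (m := REQUEST_RE.match(msg)):
            state["requested"].add("IPv6" if m["family"] == "%any6" else "IPv4")
        elif (m := NOT_FOUND_RE.match(msg)):
            state["ident"] = m["ident"]
        elif (m := ASSIGNED_RE.match(msg)):
            state["ident"] = m["ident"]
            state["assigned"].append(m["ip"])
        elif msg == FAILURE_MSG:
            state["failure_sent"] = True
    return dict(sas)


def vip_failures(lines):
    """Return only the SAs that were sent INTERNAL_ADDRESS_FAILURE."""
    return {k: v for k, v in analyze(lines).items() if v["failure_sent"]}


# Constructed sample: the five lines from the post with the identity replaced by
# a placeholder, plus a made-up SA that did get an address, for contrast.
SAMPLE_LOG = """\
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found for %any6 requested by 'user@example.com'
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> peer requested virtual IP %any6
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> no virtual IP found for %any requested by 'user@example.com'
Aug 24 18:08:40 charon 89976 11[IKE] <con-mobile|2> peer requested virtual IP %any
Aug 24 18:02:11 charon 89976 07[IKE] <con-mobile|1> assigning virtual IP 192.168.200.1 to peer 'other@example.com'
Aug 24 18:02:11 charon 89976 07[IKE] <con-mobile|1> peer requested virtual IP %any
""".splitlines()

if __name__ == "__main__":
    for (conn, sa), st in vip_failures(SAMPLE_LOG).items():
        print(f"{conn}#{sa}: {st['ident']} asked for {sorted(st['requested'])}, "
              f"no pool address available -> INTERNAL_ADDRESS_FAILURE")
```

The useful signal is the pairing: a "peer requested virtual IP" line with no matching "assigning virtual IP" line and a failure notify on the same SA means the responder had no pool to draw from for that peer, which is a server-side configuration problem rather than a client or authentication one.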
-
@w0w I am seeing the same INTERNAL_ADDRESS_FAILURE in a completely different IPSec environment. Sure looks like a regression as the same configuration functioned as expected in 23.05.1 as you have.
Ted Quade
-
What sort of mobile IPsec setup is it?
IKEv1 or v2? What type of EAP? What are your settings on the mobile tab and for the P1/P2 of the mobile tunnel?
Obviously we don't need the keys/secrets but we need a lot more to go on than "it's broken".
-
@jimp
Clients are a mix of Windows 10 and 11.

Gryphons Walk road worrier P1
IKE ID: 2
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Authentication Method: EAP-MSChapv2
My identifier: Fully qualified domain name, teddelee.net
Peer identifier: Any
My Certificate: Gryphons Walk Server Certificate
Encryption Algorithm: AES 256 bits, SHA256, DH Group 14 (2048 bit)
Encryption Algorithm: AES 256 bits, SHA512, DH Group 14 (2048 bit)
Life Time: 28800
Rekey Time: 25920
Reauth Time: 25920
Rand Time: 2880
Child SA Close Action: Default
NAT Traversal: Auto
MOBIKE: Enable
Dead Peer Detection: Enable DPD
Delay: 10
Max failures: 5

Gryphons Walk road worrier P2
Mode: Tunnel IPv4
Phase 1: Gryphons Walk road worrier P1 (IKE ID 2, Mobile)
P2 reqid: 2
Local Network: Network 0.0.0.0/0
NAT/BINAT translation: None
Phase 2 Proposal (SA/Key Exchange)
Protocol: ESP
Encryption Algorithms: AES 256 bits
Hash Algorithms: SHA1, SHA256, SHA512
PFS key group: off
Life Time: 3600
Rekey Time: 3240
Rand Time: 360

Enable IPsec Mobile Client Support
IKE Extensions: Enable IPsec Mobile Client Support
User Authentication: Local Database
Virtual Address Pool: 192.168.200.0/24
DNS Servers: Server #1 192.168.177.1
-
@jimp said in 23.09 IPSEC broken:
IKEv1 or v2?
V2
@jimp said in 23.09 IPSEC broken:
EAP?
EAP-MSChapv2
Clients are mostly Android phones. But I've played with the Windows client, and it was working just fine.
-
OK, I can reproduce it here.
I opened a redmine issue to track it:
-
I found the issue. There was recently a refactoring of some ipsec.inc code for PHP issues but a few references to the old variable style remained for mobile client config. I cleaned up what the automated tooling missed and now it works again.

It will be in the next snapshot or you can install the System Patches package and then create an entry for ceea1bd07b25ecb3061f3eda1a5137d2ead8311d to apply the fix. It should apply if you're on a recent enough snapshot, otherwise just wait for a snapshot dated after today and update later.
-