Netgate Discussion Forum
    iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64)

    12 Posts 3 Posters 1.5k Views
    • jonsteinmetz

      My VPN connections to my home network are no longer working after updating to 23.09. I am running pfSense on a Netgate SG-2440. VPN had been working fine before the update.

      Here are the IPsec logs:

      Nov 20 10:27:00	charon	6876	11[NET] <83> received packet: from 172.58.14.156[38352] to x.x.x.x[500] (783 bytes)
      Nov 20 10:27:00	charon	6876	11[ENC] <83> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Nov 20 10:27:00	charon	6876	11[CFG] <83> looking for an IKEv1 config for x.x.x.x...172.58.14.156
      Nov 20 10:27:00	charon	6876	11[CFG] <83> candidate: x.x.x.x...0.0.0.0/0, ::/0, prio 1052
      Nov 20 10:27:00	charon	6876	11[CFG] <83> found matching ike config: x.x.x.x...0.0.0.0/0, ::/0 with prio 1052
      Nov 20 10:27:00	charon	6876	11[IKE] <83> local endpoint changed from 0.0.0.0[500] to x.x.x.x[500]
      Nov 20 10:27:00	charon	6876	11[IKE] <83> remote endpoint changed from 0.0.0.0 to 172.58.14.156[38352]
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received FRAGMENTATION vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received NAT-T (RFC 3947) vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received XAuth vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received Cisco Unity vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> received DPD vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <83> 172.58.14.156 is initiating a Aggressive Mode IKE_SA
      Nov 20 10:27:00	charon	6876	11[IKE] <83> IKE_SA (unnamed)[83] state change: CREATED => CONNECTING
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selecting proposal:
      Nov 20 10:27:00	charon	6876	11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selecting proposal:
      Nov 20 10:27:00	charon	6876	11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selecting proposal:
      Nov 20 10:27:00	charon	6876	11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selecting proposal:
      Nov 20 10:27:00	charon	6876	11[CFG] <83> proposal matches
      Nov 20 10:27:00	charon	6876	11[CFG] <83> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Nov 20 10:27:00	charon	6876	11[CFG] <83> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Nov 20 10:27:00	charon	6876	11[CFG] <83> looking for XAuthInitPSK peer configs matching x.x.x.x...172.58.14.156[vpnusers@steinmetz-home.net]
      Nov 20 10:27:00	charon	6876	11[CFG] <83> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
      Nov 20 10:27:00	charon	6876	11[CFG] <83> selected peer config "con-mobile"
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> sending XAuth vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> sending DPD vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> sending FRAGMENTATION vendor ID
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> sending NAT-T (RFC 3947) vendor ID
      Nov 20 10:27:00	charon	6876	11[ENC] <con-mobile|83> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Nov 20 10:27:00	charon	6876	11[NET] <con-mobile|83> sending packet: from x.x.x.x[500] to 172.58.14.156[38352] (672 bytes)
      Nov 20 10:27:00	charon	6876	11[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (232 bytes)
      Nov 20 10:27:00	charon	6876	11[ENC] <con-mobile|83> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> local endpoint changed from x.x.x.x[500] to x.x.x.x[4500]
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> remote endpoint changed from 172.58.14.156[38352] to 172.58.14.156[18028]
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> queueing XAUTH task
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> local host is behind NAT, sending keep alives
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> remote host is behind NAT
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> activating new tasks
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> activating XAUTH task
      Nov 20 10:27:00	charon	6876	11[ENC] <con-mobile|83> generating TRANSACTION request 1753144327 [ HASH CPRQ(X_USER X_PWD) ]
      Nov 20 10:27:00	charon	6876	11[NET] <con-mobile|83> sending packet: from x.x.x.x[4500] to 172.58.14.156[18028] (124 bytes)
      Nov 20 10:27:00	charon	6876	05[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (140 bytes)
      Nov 20 10:27:00	charon	6876	05[ENC] <con-mobile|83> parsed INFORMATIONAL_V1 request 2207481420 [ HASH N(INITIAL_CONTACT) ]
      Nov 20 10:27:00	charon	6876	05[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (156 bytes)
      Nov 20 10:27:00	charon	6876	05[ENC] <con-mobile|83> parsed TRANSACTION response 1753144327 [ HASH CPRP(X_USER X_PWD) ]
      Nov 20 10:27:00	charon	6966	05[IKE] <con-mobile|83> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
      Nov 20 10:27:00	charon	6876	05[IKE] <con-mobile|83> XAuth-SCRIPT failed for user 'jon' with return status: -1.
      Nov 20 10:27:00	charon	6876	05[IKE] <con-mobile|83> Could not authenticate with XAuth secrets for 'x.x.x.x' - 'jon'
      Nov 20 10:27:00	charon	6876	05[IKE] <con-mobile|83> XAuth authentication of 'jon' failed
      Nov 20 10:27:00	charon	6876	05[IKE] <con-mobile|83> reinitiating already active tasks
      Nov 20 10:27:00	charon	6876	05[IKE] <con-mobile|83> XAUTH task
      Nov 20 10:27:00	charon	6876	05[ENC] <con-mobile|83> generating TRANSACTION request 688022786 [ HASH CPS(X_STATUS) ]
      Nov 20 10:27:00	charon	6876	05[NET] <con-mobile|83> sending packet: from x.x.x.x[4500] to 172.58.14.156[18028] (124 bytes)
      Nov 20 10:27:00	charon	6876	11[NET] <con-mobile|83> received packet: from 172.58.14.156[18028] to x.x.x.x[4500] (124 bytes)
      Nov 20 10:27:00	charon	6876	11[ENC] <con-mobile|83> parsed TRANSACTION response 688022786 [ HASH CPA(X_STATUS) ]
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> destroying IKE_SA after failed XAuth authentication
      Nov 20 10:27:00	charon	6876	11[IKE] <con-mobile|83> IKE_SA con-mobile[83] state change: CONNECTING => DESTROYING
      

      This seems like the most likely culprit to me:

      XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
      

      I have found some messages in various places suggesting rebooting the router might help but I have tried and it does not help. I am wondering if anyone has seen anything like this and has any suggestion.

      Thank you in advance.

      • teverett

        I have the same issue:

        Nov 22 16:31:01 charon 40560 15[IKE] <con-mobile|4> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
        Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed TRANSACTION response 2115188573 [ HASH CPRP(X_USER X_PWD) ]
        Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
        Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> parsed INFORMATIONAL_V1 request 3180770281 [ HASH N(INITIAL_CONTACT) ]
        Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> received packet: from 207.228.78.237[10482] to 198.166.24.90[4500] (92 bytes)
        Nov 22 16:31:01 charon 40018 15[NET] <con-mobile|4> sending packet: from 198.166.24.90[4500] to 207.228.78.237[10482] (76 bytes)
        Nov 22 16:31:01 charon 40018 15[ENC] <con-mobile|4> generating TRANSACTION request 2115188573 [ HASH CPRQ(X_USER X_PWD) ]

        • teverett @teverett

          I may have found a solution. Looking at the file system I see this:

          -rw-r--r--  1 root wheel 3638 Oct 31 13:54 ipsec.auth-user.php
          

          It seems that strongSwan needs that file to be executable. So I made it executable by owner and IPsec seems to work again.

          chmod 744 /etc/inc/ipsec.auth-user.php
          

          I don't know if there are security implications to doing this, and I also see that the file is writable by root, which seems strange to me since it's a script which I don't expect would change other than during upgrades. I left it writable for now since every file in /etc/inc seems to be 644.

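As an added example (not code from the thread, from pfSense or from strongSwan), a small POSIX shell audit for the permission problem described above: it checks that the XAuth hook at the path named in the log is executable by its owner and not writable by group or others, and classifies charon log lines so that a hook charon could not exec is not misread as a wrong password. The file path comes from the thread; the sample log lines are constructed from the first post, and the default path can be overridden with `$1` to check a copy elsewhere.

```shell
#!/bin/sh
# Added example (not code from the thread or pfSense): audit the XAuth hook
# charon exec()s, and triage charon log lines for the failure seen above.

# Returns 0 when the hook is owner-executable and not group/world-writable.
# charon must be able to exec() it (otherwise: "XAUTH-SCRIPT failed to
# execute script"), and only root should be able to edit a file that
# decides who authenticates. Default path is the one named in the log.
audit_xauth_script() {
    f="${1:-/etc/inc/ipsec.auth-user.php}"
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # mode bits via find -perm (octal), which behaves alike on FreeBSD and GNU find
    if [ -z "$(find "$f" -perm -100 2>/dev/null)" ]; then
        echo "not executable by owner: $f (the thread's fix: chmod 744)"
        rc=1
    fi
    if [ -n "$(find "$f" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        echo "writable by group or others: $f"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $f"
    return "$rc"
}

# Map a charon line to a coarse cause, so a hook that could not be exec'd
# is not misread as a wrong password (both end with "XAuth authentication
# of '<user>' failed" and a destroyed IKE_SA).
classify_charon_line() {
    case "$1" in
        *"XAUTH-SCRIPT failed to execute script"*) echo "hook-exec-failure" ;;
        *"XAuth-SCRIPT failed for user"*)          echo "hook-returned-error" ;;
        *"XAuth authentication of"*"failed"*)      echo "xauth-failed" ;;
        *"no acceptable INTEGRITY_ALGORITHM"*)     echo "proposal-skipped" ;;
        *"selected proposal:"*)                    echo "proposal-selected" ;;
        *"destroying IKE_SA after failed XAuth"*)  echo "sa-destroyed" ;;
        *)                                         echo "other" ;;
    esac
}

# Constructed sample: lines adapted from the log in the first post.
while IFS= read -r line; do
    printf '%-20s %s\n' "$(classify_charon_line "$line")" "$line"
done <<'EOF'
Nov 20 10:27:00 charon 6876 11[CFG] <83> no acceptable INTEGRITY_ALGORITHM found
Nov 20 10:27:00 charon 6966 05[IKE] <con-mobile|83> XAUTH-SCRIPT failed to execute script '/etc/inc/ipsec.auth-user.php'.
Nov 20 10:27:00 charon 6876 11[IKE] <con-mobile|83> destroying IKE_SA after failed XAuth authentication
EOF
audit_xauth_script "$1" || true
```

Run it on the firewall as root before and after the chmod from the post; a "proposal-skipped" line is normal here, since the log later shows "proposal matches".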
          • jonsteinmetz @teverett

            @teverett Excellent, that fixed my issue as well. Thank you very much.

            • teverett @jonsteinmetz

              @jonsteinmetz do you happen to have this problem?

              https://forum.netgate.com/topic/184293/unable-to-save-group-authentication

              • jonsteinmetz @teverett

                @teverett I will check shortly when I get home. Interestingly, while I can connect from my mobile device to my IPSec VPN I do not have access to the devices on my local network. Accessing the WAN while on VPN still seems to work. Accessing my local network did work previously. Hopefully there is some rule change I can make to access the local network.

                • jonsteinmetz @teverett

                  @teverett said in iPhone failing to connect to IPSec VPN after updating to 23.09-RELEASE (amd64):

                  https://forum.netgate.com/topic/184293/unable-to-save-group-authentication

                  Yep, mine is also displaying this issue.

                  • teverett @jonsteinmetz

                    @jonsteinmetz Hopefully both issues are fixed soon. I have an LDAP challenge too, but I don't know if that's related to the new release, an old bug or I'm just doing it wrong.

                    • teverett @jonsteinmetz

                      @jonsteinmetz I seem to have a similar issue. I used to be able to ping the default GW on my LAN, now I can't.

                      • jonsteinmetz @teverett

                        @teverett I found a solution for my routing issue. Under "VPN/IPsec/Advanced Settings/Auto-exclude LAN address" there is a checkbox "Enable bypass for LAN interface IP". In my case it was checked and unchecking it allowed my VPN client to see devices on the local network. I have no idea if that was checked before the update or not.

                        See https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html.

                        • teverett @jonsteinmetz

                          @jonsteinmetz In my case I had the network mask wrong in my phase 2. :)

                          The file permissions issue and the group authentication issue are still there however.

                          • JonathanLee

                            My Android will not even connect to external AP WiFi in 23.09. Other devices connect just fine.

                            Make sure to upvote

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.