Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC Authentication issue with most recent couple of snapshots.

    Scheduled Pinned Locked Moved 2.1 Snapshot Feedback and Problems - RETIRED
    5 Posts 4 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Eurisko
      last edited by

      I have encountered the strangest issue.
      NOTHING has changed in my configuration or IOS version on my iDevices. The only change made was I installed the recent snapshots.

      I know it was working prior to the Nov. 17th snapshots, I know it wasn't working with the snapshot from the 26th, or the current snapshot: 2.1-BETA0 (amd64)
      built on Thu Nov 29 20:21:43 EST 2012

      Every time I attempt to form an IPSEC VPN connection, I get a User Authentication Failed error.

      Here is the error in the logs:

      Nov 30 12:00:32 racoon: ERROR: Attempt to release an unallocated address (port 0)
      Nov 30 12:00:32 racoon: INFO: login failed for user "TestUser"
      Nov 30 12:00:32 racoon: INFO: Released port 0
      Nov 30 12:00:32 racoon: user 'TestUser' could not authenticate.
      Nov 30 12:00:32 racoon: INFO: Using port 0
      Nov 30 12:00:32 racoon: [Self]: INFO: ISAKMP-SA established 75.81.8.72[4500]-166.137.150.229[46237] spi:f904058abc90198f:b1232c8fa98f4a33
      Nov 30 12:00:32 racoon: INFO: Sending Xauth request
      Nov 30 12:00:32 racoon: INFO: NAT detected: ME PEER
      Nov 30 12:00:32 racoon: [166.137.150.229] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Nov 30 12:00:32 racoon: INFO: NAT-D payload #1 doesn't match
      Nov 30 12:00:32 racoon: INFO: NAT-D payload #0 doesn't match

      So, I confirmed the User account but going under diagnostics/authentication, and that works fine.

      Then I decided to use the shell to see ifI could get some better racoon logs. I used the following command from an SSH session:

      racoon -d -v -F -f/var/etc/ipsec/racoon.conf

      I test again, it works perfectly. I stop racoon in the shell, start it back up in the Web interface, test, and I get User Authentication Failed.

      I works great running it with those commands in the shell, but fails user authentication when started normally.

      Any thoughts or suggestions?

      1 Reply Last reply Reply Quote 0
      • B
        bmah
        last edited by

        I had this problem on two different systems, but I thought it was just me.  :-p

        Go to the VPN -> IPsec screen and click the "Mobile clients" tab.  At the top of the "Extended Authentication" section, what's selected for the "User Authentication" type?  In my case, I discovered that there wasn't anything selected; I needed to select "Local Database".  I can't remember if this was set previously, but after I did this and saved parameters, everything started working again.

        I don't recall exactly what update boundary I crossed but it was roughly mid-November to late-November.  The units in question were both Soekris 5501s running 2.1-BETA snapshots of i386 nanobsd (4GB).

        Hope this helps,

        Bruce.

        1 Reply Last reply Reply Quote 0
        • T
          Treffin
          last edited by

          I had the same issue the week before Thanksgiving.  My IPSEC stuff was working fine and I left town to visit family for the Thanksgiving holidays.  I had never had any problems with any of the beta updates failing to come back up and work properly –go figure.  I got to my destination and was logged back into my network via IPSEC and noticed that an update was available.  I pulled the trigger to allow the update.  Once it had completed I was unable to log back in via IPSEC for the duration of my trip.  Everything behind the firewall was working fine though (web server via v6, etc.).  When I got home I checked it out and noticed the "Local Database" user authentication option that didn't appear to be selected.  I selected it and saved the config.  That still didn't get it working.

          So I went back and on a second review, I noticed that the "Group Authentication" option was set to "system".  I normally have this configured to correspond to the group name that includes all of my VPN user logins.  I turned this off (set it to "none") and my IOS devices all began working properly again.  I don't know what changed in the past few versions, but something is different.  Now I guess I need to check whether it will work without that group name being assigned on the IOS device.  I'll do some more testing and report back once I have definitive info.  Meanwhile, setting it to "none" seems to work ok.

          Treffin (David)

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Some changes were made recently to allow not just local system auth but also LDAP/RADIUS auth with IPsec+xauth.

            It appears that the code used to assume that no settings meant to use the system users but now that there are multiple choices it may not be assuming any default.

            It may need a little upgrade code or to just assuming that nothing selected (or the old "system" value) means the same as Local Database.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • E
              Eurisko
              last edited by

              That did the trick! I had to set to Local Database & NONE as suggested, and that fixed it.

              Thanks!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.