IPSEC Authentication issue with most recent couple of snapshots.



  • I have encountered the strangest issue.
    NOTHING has changed in my configuration or IOS version on my iDevices. The only change made was I installed the recent snapshots.

I know it was working prior to the Nov. 17th snapshots, I know it wasn't working with the snapshot from the 26th, or the current snapshot: 2.1-BETA0 (amd64) built on Thu Nov 29 20:21:43 EST 2012

    Every time I attempt to form an IPSEC VPN connection, I get a User Authentication Failed error.

    Here is the error in the logs:

    Nov 30 12:00:32 racoon: ERROR: Attempt to release an unallocated address (port 0)
    Nov 30 12:00:32 racoon: INFO: login failed for user "TestUser"
    Nov 30 12:00:32 racoon: INFO: Released port 0
    Nov 30 12:00:32 racoon: user 'TestUser' could not authenticate.
    Nov 30 12:00:32 racoon: INFO: Using port 0
    Nov 30 12:00:32 racoon: [Self]: INFO: ISAKMP-SA established 75.81.8.72[4500]-166.137.150.229[46237] spi:f904058abc90198f:b1232c8fa98f4a33
    Nov 30 12:00:32 racoon: INFO: Sending Xauth request
    Nov 30 12:00:32 racoon: INFO: NAT detected: ME PEER
    Nov 30 12:00:32 racoon: [166.137.150.229] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Nov 30 12:00:32 racoon: INFO: NAT-D payload #1 doesn't match
    Nov 30 12:00:32 racoon: INFO: NAT-D payload #0 doesn't match

    So, I confirmed the User account by going under diagnostics/authentication, and that works fine.

    Then I decided to use the shell to see if I could get some better racoon logs. I used the following command from an SSH session:

    racoon -d -v -F -f/var/etc/ipsec/racoon.conf

    I test again, it works perfectly. I stop racoon in the shell, start it back up in the Web interface, test, and I get User Authentication Failed.

    It works great running it with those commands in the shell, but fails user authentication when started normally.

    Any thoughts or suggestions?

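The log excerpt in the post above shows the useful distinction for this kind of problem: the ISAKMP-SA is established and an Xauth request is sent, and only then does the login fail, so the PSK/phase 1 side is fine and the failure is in the Xauth backend. The following is an added example, not code from the thread or from pfSense, that classifies a racoon log excerpt along those lines. It assumes the message formats exactly as quoted above (the pfSense log page lists newest entries first, so the classifier counts events rather than trusting line order); the successful-login sample is constructed for comparison.

```python
import json
import re
from collections import Counter

# Constructed sample: the lines quoted in the post above, in the newest-first
# order the pfSense status log page shows them.
SAMPLE_FAILED = """\
Nov 30 12:00:32 racoon: ERROR: Attempt to release an unallocated address (port 0)
Nov 30 12:00:32 racoon: INFO: login failed for user "TestUser"
Nov 30 12:00:32 racoon: INFO: Released port 0
Nov 30 12:00:32 racoon: user 'TestUser' could not authenticate.
Nov 30 12:00:32 racoon: INFO: Using port 0
Nov 30 12:00:32 racoon: [Self]: INFO: ISAKMP-SA established 75.81.8.72[4500]-166.137.150.229[46237] spi:f904058abc90198f:b1232c8fa98f4a33
Nov 30 12:00:32 racoon: INFO: Sending Xauth request
Nov 30 12:00:32 racoon: INFO: NAT detected: ME PEER
Nov 30 12:00:32 racoon: [166.137.150.229] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Nov 30 12:00:32 racoon: INFO: NAT-D payload #1 doesn't match
Nov 30 12:00:32 racoon: INFO: NAT-D payload #0 doesn't match
"""

# Constructed sample of a successful exchange (not from the thread), so the
# classifier has a clean case to compare against.
SAMPLE_OK = """\
Nov 30 12:05:10 racoon: [Self]: INFO: ISAKMP-SA established 75.81.8.72[4500]-166.137.150.229[46237] spi:0123456789abcdef:fedcba9876543210
Nov 30 12:05:10 racoon: INFO: Sending Xauth request
Nov 30 12:05:11 racoon: INFO: login succeeded for user "TestUser"
"""

# One racoon syslog line: timestamp, optional "[context]", optional level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<ctx>[^\]]*)\]:? )?"
    r"(?:(?P<level>ERROR|WARNING|NOTIFY|INFO|DEBUG): )?"
    r"(?P<msg>.*)$"
)
SA_RE = re.compile(r"ISAKMP-SA established (?P<local>\S+)-(?P<peer>\S+) spi:(?P<spi>\S+)")
LOGIN_FAIL_RE = re.compile(r'login failed for user "(?P<user>[^"]+)"')


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a racoon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Classify an excerpt as no_data, phase1_failed, xauth_backend_failed or ok,
    and return the evidence the verdict rests on."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    records = [r for r in map(parse_line, lines) if r]
    sas, failed_users = [], Counter()
    xauth_requested = nat_t = pool_error = False
    for r in records:
        msg = r["msg"]
        if (m := SA_RE.search(msg)):
            sas.append((m["local"], m["peer"]))
        elif msg.startswith("Sending Xauth request"):
            xauth_requested = True
        elif (m := LOGIN_FAIL_RE.search(msg)):
            failed_users[m["user"]] += 1
        elif msg.startswith("NAT detected:"):
            nat_t = True  # NAT-T in use; NAT-D mismatches are expected then
        elif "unallocated address" in msg:
            pool_error = True  # no virtual address was ever assigned

    if not records:
        verdict = "no_data"
    elif not sas:
        verdict = "phase1_failed"      # never got past IKE phase 1
    elif failed_users:
        verdict = "xauth_backend_failed"  # phase 1 fine, user auth rejected
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "isakmp_sas": len(sas),
        "peers": sorted({peer.split("[")[0] for _, peer in sas}),
        "xauth_requested": xauth_requested,
        "failed_users": dict(failed_users),
        "nat_traversal": nat_t,
        "address_pool_error": pool_error,
        "parsed": len(records),
        "unparsed": len(lines) - len(records),
    }


if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        print(name, json.dumps(analyze(sample), indent=2))
```

Run against the quoted excerpt the verdict is `xauth_backend_failed` with `TestUser` as the rejected login and an address-pool error recorded, which points at the authentication source rather than at the phase 1 proposal or the pre-shared key.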


  • I had this problem on two different systems, but I thought it was just me.  :-p

    Go to the VPN -> IPsec screen and click the "Mobile clients" tab.  At the top of the "Extended Authentication" section, what's selected for the "User Authentication" type?  In my case, I discovered that there wasn't anything selected; I needed to select "Local Database".  I can't remember if this was set previously, but after I did this and saved parameters, everything started working again.

    I don't recall exactly what update boundary I crossed but it was roughly mid-November to late-November.  The units in question were both Soekris 5501s running 2.1-BETA snapshots of i386 nanobsd (4GB).

    Hope this helps,

    Bruce.



  • I had the same issue the week before Thanksgiving.  My IPSEC stuff was working fine and I left town to visit family for the Thanksgiving holidays.  I had never had any problems with any of the beta updates failing to come back up and work properly –go figure.  I got to my destination and was logged back into my network via IPSEC and noticed that an update was available.  I pulled the trigger to allow the update.  Once it had completed I was unable to log back in via IPSEC for the duration of my trip.  Everything behind the firewall was working fine though (web server via v6, etc.).  When I got home I checked it out and noticed the "Local Database" user authentication option that didn't appear to be selected.  I selected it and saved the config.  That still didn't get it working.

    So I went back and on a second review, I noticed that the "Group Authentication" option was set to "system".  I normally have this configured to correspond to the group name that includes all of my VPN user logins.  I turned this off (set it to "none") and my IOS devices all began working properly again.  I don't know what changed in the past few versions, but something is different.  Now I guess I need to check whether it will work without that group name being assigned on the IOS device.  I'll do some more testing and report back once I have definitive info.  Meanwhile, setting it to "none" seems to work ok.

    Treffin (David)


  • Rebel Alliance Developer Netgate

    Some changes were made recently to allow not just local system auth but also LDAP/RADIUS auth with IPsec+xauth.

    It appears that the code used to assume that no settings meant to use the system users but now that there are multiple choices it may not be assuming any default.

    It may need a little upgrade code, or to just assume that nothing selected (or the old "system" value) means the same as Local Database.



  • That did the trick! I had to set to Local Database & NONE as suggested, and that fixed it.

    Thanks!

