IPsec



  • Hi

    I just update my nokia 820 with WP8.1 and if i may ask when ipsec is ready to test on 2.2?.

    Thnaks



  • Normally you can test since you updated.

    Though i do not understand the post really well can you clarify more?



  • oh , is supposed ipsec service run? i can't start ipsec.

    I will delete my old config and do a new one and give some feedback.

    Update:
    can't start service IPsec. I have lots of: "charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory"

    • "/var/etc/ipsec/ipsec.d" - don't exist. Right path is "/var/etc/ipsec/crls",this dir is empty, probably is supposed to be.

    -  Each time i save duplicate the Remote Gateway. I said this before.



  • 2.2-ALPHA (amd64)
    built on Sun Apr 20 23:14:40 CDT 2014
    nanobsd (1g)

    
    Apr 21 10:46:48	charon: 16[CFG] received stroke: loglevel -1 for cfg
    Apr 21 10:46:47	charon: 15[CFG] received stroke: loglevel -1 for job
    Apr 21 10:46:47	charon: 13[CFG] received stroke: loglevel -1 for chd
    Apr 21 10:46:47	charon: 00[JOB] spawning 16 worker threads
    Apr 21 10:46:47	charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    Apr 21 10:46:47	charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
    Apr 21 10:46:47	charon: 00[CFG] loaded 0 RADIUS server configurations
    Apr 21 10:46:47	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loaded IKE secret for *******@gmail.com
    Apr 21 10:46:47	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 21 10:46:47	charon: 00[CFG] reading directory failed
    Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Apr 21 10:46:47	charon: 00[CFG] reading directory failed
    Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Apr 21 10:46:47	charon: 00[CFG] reading directory failed
    Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Apr 21 10:46:47	charon: 00[CFG] reading directory failed
    Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Apr 21 10:46:47	charon: 00[CFG] reading directory failed
    Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
    Apr 21 10:46:47	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Apr 21 10:46:47	charon: 00[CFG] ipseckey plugin is disabled
    Apr 21 10:46:47	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Apr 21 10:46:47	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Apr 21 10:46:47	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
    Apr 21 10:45:55	charon: 00[DMN] initialization failed - aborting charon
    Apr 21 10:45:55	charon: 00[LIB] failed to load 2 critical plugin features
    Apr 21 10:45:55	charon: 00[CFG] loaded 0 RADIUS server configurations
    Apr 21 10:45:55	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loaded IKE secret for *********@gmail.com
    Apr 21 10:45:55	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 21 10:45:55	charon: 00[CFG] reading directory failed
    Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Apr 21 10:45:55	charon: 00[CFG] reading directory failed
    Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Apr 21 10:45:55	charon: 00[CFG] reading directory failed
    Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Apr 21 10:45:55	charon: 00[CFG] reading directory failed
    Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Apr 21 10:45:55	charon: 00[CFG] reading directory failed
    Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
    Apr 21 10:45:55	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    
    


  • UPDATE: Switched to latest snapshot.

    Hi, I am also having trouble setting up IPSEC.

    2.2-ALPHA (amd64)
    built on Thu Apr 24 13:57:57 CDT 2014

    Last 50 IPsec log entries
    Apr 25 14:44:33	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Apr 25 14:44:33	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Apr 25 14:44:33	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] reading directory failed
    Apr 25 14:44:33	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] reading directory failed
    Apr 25 14:44:33	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] reading directory failed
    Apr 25 14:44:33	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] reading directory failed
    Apr 25 14:44:33	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] reading directory failed
    Apr 25 14:44:33	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 25 14:44:33	charon: 00[CFG] loaded IKE secret for 81.209.25.2
    Apr 25 14:44:33	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Apr 25 14:44:33	charon: 00[CFG] loaded 0 RADIUS server configurations
    Apr 25 14:44:33	charon: 00[LIB] failed to load 2 critical plugin features
    Apr 25 14:44:33	charon: 00[DMN] initialization failed - aborting charon
    Apr 25 14:44:35	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
    Apr 25 14:44:35	charon: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
    Apr 25 14:44:35	charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:libcharon-receiver
    Apr 25 14:44:35	charon: 00[CFG] ipseckey plugin is disabled
    Apr 25 14:44:35	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Apr 25 14:44:35	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Apr 25 14:44:35	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] reading directory failed
    Apr 25 14:44:35	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] reading directory failed
    Apr 25 14:44:35	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] reading directory failed
    Apr 25 14:44:35	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] reading directory failed
    Apr 25 14:44:35	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] reading directory failed
    Apr 25 14:44:35	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 25 14:44:35	charon: 00[CFG] loaded IKE secret for 81.209.25.2
    Apr 25 14:44:35	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Apr 25 14:44:35	charon: 00[CFG] loaded 0 RADIUS server configurations
    Apr 25 14:44:35	charon: 00[LIB] failed to load 2 critical plugin features
    Apr 25 14:44:35	charon: 00[DMN] initialization failed - aborting charon
    
    


  • Can you try with latest snapshots and see the results?



  • @ermal:

    Can you try with latest snapshots and see the results?

    Does not work for me either.  Fresh snapshot install, restore 2.1.2 working config.  IPSEC road warrior worked under 2.1.2, but same clients see negotiation time outs with 2.2 snapshots.

    IPSEC is shown as not running on the dashboard.  I'd suggest not turning off logging for alpha builds, leave it at some reasonable level, like 1.  I see logging turned off for cfg, job, chd, ike, mgr, dmn, like:

    
    charon: 12[CFG] received stroke: loglevel -1 for cfg
    
    

    I can turn on logging and post some logs if needed.



  • @charliem:

    IPSEC is shown as not running on the dashboard.  I'd suggest not turning off logging for alpha builds, leave it at some reasonable level, like 1.  I see logging turned off for cfg, job, chd, ike, mgr, dmn, like:

    
    charon: 12[CFG] received stroke: loglevel -1 for cfg
    
    

    I can turn on logging and post some logs if needed.

    Never mind the logging comments; I just now see that logging level is selectable on 'advanced settings' tab of IPSEC configuration.  Nice!  I'll check it out, they are all set to silent by default.



  • Looking through /etc/inc/ipsec.php, I think a few errors have crept in with the change to StrongSwan:

    function ipsec_smp_dump_status() {
            global $config, $g, $custom_listtags;
    
            if (!file_exists("{$g['varrun_path']}/charon.xml")) {
                    log_error("IPSec daemon seems to have issues or not running!");
                    return;
            }
    
            $fd = @fsockopen("unix://{$g['varrun_path']}/charon.xml");
            if (!$fd) {
                    log_error("Could not read status from ipsec");
                    return;
    
    

    The first check should be for charon.pid rather than charon.xml to see if ipsec is running.  This should explain why the pfSense gui shows ipsec as not running.

    Second, the socket connection attempt should to charon.ctl, rather than charon.xml, for communicating with the stroke plugin.  This should explain why the ipsec log level setting changes in the gui are not honored.

    [2.2-ALPHA][root@pfsense.localdomain]/var/run(22): ls -l /var/run/charon*
    srwxrwx---  1 root  wheel  0 May  2 10:57 /var/run/charon.ctl
    -rw-r--r--  1 root  wheel  6 May  2 10:57 /var/run/charon.pid
    srwxrwx---  1 root  wheel  0 May  2 10:57 /var/run/charon.wlst
    [2.2-ALPHA][root@pfsense.localdomain]/var/run(23):
    
    


  • Its using the xmp plugin and those paths are correct.

    You should see why smp plugin is not loading?



  • @ermal:

    Its using the xmp plugin and those paths are correct.

    You should see why smp plugin is not loading?

    You are right, smp plugin is not loading; Here is a restart log:

    May  6 16:03:00 pfsense charon: 00[DMN] signal of type SIGINT received. Shutting down
    May  6 16:03:11 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
    May  6 16:03:11 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    May  6 16:03:11 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    May  6 16:03:11 pfsense charon: 00[CFG] ipseckey plugin is disabled
    May  6 16:03:11 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    May  6 16:03:11 pfsense charon: 00[CFG]   loaded ca certificate "C=US, xxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
    May  6 16:03:11 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    May  6 16:03:11 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    May  6 16:03:11 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    May  6 16:03:11 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    May  6 16:03:11 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    May  6 16:03:11 pfsense charon: 00[CFG]   loaded IKE secret for vpnusers@moschelhome.com
    May  6 16:03:11 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
    le or directory
    May  6 16:03:11 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
    May  6 16:03:11 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
    random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
    s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-sim
     eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-ea
    p whitelist addrblock
    May  6 16:03:11 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    May  6 16:03:11 pfsense charon: 00[JOB] spawning 16 worker threads
    May  6 16:03:11 pfsense charon: 04[CFG] received stroke: add connection 'con1-1'
    May  6 16:03:11 pfsense charon: 04[CFG] added configuration 'con1-1'
    May  6 16:03:11 pfsense charon: 04[CFG] received stroke: route 'con1-1'
    May  6 16:03:11 pfsense charon: 04[CFG] installing trap failed, remote address unknown
    May  6 16:03:11 pfsense charon: 13[CFG] received stroke: add connection 'con1-1'
    May  6 16:03:11 pfsense charon: 13[CFG] added child to existing configuration 'con1-1'
    May  6 16:03:11 pfsense charon: 13[CFG] received stroke: route 'con1-1'
    May  6 16:03:11 pfsense charon: 13[CFG] installing trap failed, remote address unknown
    May  6 16:08:22 pfsense charon: 08[CFG] rereading secrets
    May  6 16:08:22 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    May  6 16:08:22 pfsense charon: 08[CFG]   loaded IKE secret for vpnusers@xxxxx.com
    May  6 16:08:22 pfsense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    May  6 16:08:22 pfsense charon: 08[CFG]   loaded ca certificate "C=US, xxxxxxxxxx, CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
    May  6 16:08:22 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    May  6 16:08:22 pfsense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    May  6 16:08:22 pfsense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    May  6 16:08:22 pfsense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for dmn
    May  6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel 0 for mgr
    May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for ike
    May  6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel -1 for chd
    May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel -1 for job
    May  6 16:08:24 pfsense charon: 07[CFG] received stroke: loglevel -1 for cfg
    May  6 16:22:30 pfsense charon: 16[NET] <1> received packet: from 173.15.xx.37[500] to 24.74.xx.yy[500] (564 bytes)
    
    

    Note this: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)

    I will try to up the [LIB] logging level and restart ipsec, but I have not signed the TLA so I can't look into the configuration or build side.



  • Its not related to tool repo at all you have everything in that image.

    Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
    Somehow you are missing a dependency there.



  • @ermal:

    Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
    Somehow you are missing a dependency there.

    There is no such plugin on my system, and I guess you need the tools repo to figure out why it's not being built.  This is an AMD64 image from yesterday.

    [2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(4): find / -iname \*smp\*
    /kernels/kernel_SMP.gz
    [2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(5): ls -l plugins
    total 1220
    -rwxr-xr-x  1 root  wheel    9349 May  6 05:20 libstrongswan-addrblock.so
    -rwxr-xr-x  1 root  wheel   38028 May  6 05:20 libstrongswan-aes.so
    -rwxr-xr-x  1 root  wheel   12613 May  6 05:20 libstrongswan-attr.so
    -rwxr-xr-x  1 root  wheel   17666 May  6 05:20 libstrongswan-blowfish.so
    -rwxr-xr-x  1 root  wheel   10380 May  6 05:20 libstrongswan-cmac.so
    -rwxr-xr-x  1 root  wheel   12403 May  6 05:20 libstrongswan-constraints.so
    -rwxr-xr-x  1 root  wheel   10856 May  6 05:20 libstrongswan-curl.so
    -rwxr-xr-x  1 root  wheel   29206 May  6 05:20 libstrongswan-des.so
    -rwxr-xr-x  1 root  wheel    9161 May  6 05:20 libstrongswan-dnskey.so
    -rwxr-xr-x  1 root  wheel   19555 May  6 05:20 libstrongswan-eap-aka-3gpp2.so
    -rwxr-xr-x  1 root  wheel   21748 May  6 05:20 libstrongswan-eap-aka.so
    -rwxr-xr-x  1 root  wheel   10874 May  6 05:20 libstrongswan-eap-dynamic.so
    -rwxr-xr-x  1 root  wheel    9472 May  6 05:20 libstrongswan-eap-identity.so
    -rwxr-xr-x  1 root  wheel   11081 May  6 05:20 libstrongswan-eap-md5.so
    -rwxr-xr-x  1 root  wheel   25868 May  6 05:20 libstrongswan-eap-mschapv2.so
    -rwxr-xr-x  1 root  wheel   19188 May  6 05:20 libstrongswan-eap-peap.so
    -rwxr-xr-x  1 root  wheel   48981 May  6 05:20 libstrongswan-eap-radius.so
    -rwxr-xr-x  1 root  wheel   14671 May  6 05:20 libstrongswan-eap-sim-file.so
    -rwxr-xr-x  1 root  wheel   22144 May  6 05:20 libstrongswan-eap-sim.so
    -rwxr-xr-x  1 root  wheel    9642 May  6 05:20 libstrongswan-eap-tls.so
    -rwxr-xr-x  1 root  wheel   18983 May  6 05:20 libstrongswan-eap-ttls.so
    -rwxr-xr-x  1 root  wheel    9219 May  6 05:20 libstrongswan-fips-prf.so
    -rwxr-xr-x  1 root  wheel   34630 May  6 05:20 libstrongswan-gmp.so
    -rwxr-xr-x  1 root  wheel   10151 May  6 05:20 libstrongswan-hmac.so
    -rwxr-xr-x  1 root  wheel   12819 May  6 05:20 libstrongswan-ipseckey.so
    -rwxr-xr-x  1 root  wheel   36303 May  6 05:20 libstrongswan-kernel-pfkey.so
    -rwxr-xr-x  1 root  wheel   26592 May  6 05:20 libstrongswan-kernel-pfroute.so
    -rwxr-xr-x  1 root  wheel    9550 May  6 05:20 libstrongswan-md4.so
    -rwxr-xr-x  1 root  wheel   10110 May  6 05:20 libstrongswan-md5.so
    -rwxr-xr-x  1 root  wheel    7390 May  6 05:20 libstrongswan-nonce.so
    -rwxr-xr-x  1 root  wheel  103975 May  6 05:20 libstrongswan-openssl.so
    -rwxr-xr-x  1 root  wheel   19993 May  6 05:20 libstrongswan-pem.so
    -rwxr-xr-x  1 root  wheel   19897 May  6 05:20 libstrongswan-pgp.so
    -rwxr-xr-x  1 root  wheel   14472 May  6 05:20 libstrongswan-pkcs1.so
    -rwxr-xr-x  1 root  wheel   14979 May  6 05:20 libstrongswan-pkcs12.so
    -rwxr-xr-x  1 root  wheel   34623 May  6 05:20 libstrongswan-pkcs7.so
    -rwxr-xr-x  1 root  wheel    9657 May  6 05:20 libstrongswan-pkcs8.so
    -rwxr-xr-x  1 root  wheel   10008 May  6 05:20 libstrongswan-pubkey.so
    -rwxr-xr-x  1 root  wheel    9426 May  6 05:20 libstrongswan-random.so
    -rwxr-xr-x  1 root  wheel   10070 May  6 05:20 libstrongswan-rc2.so
    -rwxr-xr-x  1 root  wheel   12288 May  6 05:20 libstrongswan-resolve.so
    -rwxr-xr-x  1 root  wheel   15030 May  6 05:20 libstrongswan-revocation.so
    -rwxr-xr-x  1 root  wheel   14382 May  6 05:20 libstrongswan-sha1.so
    -rwxr-xr-x  1 root  wheel   16210 May  6 05:20 libstrongswan-sha2.so
    -rwxr-xr-x  1 root  wheel   14942 May  6 05:20 libstrongswan-socket-default.so
    -rwxr-xr-x  1 root  wheel   13568 May  6 05:20 libstrongswan-sshkey.so
    -rwxr-xr-x  1 root  wheel  101821 May  6 05:20 libstrongswan-stroke.so
    -rwxr-xr-x  1 root  wheel   16166 May  6 05:20 libstrongswan-unbound.so
    -rwxr-xr-x  1 root  wheel   15377 May  6 05:20 libstrongswan-updown.so
    -rwxr-xr-x  1 root  wheel   12132 May  6 05:20 libstrongswan-whitelist.so
    -rwxr-xr-x  1 root  wheel   90623 May  6 05:20 libstrongswan-x509.so
    -rwxr-xr-x  1 root  wheel   10314 May  6 05:20 libstrongswan-xauth-eap.so
    -rwxr-xr-x  1 root  wheel   12961 May  6 05:20 libstrongswan-xauth-generic.so
    -rwxr-xr-x  1 root  wheel   10345 May  6 05:20 libstrongswan-xcbc.so
    [2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(6):
    
    

    [edit: add system info]



  • Ok fixed should show up on upcoming snaps.

    Thank you for the help.



  • @ermal:

    Ok fixed should show up on upcoming snaps.

    Well, the smp plugin is loaded OK now and charon.xml socket is created in /var/run.  (I note on the StronSwan plugins wiki page, the smp plugin is still classified as 'in development / incomplete').  There are still some issues:

    • gui still shows that ipsec is stopped
    • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
    • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
    • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

    [1] Actually the lines for negotiation are not exact duplicates: one line is preceded by the logging level like so:

    May  7 13:33:44 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    May  7 13:33:44 pfsense charon: 08[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    
    

    But this is far enough along for me to dig deeper and try to figure out why the negotiation is failing.

    Thanks for looking into this.



  • As of: Current version: 2.2-ALPHA Built On: Sun May 11 03:46:29 CDT 2014

    @charliem:

    • gui still shows that ipsec is stopped

    This one is fixed

    • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log

    This one is still there

    • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).

    This one is fixed

    • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

    This one is still there

    To date I've not been able to get Ipsec to work; I'm trying to get PSK mode working in road warrior mode, and charon is claiming to not find a shared key.  Configuration was working with 2.1.2, though by now I've tried lots of different configs.  Could be the 'ipseckey plugin is disabled' that's causing the issue?:

    May 11 23:35:01 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, FreeBSD 10.0-STABLE, amd64)
    May 11 23:35:01 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    May 11 23:35:01 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    May 11 23:35:01 pfsense charon: 00[CFG] ipseckey plugin is disabled
    May 11 23:35:01 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    May 11 23:35:01 pfsense charon: 00[CFG]  loaded ca certificate "C=US, ST=xxxxxxxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
    May 11 23:35:01 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    May 11 23:35:01 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    May 11 23:35:01 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    May 11 23:35:01 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    May 11 23:35:01 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    May 11 23:35:01 pfsense charon: 00[CFG]**  loaded IKE secret for vpnusers@no_place_special.com**
    May 11 23:35:01 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
    le or directory
    May 11 23:35:01 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
    May 11 23:35:01 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
    random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
    s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap
    -sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xaut
    h-eap whitelist addrblock
    May 11 23:35:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    May 11 23:35:01 pfsense charon: 00[JOB] spawning 16 worker threads

    Failing to find PSK:

    May 12 16:48:01 pfsense charon: 11[IKE] IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
    May 12 16:48:01 pfsense charon: 11[IKE] <con1-1|26>IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
    May 12 16:48:06 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
    May 12 16:48:06 pfsense charon: 11[NET] <27> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
    May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received NAT-T (RFC 3947) vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] received FRAGMENTATION vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received FRAGMENTATION vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] received Cisco Unity vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <27> received Cisco Unity vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
    May 12 16:48:06 pfsense charon: 11[IKE] <27> 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
    May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
    May 12 16:48:06 pfsense charon: 11[IKE] <27> IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
    May 12 16:48:06 pfsense charon: 11[CFG] looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
    May 12 16:48:06 pfsense charon: 11[CFG] <27> looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
    May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1"
    May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1"
    May 12 16:48:06 pfsense charon: 11[IKE] sending XAuth vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending XAuth vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] sending DPD vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending DPD vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] sending FRAGMENTATION vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending FRAGMENTATION vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending NAT-T (RFC 3947) vendor ID
    May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
    May 12 16:48:06 pfsense charon: 11[IKE] queueing INFORMATIONAL task
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>queueing INFORMATIONAL task
    May 12 16:48:06 pfsense charon: 11[IKE] activating new tasks
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating new tasks
    May 12 16:48:06 pfsense charon: 11[IKE]   activating INFORMATIONAL task
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating INFORMATIONAL task
    May 12 16:48:06 pfsense charon: 11[NET] sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
    May 12 16:48:06 pfsense charon: 11[NET] <con1-1|27>sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
    May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
    May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
    May 12 16:48:11 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
    May 12 16:48:11 pfsense charon: 11[NET] <28> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500]</con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|26> 
    


  • Can you try next snapshots?

    Also if you get issues on matching the ID try using an PSK with a name of 'allusers'.



  • Works for me now, thanks.  I did add 'any' and 'allusers', and also changed the client to use ip address as remote identity rather than 'key identifier'.  Not sure which did it.


  • Rebel Alliance Developer Netgate

    Check the format of ipsec.secrets. I added some code yesterday to make it properly honor the mobile tunnel identifier when it otherwise wouldn't.

    Using allusers can help but it sets up an anonymous PSK which may not be what you want for general mobile IPsec (but it would be what someone wants for L2TP+IPsec)



  • Yep, the image I'm using already has that commit.  Just now I took out the anonymous allusers and any PSK, and added the remote IP address.  It still connects OK with IP, I'll try to test key id later.

    I'm seeing the connection being destroyed due to initiator not reauthenticating though, but that may well be a config problem on the client end (shrewsoft).  Client is unaware that the connection is dropped.  Not sure why a timeout is announced 9 minutes before it's scheduled, and then the connection is dropped immediately.  What happened to the 9 minutes?

    May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>initiator did not reauthenticate as requested
    May 16 13:14:29 pfsense charon: 05[IKE] IKE_SA con1-1[19] will timeout in 9 minutes
    May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>IKE_SA con1-1[19] will timeout in 9 minutes
    May 16 13:14:56 pfsense charon: 07[IKE] <con1-1|19>delaying task initiation, QUICK_MODE exchange in progress
    May 16 13:15:00 pfsense charon: 07[IKE] giving up after 5 retransmits
    May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>giving up after 5 retransmits
    May 16 13:15:00 pfsense charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup
    May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>unable to reestablish IKE_SA due to asymmetric setup
    May 16 13:15:00 pfsense charon: 07[IKE] IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
    May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
    May 16 13:15:00 pfsense charon: 07[CFG] lease 192.168.3.1 by '10.5.60.58' went offline
    May 16 13:15:00 pfsense charon: 07[CFG] <con1-1|19>lease 192.168.3.1 by '10.5.60.58' went offline</con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19> 
    

  • Rebel Alliance Developer Netgate

    There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.


  • Rebel Alliance Developer Netgate

    In short:

    • Snap from this morning can't have more than one concurrent user connected, fixed now
    • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
    • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
    • If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)


  • [2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime
    Mon May 19 13:13:23 CDT 2014
    [2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki
    exec: /usr/local/bin/pki: not found
    [2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki
    [2.2-ALPHA][root@pfsense.localdomain]/root(7):
    
    

    Is this intentional?  Any valid reason not to include it?



  • Added mostly an oversight.

    Though why would one need it in a GUI environment is out of me.


  • Rebel Alliance Developer Netgate

    @jimp:

    • Snap from this morning can't have more than one concurrent user connected, fixed now

    Fixed on current snaps.

    @jimp:

    • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).

    Should be fixed on the next new snaps.

    @jimp:

    • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local

    That appears to be a difference in how strongswan and racoon operate mobile connections. It's going to be required to add that manually unless we add an option to automatically add it.

    Also L2TP+IPsec is almost working. More on that later.



  • @ermal:

    Though why would one need it in a GUI environment is out of me.

    So newbies like me can follow how-tos on the 'net, trying to learn  :)



  • Thanks for working on this.  I'm seeing the following (ask for more details if needed):

    • banner doesn't appear (shrewsoft client, banner appeared with racoon)
    • re-auth fails, client is oblivious (psk road warrior config)
    • No SAs or SPs appear on the web gui when connected
    • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

    Let me know if there is any particular testing or other info you need!  I'm pretty new to IPSEC, just trying to get my 2.1 config working under 2.2.

    BTW, the change to weakswan under psk aggressive is a strong motivator to learn a proper config ….


  • Rebel Alliance Developer Netgate

    @charliem:

    • banner doesn't appear (shrewsoft client, banner appeared with racoon)

    It shows up for me. Are you sure you're on a current snapshot?
    Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

    @charliem:

    • re-auth fails, client is oblivious (psk road warrior config)

    re-auth when? When the P1 expires? Or when the server restarts?

    @charliem:

    • No SAs or SPs appear on the web gui when connected

    That's expected at the moment, there's a ticket open. Those tabs may go away, all the info is on the first tab there's a button under each connection to view the child SAs.

    @charliem:

    • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

    What does that mean? Using the key id or IP address where on the client/server?



  • @jimp:

    @charliem:

    • banner doesn't appear (shrewsoft client, banner appeared with racoon)

    It shows up for me. Are you sure you're on a current snapshot?
    Though it appears to only allow a single line banner, where racoon allowed a multi-line banner.

    Current as of last night

    @jimp:

    @charliem:

    • re-auth fails, client is oblivious (psk road warrior config)

    re-auth when? When the P1 expires? Or when the server restarts?

    When P1 expires:

    May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>IKE_SA con1-1[4] established between 24.74.xx.yy[24.74.xx.yy]…173.15.aa.bb[10.5.60.58]
    May 21 10:33:46 pfsense charon: 01[IKE] scheduling reauthentication in 2828s
    May 21 10:33:46 pfsense charon: 01[IKE] <con1-1|4>scheduling reauthentication in 2828s</con1-1|4>
    May 21 10:33:46 pfsense charon: 01[IKE] maximum IKE_SA lifetime 3368s
    .
    .
    .
    May 21 11:20:06 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:20:26 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:20:26 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:20:46 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:20:46 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:20:54 pfsense charon: 16[IKE] initiator did not reauthenticate as requested  <== 2828 sec expires here
    May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>initiator did not reauthenticate as requested
    May 21 11:20:54 pfsense charon: 16[IKE] IKE_SA con1-1[4] will timeout in 9 minutes
    May 21 11:20:54 pfsense charon: 16[IKE] <con1-1|4>IKE_SA con1-1[4] will timeout in 9 minutes
    May 21 11:20:54 pfsense charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI c3d88eca and reqid {1}
    May 21 11:20:54 pfsense charon: 11[ENC] generating QUICK_MODE request 2100136337 [ HASH SA No ID ID ]
    May 21 11:20:54 pfsense charon: 11[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:20:58 pfsense charon: 16[IKE] sending retransmit 1 of request message ID 2100136337, seq 1
    May 21 11:20:58 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 1 of request message ID 2100136337, seq 1
    May 21 11:20:58 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:21:06 pfsense charon: 16[IKE] sending retransmit 2 of request message ID 2100136337, seq 1
    May 21 11:21:06 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 2 of request message ID 2100136337, seq 1
    May 21 11:21:06 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:21:19 pfsense charon: 16[IKE] sending retransmit 3 of request message ID 2100136337, seq 1
    May 21 11:21:19 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 3 of request message ID 2100136337, seq 1
    May 21 11:21:19 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:21:38 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:21:38 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:21:42 pfsense charon: 16[IKE] sending retransmit 4 of request message ID 2100136337, seq 1
    May 21 11:21:42 pfsense charon: 16[IKE] <con1-1|4>sending retransmit 4 of request message ID 2100136337, seq 1
    May 21 11:21:42 pfsense charon: 16[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:21:42 pfsense charon: 16[KNL] creating rekey job for ESP CHILD_SA with SPI c71c158f and reqid {1}
    May 21 11:22:01 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:22:01 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:22:21 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:22:21 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:22:24 pfsense charon: 01[IKE] sending retransmit 5 of request message ID 2100136337, seq 1
    May 21 11:22:24 pfsense charon: 01[IKE] <con1-1|4>sending retransmit 5 of request message ID 2100136337, seq 1
    May 21 11:22:24 pfsense charon: 01[NET] sending packet: from 24.74.xx.yy[4500] to 173.15.aa.bb[4500] (252 bytes)
    May 21 11:22:43 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:22:43 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:23:03 pfsense charon: 01[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:23:03 pfsense charon: 01[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:23:23 pfsense charon: 16[IKE] sending keep alive to 173.15.aa.bb[4500]
    May 21 11:23:23 pfsense charon: 16[IKE] <con1-1|4>sending keep alive to 173.15.aa.bb[4500]
    May 21 11:23:39 pfsense charon: 16[IKE] giving up after 5 retransmits
    May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>giving up after 5 retransmits
    May 21 11:23:39 pfsense charon: 16[IKE] unable to reestablish IKE_SA due to asymmetric setup
    May 21 11:23:39 pfsense charon: 16[IKE] <con1-1|4>unable to reestablish IKE_SA due to asymmetric setup
    May 21 11:23:39 pfsense charon: 16[KNL] unable to delete SAD entry with SPI ca40ad92: No such file or directory (2)
    May 21 11:23:39 pfsense charon: 16[CFG] lease 192.168.3.2 by '10.5.60.58' went offline</con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4></con1-1|4>

    @charliem:

    • connect by key-id doesn't work, but connect by ip-address does work (again, psk aggressive, aka weakswan :) )

    What does that mean? Using the key id or IP address where on the client/server?

    On pfSense I have to configure PSK entries for the ip addresses , and configure the shrewsoft client to use 'ip address (discovered remote host address)'.  Can't get 'key id' to work.  I'll pay more attention and give better details, or set up proper certs.


  • Rebel Alliance Developer Netgate

    It works for me using an ID, though I use "User FQDN" as the type. My "mobile" config is the same as what we have documented on the doc wiki for mobile IPsec on 2.x, since we are trying to ensure a smooth transition using the same settings as before.

    The reauth bit looks like the client didn't do what it should. I'm not sure what the server can do there to help, if anything.


Log in to reply