[2.2] Mobile clients not connecting anymore



  • hi.
    Since the upgrade to 2.2 my Mobile clients aren't able to connect to the VPN anymore. I used this well done guide which has been working until the upgrade to openSWAN of 2.2. As posted on the upgrade guide I fixed the phase2 entry which was working with racoon, and the VPN works great with an Ubuntu client, but my androids are failing to establish the connection.

    Does anyone know the needed changes for it to work again?
    Thanks



  • Look at this:
    https://forum.pfsense.org/index.php?topic=87553.0

    => there is a bug in the PSK identifier when it is used like user@domain.com. Neither an email-based nor a fully qualified domain name identifier works for me. Change that to an IP identifier like 1.1.1.1 (it does not need to be a real IP).
    That identifier works now!

    Bug:
    https://redmine.pfsense.org/issues/4126



  • thanks for the reply. I checked the issue and the diff but it doesn't match the vpn.inc source in my pfSense 2.2 install.
    Any idea why?



  • When your Android devices fail, what IPsec logs do you get?

    @Clouseau:

    Look at this:
    https://forum.pfsense.org/index.php?topic=87553.0

    => there is a bug in the PSK identifier when it is used like user@domain.com.

    That's not true and not relevant here, given Ubuntu machines work and just Android doesn't.



  • @cmb:

    That's not true and not relevant here, given Ubuntu machines work and just Android doesn't.

    Indeed this puzzled me… This is a portion of the log, I hope I got the correct lines since I have other vpns running:

    Jan 29 09:01:40 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
    Jan 29 09:01:40 pfyo charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received FRAGMENTATION vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received FRAGMENTATION vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received NAT-T (RFC 3947) vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received XAuth vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received XAuth vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received Cisco Unity vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received Cisco Unity vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> received DPD vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] received DPD vendor ID
    Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> ANDROIDIP is initiating a Aggressive Mode IKE_SA
    Jan 29 09:01:40 pfyo charon: 07[IKE] ANDROIDIP is initiating a Aggressive Mode IKE_SA
    Jan 29 09:01:40 pfyo charon: 07[CFG] looking for XAuthInitPSK peer configs matching PFSENSEIP...ANDROIDIP[vpnusers@domain.com]
    Jan 29 09:01:40 pfyo charon: 07[CFG] selected peer config "con4"
    Jan 29 09:01:40 pfyo charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Jan 29 09:01:40 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
    Jan 29 09:01:43 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
    Jan 29 09:01:43 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
    Jan 29 09:01:43 pfyo charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
    Jan 29 09:01:43 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
    Jan 29 09:01:44 pfyo charon: 07[IKE] <con4|9397>sending retransmit 1 of response message ID 0, seq 1
    Jan 29 09:01:44 pfyo charon: 07[IKE] sending retransmit 1 of response message ID 0, seq 1
    Jan 29 09:01:44 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
    Jan 29 09:01:45 pfyo charon: 07[IKE] <con1000|8701>sending DPD request
    Jan 29 09:01:45 pfyo charon: 07[IKE] sending DPD request
    Jan 29 09:01:45 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 3656135092 [ HASH N(DPD) ]
    Jan 29 09:01:46 pfyo charon: 07[ENC] parsed INFORMATIONAL_V1 request 2519074927 [ HASH N(DPD_ACK) ]
    Jan 29 09:01:46 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
    Jan 29 09:01:46 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
    Jan 29 09:01:46 pfyo charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
    Jan 29 09:01:46 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANDROIDIP[61809] (432 bytes)
    Jan 29 09:01:48 pfyo charon: 07[IKE] <con1000|8701>unable to reauthenticate in CHILD_SA REKEYING state, delaying for 18s
    Jan 29 09:01:48 pfyo charon: 07[IKE] unable to reauthenticate in CHILD_SA REKEYING state, delaying for 18s
    Jan 29 09:01:48 pfyo charon: 07[NET] received packet: from ANOTHERIP[500] to PFSENSEIP[500] (92 bytes)
    Jan 29 09:01:48 pfyo charon: 07[ENC] parsed INFORMATIONAL_V1 request 2836642412 [ HASH N(DPD) ]
    Jan 29 09:01:48 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 2010749931 [ HASH N(DPD_ACK) ]
    Jan 29 09:01:48 pfyo charon: 07[NET] sending packet: from PFSENSEIP[500] to ANOTHERIP[500] (92 bytes)
    Jan 29 09:01:49 pfyo charon: 07[IKE] <con2000|8801>sending DPD request
    Jan 29 09:01:49 pfyo charon: 07[IKE] sending DPD request
    Jan 29 09:01:49 pfyo charon: 07[ENC] generating INFORMATIONAL_V1 request 3608059943 [ HASH N(DPD) ]


  • no ideas? anyone else using mobile IPSec on 2.2? thanks



  • Hi,

    Just to add my voice to this, my iOS devices connect successfully, as do my Mac clients.

    Android just fails to connect.

    Same setup from pfSense 2.1, but on pfSense 2.2, Android devices just fail (sidenote, I wish I could see logs on Android of the connection/failure so I can at least try and figure out what Android is doing…)

    -=david=-



  • 
    Jan 29 09:01:46 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)

    Seeing this, there seems to be a device doing NAT in front of the Android device and changing ports, which does not make IPsec happy in general.
    Without having full details it's a bit of a problem to diagnose.



  • @ermal:

    Seeing this, there seems to be a device doing NAT in front of the Android device and changing ports, which does not make IPsec happy in general.
    Without having full details it's a bit of a problem to diagnose.

    Well, most of my Android VPN connections come from a NATted connection (i.e. when I'm at home connected to my wifi), and it has been working fine in 2.1.
    What full detail do you need? I'll try to provide them.



  • @maxxer:

    no ideas? anyone else using mobile IPSec on 2.2? thanks

    Having the same problem here, mobile devices (iPhone, iPad and Android) can't connect after 2.2 upgrade.



  • i can't ipsec into pfsense 2.2 box from iphone anymore. used to work on 2.1.3



  • I am having the same issues with IPsec and 2.2. Most of the pfSense online guides are for versions less than 2.1.5. Does anyone have a step by step guide that they can post for a verified working configuration utilizing IPsec on 2.2 with Shrew Client and Android 4.4 as the clients? Thanks!

    Joe



  • Please provide the logs to analyze this.
    Also read the RELEASE notes about the new update and changes with things to consider.



  • Moved…



  • Please open a new thread for your issue, but probably it's related to the fact that on the pfSense side you need to set the phase 2 to 0.0.0.0/0 for the client.
    It is on the release notes.



  • @ermal:

    Please open a new thread for your issue, but probably it's related to the fact that on the pfSense side you need to set the phase 2 to 0.0.0.0/0 for the client.
    It is on the release notes.

    Is this under the Local Network field? Currently I have it set to "LAN Subnet."



  • I managed to install a fresh new 2.2, configure using this howto, and captured this log. I hope this can help debug.
    Let me know if you need further debugging.
    thanks for the help.



  • I made some searches and tests myself.
    First I found a possible issue with missing leftsendcert=always, but doesn't seem to apply to this problem.
    Then I found an old thread about android and 2.2, and that seem to matter!

    I had to do two changes:

    • on the server set IPSec mobile to main mode

    • on the Android client remove the IPSec identifier field (leave blank)

    This way the VPN connection is established.
    Can anyone else please confirm?

    Sadly this way I have a regression: Ubuntu client won't connect anymore, it seems it's starting an aggressive mode connection thus fails…



  • Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.



  • @vocatus:

    Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.

    attaching here a working configuration for Android. Tested just with one device running Lollipop. NOT working with Ubuntu (seems it doesn't like main mode, just aggressive).
    IKE mode works both in auto, v1 or v2. Just make sure to leave blank group identifier on the phone configuration.






  • here is my config. works on mac os, ios 7.1.1, ios 8.0. cisco ipsec vpn




  • @maxxer:

    @vocatus:

    Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.

    attaching here a working configuration for Android. Tested just with one device running Lollipop. NOT working with Ubuntu (seems it doesn't like main mode, just aggressive).
    IKE mode works both in auto, v1 or v2. Just make sure to leave blank group identifier on the phone configuration.

    If we set Key Exchange version = auto,
    then Negotiation mode switches from aggressive to main.

    In this case macOS and iOS do not work.



  • @maxxer:

    I had to do two changes:

    • on the server set IPSec mobile to main mode

    • on the Android client remove the IPSec identifier field (leave blank)

    Some time ago I stumbled upon the fact that with the IPSec identifier left blank, Android will initiate with main mode; having something in this field will switch it to aggressive mode. This still applies to Android 5.0.



  • Hi,

    I can confirm too that by setting mode to main and removing the ipsec identifier, I'm able to connect to my VPN again using Android with Lollipop.

    So, is this a bug with Android and nothing we can do on pfSense, or is this something that we can fix on pfSense?

    Now then, will this configuration work for iOS….. :-)

    -=david=-



  • Do you see on the logs anything related to identity?

    This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.



  • Hi,

    I don't think it is only that tbh.

    First, I enabled "main" on my IPsec phase 1 entry, then removed from my Android the IPSec Identifier. I was able to connect successfully on Android.

    I then disconnected my Android, enabled "aggressive" on my IPsec phase 1 entry, kept the IPSec Identifier missing on Android. I was unable to connect successfully.

    Switching back to "main" allowed my Android to reconnect again.

    Then:

    Keeping "main" on my IPsec phase 1 entry, but this time filling in the IPSec identifier in Android to match the user distinguished name for my peer identifier doesn't result in a successful connection.

    Changing to "aggressive", keeping the IPsec identifier in Android doesn't result in a successful connection.

    Therefore, it appears to me (at least) that the only way I can get Android to connect is to enable "main" on pfSense and remove the IPsec identifier from Android's configuration.

    Hope this helps!

    -=david=-



  • Without logs, no, since I do not have an Android device!



  • I finally gave up on IPsec after iOS and PC clients could not connect after 2.2. I spent a few hours trying to get it working… got connections, but never figured out how to fix LAN routing.

    I gave OpenVPN a try and was pleasantly surprised: after 15 minutes of reading/wizards I got both iOS and PC clients connected and routing perfectly. Maybe the easiest VPN configuration ever. Thanks to the pfSense crew for making it so easy :-)



  • @ermal:

    Do you see on the logs anything related to identity?

    This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.

    This is the full log taken during my tests.

    Given this, isn't it better to work in main mode? Or does removing the identifier create a security problem? thanks
    [though this is not yet an acceptable solution to me, I cannot connect using Ubuntu's network manager strongswan]



  • This is quite clear here

    Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin'
    Feb 10 13:55:51 pfSense charon: 15[IKE] no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin'
    Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>EAP-MS-CHAPv2 verification failed, retry (1)

    Your ids are not matching with the ones you entered under EAP on pre-shared secrets.
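The two charon excerpts in this thread (the Android Aggressive Mode attempt posted earlier, and the "no EAP key found" lines just above) show two distinct failure shapes that are easy to mix up when several VPNs log into the same file. The script below is an added example written for this page, not pfSense or strongSwan code: it assumes charon's usual line shape (`NN[SUBSYS] <conname|sa>message`), groups lines by IKE_SA and reports either an SA where the client kept retransmitting its first message after our AGGRESSIVE response, or an SA whose presented identity matched no EAP/PSK secret. The sample lines are constructed from the thread's excerpts, keeping the poster's ANDROIDIP/PFSENSEIP placeholders and shortening the certificate DN to a placeholder.

```python
"""Triage helper for strongSwan (charon) IKEv1 logs, written for the two failure
shapes posted in this thread: a peer that keeps retransmitting its first
Aggressive Mode message, and an EAP identity that matches no secret."""
import ipaddress
import re
from collections import defaultdict

# Constructed samples modelled on the excerpts posted in the thread. The
# ANDROIDIP / PFSENSEIP placeholders are the poster's own; the certificate DN
# in the EAP line is replaced by a placeholder.
ANDROID_LOG = """\
Jan 29 09:01:40 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)
Jan 29 09:01:40 pfyo charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Jan 29 09:01:40 pfyo charon: 07[IKE] <9397> ANDROIDIP is initiating a Aggressive Mode IKE_SA
Jan 29 09:01:40 pfyo charon: 07[CFG] looking for XAuthInitPSK peer configs matching PFSENSEIP...ANDROIDIP[vpnusers@domain.com]
Jan 29 09:01:40 pfyo charon: 07[CFG] selected peer config "con4"
Jan 29 09:01:40 pfyo charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jan 29 09:01:43 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
Jan 29 09:01:44 pfyo charon: 07[IKE] <con4|9397>sending retransmit 1 of response message ID 0, seq 1
Jan 29 09:01:46 pfyo charon: 07[IKE] <con4|9397>received retransmit of request with ID 0, retransmitting response
"""
EAP_LOG = """\
Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>no EAP key found for hosts 'CN=pfSense-PLACEHOLDER' - 'admin'
Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>EAP-MS-CHAPv2 verification failed, retry (1)
"""

# "<date> <host> charon: NN[SUBSYS] [<conname|sa>]message", as charon writes it
LINE_RE = re.compile(r"charon: \d+\[(?P<sub>[A-Z]+)\] (?:<(?:[\w-]+\|)?(?P<sa>\d+)>\s*)?(?P<msg>.*)$")
MODE_RE = re.compile(r"is initiating a (?P<mode>Aggressive|Main) Mode IKE_SA")
PEER_RE = re.compile(r"peer configs matching (?P<me>\S+)\.\.\.(?P<peer>\S+)\[(?P<ident>[^\]]*)\]")
RETRANS_RE = re.compile(r"received retransmit of request with ID \d+")
EAP_RE = re.compile(r"no EAP key found for hosts '(?P<me>[^']*)' - '(?P<peer>[^']*)'")


def classify_identity(ident):
    """Name the IKE ID type a peer identity string implies."""
    try:
        ipaddress.ip_address(ident)
        return "address"          # what a client sends when its identifier is left blank
    except ValueError:
        return "user_fqdn" if "@" in ident else "fqdn"


def parse(log_text):
    """Yield (sa_id, subsystem, message) per charon line; sa_id is None on untagged lines."""
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            yield m.group("sa"), m.group("sub"), m.group("msg")


def _new_state():
    return {"mode": None, "identity": None, "retransmits": 0,
            "established": False, "eap_mismatch": None}


def triage(log_text):
    """Group lines by IKE_SA and return one finding per SA that shows a known failure shape."""
    per_sa = defaultdict(_new_state)
    last_sa = None   # CFG/ENC lines carry no <sa> tag; attribute them to the SA seen last
    for sa, _sub, msg in parse(log_text):
        sa = sa or last_sa
        if sa is None:
            continue
        last_sa = sa
        st = per_sa[sa]
        if (m := MODE_RE.search(msg)):
            st["mode"] = m.group("mode")
        elif (m := PEER_RE.search(msg)):
            st["identity"] = m.group("ident")
        elif RETRANS_RE.search(msg):
            st["retransmits"] += 1
        elif "established between" in msg:
            st["established"] = True
        elif (m := EAP_RE.search(msg)):
            st["eap_mismatch"] = (m.group("me"), m.group("peer"))

    findings = []
    for sa, st in per_sa.items():
        if st["eap_mismatch"]:
            me, peer = st["eap_mismatch"]
            findings.append({"sa": sa, "problem": "identity_mismatch", "peer_id": peer, "my_id": me,
                             "hint": "peer identity matches no entry under the pre-shared key / EAP secrets"})
        elif st["retransmits"] >= 2 and not st["established"]:
            ident = st["identity"]
            findings.append({"sa": sa, "problem": "stalled_after_first_reply", "mode": st["mode"],
                             "identity": ident, "id_type": classify_identity(ident) if ident else None,
                             "retransmits": st["retransmits"],
                             "hint": "peer never accepted our first reply: check negotiation mode, "
                                     "identifier type, and any NAT device rewriting ports in front of the client"})
    return findings


if __name__ == "__main__":
    for finding in triage(ANDROID_LOG) + triage(EAP_LOG):
        print(finding)
```

The `id_type` field is what ties the two halves of the thread together: the stalled Android SA presents a user_fqdn identity (`vpnusers@domain.com`) in Aggressive Mode, while a client whose identifier is left blank shows up as `address`, which is the case ermal describes where the connection then completes in main mode. The script only reads what charon already logs; it does not need access to the configuration or secrets.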



  • @ermal:

    This is quite clear here

    Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin'
    Feb 10 13:55:51 pfSense charon: 15[IKE] no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin'
    Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>EAP-MS-CHAPv2 verification failed, retry (1)

    Your ids are not matching with the ones you entered under EAP on pre-shared secrets.

    sorry for mixing things up, this must be the test I made from Ubuntu (strongswan client doesn't allow to enter a PSK)



  • @maxxer:

    @ermal:

    Do you see on the logs anything related to identity?

    This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.

    This is the full log taken during my tests.

    Given this, isn't it better to work in main mode? Or does removing the identifier create a security problem? thanks
    [though this is not yet an acceptable solution to me, I cannot connect using Ubuntu's network manager strongswan]

    Hi,

    Unfortunately, it seems that if you run main mode, then iOS clients fail to connect. It has to be aggressive for them!

    -=david=-



  • It means this will be fixed when support for multiple mobile sections is merged in.



  • rocking and rolling!!!! :-)

    mucho gracious! :-)

    -=david=-



  • Hi Again,

    would you happen to have the ticket/issue number for the new code to be merged in? I would like to add myself as a watcher :-)

    -=david=-



  • @ermal:

    It means this will be fixed when support for multiple mobile sections is merged in.

    what?



  • I have the same problem after the upgrade to version 2.2. The Android client goes into time-out, the Shrew client works (but I had to change the local network to 0.0.0.0/0 in phase 2).

    The solution for me was to change to main mode, so in pfSense I changed the negotiation mode in phase 1, in Shrew I changed the configuration to main mode, and in the Android clients I can't specify this mode, but if I leave the IPsec identifier blank, the client changes authentication to main mode.

    I don't know if this is a bug or what, I'll test better next time before upgrade ;-) (I've another problem with php version in another installation).

    Thank you



  • @maxxer:

    I had to do two changes:

    • on the server set IPSec mobile to main mode

    • on the Android client remove the IPSec identifier field (leave blank)

    To confirm, I had the same problem with my Android clients, and these two steps fixed it. I am now able to connect to my VPN from both of my Android 5.0 devices.



  • For the android clients there is strongswan app in market and it works, but quite differently, for me it does not route all traffic to VPN, only LAN subnet traffic.
    Anyway I did not have any luck with empty ID field on 4.1.2 android.



  • Empty ID field didn't work for us either, sadly.

