[Solved] IPSec IKEv2 in pfSense only allow one mobile client to connect.



  • A FIX IS HERE: https://github.com/pfsense/pfsense/commit/bfcb1e4a1cb43c8102978d98804adb53643a3c03

    ------------------------------------------------------------------------

    This is a weird problem that I just encountered. One or more mobile clients connecting with different identifiers will work; however, only one client at a time can send traffic.

    When no one is connected:

    First mobile client connected:

    SA when the first client connected:

    SP when the first client connected:

    When the second client connects:

    SA when both clients are connected (notice how the first one got zeroed out):

    SP when both are connected:

    The security policies are gone for the first client when the second client connects. However, whichever one disconnects, the other one will work.

    Log if interested:

    Feb  1 21:00:26 router charon: 08[CFG] rereading secrets
    Feb  1 21:00:26 router charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb  1 21:00:26 router charon: 08[CFG]  loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
    Feb  1 21:00:26 router charon: 08[CFG]  loaded EAP secret for %any Jerry@[redacted]
    Feb  1 21:00:26 router charon: 08[CFG]  loaded EAP secret for %any mobile@[redacted]
    Feb  1 21:00:26 router charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb  1 21:00:26 router charon: 08[CFG]  loaded ca certificate "[redacted]" from '/var/etc/ipsec/ipsec.d/cacerts/c1cb1f2e.0.crt'
    Feb  1 21:00:26 router charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb  1 21:00:26 router charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb  1 21:00:26 router charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb  1 21:00:26 router charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb  1 21:02:08 router charon: 00[DMN] signal of type SIGINT received. Shutting down
    Feb  1 21:02:08 router ipsec_starter[52723]: charon stopped after 200 ms
    Feb  1 21:02:08 router ipsec_starter[52723]: ipsec starter stopped
    Feb  1 21:02:16 router ipsec_starter[95497]: Starting strongSwan 5.2.1 IPsec [starter]…
    Feb  1 21:02:16 router ipsec_starter[95497]: no netkey IPsec stack detected
    Feb  1 21:02:16 router ipsec_starter[95497]: no KLIPS IPsec stack detected
    Feb  1 21:02:16 router ipsec_starter[95497]: no known IPsec stack detected, ignoring!
    Feb  1 21:02:16 router charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, amd64)
    Feb  1 21:02:16 router charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Feb  1 21:02:16 router charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Feb  1 21:02:16 router charon: 00[CFG] ipseckey plugin is disabled
    Feb  1 21:02:16 router charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb  1 21:02:16 router charon: 00[CFG]  loaded ca certificate "[redacted]" from '/var/etc/ipsec/ipsec.d/cacerts/c1cb1f2e.0.crt'
    Feb  1 21:02:16 router charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb  1 21:02:16 router charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb  1 21:02:16 router charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb  1 21:02:16 router charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb  1 21:02:16 router charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb  1 21:02:16 router charon: 00[CFG]  loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
    Feb  1 21:02:16 router charon: 00[CFG]  loaded EAP secret for %any Jerry@[redacted]
    Feb  1 21:02:16 router charon: 00[CFG]  loaded EAP secret for %any mobile@[redacted]
    Feb  1 21:02:16 router charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Feb  1 21:02:16 router charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb  1 21:02:16 router charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
    Feb  1 21:02:16 router charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    Feb  1 21:02:16 router charon: 00[JOB] spawning 16 worker threads
    Feb  1 21:02:16 router ipsec_starter[96111]: charon (96394) started after 40 ms
    Feb  1 21:02:16 router charon: 08[CFG] received stroke: add connection 'con1'
    Feb  1 21:02:16 router charon: 08[CFG] adding virtual IP address pool 10.0.100.0/25
    Feb  1 21:02:16 router charon: 08[CFG]  loaded certificate "[redacted]" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
    Feb  1 21:02:16 router charon: 08[CFG] added configuration 'con1'
    Feb  1 21:03:15 router charon: 15[NET] received packet: from [first client][36799] to [redacted][500] (996 bytes)
    Feb  1 21:03:15 router charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Feb  1 21:03:15 router charon: 15[IKE] <1> [first client] is initiating an IKE_SA
    Feb  1 21:03:15 router charon: 15[IKE] [first client] is initiating an IKE_SA
    Feb  1 21:03:15 router charon: 15[IKE] <1> remote host is behind NAT
    Feb  1 21:03:15 router charon: 15[IKE] remote host is behind NAT
    Feb  1 21:03:15 router charon: 15[IKE] <1> DH group MODP_2048 inacceptable, requesting MODP_1024
    Feb  1 21:03:15 router charon: 15[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][500] to [first client][36799] (38 bytes)
    Feb  1 21:03:15 router charon: 15[NET] received packet: from [first client][36799] to [redacted][500] (868 bytes)
    Feb  1 21:03:15 router charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Feb  1 21:03:15 router charon: 15[IKE] <2> [first client] is initiating an IKE_SA
    Feb  1 21:03:15 router charon: 15[IKE] [first client] is initiating an IKE_SA
    Feb  1 21:03:15 router charon: 15[IKE] <2> remote host is behind NAT
    Feb  1 21:03:15 router charon: 15[IKE] remote host is behind NAT
    Feb  1 21:03:15 router charon: 15[IKE] <2> sending cert request for "[redacted]"
    Feb  1 21:03:15 router charon: 15[IKE] sending cert request for "[redacted]"
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][500] to [first client][36799] (345 bytes)
    Feb  1 21:03:15 router charon: 15[NET] received packet: from [first client][44620] to [redacted][4500] (544 bytes)
    Feb  1 21:03:15 router charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    Feb  1 21:03:15 router charon: 15[IKE] <2> received cert request for "[redacted]"
    Feb  1 21:03:15 router charon: 15[IKE] received cert request for "[redacted]"
    Feb  1 21:03:15 router charon: 15[CFG] looking for peer configs matching [redacted][%any]…[first client][mobile@[redacted]]
    Feb  1 21:03:15 router charon: 15[CFG] selected peer config 'con1'
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>initiating EAP_IDENTITY method (id 0x00)
    Feb  1 21:03:15 router charon: 15[IKE] initiating EAP_IDENTITY method (id 0x00)
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Feb  1 21:03:15 router charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>peer supports MOBIKE
    Feb  1 21:03:15 router charon: 15[IKE] peer supports MOBIKE
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>authentication of '[redacted]' (myself) with RSA signature successful
    Feb  1 21:03:15 router charon: 15[IKE] authentication of '[redacted]' (myself) with RSA signature successful
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>sending end entity cert "[redacted]"
    Feb  1 21:03:15 router charon: 15[IKE] sending end entity cert "[redacted]"
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Feb  1 21:03:15 router charon: 15[ENC] splitting IKE message with length of 1696 bytes into 4 fragments
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 1 [ EF ]
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 1 [ EF ]
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 1 [ EF ]
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 1 [ EF ]
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (532 bytes)
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (532 bytes)
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (532 bytes)
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (308 bytes)
    Feb  1 21:03:15 router charon: 15[NET] received packet: from [first client][44620] to [redacted][4500] (112 bytes)
    Feb  1 21:03:15 router charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>received EAP identity 'mobile@[redacted]'
    Feb  1 21:03:15 router charon: 15[IKE] received EAP identity 'mobile@[redacted]'
    Feb  1 21:03:15 router charon: 15[IKE] <con1|2>initiating EAP_MSCHAPV2 method (id 0x73)
    Feb  1 21:03:15 router charon: 15[IKE] initiating EAP_MSCHAPV2 method (id 0x73)
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (112 bytes)
    Feb  1 21:03:15 router charon: 15[NET] received packet: from [first client][44620] to [redacted][4500] (160 bytes)
    Feb  1 21:03:15 router charon: 15[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Feb  1 21:03:15 router charon: 15[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Feb  1 21:03:15 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (144 bytes)
    Feb  1 21:03:16 router charon: 15[NET] received packet: from [first client][44620] to [redacted][4500] (80 bytes)
    Feb  1 21:03:16 router charon: 15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>EAP method EAP_MSCHAPV2 succeeded, MSK established
    Feb  1 21:03:16 router charon: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
    Feb  1 21:03:16 router charon: 15[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
    Feb  1 21:03:16 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (80 bytes)
    Feb  1 21:03:16 router charon: 15[NET] received packet: from [first client][44620] to [redacted][4500] (112 bytes)
    Feb  1 21:03:16 router charon: 15[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>authentication of 'mobile@[redacted]' with EAP successful
    Feb  1 21:03:16 router charon: 15[IKE] authentication of 'mobile@[redacted]' with EAP successful
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>authentication of '[redacted]' (myself) with EAP
    Feb  1 21:03:16 router charon: 15[IKE] authentication of '[redacted]' (myself) with EAP
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>IKE_SA con1[2] established between [redacted][[redacted]]…[first client][mobile@[redacted]]
    Feb  1 21:03:16 router charon: 15[IKE] IKE_SA con1[2] established between [redacted][[redacted]]…[first client][mobile@[redacted]]
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>scheduling reauthentication in 27857s
    Feb  1 21:03:16 router charon: 15[IKE] scheduling reauthentication in 27857s
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>maximum IKE_SA lifetime 28397s
    Feb  1 21:03:16 router charon: 15[IKE] maximum IKE_SA lifetime 28397s
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>peer requested virtual IP %any
    Feb  1 21:03:16 router charon: 15[IKE] peer requested virtual IP %any
    Feb  1 21:03:16 router charon: 15[CFG] assigning new lease to 'mobile@[redacted]'
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>assigning virtual IP 10.0.100.1 to peer 'mobile@[redacted]'
    Feb  1 21:03:16 router charon: 15[IKE] assigning virtual IP 10.0.100.1 to peer 'mobile@[redacted]'
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>peer requested virtual IP %any6
    Feb  1 21:03:16 router charon: 15[IKE] peer requested virtual IP %any6
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>no virtual IP found for %any6 requested by 'mobile@[redacted]'
    Feb  1 21:03:16 router charon: 15[IKE] no virtual IP found for %any6 requested by 'mobile@[redacted]'
    Feb  1 21:03:16 router charon: 15[IKE] <con1|2>CHILD_SA con1{1} established with SPIs cc016020_i 68467b31_o and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:03:16 router charon: 15[IKE] CHILD_SA con1{1} established with SPIs cc016020_i 68467b31_o and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:03:16 router charon: 15[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DNS U_SPLITINC U_SPLITINC U_SPLITINC U_SPLITINC U_SAVEPWD U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Feb  1 21:03:16 router charon: 15[NET] sending packet: from [redacted][4500] to [first client][44620] (464 bytes)
    Feb  1 21:03:51 router charon: 15[NET] received packet: from [second client][8525] to [redacted][500] (616 bytes)
    Feb  1 21:03:51 router charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb  1 21:03:51 router charon: 15[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    Feb  1 21:03:51 router charon: 15[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Feb  1 21:03:51 router charon: 15[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Feb  1 21:03:51 router charon: 15[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Feb  1 21:03:51 router charon: 15[IKE] <3> [second client] is initiating an IKE_SA
    Feb  1 21:03:51 router charon: 15[IKE] [second client] is initiating an IKE_SA
    Feb  1 21:03:51 router charon: 15[IKE] <3> remote host is behind NAT
    Feb  1 21:03:51 router charon: 15[IKE] remote host is behind NAT
    Feb  1 21:03:51 router charon: 15[IKE] <3> sending cert request for "[redacted]"
    Feb  1 21:03:51 router charon: 15[IKE] sending cert request for "[redacted]"
    Feb  1 21:03:51 router charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Feb  1 21:03:51 router charon: 15[NET] sending packet: from [redacted][500] to [second client][8525] (337 bytes)
    Feb  1 21:03:51 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (880 bytes)
    Feb  1 21:03:51 router charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Feb  1 21:03:51 router charon: 13[IKE] <3> received cert request for "[redacted]"
    Feb  1 21:03:51 router charon: 13[IKE] received cert request for "[redacted]"
    Feb  1 21:03:51 router charon: 13[IKE] <3> received 26 cert requests for an unknown ca
    Feb  1 21:03:51 router charon: 13[IKE] received 26 cert requests for an unknown ca
    Feb  1 21:03:51 router charon: 13[CFG] looking for peer configs matching [redacted][%any]…[second client][192.168.43.26]
    Feb  1 21:03:51 router charon: 13[CFG] selected peer config 'con1'
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>initiating EAP_IDENTITY method (id 0x00)
    Feb  1 21:03:51 router charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>peer supports MOBIKE
    Feb  1 21:03:51 router charon: 13[IKE] peer supports MOBIKE
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>authentication of '[redacted]' (myself) with RSA signature successful
    Feb  1 21:03:51 router charon: 13[IKE] authentication of '[redacted]' (myself) with RSA signature successful
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>sending end entity cert "[redacted]"
    Feb  1 21:03:51 router charon: 13[IKE] sending end entity cert "[redacted]"
    Feb  1 21:03:51 router charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Feb  1 21:03:51 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (1696 bytes)
    Feb  1 21:03:51 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (112 bytes)
    Feb  1 21:03:51 router charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>received EAP identity 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] received EAP identity 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>initiating EAP_MSCHAPV2 method (id 0x7A)
    Feb  1 21:03:51 router charon: 13[IKE] initiating EAP_MSCHAPV2 method (id 0x7A)
    Feb  1 21:03:51 router charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Feb  1 21:03:51 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (112 bytes)
    Feb  1 21:03:51 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (160 bytes)
    Feb  1 21:03:51 router charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Feb  1 21:03:51 router charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Feb  1 21:03:51 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (144 bytes)
    Feb  1 21:03:51 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (80 bytes)
    Feb  1 21:03:51 router charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>EAP method EAP_MSCHAPV2 succeeded, MSK established
    Feb  1 21:03:51 router charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
    Feb  1 21:03:51 router charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
    Feb  1 21:03:51 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (80 bytes)
    Feb  1 21:03:51 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (112 bytes)
    Feb  1 21:03:51 router charon: 13[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>authentication of '192.168.43.26' with EAP successful
    Feb  1 21:03:51 router charon: 13[IKE] authentication of '192.168.43.26' with EAP successful
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>authentication of '[redacted]' (myself) with EAP
    Feb  1 21:03:51 router charon: 13[IKE] authentication of '[redacted]' (myself) with EAP
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>IKE_SA con1[3] established between [redacted][[redacted]]…[second client][192.168.43.26]
    Feb  1 21:03:51 router charon: 13[IKE] IKE_SA con1[3] established between [redacted][[redacted]]…[second client][192.168.43.26]
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>scheduling reauthentication in 28073s
    Feb  1 21:03:51 router charon: 13[IKE] scheduling reauthentication in 28073s
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>maximum IKE_SA lifetime 28613s
    Feb  1 21:03:51 router charon: 13[IKE] maximum IKE_SA lifetime 28613s
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>peer requested virtual IP %any
    Feb  1 21:03:51 router charon: 13[IKE] peer requested virtual IP %any
    Feb  1 21:03:51 router charon: 13[CFG] assigning new lease to 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>assigning virtual IP 10.0.100.2 to peer 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] assigning virtual IP 10.0.100.2 to peer 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>peer requested virtual IP %any6
    Feb  1 21:03:51 router charon: 13[IKE] peer requested virtual IP %any6
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>no virtual IP found for %any6 requested by 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] no virtual IP found for %any6 requested by 'Jerry@[redacted]'
    Feb  1 21:03:51 router charon: 13[IKE] <con1|3>CHILD_SA con1{2} established with SPIs c02378fe_i 7bd9e152_o and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:03:51 router charon: 13[IKE] CHILD_SA con1{2} established with SPIs c02378fe_i 7bd9e152_o and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:03:51 router charon: 13[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DNS U_SPLITINC U_SPLITINC U_SPLITINC U_SPLITINC U_SAVEPWD U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Feb  1 21:03:51 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (464 bytes)
    Feb  1 21:03:53 router charon: 13[NET] received packet: from [second client][8537] to [redacted][4500] (112 bytes)
    Feb  1 21:03:53 router charon: 13[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Feb  1 21:03:53 router charon: 13[IKE] <con1|3>received retransmit of request with ID 5, retransmitting response
    Feb  1 21:03:53 router charon: 13[IKE] received retransmit of request with ID 5, retransmitting response
    Feb  1 21:03:53 router charon: 13[NET] sending packet: from [redacted][4500] to [second client][8537] (464 bytes)
    Feb  1 21:04:17 router charon: 06[NET] received packet: from [second client][8537] to [redacted][4500] (80 bytes)
    Feb  1 21:04:17 router charon: 06[ENC] parsed INFORMATIONAL request 6 [ D ]
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>received DELETE for ESP CHILD_SA with SPI 7bd9e152
    Feb  1 21:04:17 router charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 7bd9e152
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>closing CHILD_SA con1{2} with SPIs c02378fe_i (0 bytes) 7bd9e152_o (0 bytes) and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:04:17 router charon: 06[IKE] closing CHILD_SA con1{2} with SPIs c02378fe_i (0 bytes) 7bd9e152_o (0 bytes) and TS 10.0.0.0/24|/0 10.20.30.0/24|/0 192.168.99.0/24|/0 10.20.40.0/24|/0 === 10.0.100.0/25|/0
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>sending DELETE for ESP CHILD_SA with SPI c02378fe
    Feb  1 21:04:17 router charon: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c02378fe
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>CHILD_SA closed
    Feb  1 21:04:17 router charon: 06[IKE] CHILD_SA closed
    Feb  1 21:04:17 router charon: 06[ENC] generating INFORMATIONAL response 6 [ D ]
    Feb  1 21:04:17 router charon: 06[NET] sending packet: from [redacted][4500] to [second client][8537] (80 bytes)
    Feb  1 21:04:17 router charon: 06[NET] received packet: from [second client][8537] to [redacted][4500] (80 bytes)
    Feb  1 21:04:17 router charon: 06[ENC] parsed INFORMATIONAL request 7 [ D ]
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>received DELETE for IKE_SA con1[3]
    Feb  1 21:04:17 router charon: 06[IKE] received DELETE for IKE_SA con1[3]
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>deleting IKE_SA con1[3] between [redacted][[redacted]]…[second client][192.168.43.26]
    Feb  1 21:04:17 router charon: 06[IKE] deleting IKE_SA con1[3] between [redacted][[redacted]]…[second client][192.168.43.26]
    Feb  1 21:04:17 router charon: 06[IKE] <con1|3>IKE_SA deleted
    Feb  1 21:04:17 router charon: 06[IKE] IKE_SA deleted
    Feb  1 21:04:17 router charon: 06[ENC] generating INFORMATIONAL response 7 [ ]
    Feb  1 21:04:17 router charon: 06[NET] sending packet: from [redacted][4500] to [second client][8537] (80 bytes)
    Feb  1 21:04:17 router charon: 06[CFG] lease 10.0.100.2 by 'Jerry@[redacted]' went offline
    Feb  1 21:04:30 router charon: 12[NET] received packet: from [first client][44620] to [redacted][4500] (80 bytes)
    Feb  1 21:04:30 router charon: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
    Feb  1 21:04:30 router charon: 12[IKE] <con1|2>received DELETE for IKE_SA con1[2]
    Feb  1 21:04:30 router charon: 12[IKE] received DELETE for IKE_SA con1[2]
    Feb  1 21:04:30 router charon: 12[IKE] <con1|2>deleting IKE_SA con1[2] between [redacted][[redacted]]…[first client][mobile@[redacted]]
    Feb  1 21:04:30 router charon: 12[IKE] deleting IKE_SA con1[2] between [redacted][[redacted]]…[first client][mobile@[redacted]]
    Feb  1 21:04:30 router charon: 12[IKE] <con1|2>IKE_SA deleted
    Feb  1 21:04:30 router charon: 12[IKE] IKE_SA deleted
    Feb  1 21:04:30 router charon: 12[ENC] generating INFORMATIONAL response 6 [ ]
    Feb  1 21:04:30 router charon: 12[NET] sending packet: from [redacted][4500] to [first client][44620] (80 bytes)
    Feb  1 21:04:30 router charon: 12[CFG] lease 10.0.100.1 by 'mobile@[redacted]' went offline



  • From what it seems to me you have the same issue as https://forum.pfsense.org/index.php?topic=87857.0

    Check the solutions provided there and see if it fixes your issues.



  • @ermal:

    From what it seems to me you have the same issue as https://forum.pfsense.org/index.php?topic=87857.0

    Check the solutions provided there and see if it fixes your issues.

    Hi,

    I changed uniqueids to 'no'. However, I don't think the two problems are similar. In the other thread, the additional client is flat out not connecting. In my case, an additional client with different identifiers will connect (hence not the uniqueids problem). Instead, only the SP (security policies) for the most recently connected client is retained/used/displayed. Disconnecting any other one restores the SP for the client that connected previously.



  • Strange.

    Using a pool for the IP breaks things:

    # This file is automatically generated. Do not edit

    config setup
        uniqueids = no
        charondebug=""

    conn con1
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        left = 64.62.136.2
        leftid = @[redacted]
        ikelifetime = 28800s
        lifetime = 3600s
        rightsourceip = 10.0.100.0/24
        right = %any
        rightauth=eap-mschapv2
        rightsubnet = 10.0.100.0/24
        auto = add
        ike = aes256-sha256-modp1024!
        esp = aes256-sha1-modp1024,aes256-sha1-modp1024,aes256-sha1-modp1024,aes256-sha1-modp1024!
        eap_identity=%any
        leftauth=pubkey
        leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsubnet = 10.0.0.0/24,10.20.30.0/24,192.168.99.0/24,10.20.40.0/24

    However, defining an IP for each client works:

    # This file is automatically generated. Do not edit

    config setup
        uniqueids = no
        charondebug=""

    #conn con1
    conn %default
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        left = 64.62.136.2
        leftid = @[redacted]
        ikelifetime = 28800s
        lifetime = 3600s
        ike = aes256-sha256-modp1024!
        esp = aes256-sha1-modp1024,aes256-sha1-modp1024,aes256-sha1-modp1024,aes256-sha1-modp1024!
        eap_identity=%any
        leftauth=pubkey
        leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsubnet = 10.0.0.0/24,10.20.30.0/24,192.168.99.0/24,10.20.40.0/24

    conn Jerry
        rightsourceip = 10.0.100.2
        right = %any
        rightauth=eap-mschapv2
        rightid = Jerry@[redacted]
        auto = add

    conn mobile
        rightsourceip = 10.0.100.3
        right = %any
        rightauth=eap-mschapv2
        rightid = mobile@[redacted]
        auto = add

    conn mbp
        rightsourceip = 10.0.100.4
        right = %any
        rightauth=eap-mschapv2
        rightid = mbp@[redacted]
        auto = add

    conn any
        rightsourceip = 10.0.100.128/25
        rightsubnet = 10.0.100.128/25
        right = %any
        rightid = %any
        rightauth=eap-mschapv2
        auto = add

    Security policies (Two clients under same NAT, one under another NAT):



  • Got'em coach.

    The problem is that the generated conf is for site-to-site (presumably). Therefore it adds "rightsubnet" to the configuration, even though it is for mobile clients. If "rightsubnet" exists, every time a new mobile client connects, the SP gets replaced.

    To solve the problem, edit /etc/inc/vpn.inc and comment out the following (only if you are using mobile clients exclusively):

    
    if (!empty($rightsubnet_spec)) {
    	$tempsubnets = array();
    	foreach ($rightsubnet_spec as $rightsubnet)
    		$tempsubnets[$rightsubnet] = $rightsubnet;
    	$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
    	unset($tempsubnets, $rightsubnet);
    }
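A small lint for the condition diagnosed above, added here as an example and not pfSense's or strongSwan's own code: it parses an ipsec.conf in the shape of the ones posted (including conn %default inheritance) and reports mobile conns (right = %any with a rightsourceip pool) that also carry rightsubnet. The sample configs, addresses and identities are constructed.

```python
"""Lint an ipsec.conf for mobile conns that also set rightsubnet, the
combination that made charon replace the previous client's SP (constructed
example, not pfSense code)."""
import re

SECTION_RE = re.compile(r'^(config|conn|ca)\s+(\S+)$')
KV_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; conns are keyed by name, other sections
    keep their kind as prefix.  Accepts 'k = v' and 'k=v', drops '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # '#conn con1' is a comment
        if not line.strip():
            continue
        m = SECTION_RE.match(line.strip())
        if m:
            kind, name = m.groups()
            current = name if kind == 'conn' else f'{kind} {name}'
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance: a conn gets every default it does
    not set itself (strongSwan ipsec.conf semantics)."""
    defaults = sections.get('%default', {})
    conns = {}
    for name, kv in sections.items():
        if name == '%default' or name.startswith(('config ', 'ca ')):
            continue
        merged = dict(defaults)
        merged.update(kv)
        conns[name] = merged
    return conns


def is_mobile_conn(kv):
    """Road-warrior conn: any remote peer, addresses handed out from a pool."""
    return kv.get('right') == '%any' and 'rightsourceip' in kv


def find_conflicting_conns(text):
    """Names of mobile conns that also set rightsubnet: with that key present,
    a new mobile client's SP replaced the one of the client already connected."""
    conns = effective_conns(parse_ipsec_conf(text))
    return sorted(n for n, kv in conns.items()
                  if is_mobile_conn(kv) and 'rightsubnet' in kv)


# Constructed sample modelled on the pool-based config posted above; 'branch'
# is a site-to-site conn, where rightsubnet is legitimate and is not flagged.
BROKEN_CONF = """\
# This file is automatically generated. Do not edit
config setup
    uniqueids = no

conn con1
    keyexchange = ikev2
    left = 192.0.2.1
    leftsubnet = 10.0.0.0/24,10.20.30.0/24
    rightsourceip = 10.0.100.0/24
    right = %any
    rightauth=eap-mschapv2
    rightsubnet = 10.0.100.0/24
    auto = add

conn branch
    left = 192.0.2.1
    leftsubnet = 10.0.0.0/24
    right = 198.51.100.7
    rightsubnet = 172.16.0.0/24
    auto = add
"""

# What the vpn.inc fix amounts to: the same file without rightsubnet on con1.
FIXED_CONF = BROKEN_CONF.replace("    rightsubnet = 10.0.100.0/24\n", "")

# Per-client variant like the second posted config: 'right = %any' comes from
# %default, so inheritance must be applied before a conn can be classified.
PER_CLIENT_CONF = """\
conn %default
    keyexchange = ikev2
    left = 192.0.2.1
    leftsubnet = 10.0.0.0/24
    right = %any
    rightauth = eap-mschapv2

conn jerry
    rightsourceip = 10.0.100.2
    rightid = jerry@vpn.example
    auto = add
"""

if __name__ == '__main__':
    for label, conf in (('pool', BROKEN_CONF), ('fixed', FIXED_CONF), ('per-client', PER_CLIENT_CONF)):
        print(label, find_conflicting_conns(conf))
```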
    


  • Ok a fix has been pushed.
    Thank you for the analysis.



    Sorry for hijacking the thread, but I'm having trouble connecting from my mobile clients since the upgrade to 2.2.
    From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell us what differs from the wiki doc, or what changes you applied after the upgrade…

    thanks



  • @maxxer:

    Sorry for hijacking the thread, but I'm having trouble connecting from my mobile clients since the upgrade to 2.2.
    From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell us what differs from the wiki doc, or what changes you applied after the upgrade…

    thanks

    +1



  • A similar change has been applied to make the config work.
    https://github.com/pfsense/pfsense/commit/034a23f0ab3eb765eba53f44ec256272b3e80b17



  • @maxxer:

    Sorry for hijacking the thread, but I'm having trouble connecting from my mobile clients since the upgrade to 2.2.
    From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell us what differs from the wiki doc, or what changes you applied after the upgrade…

    thanks

    You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in layman's terms) encrypted with an X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then the peers (most likely the right side) that authenticate using EAP or an IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.



  • @ermal:

    A similar change has been applied to make the config work.
    https://github.com/pfsense/pfsense/commit/034a23f0ab3eb765eba53f44ec256272b3e80b17

    tried but with no change…



  • @zllovesuki:

    You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in layman's terms) encrypted with an X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then the peers (most likely the right side) that authenticate using EAP or an IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.

    But I didn't switch to IKEv2, I'm still on v1. And other than that my Ubuntu client connects without problems, just the Android ones fail :( I will gather some logs ASAP



  • Check the algorithms being used, mobiles are picky about those in general.
    Usually you increase the log level on the IKE SA to see what the client proposes.



  • @maxxer:

    @zllovesuki:

    You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in layman's terms) encrypted with an X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then the peers (most likely the right side) that authenticate using EAP or an IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.

    But I didn't switch to IKEv2, I'm still on v1. And other than that my Ubuntu client connects without problems, just the Android ones fail :( I will gather some logs ASAP

    I am on V2 and, surprisingly, V1 is actually making things more difficult.



  • @zllovesuki:

    Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.

    So to use IPsec with IKEv2 you need to import a cert on the mobile client?

    I managed to get IPSec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but I cannot get it to authenticate.
    I found here that Android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here…



  • @maxxer:

    @zllovesuki:

    Therefore, every mobile client needs to have the self-signed CA installed. For the strongSwan client, the X.509 server certificate needs to be installed as well.

    So to use IPsec with IKEv2 you need to import a cert on the mobile client?

    I managed to get IPSec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but I cannot get it to authenticate.
    I found here that Android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here…

    Yes, you need to install/import the CA that issued the IPSec certificate.