Netgate Discussion Forum

    PSKs incorrect in ipsec.secrets - Still an Issue in 2.2.1

    IPsec
    12 Posts 2 Posters 2.7k Views
    anomaly0617

      This still appears to be an issue for me with 2.2.1, which has the new IPSec daemon, even though the Bug Status is set to "resolved".

      Reference

      Bug/Issue

      Here are my test steps:

      • I took a new firewall, freshly loaded and configured. Here's the System Information screen.

      • I set up a site-to-site VPN tunnel to my office. Works fine.

      • This firewall has never had RoadWarrior VPN set up on it prior to today.

      • I then referenced a pfSense 2.1.5 firewall that is at one of my customers and is in active RoadWarrior use on a daily basis by their travelling staff.
        I made sure to duplicate the settings exactly between them.
        I don't want to upgrade them to 2.2.x until I can successfully make this work. There are too many of them for me to run around (again) and set up new VPN profiles on all of their devices.

        • Mobile Clients Screen

        • Mobile Clients Phase 1

        • Mobile Clients Phase 2

        • Pre-Shared Keys Screen

        • My Pre-Shared Key Profile

      • I exported my working ShrewSoft VPN configuration for their office to a .vpn file.

      • I imported the file in, changing the name to my test firewall location.

      • I changed the hostname, the DNS/WINS IP addresses for name resolution, and the network topology settings. Otherwise I left everything else exactly the same.
        I did copy the PSK for my account from the test firewall's VPN -> IPSec -> Pre-Shared Keys -> [Edit My User] -> Pre-Shared Key field into the VPN profile's Pre-Shared Key field just to make absolutely positively sure that they match up perfectly.

        • ShrewSoft Profile General Tab

        • ShrewSoft Profile Client Tab

        • ShrewSoft Profile Name Resolution DNS Tab

        • ShrewSoft Profile Name Resolution DNS Tab

        • ShrewSoft Profile Name Resolution DNS Tab

        • ShrewSoft Profile Name Resolution DNS Tab

        • ShrewSoft Profile Name Resolution WINS Tab

        • ShrewSoft Profile Authentication Local ID Tab

        • ShrewSoft Profile Authentication Remote ID Tab

        • ShrewSoft Profile Authentication Credentials Tab

        • ShrewSoft Profile Phase 1

        • ShrewSoft Profile Phase 2

        • ShrewSoft Profile Policy

      • I went to the destination firewall via the external web admin access and cleared the VPN logs so I can maybe find the traffic I need (this new ipsec daemon is REALLY chatty!)

      • I made sure I had a public IP address on my laptop and could VPN to my customer's office (Success).

      • I try to VPN to my test firewall, and get a negotiation timeout occurred message.

      • I go look at the logs, and find the "no shared key found for" message for my email address.

      • I SSH into the back end of the firewall, and look at /var/etc/ipsec/ipsec.secrets (screenshot: http://i172.photobucket.com/albums/w17/anomaly0617/pfSense%20RoadWarrior%20VPN%20Bug/pfSense_IPSec_Secrets_zpslxcfskpj.jpg)

        It all looks good to me. Can anyone help me fix this problem?

        Let me know if you need further screenshots/documentation. :-)

      Hope this Helps!

      anomaly0617

        I hate to be that guy, but…. bump

        Hope this Helps!

        cmb

          That's not the same issue for sure. The only gotcha I see there is editing the user doesn't immediately update the ipsec.secrets, you have to go to VPN>IPsec and hit Save.

          You mentioned email, the username is actually what gets put into ipsec.secrets, there is no email associated with user accounts. If you just use your username, I'm guessing it'll work. They are put in there correctly.

          anomaly0617
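The "no shared key found for" log line in the first post and cmb's point that it is the identifier on the PSK tab, not an email, that lands in ipsec.secrets both come down to one question: does the identifier the client presents match a selector in that file exactly? The following is an added example (not from the thread, pfSense or strongSwan) that parses a constructed ipsec.secrets in strongSwan syntax, looks up an identity the way the daemon roughly does (exact selector match, with a selector-less or %any line as fallback, an assumption), and explains a miss as a case mismatch, a username-vs-email mismatch, or a genuinely missing entry:

```python
import re

# Constructed sample in strongSwan ipsec.secrets syntax; not copied from the thread.
SAMPLE_SECRETS = """\
# site-to-site tunnel keyed by peer addresses
203.0.113.10 198.51.100.5 : PSK "s2s-example-key"
# mobile (road warrior) PSKs keyed by the identifier the client presents
dsmith@example.com : PSK "rw-example-key-1"
jdoe : PSK "rw-example-key-2"
"""

# selectors : PSK "secret"   (secret may also be unquoted)
PSK_LINE = re.compile(r'^(?P<ids>.*?)\s*:\s*PSK\s+(?:"(?P<q>[^"]*)"|(?P<bare>\S+))\s*$')


def parse_secrets(text):
    """Return (selectors, secret) pairs for PSK lines; [] selectors = applies to any peer."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = PSK_LINE.match(line)
        if m:  # non-PSK lines (RSA, EAP, ...) are ignored here
            secret = m.group('q') if m.group('q') is not None else m.group('bare')
            entries.append((m.group('ids').split(), secret))
    return entries


def lookup_psk(entries, identity):
    """PSK for `identity`, or None, which is what 'no shared key found for' means.
    Assumption: an exact selector match wins; a selector-less/%any line is the fallback."""
    fallback = None
    for selectors, secret in entries:
        if not selectors or '%any' in selectors:
            fallback = fallback if fallback is not None else secret
        elif identity in selectors:
            return secret
    return fallback


def diagnose(text, identity):
    """Explain a miss: exact hit, case-only difference, username-vs-email difference, or absent."""
    entries = parse_secrets(text)
    if lookup_psk(entries, identity) is not None:
        return 'ok'
    local = identity.split('@', 1)[0]          # part before any @ in the client identifier
    for s in (sel for sels, _ in entries for sel in sels):
        if s.lower() == identity.lower():
            return f'case mismatch: secrets file has {s!r}'
        if s.split('@', 1)[0] == local:
            return f'identifier mismatch: secrets file has {s!r}, client sent {identity!r}'
    return f'no shared key found for {identity!r}'
```

Run `diagnose` against a copy of the file and the identifier from the client's Local ID tab; the daemon only tells you that no key matched, this also tells you how close the nearest entry is.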

            @cmb:

            That's not the same issue for sure. The only gotcha I see there is editing the user doesn't immediately update the ipsec.secrets, you have to go to VPN>IPsec and hit Save.

            You mentioned email, the username is actually what gets put into ipsec.secrets, there is no email associated with user accounts. If you just use your username, I'm guessing it'll work. They are put in there correctly.

            Hi cmb,

            First, thanks for the response!

            I'm aware that email addresses do not necessarily equal user accounts, however many of us do have email accounts out there as the username because of how unique it really is… (I can have 5 dsmiths but only one dsmith@thatdomain.com)

            As a result, this method of setting a username and a PSK has worked from pfSense 1.2.3 on through 2.1.5 or 2.1.6, but as of 2.2 and beyond the @ sign or some other factor that I'm not aware of seems to have broken it.

            So the issue is that in cases where I have 30-50 road warrior users out there with their email address as their username, fixing it would require generating new accounts and touching every device prior to upgrading the firewall. If there's a fix to the problem on the horizon, I'd rather wait for it. :-)

            Hope this Helps!

            cmb

              I mis-read that "edit my user" part as meaning users in the user manager. The @ character isn't an accepted username for the user manager, and never has been. You're actually using the VPN>IPsec, PSK tab, where emails are fine. What you're describing should work, I'll double check that with the Shrew Soft config you're showing when I have a moment.

              anomaly0617

                @cmb:

                I mis-read that "edit my user" part as meaning users in the user manager. The @ character isn't an accepted username for the user manager, and never has been. You're actually using the VPN>IPsec, PSK tab, where emails are fine. What you're describing should work, I'll double check that with the Shrew Soft config you're showing when I have a moment.

                Cool. Thanks, cmb! PM me if you need access to a test firewall. I can easily make one available to you.

                Hope this Helps!

                cmb

                  Could you re-test this on 2.2.3? Snapshots available at https://snapshots.pfsense.org. I don't see any issues here.

                  anomaly0617

                    Sure, I'll test-upgrade a firewall over the weekend and see if the problem is resolved. :-)

                    Hope this Helps!

                    cmb

                      Thanks. I'll be around this weekend, would like to look into it with you if it's still an issue.

                      anomaly0617

                        @cmb:

                        Thanks. I'll be around this weekend, would like to look into it with you if it's still an issue.

                        No luck, cmb. I'm going to PM you some remote login details now. :-)

                        Hope this Helps!

                        cmb

                          The issue was this:
                          https://redmine.pfsense.org/issues/4781

                          It works now. I applied that change to the 2.2.3 system you brought up, and can connect fine now. If you can confirm as well, that'd be appreciated.

                          Thanks for your help!

                          anomaly0617

                            @cmb:

                            The issue was this:
                            https://redmine.pfsense.org/issues/4781

                            It works now. I applied that change to the 2.2.3 system you brought up, and can connect fine now. If you can confirm as well, that'd be appreciated.

                            Thanks for your help!

                            I'll check this afternoon when I make it back to a location I can check it from. Thanks, cmb!

                            Hope this Helps!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.