PSKs incorrect in ipsec.secrets - Still an Issue in 2.2.1
-
This still appears to be an issue for me with 2.2.1, which has the new IPSec daemon, even though the Bug Status is set to "resolved".
Here are my test steps:
-
I took a new firewall, freshly loaded and configured. Here's the System Information screen.
-
I set up a site-to-site VPN tunnel to my office. Works fine.
-
This firewall has never had RoadWarrior VPN set up on it prior to today.
-
I then referenced a pfSense 2.1.5 firewall that is at one of my customers and is in active RoadWarrior use on a daily basis by their travelling staff.
I made sure to duplicate the settings exactly between them.
I don't want to upgrade them to 2.2.x until I can successfully make this work. There are too many of them for me to run around (again) and set up new VPN profiles on all of their devices. -
I exported my working ShrewSoft VPN configuration for their office to a .vpn file.
-
I imported the file in, changing the name to my test firewall location.
-
I changed the hostname, the DNS/WINS IP addresses for name resolution, and the network topology settings. Otherwise I left everything else exactly the same.
I did copy the PSK for my account from the test firewall's VPN -> IPSec -> Pre-Shared Keys -> [Edit My User] -> Pre-Shared Key field into the VPN profile's Pre-Shared Key field just to make absolutely positively sure that they match up perfectly. -
I went to the destination firewall via the external web admin access and cleared the VPN logs so I can maybe find the traffic I need (this new ipsec daemon is REALLY chatty!)
-
I made sure I had a public IP address on my laptop and could VPN to my customer's office (Success).
-
I try to VPN to my test firewall, and get a negotiation timeout occurred message.
-
I go look at the logs, and find the "no shared key found for" message for my email address.
-
I SSH in to the back end of the firewall, and look at [/var/etc/ipsec/ipsec.secrets
It all looks good to me. Can anyone help me fix this problem?
Let me know if you need further screenshots/documentation. :-)](http://i172.photobucket.com/albums/w17/anomaly0617/pfSense RoadWarrior VPN Bug/pfSense_IPSec_Secrets_zpslxcfskpj.jpg)
-
-
I hate to be that guy, but…. bump
-
That's not the same issue for sure. The only gotcha I see there is editing the user doesn't immediately update the ipsec.secrets, you have to go to VPN>IPsec and hit Save.
You mentioned email, the username is actually what gets put into ipsec.secrets, there is no email associated with user accounts. If you just use your username, I'm guessing it'll work. They are put in there correctly.
-
@cmb:
That's not the same issue for sure. The only gotcha I see there is editing the user doesn't immediately update the ipsec.secrets, you have to go to VPN>IPsec and hit Save.
You mentioned email, the username is actually what gets put into ipsec.secrets, there is no email associated with user accounts. If you just use your username, I'm guessing it'll work. They are put in there correctly.
Hi cmb,
First, thanks for the response!
I'm aware that email addresses do not necessarily equal user accounts, however many of us do have email accounts out there as the username because of how unique it really is… (I can have 5 dsmiths but only one dsmith@thatdomain.com)
As a result, this method of setting a username and a PSK has worked from pfSense 1.2.3 on through 2.1.5 or 2.1.6, but as of 2.2 and beyond the @ sign or some other factor that I'm not aware of seems to have broken it.
So the issue is that in cases where I have 30-50 road warrior users out there with their email address as their username, fixing it would require generating new accounts and touching every device prior to upgrading the firewall. If there's a fix to the problem on the horizon, I'd rather wait for it. :-)
-
I mis-read that "edit my user" part as meaning users in the user manager. The @ character isn't an accepted username for the user manager, and never has been. You're actually using the VPN>IPsec, PSK tab, where emails are fine. What you're describing should work, I'll double check that with the Shrew Soft config you're showing when I have a moment.
-
@cmb:
I mis-read that "edit my user" part as meaning users in the user manager. The @ character isn't an accepted username for the user manager, and never has been. You're actually using the VPN>IPsec, PSK tab, where emails are fine. What you're describing should work, I'll double check that with the Shrew Soft config you're showing when I have a moment.
Cool. Thanks, cmb! PM me if you need access to a test firewall. I can easily make one available to you.
-
Could you re-test this on 2.2.3? Snapshots available at https://snapshots.pfsense.org. I don't see any issues here.
-
Sure, I'll test-upgrade a firewall over the weekend and see if the problem is resolved. :-)
-
Thanks. I'll be around this weekend, would like to look into it with you if it's still an issue.
-
@cmb:
Thanks. I'll be around this weekend, would like to look into it with you if it's still an issue.
No luck, cmb. I'm going to PM you some remote login details now. :-)
-
The issue was this:
https://redmine.pfsense.org/issues/4781it works now. I applied that change to the 2.2.3 system you brought up, and can connect fine now. If you can confirm as well that'd be appreciated.
Thanks for your help!
-
@cmb:
The issue was this:
https://redmine.pfsense.org/issues/4781it works now. I applied that change to the 2.2.3 system you brought up, and can connect fine now. If you can confirm as well that'd be appreciated.
Thanks for your help!
I'll check this afternoon when I make it back to a location I can check it from. Thanks, cmb!