Pfsense 2.2.1 - Cannot connect iPad iOS 8.3



  • Hi everyone,
    I am newbie to manage Pfsense ipsec tunnel for mobile.

    Our management requested that we get iPads devices and connect them to our intranet dedicated cloud .

    Although I followed some HOW TO

    I was not able to create any connexion sucessfully, iPad VPN error message "the vpn shared secret key is incorrect"… But I think we use the good informations...

    Below the settings of the iPsec phase 1 and 2, mobile, and user...

    I used in the ipad VPN ipsec

    • the server: the Pfsense WAN IP
      the  account/password: the user/password from usermanager
      the group name/secret : the peer identifier and pre-shared key from ipsec phase 1

    and below the logs I can see from IPSEC

    Apr 8 19:55:38 charon: 15[IKE] <83> xxx.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
    Apr 8 19:55:38 charon: 15[IKE] xxx.xxx.xxx.xxx is initiating a Aggressive Mode IKE_SA
    Apr 8 19:55:38 charon: 15[CFG] looking for XAuthInitPSK peer configs matching yyy.yyy.yyy.yyy…xxx.xxx.xxx.xxx[mobile@xxxxxx.com]
    Apr 8 19:55:38 charon: 15[CFG] selected peer config "con2"
    Apr 8 19:55:38 charon: 15[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Apr 8 19:55:38 charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[45312] (428 bytes)
    Apr 8 19:55:38 charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[33170] to yyy.yyy.yyy.yyy[4500] (68 bytes)
    Apr 8 19:55:38 charon: 15[ENC] invalid HASH_V1 payload length, decryption failed?
    Apr 8 19:55:38 charon: 15[ENC] could not decrypt payloads
    Apr 8 19:55:38 charon: 15[IKE] <con2|83>message parsing failed
    Apr 8 19:55:38 charon: 15[IKE] message parsing failed
    Apr 8 19:55:38 charon: 15[IKE] <con2|83>ignore malformed INFORMATIONAL request
    Apr 8 19:55:38 charon: 15[IKE] ignore malformed INFORMATIONAL request
    Apr 8 19:55:38 charon: 15[IKE] <con2|83>INFORMATIONAL_V1 request with message ID 421246635 processing failed
    Apr 8 19:55:38 charon: 15[IKE] INFORMATIONAL_V1 request with message ID 421246635 processing failed
    Apr 8 19:55:40 charon: 15[IKE] <con11000|9>sending DPD request
    Apr 8 19:55:40 charon: 15[IKE] sending DPD request
    Apr 8 19:55:40 charon: 15[ENC] generating INFORMATIONAL_V1 request 1572735548 [ HASH N(DPD) ]
    Apr 8 19:55:40 charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 203.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:40 charon: 15[IKE] <con14000|15>sending DPD request
    Apr 8 19:55:40 charon: 15[IKE] sending DPD request
    Apr 8 19:55:40 charon: 15[ENC] generating INFORMATIONAL_V1 request 2932759369 [ HASH N(DPD) ]
    Apr 8 19:55:40 charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 124.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:40 charon: 15[NET] received packet: from 203.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:40 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2146588398 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:40 charon: 15[NET] received packet: from 124.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:40 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2763260462 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:42 charon: 15[IKE] <con2|83>sending retransmit 1 of response message ID 0, seq 1
    Apr 8 19:55:42 charon: 15[IKE] sending retransmit 1 of response message ID 0, seq 1
    Apr 8 19:55:42 charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[45312] (428 bytes)
    Apr 8 19:55:42 charon: 15[IKE] <con7000|11>sending DPD request
    Apr 8 19:55:42 charon: 15[IKE] sending DPD request
    Apr 8 19:55:42 charon: 15[ENC] generating INFORMATIONAL_V1 request 3226781116 [ HASH N(DPD) ]
    Apr 8 19:55:42 charon: 15[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 212.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:43 charon: 15[NET] received packet: from 212.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:43 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2875292463 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:43 charon: 14[IKE] <con12000|3>sending DPD request
    Apr 8 19:55:43 charon: 14[IKE] sending DPD request
    Apr 8 19:55:43 charon: 14[ENC] generating INFORMATIONAL_V1 request 2541364363 [ HASH N(DPD) ]
    Apr 8 19:55:43 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to 50.aaa.aaa.aaa[4500] (92 bytes)
    Apr 8 19:55:43 charon: 14[NET] received packet: from 50.aaa.aaa.aaa[4500] to yyy.yyy.yyy.yyy[4500] (84 bytes)
    Apr 8 19:55:43 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3236505569 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:45 charon: 14[IKE] <con13000|8>sending DPD request
    Apr 8 19:55:45 charon: 14[IKE] sending DPD request
    Apr 8 19:55:45 charon: 14[ENC] generating INFORMATIONAL_V1 request 10916619 [ HASH N(DPD) ]
    Apr 8 19:55:45 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 221.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:45 charon: 14[NET] received packet: from 221.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:45 charon: 14[ENC] parsed INFORMATIONAL_V1 request 9766024 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:46 charon: 14[IKE] <con3000|12>sending DPD request
    Apr 8 19:55:46 charon: 14[IKE] sending DPD request
    Apr 8 19:55:46 charon: 14[ENC] generating INFORMATIONAL_V1 request 3800429396 [ HASH N(DPD) ]
    Apr 8 19:55:46 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 221.224.17.106[500] (92 bytes)
    Apr 8 19:55:47 charon: 14[IKE] <con10000|10>sending DPD request
    Apr 8 19:55:47 charon: 14[IKE] sending DPD request
    Apr 8 19:55:47 charon: 14[ENC] generating INFORMATIONAL_V1 request 1320029323 [ HASH N(DPD) ]
    Apr 8 19:55:47 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 42.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:47 charon: 14[NET] received packet: from 221.224.17.106[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:47 charon: 14[ENC] parsed INFORMATIONAL_V1 request 1661718833 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:47 charon: 14[NET] received packet: from 42.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:47 charon: 14[ENC] parsed INFORMATIONAL_V1 request 1799981385 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:47 charon: 14[IKE] <con1000|1>sending DPD request
    Apr 8 19:55:47 charon: 14[IKE] sending DPD request
    Apr 8 19:55:47 charon: 14[ENC] generating INFORMATIONAL_V1 request 3635940303 [ HASH N(DPD) ]
    Apr 8 19:55:47 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (92 bytes)
    Apr 8 19:55:47 charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (176 bytes)
    Apr 8 19:55:47 charon: 14[ENC] parsed INFORMATIONAL_V1 request 1029596099 [ N(INVAL_IKE_SPI) ]
    Apr 8 19:55:47 charon: 14[ENC] ignoring unprotected INFORMATIONAL from xxx.xxx.xxx.xxx
    Apr 8 19:55:47 charon: 14[IKE] <con1000|1>message verification failed
    Apr 8 19:55:47 charon: 14[IKE] message verification failed
    Apr 8 19:55:47 charon: 14[IKE] <con1000|1>ignore malformed INFORMATIONAL request
    Apr 8 19:55:47 charon: 14[IKE] ignore malformed INFORMATIONAL request
    Apr 8 19:55:47 charon: 14[IKE] <con1000|1>INFORMATIONAL_V1 request with message ID 1029596099 processing failed
    Apr 8 19:55:47 charon: 14[IKE] INFORMATIONAL_V1 request with message ID 1029596099 processing failed
    Apr 8 19:55:50 charon: 08[IKE] <con2|83>sending retransmit 2 of response message ID 0, seq 1
    Apr 8 19:55:50 charon: 08[IKE] sending retransmit 2 of response message ID 0, seq 1
    Apr 8 19:55:50 charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[45312] (428 bytes)
    Apr 8 19:55:50 charon: 08[IKE] <con11000|9>sending DPD request
    Apr 8 19:55:50 charon: 08[IKE] sending DPD request
    Apr 8 19:55:50 charon: 08[ENC] generating INFORMATIONAL_V1 request 3983477870 [ HASH N(DPD) ]
    Apr 8 19:55:50 charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 203.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:50 charon: 08[IKE] <con14000|15>sending DPD request
    Apr 8 19:55:50 charon: 08[IKE] sending DPD request
    Apr 8 19:55:50 charon: 08[ENC] generating INFORMATIONAL_V1 request 208824927 [ HASH N(DPD) ]
    Apr 8 19:55:50 charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 124.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:50 charon: 08[NET] received packet: from 203.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:50 charon: 08[ENC] parsed INFORMATIONAL_V1 request 127858904 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:51 charon: 08[NET] received packet: from 124.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:51 charon: 08[ENC] parsed INFORMATIONAL_V1 request 790606552 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:52 charon: 08[IKE] <con7000|11>sending DPD request
    Apr 8 19:55:52 charon: 08[IKE] sending DPD request
    Apr 8 19:55:52 charon: 08[ENC] generating INFORMATIONAL_V1 request 539439690 [ HASH N(DPD) ]
    Apr 8 19:55:52 charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 212.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:53 charon: 08[NET] received packet: from 212.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:53 charon: 08[ENC] parsed INFORMATIONAL_V1 request 3886027621 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:53 charon: 08[IKE] <con12000|3>sending DPD request
    Apr 8 19:55:53 charon: 08[IKE] sending DPD request
    Apr 8 19:55:53 charon: 08[ENC] generating INFORMATIONAL_V1 request 36687189 [ HASH N(DPD) ]
    Apr 8 19:55:53 charon: 08[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to 50.aaa.aaa.aaa[4500] (92 bytes)
    Apr 8 19:55:53 charon: 08[NET] received packet: from 50.aaa.aaa.aaa[4500] to yyy.yyy.yyy.yyy[4500] (84 bytes)
    Apr 8 19:55:53 charon: 08[ENC] parsed INFORMATIONAL_V1 request 3255672529 [ HASH N(DPD_ACK) ]
    Apr 8 19:55:55 charon: 10[IKE] <con13000|8>sending DPD request
    Apr 8 19:55:55 charon: 10[IKE] sending DPD request
    Apr 8 19:55:55 charon: 10[ENC] generating INFORMATIONAL_V1 request 2152900824 [ HASH N(DPD) ]
    Apr 8 19:55:55 charon: 10[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 221.aaa.aaa.aaa[500] (92 bytes)
    Apr 8 19:55:55 charon: 10[NET] received packet: from 221.aaa.aaa.aaa[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
    Apr 8 19:55:55 charon: 10[ENC] parsed INFORMATIONAL_V1 request 3987926641 [ HASH N(DPD_ACK) ]</con13000|8></con12000|3></con7000|11></con14000|15></con11000|9></con2|83></con1000|1></con1000|1></con1000|1></con1000|1></con10000|10></con3000|12></con13000|8></con12000|3></con7000|11></con2|83></con14000|15></con11000|9></con2|83></con2|83></con2|83>

    Any help will be apprecied, because I cannot understand why it doesn't want to work..

    thx in advance.



  • Try disabling DPD and setting encryption to AES 256bits.

    I have a similar problem, but no quite the same. In my case I cannot connect from the WAN, just inside the LAN, which does not make any sense in using a IPsec tunnel to your own LAN.



  • Hi,
    thnaks for reply

    @viniciusferrao:

    Try disabling DPD and setting encryption to AES 256bits.

    I have a similar problem, but no quite the same. In my case I cannot connect from the WAN, just inside the LAN, which does not make any sense in using a IPsec tunnel to your own LAN.

    unfortunately, no luck, still same error message "the vpn shared secret key is incorrect"…  :-\



  • Upgraded pfsense to 2.2.2

    Followed the again the step to : https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/ as talked in the topic https://forum.pfsense.org/index.php?topic=92417.0

    same error: "the vpn shared secret key is incorrect" for iPad or android smartphone

    Tested with the topic : https://forum.pfsense.org/index.php?topic=92197.0

    same error: "the vpn shared secret key is incorrect" for iPad or android smartphone



  • Are you connecting the iPad via a public IP that has a site to site IPsec VPN to the same remote location? In that case, it'll try to match the site to site config and error out with an incorrect shared secret.



  • Hi,

    • I tried connect with iPAd (iOS 8.3) didn't have yet the sim card through our internal wifi network office to the public IP of the Pfsense, and yes, we have a site to site IPSEC VPN between our office and the Pfsense.

    • I tried connect with ipad from my home also, same error message.

    • II tried connect in VPN with my nexus 5 (3G/4G connexion) android 5.1 and it failed too.



  • I have setting up again following step by step the blog: https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/, but still same error message…

    Some questions about these steps:

    • in the IPSEC PHASE 1

      • the blogger dooesn’t sepcify the KEY EXCHANGE VERSION he used.

      • the 2 following settings doesn’t exist in the Version 2.2.1 or 2.2.2:

      • Policy Generation: Unique

      • Proposal Checking: Default



  • The only way at the moment I could connect in VPN to our CLOUD with iPad, was to install sonicwall VPN client, then connect to our own firewall through SSL to be redirected to our CLOUD network, which is not the best way to us.  ::)


Log in to reply