Negotiation mode became Main after upgrade from 2.1.5 to 2.2.2
-
We performed an upgrade to 2.2.2 and now IPsec doesn't work.
Error messages:
IKE] <109> found 2 matching configs, but none allows XAuthInitPSK authentication using Aggressive Mode
The problem looks to be the IPsec Phase 1 proposal setting; Negotiation mode became Main after the upgrade.
The problem now is that it can't be changed to Aggressive. Bug?
When I try to change it to aggressive, the logs below appear, but the change was not really saved:
Jun 5 15:47:08 fw1.riftio.com php-fpm[94760]: /rc.filter_synchronize: The other member is on older configuration version of pfSense. Sync will not be done to prevent problems!
Jun 5 15:47:08 fw1.riftio.com php-fpm[94760]: /rc.filter_synchronize: The other member is on older configuration version of pfSense. Sync will not be done to prevent problems!
Jun 5 15:47:11 fw1.riftio.com php-fpm[94760]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Jun 5 15:47:11 fw1.riftio.com php-fpm[94760]: /vpn_ipsec.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Suggestions are appreciated!
-
The upgrade doesn't change that. Is this for mobile users, or a site to site?
The log you're getting is what you get when i_dont_care_about_security_and_use_aggressive_mode_psk isn't applied. I seem to recall some circumstances where if you change that while the service is already running, you need to stop, then start (not restart), the IPsec service under Status>Services in order for it to take effect. Try that.
-
Was able to fix it:
Somehow the Key Exchange version had been changed to Auto. I changed it to version 1, which I believe it was, and I was then able to change the Negotiation mode to aggressive.
Thanks for the response!
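
As an added example that is not part of the thread or of pfSense's own code: a small audit of an exported config.xml that lists phase 1 entries in the state described in this thread (XAuth PSK with the Key Exchange version not set to v1) and entries using aggressive mode with pre-shared keys, the combination the warning in the log above calls insecure. The element names (`ikeid`, `descr`, `iketype`, `mode`, `authentication_method`) are assumptions about the config.xml layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. Element names follow the
# layout assumed for pfSense's config.xml <ipsec><phase1> entries.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><descr>mobile clients</descr><iketype>auto</iketype>
    <mode>main</mode><authentication_method>xauth_psk_server</authentication_method></phase1>
  <phase1><ikeid>2</ikeid><descr>branch office</descr><iketype>ikev1</iketype>
    <mode>aggressive</mode><authentication_method>pre_shared_key</authentication_method></phase1>
  <phase1><ikeid>3</ikeid><descr>datacenter</descr><iketype>ikev2</iketype>
    <authentication_method>rsasig</authentication_method></phase1>
</ipsec></pfsense>"""

# Authentication methods that rely on a pre-shared key (assumed value names).
PSK_METHODS = {"pre_shared_key", "xauth_psk_server"}


def audit_phase1(config_xml):
    """Return (ikeid, descr, finding) tuples for phase 1 entries worth reviewing."""
    findings = []
    for p1 in ET.fromstring(config_xml).iterfind("./ipsec/phase1"):
        get = lambda tag: (p1.findtext(tag) or "").strip().lower()
        ident = (get("ikeid"), (p1.findtext("descr") or "").strip())
        ike, mode, auth = get("iketype"), get("mode"), get("authentication_method")
        if ike != "ikev1" and auth == "xauth_psk_server":
            # Situation from the thread: XAuth PSK clients, key exchange not set to v1.
            findings.append(ident + (f"iketype={ike or 'unset'} with XAuth PSK: "
                                     "check Key Exchange version and Negotiation mode",))
        if ike == "ikev1" and mode == "aggressive" and auth in PSK_METHODS:
            # What the /vpn_ipsec.php WARNING in the thread's log refers to.
            findings.append(ident + ("aggressive mode with pre-shared key: "
                                     "insecure per pfSense's own warning",))
    return findings


if __name__ == "__main__":
    for ikeid, descr, finding in audit_phase1(SAMPLE_CONFIG):
        print(f"phase1 {ikeid} ({descr}): {finding}")
```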