IPSec borked on 2.2.3-RELEASE for mobile



  • Hi,

    Did an update from 2.2.2 to 2.2.3 this morning and now have discovered that my mobile client(s) cannot connect where they could connect beforehand. The clients (iOS devices) are using IPSec (Cisco) as the VPN configuration.

    Every time the client tries to connect, iOS is displaying "The VPN Shared Secret is incorrect." Just yesterday, before the upgrade, they were connecting successfully.

    Below is a capture of the log (in diag). Please do let me know if further debug information is required:

    Jun 25 16:34:13	charon: 07[IKE] <con1|24> sending retransmit 1 of response message ID 0, seq 1
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> INFORMATIONAL_V1 request with message ID 2747084782 processing failed
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> ignore malformed INFORMATIONAL request
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> message parsing failed
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending NAT-T (RFC 3947) vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending FRAGMENTATION vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending Cisco Unity vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending DPD vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending XAuth vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
    Jun 25 16:34:09	charon: 07[IKE] <24> 188.29.164.91 is initiating a Aggressive Mode IKE_SA
    Jun 25 16:34:09	charon: 07[IKE] <24> received DPD vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received Cisco Unity vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received XAuth vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
    Jun 25 16:34:09	charon: 07[IKE] <24> received FRAGMENTATION vendor ID
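    A small triage script for charon log lines of the kind pasted above, added here as an example; it is not code from this thread, from pfSense or from strongSwan. It assumes the line format exactly as pasted (timestamp, a tab, then `charon: NN[IKE] <name|id> message`), collapses immediately repeated lines as the paste shows them, groups lines by IKE_SA number and gives each SA a verdict. The sample lines are constructed (documentation IP addresses, plus a made-up SA 25 that completes successfully for contrast); the "established between" line format is strongSwan's usual one and is assumed here. For an Aggressive Mode exchange that never reaches "established" and then logs "message parsing failed" on the peer's encrypted follow-up, the verdict points at the responder's PSK or decryption path (which is where the AES-NI bug discussed later in the thread lives) rather than at the client's settings.

```python
"""Triage strongSwan (charon) IKEv1 log lines: one verdict per IKE_SA.

Added example, not code from the thread or from pfSense/strongSwan.
Assumes the pasted log format: "<timestamp>\tcharon: NN[IKE] <tag> message",
where <tag> is "<24>" (unnamed IKE_SA) or "<con1|24>" (connection|IKE_SA number).
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\tcharon: \d+\[IKE\] <(?P<tag>[^>]+)> (?P<msg>.*)$"
)


def parse_line(line):
    """Return (ts, sa_id, conn_name_or_None, msg) for one IKE line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    conn, _, sa = m.group("tag").rpartition("|")  # "con1|24" -> con1, 24; "24" -> "", 24
    return m.group("ts"), int(sa), conn or None, m.group("msg")


def dedupe_consecutive(lines):
    """Drop immediately repeated lines (the forum paste shows every line twice)."""
    out = []
    for line in lines:
        if not out or out[-1] != line:
            out.append(line)
    return out


def verdict(s):
    """Heuristic outcome for one IKE_SA summary."""
    if s["established"]:
        return "established"
    if s["mode"] == "Aggressive" and s["parse_failures"]:
        # Phase 1 started, but the peer's encrypted follow-up could not be parsed:
        # consistent with a PSK mismatch or a broken decryption path on the responder.
        return "phase-1 failed: encrypted follow-up unparseable (check PSK / crypto path)"
    if s["retransmits"] and not s["parse_failures"]:
        return "no reply from peer after our last message"
    return "incomplete"


def triage(log_text):
    """Group charon lines by IKE_SA number and summarise each SA's outcome."""
    sas = OrderedDict()
    for line in dedupe_consecutive(log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            continue  # not an [IKE] line; ignore
        _ts, sa_id, conn, msg = rec
        s = sas.setdefault(sa_id, {
            "conn": None, "peer": None, "mode": None, "vendor_ids": [],
            "established": False, "parse_failures": 0, "retransmits": 0,
        })
        if conn:
            s["conn"] = conn
        m = re.match(r"(\S+) is initiating an? (Aggressive|Main) Mode IKE_SA", msg)
        if m:
            s["peer"], s["mode"] = m.group(1), m.group(2)
        m = re.match(r"received (.+) vendor ID$", msg)
        if m:
            s["vendor_ids"].append(m.group(1))
        if " established between " in msg:
            s["established"] = True
        if msg in ("message parsing failed", "ignore malformed INFORMATIONAL request") \
                or msg.endswith("processing failed"):
            s["parse_failures"] += 1
        if msg.startswith("sending retransmit"):
            s["retransmits"] += 1
    for s in sas.values():
        s["verdict"] = verdict(s)
    return sas


# Constructed sample in chronological order: SA 24 mirrors the failing exchange in the
# thread (doubled lines included), SA 25 is a made-up successful exchange for contrast.
SAMPLE_LOG = "\n".join([
    "Jun 25 16:34:09\tcharon: 07[IKE] <24> 192.0.2.10 is initiating a Aggressive Mode IKE_SA",
    "Jun 25 16:34:09\tcharon: 07[IKE] <24> 192.0.2.10 is initiating a Aggressive Mode IKE_SA",
    "Jun 25 16:34:09\tcharon: 07[IKE] <24> received XAuth vendor ID",
    "Jun 25 16:34:09\tcharon: 07[IKE] <24> received Cisco Unity vendor ID",
    "Jun 25 16:34:09\tcharon: 07[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING",
    "Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> sending XAuth vendor ID",
    "Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> message parsing failed",
    "Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> ignore malformed INFORMATIONAL request",
    "Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> INFORMATIONAL_V1 request with message ID 2747084782 processing failed",
    "Jun 25 16:34:13\tcharon: 07[IKE] <con1|24> sending retransmit 1 of response message ID 0, seq 1",
    "Jun 25 16:35:02\tcharon: 09[IKE] <25> 198.51.100.7 is initiating a Aggressive Mode IKE_SA",
    "Jun 25 16:35:02\tcharon: 09[IKE] <25> received XAuth vendor ID",
    "Jun 25 16:35:02\tcharon: 09[IKE] <con1|25> IKE_SA con1[25] established between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]",
])

if __name__ == "__main__":
    for sa_id, s in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id} ({s['conn']}) peer={s['peer']} mode={s['mode']} -> {s['verdict']}")
```

    Run it as-is to see the two verdicts, or feed it the raw output of the pfSense IPsec log page via `triage(open(path).read())`; only `[IKE]` lines are consulted, everything else is skipped.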
    


  • Same problem here.

    Tried to reset IPsec pre-shared key and user password, but it didn't help.

    Any suggestions?



  • Hi,

    Yes,

    Disable aes-ni and reboot.

    This is dealt with here:

    https://redmine.pfsense.org/issues/4791

    -=david=-



  • Same problem, not same resolution.

    Disabled, rebooted, still doesn't work. Using iOS: "The VPN Shared Secret is incorrect." 2.2.2 and previous worked fine.

    $ kldstat
    Id Refs Address            Size     Name
     1    3 0xffffffff80200000 22d84b0  kernel
     2    1 0xffffffff82611000 cf4      coretemp.ko
    
    


  • Is it possible to get the configuration you are using for this mobile VPN for iOS/Android?
    Because I haven't got it working since 2.1.5.



  • Hi,

    There is an open bug for this:

    https://redmine.pfsense.org/issues/4784

    -=david=-



  • @dharrigan:

    Hi,

    There is an open bug for this:

    https://redmine.pfsense.org/issues/4784

    -=david=-

    But what is your VPN configuration? Same as in the bugreport above?



  • Hi,

    Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt.

    -=david=-



  • @dharrigan:

    Hi,

    Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt.

    -=david=-

    I had the exact same config.