    IPSec borked on 2.2.3-RELEASE for mobile

    dharrigan

      Hi,

      Did an update from 2.2.2 to 2.2.3 this morning and now have discovered that my mobile client(s) cannot connect where they could connect beforehand. The clients (iOS devices) are using IPSec (Cisco) as the VPN configuration.

      Every time the client tries to connect, iOS is displaying "The VPN Shared Secret is incorrect." Just yesterday, before the upgrade, they were connecting successfully.

      Below is a capture of the log (in diag). Please do let me know if further debug information is required:

      Jun 25 16:34:13	charon: 07[IKE] <con1|24> sending retransmit 1 of response message ID 0, seq 1
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> INFORMATIONAL_V1 request with message ID 2747084782 processing failed
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> ignore malformed INFORMATIONAL request
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> message parsing failed
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending NAT-T (RFC 3947) vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending FRAGMENTATION vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending Cisco Unity vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending DPD vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <con1|24> sending XAuth vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
      Jun 25 16:34:09	charon: 07[IKE] <24> 188.29.164.91 is initiating a Aggressive Mode IKE_SA
      Jun 25 16:34:09	charon: 07[IKE] <24> received DPD vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received Cisco Unity vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received XAuth vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received draft-ietf-ipsec-nat-t-ike vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
      Jun 25 16:34:09	charon: 07[IKE] <24> received FRAGMENTATION vendor ID
      
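Reading a charon capture like the one in the post above by hand is slow, because the pfSense diag view lists it newest-first and (as pasted here) every line appears twice. The following is an added example, not code from the original post, from pfSense or from strongSwan: it parses the charon line format shown above, drops the doubled lines, puts the events back in wall-clock order, and summarises each IKE_SA (peer, exchange mode, vendor IDs the peer announced, retransmits, and whether the responder answered the first exchange and then failed to parse what came back). The sample input is a constructed subset of the lines from the post; the verdict names are my own labels, not strongSwan terms.

```python
import re

# Constructed sample input: a subset of the charon lines from the post above,
# in the order the pfSense diag view shows them (newest first), with the
# doubled lines left in as the page shows them. Not a complete capture.
SAMPLE_LOG = """\
Jun 25 16:34:13\tcharon: 07[IKE] <con1|24> sending retransmit 1 of response message ID 0, seq 1
Jun 25 16:34:13\tcharon: 07[IKE] <con1|24> sending retransmit 1 of response message ID 0, seq 1
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> INFORMATIONAL_V1 request with message ID 2747084782 processing failed
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> INFORMATIONAL_V1 request with message ID 2747084782 processing failed
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> ignore malformed INFORMATIONAL request
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> ignore malformed INFORMATIONAL request
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> message parsing failed
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> message parsing failed
Jun 25 16:34:09\tcharon: 07[IKE] <con1|24> sending XAuth vendor ID
Jun 25 16:34:09\tcharon: 07[IKE] <24> IKE_SA (unnamed)[24] state change: CREATED => CONNECTING
Jun 25 16:34:09\tcharon: 07[IKE] <24> 188.29.164.91 is initiating a Aggressive Mode IKE_SA
Jun 25 16:34:09\tcharon: 07[IKE] <24> received Cisco Unity vendor ID
Jun 25 16:34:09\tcharon: 07[IKE] <24> received XAuth vendor ID
Jun 25 16:34:09\tcharon: 07[IKE] <24> received NAT-T (RFC 3947) vendor ID
"""

# "<month> <day> <hh:mm:ss>\tcharon: <thread>[<group>] <tag> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] <(?P<tag>[^>]*)> (?P<msg>.*)$"
)

# Substrings that mean charon could not make sense of an inbound message.
FAILURE_MARKERS = ("message parsing failed", "ignore malformed", "processing failed")


def parse_line(line):
    """Split one charon log line into its fields; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The tag is <conn|sa> once the SA has matched a connection, <sa> before that.
    conn, _, sa = m.group("tag").rpartition("|")
    return {"ts": m.group("ts"), "group": m.group("group"),
            "conn": conn or None, "sa": int(sa), "msg": m.group("msg")}


def dedupe(lines):
    """Drop consecutive verbatim repeats (the pasted log shows every line twice)."""
    out = []
    for line in lines:
        if not out or out[-1] != line:
            out.append(line)
    return out


def triage(text):
    """Return one summary dict per IKE_SA id found in a newest-first charon log."""
    events = [e for e in map(parse_line, dedupe(text.splitlines())) if e]
    events.reverse()  # diag view is newest-first; work in wall-clock order
    by_sa = {}
    for e in events:
        by_sa.setdefault(e["sa"], []).append(e)
    summaries = {}
    for sa, evs in by_sa.items():
        s = {"sa": sa, "conn": None, "peer": None, "mode": None, "vendor_ids": [],
             "responder_replied": False, "retransmits": 0, "failures": [],
             "established": False}
        for e in evs:
            s["conn"] = s["conn"] or e["conn"]
            msg = e["msg"]
            m = re.match(r"(\S+) is initiating an? (\w+ Mode) IKE_SA", msg)
            if m:
                s["peer"], s["mode"] = m.group(1), m.group(2)
            m = re.match(r"received (.+) vendor ID$", msg)
            if m:
                s["vendor_ids"].append(m.group(1))
            if msg.startswith("sending ") and msg.endswith("vendor ID"):
                s["responder_replied"] = True  # our reply to the first exchange went out
            if msg.startswith("sending retransmit"):
                s["retransmits"] += 1
            if any(marker in msg for marker in FAILURE_MARKERS):
                s["failures"].append(msg)
            if "IKE_SA" in msg and "established" in msg:
                s["established"] = True
        if s["established"]:
            s["verdict"] = "established"
        elif s["responder_replied"] and s["failures"]:
            # We answered the peer's first message, then could not parse the next
            # one: both sides are no longer deriving the same keys. A wrong PSK
            # looks like this, but so does a broken crypto backend (this thread's
            # AES-NI case), so check the backend before rotating secrets.
            s["verdict"] = "peer-message-unparseable-after-reply"
        else:
            s["verdict"] = "incomplete"
        summaries[sa] = s
    return summaries


if __name__ == "__main__":
    for sa, s in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa} ({s['conn']}): peer={s['peer']} mode={s['mode']} "
              f"vendor IDs={s['vendor_ids']} retransmits={s['retransmits']} "
              f"failures={len(s['failures'])} verdict={s['verdict']}")
```

Run it on the full log pasted above (or on a fresh export from Status > System Logs > IPsec) and the useful signal is the combination: the responder sent its vendor IDs, so the first aggressive-mode exchange was answered, and everything it received afterwards was unparseable. That is the same picture a mismatched shared secret gives, which is why iOS reports the secret as wrong even though, in this thread, the secret was fine and the crypto backend was not.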
      phuka

        Same problem here.

        Tried to reset IPsec pre-shared key and user password, but it didn't help.

        Any suggestions?

        dharrigan

          Hi,

          Yes,

          Disable aes-ni and reboot.

          This is dealt with here:

          https://redmine.pfsense.org/issues/4791

          -=david=-

          Sn3ak

            Same problem, not same resolution.

            Disabled, rebooted, still doesn't work. Using iOS. "The VPN Shared Secret is incorrect." 2.2.2 and previous worked fine.

            $ kldstat
            Id Refs Address            Size     Name
             1    3 0xffffffff80200000 22d84b0  kernel
             2    1 0xffffffff82611000 cf4      coretemp.ko
            
            rightnow

              Is it possible to get the configuration you are using for this mobile VPN for iOS/Android?
              Cause I haven't got it working since 2.1.5.

              dharrigan

                Hi,

                There is an open bug for this:

                https://redmine.pfsense.org/issues/4784

                -=david=-

                rightnow

                  @dharrigan:

                  Hi,

                  There is an open bug for this:

                  https://redmine.pfsense.org/issues/4784

                  -=david=-

                  But what is your VPN configuration? Same as in the bug report above?

                  dharrigan

                    Hi,

                    Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt.

                    -=david=-

                    rightnow

                      @dharrigan:

                      Hi,

                      Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt.

                      -=david=-

                      I had the exact same config.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.