Netgate Discussion Forum

    Upgraded to 2.2.3, IPSec broke on Windows

      zllovesuki

      So….
      1. Upgraded to pfSense 2.2.3, my Android phones and Mac can connect to the VPN, but no traffic was passed thru. OK, this is already being taken care of, by turning off AES-NI...
      2. Then on my Windows 8.1 Pro machine, it throws an error: "Error 87: The parameter is incorrect"
      Here's the juicy log:

      Jul 13 20:33:23 charon: 15[NET] <1> received packet: from ClientIP[500] to IPSecIP[500] (616 bytes)
      Jul 13 20:33:23 charon: 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
      Jul 13 20:33:23 charon: 15[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
      Jul 13 20:33:23 charon: 15[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
      Jul 13 20:33:23 charon: 15[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
      Jul 13 20:33:23 charon: 15[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
      Jul 13 20:33:23 charon: 15[IKE] <1> received Vid-Initial-Contact vendor ID
      Jul 13 20:33:23 charon: 15[IKE] <1> received Vid-Initial-Contact vendor ID
      Jul 13 20:33:23 charon: 15[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
      Jul 13 20:33:23 charon: 15[IKE] <1> ClientIP is initiating an IKE_SA
      Jul 13 20:33:23 charon: 15[IKE] <1> ClientIP is initiating an IKE_SA
      Jul 13 20:33:23 charon: 15[IKE] <1> remote host is behind NAT
      Jul 13 20:33:23 charon: 15[IKE] <1> remote host is behind NAT
      Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=San Leandro, O=Smart-Decision, redacted"
      Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=San Leandro, O=Smart-Decision, redactedet"
      Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=Santa Cruz, O=MirageSpace, redactedet"
      Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=Santa Cruz, O=MirageSpace, redactedt"
      Jul 13 20:33:23 charon: 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
      Jul 13 20:33:23 charon: 15[NET] <1> sending packet: from IPSecIP[500] to ClientIP[500] (357 bytes)
      Jul 13 20:33:53 charon: 16[JOB] <1> deleting half open IKE_SA after timeout

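One way to triage a charon log like the one in the first post, as an added example that is not part of the original thread: it groups lines by IKE_SA id and reports the last exchange seen before strongSwan deleted the SA as half open. The function name `triage` and the sample (a subset of the quoted lines) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines quoted in the post above.
SAMPLE = """\
Jul 13 20:33:23 charon: 15[NET] <1> received packet: from ClientIP[500] to IPSecIP[500] (616 bytes)
Jul 13 20:33:23 charon: 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 13 20:33:23 charon: 15[IKE] <1> remote host is behind NAT
Jul 13 20:33:23 charon: 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 13 20:33:23 charon: 15[NET] <1> sending packet: from IPSecIP[500] to ClientIP[500] (357 bytes)
Jul 13 20:33:53 charon: 16[JOB] <1> deleting half open IKE_SA after timeout
"""

# "<date> charon: <thread>[<subsystem>] <<sa id>> <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ charon: \d+\[(\w+)\] <(\S+?)> (.*)$")
# ENC lines name the exchange, e.g. "parsed IKE_SA_INIT request 0 [ ... ]"
EXCHANGE = re.compile(r"^(parsed|generating) (\w+) (request|response) \d+")


def triage(log_text):
    """Return, per IKE_SA id, where a half-open SA stalled before deletion."""
    sas = defaultdict(lambda: {"exchanges": [], "nat": False, "half_open": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a charon line in the expected shape
        subsystem, sa_id, msg = m.groups()
        sa = sas[sa_id]
        ex = EXCHANGE.match(msg)
        if subsystem == "ENC" and ex:
            sa["exchanges"].append(" ".join(ex.groups()))
        elif "is behind NAT" in msg:
            sa["nat"] = True
        elif "deleting half open IKE_SA" in msg:
            sa["half_open"] = True
    findings = {}
    for sa_id, sa in sas.items():
        if not sa["half_open"]:
            continue  # SA was not dropped as half open; nothing to report
        findings[sa_id] = {
            "last_exchange": sa["exchanges"][-1] if sa["exchanges"] else "none",
            "ike_auth_seen": any("IKE_AUTH" in e for e in sa["exchanges"]),
            "peer_behind_nat": sa["nat"],
        }
    return findings


if __name__ == "__main__":
    for sa_id, finding in triage(SAMPLE).items():
        print(sa_id, finding)
```

For the quoted log, the last exchange recorded is the gateway's IKE_SA_INIT response, and no IKE_AUTH request is parsed before the half-open timeout.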
        doktornotor Banned

        Try with latest 2.2.4-DEVEL snapshot. http://snapshots.pfsense.org/

          zllovesuki

          @doktornotor:

          Try with latest 2.2.4-DEVEL snapshot. http://snapshots.pfsense.org/

          Negative, sir. Going to 2.2.4 did not make IPSec work on Windows. It was working on 2.2.2.

          Thanks

            doktornotor Banned

            Try again in a couple of days perhaps – and watch Redmine. I gave up on IPsec.

              zllovesuki

              Actually, even after I downgraded it to 2.2.2, my Windows machine is still borking… I will reinstall Windows and test again.
