Upgraded to 2.2.3, IPSec broke on Windows



  • So….
    1. Upgraded to pfSense 2.2.3, my Android phones and Mac can connect to the VPN, but no traffic was passed thru. OK, this is already being taken care of, by turning off AES-NI...
    2. Then on my Windows 8.1 Pro machine, it throws an error: "Error 87: The parameter is incorrect"
    Here's the juicy log:

    Jul 13 20:33:23 charon: 15[NET] <1> received packet: from ClientIP[500] to IPSecIP[500] (616 bytes)
    Jul 13 20:33:23 charon: 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jul 13 20:33:23 charon: 15[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jul 13 20:33:23 charon: 15[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jul 13 20:33:23 charon: 15[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
    Jul 13 20:33:23 charon: 15[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
    Jul 13 20:33:23 charon: 15[IKE] <1> received Vid-Initial-Contact vendor ID
    Jul 13 20:33:23 charon: 15[IKE] <1> received Vid-Initial-Contact vendor ID
    Jul 13 20:33:23 charon: 15[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jul 13 20:33:23 charon: 15[IKE] <1> ClientIP is initiating an IKE_SA
    Jul 13 20:33:23 charon: 15[IKE] <1> ClientIP is initiating an IKE_SA
    Jul 13 20:33:23 charon: 15[IKE] <1> remote host is behind NAT
    Jul 13 20:33:23 charon: 15[IKE] <1> remote host is behind NAT
    Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=San Leandro, O=Smart-Decision, redacted"
    Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=San Leandro, O=Smart-Decision, redactedet"
    Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=Santa Cruz, O=MirageSpace, redactedet"
    Jul 13 20:33:23 charon: 15[IKE] <1> sending cert request for "C=US, ST=California, L=Santa Cruz, O=MirageSpace, redactedt"
    Jul 13 20:33:23 charon: 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jul 13 20:33:23 charon: 15[NET] <1> sending packet: from IPSecIP[500] to ClientIP[500] (357 bytes)
    Jul 13 20:33:53 charon: 16[JOB] <1> deleting half open IKE_SA after timeout


  • Banned

    Try with latest 2.2.4-DEVEL snapshot. http://snapshots.pfsense.org/



  • @doktornotor:

    Try with latest 2.2.4-DEVEL snapshot. http://snapshots.pfsense.org/

    Negative, sir. Going to 2.2.4 did not make IPSec work on Windows. It was working on 2.2.2.

    Thanks


  • Banned

    Try again in a couple of days perhaps – and watch Redmine. I gave up on IPsec.



  • Actually, even after I downgraded it to 2.2.2, my Windows machine is still borking… I will reinstall Windows and test again.

