Ipsec problem after update to latest snapshot 2.2.4



  • Hello everybody,

    After upgrading to the latest 2.2.4 snapshot (used them successfully for more than 15 days), the IPsec tunnel configured with IKEv2 and EAP-MSCHAPv2, as per the pfSense doc (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2), is not working anymore: no connection with WP8.1 nor Windows 7/8.1.
    How to troubleshoot this?
    Help please.

    daxpfacc


  • Rebel Alliance Developer Netgate

    How is it failing?  That's one thing we tested repeatedly since we fixed the certificates to have the proper EKU value to make Windows happy.

    You might try generating a new server certificate now that you are on 2.2.4 and then picking that for IPsec.



  • Thanks for answering.

    I was already on 2.2.4, just upgraded to the latest and stopped working.

    pfSense-Full-Update-2.2.4-DEVELOPMENT-i386-2015..> 23-Jul-2015 14:52            97959020  WORKING

    pfSense-Full-Update-2.2.4-DEVELOPMENT-i386-2015..> 24-Jul-2015 00:24            97952257 NOT WORKING

    Tried to revert to the previous snapshot and it worked again.
    While on the latest snapshot I tried rebuilding the CA and server certs, but no luck.
    Could it be related to me having CN and SAN set to the same dynamic DNS value?
    If needed I can provide the working config file to test.

    daxpfacc


  • Rebel Alliance Developer Netgate

    We found that Windows ignored the SAN entirely. The CN is all it cared about.

    What is the exact error you're seeing on Windows? Or in the logs?

    The only commit that looks like it might be relevant is https://github.com/pfsense/pfsense/commit/021a97b58a3ab24a66773ccc61670365015c85e5

    Though maybe you had Key Exchange on Auto rather than IKEv2? https://github.com/pfsense/pfsense/commit/4d7568404c276ea8fd10583e8d769f5ba82587aa

    You could try reverting one or both of those using the System Patches package.



  • Key exchange set to IKEv2.

    Windows 7 and WP8.1 error is 13801.

    IPsec config:

    # This file is automatically generated. Do not edit

    config setup
        uniqueids = yes
        charondebug=""

    conn con1
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        mobike = yes
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        auto = add
        left = 83.33.17.200
        right = %any
        leftid = fqdn:myhome.doesntexist.com
        ikelifetime = 28800s
        lifetime = 3600s
        rightsourceip = 192.168.111.0/24
        ike = aes256-sha256-modp1024!
        esp = aes256-sha1!
        eap_identity=%any
        leftauth=pubkey
        rightauth=eap-mschapv2
        leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsubnet = 192.168.200.0/24

    pfSense logs:
    Jul 25 21:49:12 charon: 16[NET] <6> sending packet: from 85.55.13.202[4500] to 83.33.17.200[5587] (80 bytes)
    Jul 25 21:49:12 charon: 16[ENC] <6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 25 21:49:12 charon: 16[IKE] <6> peer supports MOBIKE
    Jul 25 21:49:12 charon: 16[IKE] <6> peer supports MOBIKE
    Jul 25 21:49:12 charon: 16[CFG] <6> no matching peer config found
    Jul 25 21:49:12 charon: 16[CFG] <6> looking for peer configs matching 85.55.13.202[%any]…83.33.17.200[10.167.123.157]
    Jul 25 21:49:12 charon: 16[IKE] <6> received 48 cert requests for an unknown ca
    Jul 25 21:49:12 charon: 16[IKE] <6> received 48 cert requests for an unknown ca
    Jul 25 21:49:12 charon: 16[IKE] <6> received cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
    Jul 25 21:49:12 charon: 16[IKE] <6> received cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
    Jul 25 21:49:12 charon: 16[ENC] <6> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jul 25 21:49:12 charon: 16[NET] <6> received packet: from 83.33.17.200[5587] to 85.55.13.202[4500] (1328 bytes)
    Jul 25 21:49:12 charon: 13[NET] <6> sending packet: from 85.55.13.202[500] to 83.33.17.200[5621] (337 bytes)
    Jul 25 21:49:12 charon: 13[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jul 25 21:49:12 charon: 13[IKE] <6> sending cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
    Jul 25 21:49:12 charon: 13[IKE] <6> sending cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
    Jul 25 21:49:12 charon: 13[IKE] <6> remote host is behind NAT
    Jul 25 21:49:12 charon: 13[IKE] <6> remote host is behind NAT
    Jul 25 21:49:12 charon: 13[IKE] <6> 83.33.17.200 is initiating an IKE_SA
    Jul 25 21:49:12 charon: 13[IKE] <6> 83.33.17.200 is initiating an IKE_SA
    Jul 25 21:49:12 charon: 13[ENC] <6> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jul 25 21:49:12 charon: 13[IKE] <6> received Vid-Initial-Contact vendor ID
    Jul 25 21:49:12 charon: 13[IKE] <6> received Vid-Initial-Contact vendor ID
    Jul 25 21:49:12 charon: 13[IKE] <6> received MS-Negotiation Discovery Capable vendor ID
    Jul 25 21:49:12 charon: 13[IKE] <6> received MS-Negotiation Discovery Capable vendor ID
    Jul 25 21:49:12 charon: 13[IKE] <6> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jul 25 21:49:12 charon: 13[IKE] <6> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jul 25 21:49:12 charon: 13[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jul 25 21:49:12 charon: 13[NET] <6> received packet: from 83.33.17.200[5621] to 85.55.13.202[500] (616 bytes)

    IPs and DDNS names are fictional.


  • Rebel Alliance Developer Netgate

    Is the client connecting to the DDNS or IP address?

    Whatever the client connects to has to match the CN of the server cert exactly (unless you have EKU checking disabled in the Windows registry).



  • Client is connecting to the DDNS name and that matches the CN of the server cert exactly.



  • Found that the IPsec config file changes after the upgrade; the only difference is this line added:

    rightid = userfqdn:user@example.com



  • Your rightid was configured wrong to begin with, it just wasn't being put into the config previously so it didn't matter. Fixing other problem areas broke that one, we're looking at best option to address. Probably need a new ID option for "any" in that case. Thanks for the report!
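As an added illustration (not code from pfSense, strongSwan or any participant in the thread): the charon line `looking for peer configs matching 85.55.13.202[%any]...83.33.17.200[10.167.123.157]` shows the Windows client presenting its private address as its IKE identity (IDi), and the newly emitted `rightid = userfqdn:user@example.com` can never match that, hence `no matching peer config found`, the `N(AUTH_FAILED)` response and the 13801 error on the client. The Python below parses a conn block and that charon lookup line and applies a simplified model of strongSwan's identity matching to show why the previous config (no `rightid`) and the "any" option work while the added line does not. The matching model, the trimmed sample config, and the assumption that the new "any" peer-ID option emits `rightid = %any` are mine, not taken from the page.

```python
import re

# Constructed sample: the conn block from the thread, reduced to the keys that
# matter for peer-config selection (indentation restored).
CONF_WORKING = """\
config setup
    uniqueids = yes

conn con1
    keyexchange = ikev2
    left = 83.33.17.200
    right = %any
    leftid = fqdn:myhome.doesntexist.com
    leftauth = pubkey
    rightauth = eap-mschapv2
    eap_identity = %any
"""
# The one line the newer snapshot added, and (assumed) what the "any" option emits.
CONF_BROKEN = CONF_WORKING + "    rightid = userfqdn:user@example.com\n"
CONF_FIXED = CONF_WORKING + "    rightid = %any\n"

# charon lookup line as posted in the thread; the bracketed values are the IDs of
# the responder (pfSense) and the initiator (the Windows client).
LOG_LINE = ("Jul 25 21:49:12 charon: 16[CFG] <6> looking for peer configs matching "
            "85.55.13.202[%any]...83.33.17.200[10.167.123.157]")

# Accepts both the real "..." separator and the "\u2026" that copy/paste often produces.
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<my_id>[^\]]*)\](?:\.\.\.|\u2026)"
    r"(?P<peer>\S+?)\[(?P<peer_id>[^\]]*)\]")


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: returns {section_name: {key: value}}.
    Headers are 'config setup' / 'conn <name>'; indentation is ignored, so a
    paste that lost its leading whitespace (like the one in the thread) parses too."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith(('conn ', 'config ')):
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections


def normalize_id(ident):
    """Simplified model of strongSwan identity parsing (an assumption, not its code):
    an explicit prefix fixes the type; otherwise '@' means userfqdn (RFC822 name),
    a dotted quad is an IPv4 address, and anything else is an FQDN."""
    ident = ident.strip()
    if ident in ('', '%any'):
        return ('any', '')
    for prefix, kind in (('fqdn:', 'fqdn'), ('userfqdn:', 'userfqdn'),
                         ('email:', 'userfqdn'), ('keyid:', 'keyid')):
        if ident.lower().startswith(prefix):
            return (kind, ident[len(prefix):])
    if '@' in ident:
        return ('userfqdn', ident)
    if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', ident):
        return ('ipv4', ident)
    return ('fqdn', ident)


def peer_id_matches(configured, presented):
    """Does the configured rightid accept the IDi the initiator sent?"""
    ctype, cval = normalize_id(configured)
    if ctype == 'any':
        return True
    ptype, pval = normalize_id(presented)
    return ctype == ptype and cval.lower() == pval.lower()


def explain(conf_text, log_line, conn='con1'):
    """Combine a conn block with the charon lookup line and return the verdict."""
    settings = parse_ipsec_conf(conf_text)[conn]
    m = LOOKUP_RE.search(log_line)
    if m is None:
        raise ValueError('not a charon peer-config lookup line')
    # An absent rightid falls back to 'right', which is %any for a roadwarrior conn.
    configured = settings.get('rightid', settings.get('right', '%any'))
    presented = m.group('peer_id')
    return {'conn': conn, 'rightid': configured, 'peer_id': presented,
            'match': peer_id_matches(configured, presented)}


if __name__ == '__main__':
    for label, conf in (('working', CONF_WORKING), ('broken', CONF_BROKEN), ('fixed', CONF_FIXED)):
        print(label, explain(conf, LOG_LINE))
```

With `rightauth=eap-mschapv2` and `eap_identity=%any` the username is taken from the EAP exchange, so `rightid` only has to admit whatever IKE identity the Windows client chooses to send (here, its NATed private address); `%any` does that, a fixed `userfqdn:` value does not.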



  • New option "any" added for peer ID, and config upgrade code added so EAP types have their peer ID changed so it continues to match previous behavior. Rebuilding 2.2.4-RELEASE with that change. You can gitsync RELENG_2_2 now to fix that on your system.