Ipsec problem after update to latest snapshot 2.2.4
-
Hello everybody,
After upgrading to the latest 2.2.4 snapshot (used them successfully for more than 15 days), the IPsec tunnel configured with IKEv2 and EAP-MSChapv2, as per the pfSense doc (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2), is not working anymore: no connection with WP8.1 nor Windows 7/8.1.
How to troubleshoot this?
Help please
daxpfacc
-
How is it failing? That's one thing we tested repeatedly since we fixed the certificates to have the proper EKU value to make Windows happy.
You might try generating a new server certificate now that you are on 2.2.4 and then picking that for IPsec.
-
Thanks for answering.
I was already on 2.2.4, just upgraded to the latest and stopped working.
pfSense-Full-Update-2.2.4-DEVELOPMENT-i386-2015..> 23-Jul-2015 14:52 97959020 WORKING
pfSense-Full-Update-2.2.4-DEVELOPMENT-i386-2015..> 24-Jul-2015 00:24 97952257 NOT WORKING
Tried to revert to previous snapshot and worked again.
While on latest snapshot tried rebuilding CA and server certs but no luck.
Could it be related to me having CN and SAN to the same dynamic dns value?
If needed I can provide the working config file to test.
daxpfacc
-
We found that Windows ignored the SAN entirely. The CN is all it cared about.
What is the exact error you're seeing on Windows? Or in the logs?
The only commit that looks like it might be relevant is https://github.com/pfsense/pfsense/commit/021a97b58a3ab24a66773ccc61670365015c85e5
Though maybe you had Key Exchange on Auto rather than IKEv2? https://github.com/pfsense/pfsense/commit/4d7568404c276ea8fd10583e8d769f5ba82587aa
You could try reverting one or both of those using the System Patches package.
-
Key exchange set to IKEv2.
Windows 7 and WP8.1 error is 13801.
IPsec config:
# This file is automatically generated. Do not edit
config setup
uniqueids = yes
charondebug=""

conn con1
fragmentation = yes
keyexchange = ikev2
reauth = yes
forceencaps = no
mobike = yes
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
auto = add
left = 83.33.17.200
right = %any
leftid = fqdn:myhome.doesntexist.com
ikelifetime = 28800s
lifetime = 3600s
rightsourceip = 192.168.111.0/24
ike = aes256-sha256-modp1024!
esp = aes256-sha1!
eap_identity=%any
leftauth=pubkey
rightauth=eap-mschapv2
leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
leftsubnet = 192.168.200.0/24
pfSense logs:
Jul 25 21:49:12 charon: 16[NET] <6> sending packet: from 85.55.13.202[4500] to 83.33.17.200[5587] (80 bytes)
Jul 25 21:49:12 charon: 16[ENC] <6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 25 21:49:12 charon: 16[IKE] <6> peer supports MOBIKE
Jul 25 21:49:12 charon: 16[IKE] <6> peer supports MOBIKE
Jul 25 21:49:12 charon: 16[CFG] <6> no matching peer config found
Jul 25 21:49:12 charon: 16[CFG] <6> looking for peer configs matching 85.55.13.202[%any]...83.33.17.200[10.167.123.157]
Jul 25 21:49:12 charon: 16[IKE] <6> received 48 cert requests for an unknown ca
Jul 25 21:49:12 charon: 16[IKE] <6> received 48 cert requests for an unknown ca
Jul 25 21:49:12 charon: 16[IKE] <6> received cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
Jul 25 21:49:12 charon: 16[IKE] <6> received cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
Jul 25 21:49:12 charon: 16[ENC] <6> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 25 21:49:12 charon: 16[NET] <6> received packet: from 83.33.17.200[5587] to 85.55.13.202[4500] (1328 bytes)
Jul 25 21:49:12 charon: 13[NET] <6> sending packet: from 85.55.13.202[500] to 83.33.17.200[5621] (337 bytes)
Jul 25 21:49:12 charon: 13[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 25 21:49:12 charon: 13[IKE] <6> sending cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
Jul 25 21:49:12 charon: 13[IKE] <6> sending cert request for "C=US, ST=texas, L=austin, O=company, E=admin@mycompany.com, CN=something-ca"
Jul 25 21:49:12 charon: 13[IKE] <6> remote host is behind NAT
Jul 25 21:49:12 charon: 13[IKE] <6> remote host is behind NAT
Jul 25 21:49:12 charon: 13[IKE] <6> 83.33.17.200 is initiating an IKE_SA
Jul 25 21:49:12 charon: 13[IKE] <6> 83.33.17.200 is initiating an IKE_SA
Jul 25 21:49:12 charon: 13[ENC] <6> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 25 21:49:12 charon: 13[IKE] <6> received Vid-Initial-Contact vendor ID
Jul 25 21:49:12 charon: 13[IKE] <6> received Vid-Initial-Contact vendor ID
Jul 25 21:49:12 charon: 13[IKE] <6> received MS-Negotiation Discovery Capable vendor ID
Jul 25 21:49:12 charon: 13[IKE] <6> received MS-Negotiation Discovery Capable vendor ID
Jul 25 21:49:12 charon: 13[IKE] <6> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 25 21:49:12 charon: 13[IKE] <6> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 25 21:49:12 charon: 13[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 25 21:49:12 charon: 13[NET] <6> received packet: from 83.33.17.200[5621] to 85.55.13.202[500] (616 bytes)
IPs and DDNS names are fantasy.
-
Is the client connecting to the DDNS or IP address?
Whatever the client connects to has to match the CN of the server cert exactly (unless you have EKU checking disabled in the Windows registry).
-
Client is connecting to DDNS and that matches exactly the CN of the server cert.
-
Found that the IPsec config file changes after upgrade, only difference is this line added:
rightid = userfqdn:user@example.com
-
Your rightid was configured wrong to begin with; it just wasn't being put into the config previously, so it didn't matter. Fixing other problem areas broke that one; we're looking at the best option to address it. Probably need a new ID option for "any" in that case. Thanks for the report!
-
New option "any" added for peer ID, and config upgrade code added so EAP types have their peer ID changed so it continues to match previous behavior. Rebuilding 2.2.4-RELEASE with that change. You can gitsync RELENG_2_2 now to fix that on your system.
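The root cause in this thread is a mismatch between the peer ID the conn expects (the newly emitted rightid) and the IDi the Windows client actually presents (the address 10.167.123.157 seen in the "looking for peer configs" log line), which charon reports as "no matching peer config found" followed by AUTH_FAILED. The following script is an added example, not pfSense or strongSwan code: it parses a pfSense-style ipsec.conf, pulls the presented IDs out of the charon lookup line, and flags an EAP conn whose rightid is pinned to a value the client will never present. The sample config and log line are constructed to mirror the thread, and the ID-matching function is a deliberately simplified model of charon's behaviour ('%any' matches anything, otherwise exact match after stripping the type prefix), not its real matching logic.

```python
"""Lint a strongSwan ipsec.conf conn for the EAP peer-ID pitfall from this thread.
Added example; simplified model of charon's ID matching (assumption, see lead-in)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the pfSense-generated conn from the thread, including the
# 'rightid' line that the broken snapshot started emitting.
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn con1
    keyexchange = ikev2
    left = 83.33.17.200
    right = %any
    leftid = fqdn:myhome.doesntexist.com
    rightid = userfqdn:user@example.com
    leftauth = pubkey
    rightauth = eap-mschapv2
    eap_identity = %any
    rightsourceip = 192.168.111.0/24
"""

# Constructed charon log line in the format shown in the thread (fantasy IPs).
SAMPLE_LOG = ("Jul 25 21:49:12 charon: 16[CFG] <6> looking for peer configs "
              "matching 85.55.13.202[%any]...83.33.17.200[10.167.123.157]")

LOOKUP_RE = re.compile(
    r"looking for peer configs matching \S+\[([^\]]*)\](?:\.{3}|\u2026)\S+\[([^\]]*)\]")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf into {section: {key: value}}. Section headers start in
    column 0 ('config setup', 'conn NAME'); settings are indented key=value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                    # section header
            current = " ".join(line.split(None, 1))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_lookup(line: str) -> Tuple[str, str]:
    """Return (local_id, remote_id) from charon's 'looking for peer configs' line."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    return m.group(1), m.group(2)


def peer_id_matches(configured: str, presented: str) -> bool:
    """Simplified model (assumption): an unset rightid or '%any' matches any
    IDi; an explicit rightid must equal the presented ID once the strongSwan
    type prefix (fqdn:, userfqdn:, ...) is stripped."""
    if configured in ("", "%any"):
        return True

    def bare(ident: str) -> str:
        return ident.split(":", 1)[-1].lower()

    return bare(configured) == bare(presented)


def lint_conn(settings: Dict[str, str], presented_id: str) -> List[str]:
    """Findings for one conn given the IDi a client presented."""
    findings: List[str] = []
    rightauth = settings.get("rightauth", "")
    rightid = settings.get("rightid", "")
    if rightauth.startswith("eap-") and rightid not in ("", "%any"):
        findings.append(
            f"rightauth={rightauth} with rightid={rightid}: a fixed peer ID only "
            "matches clients presenting exactly that IDi; road-warrior EAP conns "
            "want rightid=%any (the 'any' option from this thread)")
    if not peer_id_matches(rightid, presented_id):
        findings.append(
            f"client IDi {presented_id!r} does not match rightid {rightid!r}: "
            "charon logs 'no matching peer config found' and answers AUTH_FAILED")
    return findings


def run(conf_text: str = SAMPLE_CONF, log_line: str = SAMPLE_LOG) -> List[str]:
    """Lint every conn in conf_text against the remote ID seen in log_line."""
    _local_id, presented = parse_lookup(log_line)
    findings: List[str] = []
    for name, settings in parse_ipsec_conf(conf_text).items():
        if name.startswith("conn "):
            findings.extend(lint_conn(settings, presented))
    return findings


if __name__ == "__main__":
    for finding in run():
        print("WARN:", finding)
```

Running it against the constructed sample produces two warnings (pinned rightid on an EAP conn, and the concrete mismatch with the presented address); swapping the rightid line for `rightid = %any`, which is what the config upgrade code in the release does for EAP types, produces none.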