Upgrade to 2.2.4 -> The VPN Shared Secret is incorrect



  • Hi there guys…

    I have a single pfSense firewall installation at home, running on an Intel PC. I have one external user who connects from a Mac over VPN from time to time.
    He reported to me that he's receiving the error "The VPN Shared Secret is incorrect" ... this is after I upgraded to 2.2.4 a few days ago. I was previously running 2.2.3.
    I can confirm the error message as I'm getting the error as well when I try and log in to test.

    I have read a number of the other forum topics on the subject and some seem to be resolved by upgrading to 2.2.4.

    I'm not sure where to go next.

    Config:

    KeyExchange: V1
    IP: IPv4
    Interface: WAN

    Auth Method: Mutual PSK + Xauth
    Negotiation: Aggressive
    My identifier: My ip address
    Peer identifier: Distinguished name ... blah blah blah
    pre-Shared Key: dxyz01!  (not really)

    Encryption: AES / 128 bits
    Hash algorithm: SHA1
    DH Key Group: 2 (1024 bit)
    Lifetime: 84400

    • David


  • Some configurations that were wrong before happened to work where they shouldn't have, though that description doesn't bring to mind a specific change that would impact it.

    This is using the VPN type OS X labels as "Cisco IPsec"? And your peer identifier/group name is an email address format? That type should actually be user distinguished name, not just distinguished name. Maybe that's it.



  • @cmb:

    Some configurations that were wrong before happened to work where they shouldn't have, though that description doesn't bring to mind a specific change that would impact it.

    This is using the VPN type OS X labels as "Cisco IPsec"? And your peer identifier/group name is an email address format? That type should actually be user distinguished name, not just distinguished name. Maybe that's it.

    Thank you for the reply.
    Yes, Cisco IPsec (pretty damn sure without recreating it). The group name is "xyz.com" - so not an e-mail address. I'll try a change and see what happens there. Back soon.

    • David


  • I changed distinguished name to user distinguished name -> david@xyz.com
    And changed the group specification on OS X to be the same.
    It still failed with the same error.

    Aug 4 14:33:10 charon: 11[IKE] <con2|11> INFORMATIONAL_V1 request with message ID 3158498826 processing failed
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> ignore malformed INFORMATIONAL request
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> message parsing failed
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> sending NAT-T (RFC 3947) vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> sending FRAGMENTATION vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> sending Cisco Unity vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> sending DPD vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <con2|11> sending XAuth vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
    Aug 4 14:33:10 charon: 11[IKE] <11> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
    Aug 4 14:33:10 charon: 11[IKE] <11> received DPD vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received Cisco Unity vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received XAuth vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received draft-ietf-ipsec-nat-t-ike vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received NAT-T (RFC 3947) vendor ID
    Aug 4 14:33:10 charon: 11[IKE] <11> received FRAGMENTATION vendor ID
    Aug 4 14:33:09 charon: 11[IKE] <con2|10> IKE_SA con2[10] state change: CONNECTING => DESTROYING



  • Some additional information.

    /var/etc/ipsec: cat ipsec.secrets
    203.97.236.202 @dgw.kiwi : PSK 0<changed to protect me>=
    203.97.236.202 dgwilson : PSK 0<changed to protect me>=

    In the gui the Distinguished name is defined as "dgw.kiwi" - without the quotes.

    • David


  • I'm continuing to look at this and experiment by changing various settings… without success.

    Anyway...  I put the IKE SA debug mode to highest... below is the final part of the log file...  I trust this will be of assistance.

    ... this is a bug right? Do I need to log a bug for it?
    ... can I look at the code for this? Where do I look? not sure I want to go here...

    Aug 6 19:46:51 charon: 11[IKE] <con2|3> sending retransmit 1 of response message ID 0, seq 1
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> INFORMATIONAL_V1 request with message ID 3698334349 processing failed
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> ignore malformed INFORMATIONAL request
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> message parsing failed
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 79 A8 9B 58 75 8C 17 95 00 CF ED 66 9D 5C C8 9D y..Xu......f...
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> next IV for MID 3698334349 => 16 bytes @ 0x29c52cc0
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 21 CC 87 A1 !...
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 13 3F 59 46 CD E8 8D C4 90 C4 CF 45 F7 7B 18 6A .?YF.......E.{.j
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_hash => 20 bytes @ 0x288f4220
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: C0 A8 0A 8C 01 F4 ......
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 76 F5 2A 36 4A CF BE 56 48 89 D8 53 79 59 FD 05 v.*6J..VH..SyY..
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> natd_chunk => 22 bytes @ 0xbeff3d70
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 16: 32 67 7D 21 2g}!
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> 0: 37 EB 39 57 FF 4D DB A5 B8 49 21 10 F0 99 47 F9 7.9W.M...I!...G.
    Aug 6 19:46:47 charon: 11[IKE] <con2|3> HASH_R => 20 bytes @ 0x288f4220



  • And more debug settings turned on…

    Invalid HASH_V1 payload length, decryption failed....
    could not decrypt payloads ...

    A problem with the IKEv1 decryption??????


    Aug 6 20:02:25 charon: 04[IKE] <con2|4> message parsing failed
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> could not decrypt payloads
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> invalid HASH_V1 payload length, decryption failed?
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 9F 20 CA 1E 76 43 21 1C F9 55 32 CA 7A 41 B9 06 . ..vC!..U2.zA..
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: B1 88 23 C1 87 78 7C 65 7D 48 18 28 B0 C5 F1 E3 ..#..x|e}H.(....
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: CD B2 1F 0E DA FC 34 8A 7D EF AE A9 87 55 3E 7E ......4.}....U>~
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> plain => 48 bytes @ 0x2a093160
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 32: 7E 9F 84 3A CA 15 B9 B0 9C F2 59 42 8C 89 8F 4F ~..:......YB...O
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 16: BB E9 E4 BC 7B EF F4 9E 5E 85 28 EC A0 56 21 E8 ....{...^.(..V!.
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> 0: F2 A5 D0 0C 60 E8 C7 2E FE 0F 52 33 53 D3 AC 1A .........R3S...
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> encrypted => 48 bytes @ 0x2a093160
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> decrypting payloads:
    Aug 6 20:02:25 charon: 04[IKE] <con2|4> 0: C4 A3 00 AE 5C EE 73 4F D3 78 C4 62 79 3E 18 03 .....sO.x.by>..
    Aug 6 20:02:25 charon: 04[IKE] <con2|4> next IV for MID 3073414076 => 16 bytes @ 0x29c4e800
    Aug 6 20:02:25 charon: 04[ENC] <con2|4> found an encrypted payload

    ------------------------------------------------------------------------------------------------------------------

    And more debug settings...
    IKEv1
    Authentication: Mutual PSK + Xauth
    Negotiation: Aggressive

    --> invalid shared secret

    ... yes I'm trying to connect internally on the network to test. It's worked in the past.


    Aug 6 20:24:09 charon: 09[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
    Aug 6 20:24:09 charon: 09[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
    Aug 6 20:24:05 charon: 09[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 2747622485 processing failed
    Aug 6 20:24:05 charon: 09[IKE] <con2|1> ignore malformed INFORMATIONAL request
    Aug 6 20:24:05 charon: 09[IKE] <con2|1> message parsing failed
    Aug 6 20:24:05 charon: 09[ENC] <con2|1> could not decrypt payloads
    Aug 6 20:24:05 charon: 09[ENC] <con2|1> invalid HASH_V1 payload length, decryption failed?
    Aug 6 20:24:05 charon: 09[NET] <con2|1> received packet: from 192.168.10.140[4500] to 203.97.236.202[4500] (76 bytes)
    Aug 6 20:24:05 charon: 09[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
    Aug 6 20:24:05 charon: 09[ENC] <con2|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Aug 6 20:24:05 charon: 09[CFG] <1> selected peer config "con2"
    Aug 6 20:24:05 charon: 09[CFG] <1> looking for XAuthInitPSK peer configs matching 203.97.236.202...192.168.10.140[dgw.kiwi]
    Aug 6 20:24:05 charon: 09[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
    Aug 6 20:24:05 charon: 09[IKE] <1> received DPD vendor ID
    Aug 6 20:24:05 charon: 09[IKE] <1> received Cisco Unity vendor ID
    Aug 6 20:24:05 charon: 09[IKE] <1> received XAuth vendor ID
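To map these charon lines back to the protocol, here is an added example (not code from this thread, pfSense or strongSwan) that carries out the RFC 2409 pre-shared-key derivation with the thread's AES-128/SHA1 proposal and shows why a PSK mismatch surfaces on the responder as "invalid HASH_V1 payload length, decryption failed?" instead of an explicit wrong-key message. Nonces, cookies, the DH secret and the IV are constructed constants, and the encrypted message is reduced to a single HASH payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// prf is HMAC-SHA1, the hash negotiated in the thread's Phase 1 proposal.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha1.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// EncKey is RFC 2409 section 5 for PSK authentication: SKEYID = prf(PSK, Ni|Nr),
// then SKEYID_d, SKEYID_a, SKEYID_e; AES-128 takes 16 of SKEYID_e's 20 bytes.
func EncKey(psk, ni, nr, gxy, ckyI, ckyR []byte) []byte {
	skeyid := prf(psk, ni, nr)
	d := prf(skeyid, gxy, ckyI, ckyR, []byte{0})
	a := prf(skeyid, d, gxy, ckyI, ckyR, []byte{1})
	return prf(skeyid, a, gxy, ckyI, ckyR, []byte{2})[:16]
}

// EncryptHash: generic payload header + 20-byte hash, zero-padded to 32 bytes, AES-CBC in place.
func EncryptHash(key, iv, hash []byte) []byte {
	plain := make([]byte, 32)
	binary.BigEndian.PutUint16(plain[2:], uint16(4+len(hash)))
	copy(plain[4:], hash)
	block, _ := aes.NewCipher(key) // EncKey always yields a 16-byte key
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(plain, plain)
	return plain
}

// DecryptHash (responder side): decrypt, then check the payload header; a wrong key gives random bytes, so this check fails.
func DecryptHash(key, iv, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	plain := append([]byte(nil), ct...)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, plain)
	n := int(binary.BigEndian.Uint16(plain[2:]))
	if n != 4+sha1.Size || n > len(plain) {
		return nil, fmt.Errorf("invalid HASH_V1 payload length, decryption failed?")
	}
	return plain[4:n], nil
}

// Roundtrip encrypts under the client's PSK and decrypts under the responder's.
// Nonces, cookies, DH secret and IV are constructed constants; nil means parsed.
func Roundtrip(clientPSK, serverPSK string) error {
	ni, nr := []byte("nonce-initiator!"), []byte("nonce-responder!")
	gxy, ckyI, ckyR := []byte("constructed-dh-secret"), []byte("cookieI!"), []byte("cookieR!")
	iv, hash := []byte("constructed-iv16"), prf([]byte("SKEYID_a"), []byte("HASH_V1 stand-in"))
	ct := EncryptHash(EncKey([]byte(clientPSK), ni, nr, gxy, ckyI, ckyR), iv, hash)
	_, err := DecryptHash(EncKey([]byte(serverPSK), ni, nr, gxy, ckyI, ckyR), iv, ct)
	return err
}

func main() { // prints <nil> for the matching PSK, then charon's wording for the other
	fmt.Println(Roundtrip("dxyz01!", "dxyz01!"), Roundtrip("dxyz01!", "some-other-key"))
}
```

This is consistent with the order of events in the log: the client is the first to notice, when the HASH_R in the Aggressive Mode response does not verify under its own key (the "Shared Secret is incorrect" dialog), and whatever it sends next under its own SKEYID_e is what the responder then fails to decrypt while it keeps retransmitting response message ID 0.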



  • You have the client connecting to an IP or hostname?



  • Client is connecting to an IP Address.

    Always has. Hmmm, recommended config change somewhere? Interesting.

    • David


  • Was curious if by FQDN, in case that made it not match ipsec.secrets for some reason.

    Try changing your IP in ipsec.secrets to:

    %any @dgw.kiwi : PSK ...
    

    Then run 'ipsec stop && ipsec start' and try to connect again. If you have other connections you don't want to drop, just a 'ipsec rereadall' will suffice, a stop/start just makes really sure everything previous is cleared out, and any SAs are deleted.

    If that doesn't work, try omitting the %any part in the above. If that doesn't work, take the leading part out entirely so you have something like:

     : PSK ...
    

    And let us know the results.



  • I changed ipsec.secrets to:
    %any @dgw.kiwi : PSK 0<deleted>=
    203.97.236.202 dgwilson : PSK 0<deleted>=

    Initiated the stop and start… from the command line.
    Received the same error... Shared Secret is incorrect.

    I confirm that the contents of ipsec.secrets was correct before and after the connection.
    Stopping and starting the service via the GUI causes ipsec.secrets to be re-created. (I suspect you knew that. :-) )

    Aug 7 17:39:31 charon: 15[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
    Aug 7 17:39:31 charon: 15[IKE] <con2|1> sending retransmit 1 of response message ID 0, seq 1
    Aug 7 17:39:27 charon: 15[IKE] <con2|1> INFORMATIONAL_V1 request with message ID 3403150820 processing failed
    Aug 7 17:39:27 charon: 15[IKE] <con2|1> ignore malformed INFORMATIONAL request
    Aug 7 17:39:27 charon: 15[IKE] <con2|1> message parsing failed
    Aug 7 17:39:27 charon: 15[ENC] <con2|1> could not decrypt payloads
    Aug 7 17:39:27 charon: 15[ENC] <con2|1> invalid HASH_V1 payload length, decryption failed?
    Aug 7 17:39:27 charon: 15[NET] <con2|1> received packet: from 192.168.10.140[4500] to 203.97.236.202[4500] (76 bytes)
    Aug 7 17:39:27 charon: 15[NET] <con2|1> sending packet: from 203.97.236.202[500] to 192.168.10.140[500] (432 bytes)
    Aug 7 17:39:27 charon: 15[ENC] <con2|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Aug 7 17:39:27 charon: 15[CFG] <1> selected peer config "con2"
    Aug 7 17:39:27 charon: 15[CFG] <1> looking for XAuthInitPSK peer configs matching 203.97.236.202...192.168.10.140[dgw.kiwi]
    Aug 7 17:39:27 charon: 15[IKE] <1> 192.168.10.140 is initiating a Aggressive Mode IKE_SA
    Aug 7 17:39:27 charon: 15[IKE] <1> received DPD vendor ID
    Aug 7 17:39:27 charon: 15[IKE] <1> received Cisco Unity vendor ID
    Aug 7 17:39:27 charon: 15[IKE] <1> received XAuth vendor ID
    Aug 7 17:39:27 charon: 15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID



  • I have continued… removing the %any
    ... that met with the same fate of Shared Secret is incorrect.

    and continuing again to remove the dgw.kiwi so that I'm left with : PSK...

    and... we have a connection! Success.

    I'm happy to continue the playing and experimenting to assist with the fault diagnosis.
    Let me know what you'd like me to do.

    • David
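To make the selector behaviour cmb was probing concrete, here is an added example (not pfSense's or strongSwan's code) that parses the three ipsec.secrets variants tried above and applies a simplified best-match rule to them; that rule is this example's own assumption about how the daemon chooses, and the key values are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Secret is one parsed "selectors : PSK value" line from ipsec.secrets.
type Secret struct {
	Selectors []string
	PSK       string
}

// ParseSecrets handles the line forms seen in this thread: zero or more
// selectors (an IP, %any, @fqdn or a bare user name) before ": PSK <value>".
func ParseSecrets(text string) []Secret {
	var out []Secret
	for _, line := range strings.Split(text, "\n") {
		i := strings.Index(line, ":")
		if i < 0 || strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue
		}
		right := strings.Fields(line[i+1:])
		if len(right) != 2 || right[0] != "PSK" {
			continue
		}
		out = append(out, Secret{Selectors: strings.Fields(line[:i]), PSK: right[1]})
	}
	return out
}

// Select is a simplified best-match rule (this example's assumption, not
// strongSwan's code): every selector on a line must match the local or remote
// identity, %any matches anything, no selectors matches everyone, most wins.
func Select(secrets []Secret, local, remote string) (string, int) {
	bestPSK, bestScore := "", -1
	for _, s := range secrets {
		score := 0
		for _, sel := range s.Selectors {
			if sel != "%any" && sel != local && sel != remote {
				score = -1
				break
			}
			score++
		}
		if score > bestScore {
			bestPSK, bestScore = s.PSK, score
		}
	}
	return bestPSK, bestScore
}

func main() {
	// Constructed file mirroring the three variants tried in the thread, with
	// placeholder key values; "@dgw.kiwi" is the file's spelling of an FQDN id.
	secrets := ParseSecrets(`203.97.236.202 @dgw.kiwi : PSK key-specific
%any @dgw.kiwi : PSK key-any-ip
: PSK key-catchall`)
	// First peer matches as the expected FQDN; the second presents a user FQDN
	// the selectors do not cover, so only the catch-all line fits it.
	for _, remote := range []string{"@dgw.kiwi", "david@xyz.com"} {
		psk, n := Select(secrets, "203.97.236.202", remote)
		fmt.Printf("remote %-14s -> %s (%d selectors matched)\n", remote, psk, n)
	}
}
```

A bare ": PSK" line matches every peer that authenticates with a pre-shared key, whatever identity it presents, so the workaround that got David connected also hands the same key to every mobile client; where several client groups are meant to have different keys, that distinction is lost until the selector matching is fixed.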


  • @dgwilson:

    and continuing again to remove the dgw.kiwi so that I'm left with : PSK…

    and... we have a connection! Success.

    I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

    I can confirm, this worked for me as well….

    woohoo!



  • @dgwilson:

    Stopping and starting the service via the GUI causes ipsec.secrets to be re-created. (I suspect you knew that. :-) )

    Yeah, I meant to run those commands from the shell, which won't regenerate the conf files.

    @dgwilson:

    and… we have a connection! Success.

    Ok good, thanks for that. I'll check into that further to see what the difference is.



  • @juniper80:

    I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

    I can confirm, this worked for me as well….

    With iOS and/or OS X mobile clients?



  • I have tested on iOS as well.

    The connection failed until I repeated the edits required on ipsec.secrets by making it look like…

    : PSK ...

    • David


  • Issue and solution confirmed. Thanks for all the help.



  • @cmb:

    @juniper80:

    I had the same issue (Update from 2.1 -> 2.2.4, IPsec Phase1 keeps failing)

    I can confirm, this worked for me as well….

    With iOS and/or OS X mobile clients?

    For me this solved the issue on Windows with Shrewsoft VPN Client.