IPSec Issues after update to 2.2.4



  • Hello,

    we upgraded our pfSense from 2.2.2 to 2.2.4 and all Road Warriors can no longer connect.

    The pfSense is on a static IP while the clients are NATed and using dynamic IPs.

    Identifiers are "My ip address" and a User distinguished name in the form of an email address.

    We are using IKE V1 with PSK and XAuth, aggressive mode, AES and SHA1, Group 5.

    The clients use the Shrew client.

    Setting "My identifier" to the IP address manually didn't help. Setting "Peer identifier" to "any" didn't help.

    Any ideas or any more information needed?

    Thank you very much!

    Kind regards,

    Lars

    Log entries (x.x.x.x = IP of pfSense, y.y.y.y = peer IP):

    
    Aug 12 12:08:33 	charon: 06[JOB] <con1|43>deleting half open IKE_SA after timeout
    Aug 12 12:08:28 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:28 	charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
    Aug 12 12:08:28 	charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
    Aug 12 12:08:15 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:15 	charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
    Aug 12 12:08:15 	charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
    Aug 12 12:08:08 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:08 	charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
    Aug 12 12:08:08 	charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 06[ENC] <con1|43>could not decrypt payloads
    Aug 12 12:08:04 	charon: 06[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
    Aug 12 12:08:04 	charon: 06[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>generating INFORMATIONAL_V1 request 768892632 [ HASH N(PLD_MAL) ]
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>could not decrypt payloads
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Aug 12 12:08:04 	charon: 14[CFG] <43> selected peer config "con1"
    Aug 12 12:08:04 	charon: 14[CFG] <43> looking for XAuthInitPSK peer configs matching x.x.x.x...y.y.y.y[vpn@kv-viersen.drk.local]
    Aug 12 12:08:03 	charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 12 12:08:03 	charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 12 12:08:03 	charon: 14[IKE] <43> received Cisco Unity vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received Cisco Unity vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Aug 12 12:08:03 	charon: 14[IKE] <43> received FRAGMENTATION vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received FRAGMENTATION vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received XAuth vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received XAuth vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V ]
    Aug 12 12:08:03 	charon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)
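    The charon log above is newest-first and mixes lines from two threads, which makes the failure pattern easy to miss: the responder sends its AGGRESSIVE response on port 500, the peer floats to port 4500 (NAT-T) and its next two packets cannot be decrypted, so the responder retransmits the response three times and finally drops the half-open IKE_SA. The following script is an added example, not code from the original post, from pfSense or from strongSwan. It parses charon lines of this shape, groups them per IKE_SA, reorders them oldest-first and reduces each SA to a small triage record. The embedded sample is a constructed subset of the lines posted above (x.x.x.x and y.y.y.y are the placeholders used in the post); the record field names and the verdict strings are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the charon lines from the post, newest-first
# as pfSense displays them (x.x.x.x = pfSense, y.y.y.y = peer, as in the post).
SAMPLE_LOG = """\
Aug 12 12:08:33 \tcharon: 06[JOB] <con1|43>deleting half open IKE_SA after timeout
Aug 12 12:08:28 \tcharon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:28 \tcharon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:15 \tcharon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
Aug 12 12:08:08 \tcharon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
Aug 12 12:08:04 \tcharon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
Aug 12 12:08:04 \tcharon: 06[ENC] <con1|43>could not decrypt payloads
Aug 12 12:08:04 \tcharon: 06[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 \tcharon: 06[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Aug 12 12:08:04 \tcharon: 14[ENC] <con1|43>could not decrypt payloads
Aug 12 12:08:04 \tcharon: 14[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 \tcharon: 14[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
Aug 12 12:08:04 \tcharon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
Aug 12 12:08:04 \tcharon: 14[ENC] <con1|43>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 12 12:08:04 \tcharon: 14[CFG] <43> selected peer config "con1"
Aug 12 12:08:03 \tcharon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 \tcharon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)
"""

# "<con1|43>" carries connection name and SA id; "<43>" only the SA id.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*"
    r"(?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"(?P<dir>received|sending) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>\S+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)"
)
RETRANSMIT_RE = re.compile(r"sending retransmit (?P<n>\d+) of response message ID (?P<mid>\d+)")


def parse_charon_log(text, newest_first=True):
    """Parse charon lines into dicts; unparseable lines are skipped. Returns oldest-first."""
    entries = [m.groupdict() for m in map(LINE_RE.match, (l.strip() for l in text.splitlines())) if m]
    if newest_first:
        entries.reverse()  # pfSense shows newest on top; reverse to get the real order
    return entries


def triage_ike_sa(entries):
    """Reduce one IKE_SA's entries (oldest first) to a triage record."""
    rec = {
        "sa": None, "conn": None, "aggressive": False, "response_sent": False,
        "peer_ports": [], "undecryptable_packets": 0, "max_retransmit": 0,
        "half_open_timeout": False, "verdict": "unknown",
    }
    for e in entries:
        rec["sa"] = rec["sa"] or e["sa"]
        rec["conn"] = rec["conn"] or e["conn"]  # the name appears once config is selected
        msg = e["msg"]
        if "Aggressive Mode IKE_SA" in msg:
            rec["aggressive"] = True
        if "generating AGGRESSIVE response" in msg:
            rec["response_sent"] = True
        pkt = PKT_RE.search(msg)
        if pkt and pkt["dir"] == "received":
            port = int(pkt["sport"])
            if port not in rec["peer_ports"]:
                rec["peer_ports"].append(port)  # ordered: 500 then 4500 shows the NAT-T float
        if "invalid HASH_V1 payload length" in msg:
            rec["undecryptable_packets"] += 1
        rt = RETRANSMIT_RE.search(msg)
        if rt:
            rec["max_retransmit"] = max(rec["max_retransmit"], int(rt["n"]))
        if "deleting half open IKE_SA" in msg:
            rec["half_open_timeout"] = True
        if "IKE_SA" in msg and "established" in msg:
            rec["verdict"] = "established"
    if rec["verdict"] != "established":
        if rec["response_sent"] and rec["undecryptable_packets"]:
            # We answered the peer's first message but could not decrypt its reply:
            # phase 1 never completed, so look at PSK/identifier/mode settings, not phase 2.
            rec["verdict"] = "phase1_decrypt_failure"
        elif rec["half_open_timeout"]:
            rec["verdict"] = "half_open_timeout"
    rec["nat_t_float"] = 500 in rec["peer_ports"] and 4500 in rec["peer_ports"]
    return rec


def triage_log(text, newest_first=True):
    """Group parsed lines by SA id and triage each SA; returns {sa_id: record}."""
    by_sa = OrderedDict()
    for e in parse_charon_log(text, newest_first):
        by_sa.setdefault(e["sa"], []).append(e)
    return {sa: triage_ike_sa(es) for sa, es in by_sa.items()}


if __name__ == "__main__":
    for sa, rec in triage_log(SAMPLE_LOG).items():
        print(sa, rec)
```

    Run against the sample, SA 43 comes back with verdict `phase1_decrypt_failure`, `peer_ports == [500, 4500]`, two undecryptable packets, three retransmits and a half-open timeout, which is exactly the shape of the problem in the post: the failure is at the first encrypted IKEv1 message, before any XAuth or mode-config exchange could happen. Feeding the script a full `/var/log/ipsec.log` (with `newest_first=False` for the raw file) gives one record per SA, so a burst of such records from many peers after an upgrade points at a server-side change rather than at individual clients.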
    


  • Based on strongswan
    https://wiki.strongswan.org/issues/460

    try with modeconfig=pull



  • Upgrade to latest 2.2.5 snapshot, that's probably the same root cause as this (which is confirmed fixed by several people in 2.2.5).

    @dcandea:

    Based on strongswan
    https://wiki.strongswan.org/issues/460

    try with modeconfig=pull

    That has no relation in this case.

