Problems with IPsec since the update to 2.2.4



  • Hello,

    we updated our pfSense from 2.2.2 to 2.2.4 and since then our road warriors can no longer connect via VPN.

    The pfSense has a static IP, while the clients are NATed and use dynamic IPs.

    The identifiers are "My IP address" and "User distinguished name" in the form of an e-mail address.

    We use IKEv1 with PSK and XAuth, aggressive mode, AES and SHA1, group 5.

    The clients use Shrew.

    Setting "My identifier" manually to the IP didn't help, and setting "Peer identifier" to "any" didn't help either.

    Does anyone have an idea, or is more information needed?

    Many thanks!

    Best regards,

    Lars

    Log entries (x.x.x.x = IP of the pfSense, y.y.y.y = peer IP):

    
    Aug 12 12:08:33 	charon: 06[JOB] <con1|43>deleting half open IKE_SA after timeout
    Aug 12 12:08:28 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:28 	charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
    Aug 12 12:08:28 	charon: 06[IKE] <con1|43>sending retransmit 3 of response message ID 0, seq 1
    Aug 12 12:08:15 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:15 	charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
    Aug 12 12:08:15 	charon: 06[IKE] <con1|43>sending retransmit 2 of response message ID 0, seq 1
    Aug 12 12:08:08 	charon: 06[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:08 	charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
    Aug 12 12:08:08 	charon: 06[IKE] <con1|43>sending retransmit 1 of response message ID 0, seq 1
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>INFORMATIONAL_V1 request with message ID 1844034455 processing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>ignore malformed INFORMATIONAL request
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 06[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 06[ENC] <con1|43>could not decrypt payloads
    Aug 12 12:08:04 	charon: 06[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
    Aug 12 12:08:04 	charon: 06[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>AGGRESSIVE request with message ID 0 processing failed
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>generating INFORMATIONAL_V1 request 768892632 [ HASH N(PLD_MAL) ]
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 14[IKE] <con1|43>message parsing failed
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>could not decrypt payloads
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>invalid HASH_V1 payload length, decryption failed?
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
    Aug 12 12:08:04 	charon: 14[NET] <con1|43>sending packet: from x.x.x.x[500] to y.y.y.y[500] (496 bytes)
    Aug 12 12:08:04 	charon: 14[ENC] <con1|43>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Aug 12 12:08:04 	charon: 14[CFG] <43> selected peer config "con1"
    Aug 12 12:08:04 	charon: 14[CFG] <43> looking for XAuthInitPSK peer configs matching x.x.x.x...y.y.y.y[vpn@kv-viersen.drk.local]
    Aug 12 12:08:03 	charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 12 12:08:03 	charon: 14[IKE] <43> y.y.y.y is initiating a Aggressive Mode IKE_SA
    Aug 12 12:08:03 	charon: 14[IKE] <43> received Cisco Unity vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received Cisco Unity vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Aug 12 12:08:03 	charon: 14[IKE] <43> received FRAGMENTATION vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received FRAGMENTATION vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received XAuth vendor ID
    Aug 12 12:08:03 	charon: 14[IKE] <43> received XAuth vendor ID
    Aug 12 12:08:03 	charon: 14[ENC] <43> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V ]
    Aug 12 12:08:03 	charon: 14[NET] <43> received packet: from y.y.y.y[500] to x.x.x.x[500] (560 bytes)
    

    PS: The post is also in the English forum, but I'm hoping more people are around here at this time of day. I hope that's okay.
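The charon excerpt above is listed newest-first and most lines appear twice, which makes the sequence hard to read. As an added example (not code from Lars's post, from pfSense or from strongSwan), here is a small Python triage script that restores wire order, drops the duplicated lines, groups events by IKE_SA and reports the facts that matter for this kind of responder-side failure: the selected peer config, the identifier the client presented, the NAT-T float from UDP 500 to UDP 4500, and whether the first encrypted message from the peer could be decrypted. The log text embedded in it is constructed in the same format as the post's excerpt; the addresses (203.0.113.1, 198.51.100.7) and the e-mail identifier (vpn@example.invalid) are placeholders, not the original poster's values.

```python
"""Triage helper for strongSwan (charon) IKEv1 logs from pfSense; added example, not the post's or the project's code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's excerpt (newest first, as the pfSense
# log viewer shows it; one line logged twice). Addresses and the ID are placeholders.
SAMPLE_LOG = """\
Aug 12 12:08:33 charon: 06[JOB] <con1|43> deleting half open IKE_SA after timeout
Aug 12 12:08:28 charon: 06[NET] <con1|43> sending packet: from 203.0.113.1[500] to 198.51.100.7[500] (496 bytes)
Aug 12 12:08:28 charon: 06[IKE] <con1|43> sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:28 charon: 06[IKE] <con1|43> sending retransmit 3 of response message ID 0, seq 1
Aug 12 12:08:15 charon: 06[IKE] <con1|43> sending retransmit 2 of response message ID 0, seq 1
Aug 12 12:08:08 charon: 06[IKE] <con1|43> sending retransmit 1 of response message ID 0, seq 1
Aug 12 12:08:04 charon: 06[ENC] <con1|43> could not decrypt payloads
Aug 12 12:08:04 charon: 06[ENC] <con1|43> invalid HASH_V1 payload length, decryption failed?
Aug 12 12:08:04 charon: 06[NET] <con1|43> received packet: from 198.51.100.7[4500] to 203.0.113.1[4500] (92 bytes)
Aug 12 12:08:04 charon: 14[NET] <con1|43> sending packet: from 203.0.113.1[500] to 198.51.100.7[500] (496 bytes)
Aug 12 12:08:04 charon: 14[CFG] <43> selected peer config "con1"
Aug 12 12:08:04 charon: 14[CFG] <43> looking for XAuthInitPSK peer configs matching 203.0.113.1...198.51.100.7[vpn@example.invalid]
Aug 12 12:08:03 charon: 14[IKE] <43> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
Aug 12 12:08:03 charon: 14[IKE] <43> received NAT-T (RFC 3947) vendor ID
Aug 12 12:08:03 charon: 14[IKE] <43> received XAuth vendor ID
Aug 12 12:08:03 charon: 14[NET] <43> received packet: from 198.51.100.7[500] to 203.0.113.1[500] (560 bytes)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+charon:\s+(?P<thread>\d+)"
    r"\[(?P<grp>[A-Z]+)\]\s+<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>received|sending) packet: from (?P<src>\S+)\[\d+\] "
                    r"to \S+\[(?P<dport>\d+)\]")


def parse(text):
    """Charon events in wire order, with exact consecutive duplicates dropped."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):       # non-charon lines are ignored
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    if events and events[0]["time"] > events[-1]["time"]:
        events.reverse()                           # the viewer listed newest first
    deduped = []
    for ev in events:
        if deduped and all(deduped[-1][k] == ev[k] for k in ("ts", "thread", "msg")):
            continue                               # pfSense logs most lines twice
        deduped.append(ev)
    return deduped


def summarize(events):
    s = {"config": None, "peer": None, "peer_id": None, "recv_ports": [], "send_ports": [],
         "decrypt_failed": False, "retransmits": 0, "half_open_deleted": False, "findings": []}
    for ev in events:
        msg = ev["msg"]
        if m := PKT_RE.search(msg):
            if m["dir"] == "received":
                s["peer"] = m["src"]
                s["recv_ports"].append(m["dport"])
            else:
                s["send_ports"].append(m["dport"])
        if m := re.search(r'selected peer config "([^"]+)"', msg):
            s["config"] = m[1]
        if m := re.search(r"peer configs matching .*\[([^\]]+)\]", msg):
            s["peer_id"] = m[1]                    # the ID the client presented
        s["decrypt_failed"] |= "could not decrypt" in msg or "decryption failed" in msg
        s["retransmits"] += msg.startswith("sending retransmit")
        s["half_open_deleted"] |= "deleting half open IKE_SA" in msg
    # NAT-T float: first packet arrived on UDP 500, a later one on UDP 4500
    s["nat_t_switch"] = s["recv_ports"][:1] == ["500"] and "4500" in s["recv_ports"][1:]
    if s["decrypt_failed"]:
        s["findings"].append(
            "the first encrypted message from the peer could not be decrypted; with IKEv1 "
            "PSK the IKE_SA keys are derived from the PSK, so a PSK or identifier mismatch "
            "between the two sides looks exactly like this")
    if s["nat_t_switch"] and "4500" not in s["send_ports"]:
        s["findings"].append(
            "peer floated to UDP 4500 (NAT-T) while every response still went to UDP 500; "
            "the packet received on 4500 is the one that failed, so start there")
    if s["half_open_deleted"]:
        s["findings"].append(f"gave up after {s['retransmits']} retransmits of the "
                             "aggressive-mode response; the exchange never completed")
    return s


def triage(text):
    """Map IKE_SA number -> summary, so several clients in one log stay apart."""
    by_sa = defaultdict(list)
    for ev in parse(text):
        by_sa[ev["sa"]].append(ev)
    return {sa: summarize(evs) for sa, evs in by_sa.items()}


if __name__ == "__main__":
    for sa, s in triage(SAMPLE_LOG).items():
        print(f"IKE_SA {sa}: config={s['config']} peer={s['peer']} id={s['peer_id']}")
        print(*("  - " + f for f in s["findings"]), sep="\n")
```

To use it on a real log, paste the IPsec log text in place of SAMPLE_LOG or call triage() on the file contents; the per-IKE_SA grouping keeps several road warriors apart when they all fail at once. The findings only restate what charon itself logged (a decryption failure on the first message received on UDP 4500, retransmits of the aggressive-mode response to UDP 500, and the half-open SA being dropped); the PSK/identifier check is the one thing a practitioner verifies first with IKEv1 PSK, because the IKE_SA keys are derived from the pre-shared key.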