Bug #4784
Status: Closed
IPsec mobile fails with VPNC and "Network List" after 2.2.x upgrade
Description
We usually use a wrapper client (Shimo) for vpnc that helps us with some route automation, but for purposes of simplification in troubleshooting this, I have recreated the exact error with a bare vpnc install. Same error seen on any version of VPNC I have managed to try. Always recreated.
Error on Client side:
Jodys-MacBook-Pro:vpnc jrudolph$ sudo /usr/local/sbin/vpnc
Enter IPSec gateway address: X.X.X.X
Enter IPSec ID for X.X.X.X: user@domain.com
Enter IPSec secret for user@domain.com@X.X.X.X:
Enter username for X.X.X.X: jrudolph
Enter password for jrudolph@X.X.X.X:
configuration response rejected: (ISAKMP_N_PAYLOAD_MALFORMED)(16)
Error on server side:
Jun 21 17:32:27 charon: 05[CFG] <con1|12> lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con112 between XXXXXXXXXXXXX....XXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con112 between XXXXXXXXX...XXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con112
Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con112
Jun 21 17:32:27 charon: 05[ENC] <con1|12> parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12> received packet: from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
All tunnels were working up until upgrade
Client OS: Latest Apple OSX
Client: vpnc
Auth Method: PSK + XAuth
PHASE 1 Settings:
Key Exchange: V1
IP: V4
Interface: Carp Virtual IP Interface
Auth Method: Mutual PSK + XAuth
Negotiation: Aggressive
My Id: My IP Address
Peer Id: UDN user@domain.com
psk: <psk here>
Enc: AES256 (or 128)
Hash: SHA1
DH Group: 2
NAT-T: Force/Auto
DPD: On 10/5 / or off
PHASE 2 Settings:
Mode: TunIP4
Type: Network
No NAT/BINAT
Protocol: ESP (tried auth only)
Enc: AES256 (or 128)
Hash: SHA1
PFS Key Group: 2
Lifetime: 28800 (tried many combos here)
Mobile Clients Settings:
User Auth: Local DB
Group Auth: System
Network List Checked
Save XAuth Checked (I think this was unchecked before but got checked during my 6 hours trying to make this work)
Phase 2 PFS Group: Checked and 2
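The charon lines above are the only server-side evidence of the failure, and pfSense's log viewer prints them newest first, so a triage script has to group by the IKE_SA tag (the `<con1|12>` field) rather than rely on line order. The following is an added example, not code from the bug report or from pfSense or strongSwan: it parses charon lines of the shape shown in the report, records which XAuth user held a lease on each SA, and flags SAs that received a PAYLOAD_MALFORMED notify and were then deleted. The sample log is constructed from the report's lines with RFC 5737 placeholder addresses; the line format is assumed to match the strongSwan 5.x output quoted above.

```python
"""Triage strongSwan charon log lines for IKEv1 mobile-client failures.

Added example (not part of bug #4784). Groups lines by IKE_SA tag, notes the
XAuth user from the lease line, and flags SAs torn down after the peer sent
a PAYLOAD_MALFORMED notify, the symptom vpnc produced in the report.
"""
import re
from collections import defaultdict

# Shape of a charon line as quoted in the report:
#   "Jun 21 17:32:27 charon: 05[IKE] <con1|12> received PAYLOAD_MALFORMED error notify"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$"
)
# Virtual-IP lease line, which is where the XAuth user name appears.
LEASE_RE = re.compile(
    r"^lease (?P<ip>\S+) by '(?P<user>[^']+)' went (?P<state>online|offline)$"
)

# Constructed sample: the report's lines (newest first, as the pfSense GUI
# shows them) plus one healthy SA; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Jun 21 17:32:27 charon: 05[CFG] <con1|12> lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con1[12] between 203.0.113.5[203.0.113.5]...198.51.100.7[user@domain.com]
Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[ENC] <con1|12> parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12> received packet: from 198.51.100.7[4500] to 203.0.113.5[4500] (76 bytes)
Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
Jun 21 17:32:30 charon: 07[CFG] <con1|13> lease 10.255.0.194 by 'alice' went online
"""


def parse_line(line):
    """Return the fields of one charon line, or None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group lines by IKE_SA tag and summarise what happened to each SA.

    Order-independent: works on newest-first or oldest-first output.
    """
    sas = defaultdict(lambda: {"user": None, "lease_ip": None,
                               "malformed": False, "deleted": False, "lines": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a charon line; leave it for another tool
        entry = sas[rec["sa"]]
        entry["lines"] += 1
        msg = rec["msg"]
        lease = LEASE_RE.match(msg)
        if lease:
            entry["user"] = lease.group("user")
            entry["lease_ip"] = lease.group("ip")
        if "PAYLOAD_MALFORMED" in msg:
            entry["malformed"] = True
        if msg.startswith("deleting IKE_SA") or msg.startswith("received DELETE for IKE_SA"):
            entry["deleted"] = True
    return dict(sas)


def failed_sas(log_text):
    """SAs that were deleted after a PAYLOAD_MALFORMED notify, as (sa_tag, user)."""
    return sorted(((sa, e["user"]) for sa, e in triage(log_text).items()
                   if e["malformed"] and e["deleted"]), key=lambda t: t[0])


if __name__ == "__main__":
    for sa, user in failed_sas(SAMPLE_LOG):
        print(f"{sa}: client for user {user!r} sent PAYLOAD_MALFORMED; SA deleted")
```

Run against a saved copy of the IPsec log (Status > System Logs > IPsec) to list which users and SAs hit this failure; an SA that only shows lease online/offline without the notify, like `con1|13` in the sample, is not reported.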
Updated by Chris Buechler over 9 years ago
- Category set to IPsec
- Status changed from New to Confirmed
- Assignee set to Chris Buechler
- Target version set to 2.3
- Affected Version changed from 2.2.2 to 2.2.x
There is something wrong here, though it's not clear what. The issue is replicable with Jody's config, and a slightly different config that works with iOS and OS X. Not sure if that's an issue in vpnc or strongswan, will investigate further later. Doesn't appear to be a config problem or a problem in anything we're doing.
Updated by Edward Roper over 9 years ago
I'm also having this issue. Please let me know if there is any specific information I can provide to assist. Everything was working on 2.2.2 and stopped working with the 2.2.3 upgrade.
Updated by Jim Pingle over 9 years ago
Edward Roper wrote:
I'm also having this issue. Please let me know if there is any specific information I can provide to assist. Everything was working on 2.2.2 and stopped working with the 2.2.3 upgrade.
Your issue is likely #4791 and not related to this ticket.
Updated by Edward Roper over 9 years ago
Jim P wrote:
Your issue is likely #4791 and not related to this ticket.
Thanks Jim,
That was my first thought, but it remains broken after disabling AESNI and rebooting (unless I did this incorrectly). It's still entirely possible that it's not related to this issue though.
root: kldstat
Id Refs Address            Size     Name
 1    3 0xffffffff80200000 22d84b0  kernel
 2    1 0xffffffff82611000 cf4      coretemp.ko
Updated by David Harrigan over 9 years ago
Hi,
I can confirm that this issue is still affecting me - with the disable AES-NI workaround enabled. My iOS clients cannot connect anymore - all failing with "Wrong Shared Secret".
=david=
Updated by David Harrigan over 9 years ago
- File Screen Shot 2015-06-30 at 10.07.09.png added
- File Screen Shot 2015-06-30 at 10.07.49.png added
- File ipsec-log.rtf added
Hi,
Attached are the screenshots of the VPN configuration for this, along with a log file of the connection attempt. I hope it helps.
=david=
Updated by Chris Buechler over 9 years ago
This ticket is specific to vpnc and only vpnc. iOS PSK issues in 2.2.3 are #4806.
Updated by Carter Baller about 9 years ago
Looks like it has something to do with the "Network List" option in VPN: IPsec: Mobile section. If that is checked, I receive "ISAKMP_N_PAYLOAD_MALFORMED(16)" when attempting to use vpnc. ShrewSoft works fine.
I'm running 2.2.4.
Updated by Chris Buechler almost 9 years ago
- Subject changed from ipsec mobile tunnels fail from VPNC after 2.2.2 upgrade (from 2.1.5) to IPsec mobile fails with VPNC and "Network List" after 2.2.x upgrade
- Status changed from Confirmed to Closed
- Target version deleted (2.3)
This looks to be a problem in vpnc. It works fine if you leave the "Provide a list of accessible networks to clients" box unchecked. vpnc can be configured to work around it. It isn't used much so isn't worth digging into further at this time.
Updated by Edward Roper almost 9 years ago
This is/was affecting a large number of my geographically dispersed Mac OS X users using the "Cisco IPSec" configuration. This regression has kept us at 2.2.2, which isn't ideal in the long run. If there's a viable workaround for these clients I'm not sure what it is. Could you please provide information?
Thanks,
Ed
Updated by Edward Roper almost 9 years ago
Sorry I overlooked comment #7. I retract my previous comment on this bug ;)
Updated by Frederic Lietart over 8 years ago
Hi,
Same problem on version 2.3-RC built on Wed Apr 06 05:34:38 CDT 2016
It works fine if you leave the "Provide a list of accessible networks to clients" box unchecked. vpnc can be configured to work around it.
Thanks