Bug #4806
closed
Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2
Description
Since others are posting to https://redmine.pfsense.org/issues/4784, I figured it's worth opening a new ticket instead.
A perfectly working 2.2-2.2.2 Mobile IPSec configuration has failed on 2.2.3 for myself, on two different sites, configured as specified here: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
I've reset the shared keys, I've tried shorter, I've tried 1234, I've tried abc.
iOS error "The VPN Shared Secret is incorrect".
My setup is identical to the document mentioned above, other than my id / psk.
(I do wonder, since KeyID Tag is also broken after upgrade, if there is an off by 1 or something skewing the later options.)
Btw, as Subject suggests I was using AES-NI, I've turned it off/rebooted since and verified with kldstat that it isn't loaded.
Updated by Chris Buechler over 9 years ago
- Subject changed from "Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2 unrelated? to AES-NI Bug." to "Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2"
- Status changed from New to Confirmed
- Priority changed from Normal to High
Fixing some mobile IPsec scenarios broke iOS PSKs; I'm already looking into it.
Updated by Chris Buechler over 9 years ago
- Assignee set to Chris Buechler
This diff will fix iOS.
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 6e4d71d..3b09f54 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -613,7 +613,7 @@ EOD; $key['ident'] = '%any'; if (empty($key['type'])) $key['type'] = 'PSK'; - $pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-k + $pskconf .= ": {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; } unset($key); }
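Review bot: the `+` line drops both `{$myid}` and `{$key['ident']}` from the entry, so every key written by this block lands in the secrets output as `: {$key['type']} 0s...` with no identity selector at all. That leaves the `$key['ident'] = '%any';` assignment in the context lines just above with no effect on this output, and if more than one key reaches this code the resulting entries can no longer be told apart by peer identity. Consider dropping only `{$myid}` and keeping the peer selector, or emitting the selector-less form only when the ident is `%any`, with a comment naming the clients that need it. The `-` line as shown is also cut off at `$key['pre-shared-k`, so the patch will not apply as pasted.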
but break some other mobile circumstances. Fix needs more investigation, but the above change will work for iOS, OS X and similar mobile clients with PSK+Xauth.
Updated by Arno Tilroe over 9 years ago
Chris Buechler wrote:
this diff will fix iOS.
[...
@ -613,7 +613,7
@ EOD; ...]
I saw this issue before updating and tested the VPN before and after.
Just updated from 2.2.1 to 2.2.3; ipsec mobile clients have the same error message after update.
I had to change the patch to make it work in the 'system patches' package https://doc.pfsense.org/index.php/System_Patches#Adding_a_patch
for the following line:
@@ -613,4 +613,4 @@ EOD;
The patch did not fix the problem for me; I'm the only one using it currently.
Regards,
Arno
Updated by Chris Buechler over 9 years ago
- Status changed from Confirmed to Feedback
Looks to be fixed in 2.2.4 after gitsync; next snapshot will include those changes.
Updated by Rein van Meeteren over 9 years ago
We are running version 2.2.4 but we still appear to have this issue.
We followed the guide at:
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
Client system is Mac OSX (Mavericks) and the error message is "The VPN Shared Secret is incorrect".
Do other people also still have this issue?
Updated by Martin Gollowitzer over 6 years ago
Hi,
I am running two pfSense firewalls on version 2.4.3 and I think this issue is still there. On both machines, I have Apple iOS clients with an old IPsec configuration according to the wiki. They haven't been used for some time, but now that I tried again I get the error "wrong shared secret" although nothing was changed and I even re-entered the information on those devices.
Updated by Jim Pingle over 6 years ago
This ticket isn't relevant to 2.4.3. See #8426 for details and a patch.