Project

General

Profile

Bug #4806

Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2

Added by Andrew Stuart over 4 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
High
Category:
IPsec
Target version:
Start date:
06/30/2015
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2.3
Affected Architecture:

Description

Since others are posting to [[https://redmine.pfsense.org/issues/4784]]. I figured it's worth opening a new ticket instead.

A perfectly working 2.2-2.2.2 Mobile IPSec configuration has failed on 2.2.3.
for myself, on two different sites, configured as specified here: [[https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To]]

I've reset the shared keys, I've tried shorter, I've tried 1234, I've tried abc.

iOS error "The VPN Shared Secret is incorrect".

My setup is identical to the document mentioned above, other than my id / psk.

( I do wonder, since KeyID Tag is also broken after upgrade, if there is a off by 1 or something skewing the later options )
Btw, as Subject suggests I was using AES-NI, I've turned it off/rebooted since and verified with kldstat that it isn't loaded.

History

#1 Updated by Chris Buechler over 4 years ago

  • Subject changed from Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2 unrelated? to AES-NI Bug. to Mobile IPSec Broken on iOS devices after 2.2.3 Upgrade from 2.2.2
  • Status changed from New to Confirmed
  • Priority changed from Normal to High

fixing some mobile IPsec scenarios broke iOS PSKs, I'm already looking into it.

#2 Updated by Chris Buechler over 4 years ago

  • Assignee set to Chris Buechler

this diff will fix iOS.

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 6e4d71d..3b09f54 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -613,7 +613,7 @@ EOD;
                                $key['ident'] = '%any';
                        if (empty($key['type']))
                                $key['type'] = 'PSK';
-                       $pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-k
+                       $pskconf .= ": {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
                }
                unset($key);
        }

but break some other mobile circumstances. Fix needs more investigation, but the above change will work for iOS, OS X and similar mobile clients with PSK+Xauth.

#3 Updated by Arno Tilroe over 4 years ago

Chris Buechler wrote:

this diff will fix iOS.

[... @ -613,7 +613,7 @ EOD; ...]

I saw this issue before updateing an tested the VPN before and after.
Just updated from 2.2.1 to 2.2.3 ipsec mobile clients have the same error message after update.

I had to change the patch to make it work in the 'system patches' package https://doc.pfsense.org/index.php/System_Patches#Adding_a_patch
for the following line:

@@ -613,4 +613,4 @@ EOD;

The patch did not fix the problem for me, i'm the onlyone using it currently.

Regards,
Arno

#4 Updated by Chris Buechler over 4 years ago

  • Status changed from Confirmed to Feedback

looks to be fixed in 2.2.4 after gitsync, next snapshot will include those changes.

#5 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved

fixed

#6 Updated by Rein van Meeteren over 4 years ago

We are running version 2.2.4 but we still appear to have this issue.

We followed the guide at:
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

Client system is Mac OSX (Mavericks) and the error message is "The VPN Shared Secret is incorrect".

Do other people also still have this issue?

#7 Updated by Martin Gollowitzer over 1 year ago

Hi,

I am running two pfSense firewalls on version 2.4.3 and I think this issue is still there. On both machines, I have Apple IOS clients with an old IPsec configuratio according to the wiki. They haven't been used for some time but now that I tried again I get the error "wrong shared secret" although nothing was changed and I even re-entered the information on those devices.

#8 Updated by Jim Pingle over 1 year ago

This ticket isn't relevant to 2.4.3. See #8426 for details and a patch.

Also available in: Atom PDF