
Bug #5245

iOS IPsec PSK mismatches

Added by Chris Buechler about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 10/03/2015
Due date:
% Done: 100%
Estimated time:
Affected Version:
Affected Architecture:

Description

iOS PSK mismatches are happening in some cases. Going back to pre-2.2.4 behavior works, done here. https://github.com/pfsense/pfsense/commit/41d968bd163112361c86d077bec8a4cd59dd6828

Needs additional review.

History

#1 Updated by Jim Thompson about 4 years ago

  • Status changed from Feedback to Confirmed
  • Assignee changed from Chris Buechler to Matthew Smith

I'm assigning this to Matt, and putting it back in Confirmed, so he can weigh in.

#2 Updated by Matthew Smith about 4 years ago

Chris Buechler wrote:

iOS PSK mismatches are happening in some cases. Going back to pre-2.2.4 behavior works, done here. https://github.com/pfsense/pfsense/commit/41d968bd163112361c86d077bec8a4cd59dd6828

Needs additional review.

Under what conditions are PSK mismatches occurring? What version of IKE is being used and which authentication method (mutual psk, mutual psk with xauth, or eap-mschapv2) when this happens?

#3 Updated by Chris Buechler about 4 years ago

Thread where issue is discussed for reference:
https://forum.pfsense.org/index.php?topic=97530.0

Matthew Smith wrote:

Under what conditions are PSK mismatches occurring? What version of IKE is being used and which authentication method (mutual psk, mutual psk with xauth, or eap-mschapv2) when this happens?

We've discussed via email since then, but to add here: IKEv1 mutual PSK, with and without xauth. There's something more to it than just that though.

#4 Updated by Matthew Smith about 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

This is fine. According to this document https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets you cannot match an IKEv1 PSK connection against any IDs other than the IP address of the client when selecting the PSK to use. That is a value that is typically not known for mobile IPsec so it is reasonable to not specify IDs for PSK.

#5 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

That's true of main mode only, as aggressive sends the ID in the clear, but agree that this is fine now. The group doesn't get matched anyway when it is there.
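To illustrate the constraint discussed in #4 and #5, here is a constructed ipsec.secrets fragment (an added example, not the ticket's own configuration or the file pfSense generates; the addresses, identity and secrets are placeholders). It shows why an identity-keyed entry cannot serve IKEv1 main mode clients whose address is unknown, and the address-wildcard form that does.

```text
# /etc/ipsec.secrets (constructed example)
#
# Form that fails for roaming IKEv1 main mode clients: in main mode the
# initiator's ID is only sent after the PSK has already been used, so the
# responder can match the secret on the peer's IP address alone. With a
# mobile client on an unknown address, neither selector below can match.
192.0.2.1 ios-user@example.com : PSK "REPLACE-WITH-PER-SITE-SECRET"

# Form that works for IKEv1 main mode with mobile clients: match any peer
# address, and do not rely on the identity to pick the PSK. (In aggressive
# mode the ID travels in the clear, so identity selectors would match there;
# main mode is the case that drove this ticket.)
%any : PSK "REPLACE-WITH-PER-SITE-SECRET"
```

Because the wildcard entry is shared by every main mode PSK peer, any client-specific separation has to come from a different authentication method (XAuth or EAP on top of the PSK, or certificates) rather than from per-identity secrets.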
