Bug #8404: IPSec pre-shared key
Status: Closed
Description
After upgrading from 2.4.2_p1 to 2.4.3, just the last added (active) IPSec tunnel's <PSK> matches in PHASE-1.
All other tunnels with PSK fail.
If you use the PSK from the last (active) entry in the list -> we have a connection.
So maybe it is a problem with %any and the way pfSense tries to match the PSK?
If you need more information/log files, please specify which information is important for you.
Two active IPsec tunnel:
/var/etc/ipsec/ipsec.secret
<WANIP> @<DN> : PSK <01-PSK> : PSK <01-PSK>
%any <IP-OTHER-SIDE> : PSK <02-PSK>
IPsec conf (because it's for Mac):
Auth method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: My IP address
Peer identifier: Distinguished name : <DN>
Pre-Shared key: <01-PSK>
Further, the mobile clients authenticate against an external RADIUS.
The second one (side-to-side):
Auth method: Mutual PSK
Negotiation mode: Main
My identifier: My IP address
Peer identifier: Peer IP address
Pre-Shared key: <02-PSK>
Updated by Lasse not relevant about 7 years ago
Same behavior as described in #6668
As long as the second (side-to-side) is active, the only PSK that will match is <02-PSK>.
If you deactivate the second IPsec tunnel you can connect with <01-PSK>.
Updated by Jim Pingle about 7 years ago
- Status changed from New to Duplicate
Try the patch on the other ticket and add comments there.
Updated by Lasse not relevant over 5 years ago
I have tried 2.4.4_3 today, but it shows the same behavior.
Still need to disable the VPN dashboard plugin to access the dashboard, otherwise it is broken.
The IPSec status page isn't loading, but if I disable all IPSec P1s (except one), the active one is working.
So at least in 2.4.4_3 the problem still exists. I will try to set up a test bench for 2.5, but this will need more effort.
Latest known good version is 2.4.3_1.