Bug #8426

Mobile IPSec login not working after upgrade from 2.4.2p1

Added by Michael Newton 12 months ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/03/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.3
Affected Architecture: All

Description

Since performing the upgrade from 2.4.2p1 to 2.4.3, users have been unable to connect; OS X clients get an error suggesting the problem is with the shared secret.

Screenshot 2018-04-02 10.43.09.png (98.5 KB), Michael Newton, 04/03/2018 02:45 PM

Associated revisions

Revision af7c0311 (diff)
Added by Jim Pingle 11 months ago

For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426

Revision fad13c41 (diff)
Added by Jim Pingle 11 months ago

For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426

(cherry picked from commit af7c0311b89656198e00ded91c1a2a87f34c331b)

History

#1 Updated by Jay2k1 * 12 months ago

Yes, I can confirm this issue. Mobile Client ("Roadwarrior") IPSec access no longer works after upgrading to 2.4.3 (we're using IKEv1).

Apparently others are affected too: https://forum.pfsense.org/index.php?topic=145891.0

A quick fix for this would be very highly appreciated, because this is quite critical for us. Thanks a lot!

#2 Updated by Daniel Becker 12 months ago

Seeing the same error ("The VPN Shared Secret is incorrect.") on iOS. Exact same config worked before the update to 2.4.3.

#3 Updated by Jim Pingle 11 months ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle

Looks like the PSK for another tunnel is being used instead of the more exact match. It works when it is the only entry. I'll have a look.

#4 Updated by Jim Pingle 11 months ago

Well, ipsec.secrets is written out identically on both a working (2.4.2) and non-working (2.4.3, 2.4.4, 2.3.6) setup and the only difference I see is the strongSwan version. 5.6.0 is working, 5.6.2_1 is not.

strongSwan 5.6.2 release notes say "The lookup for PSK secrets for IKEv1 has been improved for certain scenarios.", which seems to be associated with https://wiki.strongswan.org/issues/2497 but apparently that has broken secrets that were working previously.

There is probably a way to reformat ipsec.secrets to work around it. Lots of info on that strongSwan ticket to sort through.

#5 Updated by Jim Pingle 11 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#6 Updated by Jay2k1 * 11 months ago

I tested the diff and can confirm it works again. Thank you so much for fixing this so quickly, Jim!

#7 Updated by Chris Macmahon 11 months ago

Was able to confirm fix worked.

#8 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

#9 Updated by Jim Pingle 11 months ago

  • Target version changed from 2.4.4 to 2.4.3_1
