Bug #8426

closed

Mobile IPSec login not working after upgrade from 2.4.2p1

Added by Michael Newton over 3 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/03/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.3
Affected Architecture: All

Description

Since performing the upgrade from 2.4.2p1 to 2.4.3, users have been unable to connect; OS X clients get an error suggesting the problem is with the shared secret.


Files

Screenshot 2018-04-02 10.43.09.png (98.5 KB), Michael Newton, 04/03/2018 02:45 PM
Actions #1

Updated by Jay2k1 * over 3 years ago

Yes, I can confirm this issue. Mobile Client ("Roadwarrior") IPSec access no longer works after upgrading to 2.4.3 (we're using IKEv1).

Apparently others are affected too: https://forum.pfsense.org/index.php?topic=145891.0

A quick fix for this would be very highly appreciated, because this is quite critical for us. Thanks a lot!

Actions #2

Updated by Daniel Becker over 3 years ago

Seeing the same error ("The VPN Shared Secret is incorrect.") on iOS. Exact same config worked before the update to 2.4.3.

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle

Looks like the PSK for another tunnel is being used instead of the more exact match. It works when it is the only entry. I'll have a look.

Actions #4

Updated by Jim Pingle over 3 years ago

Well, ipsec.secrets is written out identically on both a working (2.4.2) and non-working (2.4.3, 2.4.4, 2.3.6) setup and the only difference I see is the strongSwan version. 5.6.0 is working, 5.6.2_1 is not.

strongSwan 5.6.2 release notes say "The lookup for PSK secrets for IKEv1 has been improved for certain scenarios.", which seems to be associated with https://wiki.strongswan.org/issues/2497 but apparently that has broken secrets that were working previously.

There is probably a way to reformat ipsec.secrets to work around it. Lots of info on that strongSwan ticket to sort through.

Actions #5

Updated by Jim Pingle over 3 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Jay2k1 * over 3 years ago

I tested the diff and can confirm it works again. Thank you so much for fixing this so quickly, Jim!

Actions #7

Updated by Chris Macmahon over 3 years ago

Was able to confirm fix worked.

Actions #8

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved
Actions #9

Updated by Jim Pingle about 3 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1