Mobile IPSec login not working after upgrade from 2.4.2p1
Since performing the upgrade from 2.4.2p1 to 2.4.3, users have been unable to connect; OS X clients get an error suggesting the problem is with the shared secret.
For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426
#1 Updated by Jay2k1 * about 3 years ago
Yes, I can confirm this issue. Mobile Client ("Roadwarrior") IPSec access no longer works after upgrading to 2.4.3 (we're using IKEv1).
Apparently others are affected too: https://forum.pfsense.org/index.php?topic=145891.0
A quick fix for this would be very highly appreciated, because this is quite critical for us. Thanks a lot!
#4 Updated by Jim Pingle about 3 years ago
Well, ipsec.secrets is written out identically on both a working (2.4.2) and non-working (2.4.3, 2.4.4, 2.3.6) setup and the only difference I see is the strongSwan version. 5.6.0 is working, 5.6.2_1 is not.
strongSwan 5.6.2 release notes say "The lookup for PSK secrets for IKEv1 has been improved for certain scenarios.", which seems to be associated with https://wiki.strongswan.org/issues/2497 but apparently that has broken secrets that were working previously.
There is probably a way to reformat ipsec.secrets to work around it. Lots of info on that strongSwan ticket to sort through.