Bug #8426
Closed
Mobile IPSec login not working after upgrade from 2.4.2p1
100%
Description
Since performing the upgrade from 2.4.2p1 to 2.4.3, users have been unable to connect; OS X clients get an error suggesting the problem is with the shared secret.
Updated by Jay2k1 * over 6 years ago
Yes, I can confirm this issue. Mobile Client ("Roadwarrior") IPSec access no longer works after upgrading to 2.4.3 (we're using IKEv1).
Apparently others are affected too: https://forum.pfsense.org/index.php?topic=145891.0
A quick fix for this would be very highly appreciated, because this is quite critical for us. Thanks a lot!
Updated by Daniel Becker over 6 years ago
Seeing the same error ("The VPN Shared Secret is incorrect.") on iOS. Exact same config worked before the update to 2.4.3.
Updated by Jim Pingle over 6 years ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
Looks like the PSK for another tunnel is being used instead of the more exact match. It works when it is the only entry. I'll have a look.
Updated by Jim Pingle over 6 years ago
Well, ipsec.secrets is written out identically on both a working (2.4.2) and non-working (2.4.3, 2.4.4, 2.3.6) setup and the only difference I see is the strongSwan version. 5.6.0 is working, 5.6.2_1 is not.
strongSwan 5.6.2 release notes say "The lookup for PSK secrets for IKEv1 has been improved for certain scenarios.", which seems to be associated with https://wiki.strongswan.org/issues/2497 but apparently that has broken secrets that were working previously.
There is probably a way to reformat ipsec.secrets to work around it. Lots of info on that strongSwan ticket to sort through.
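An added example, not part of the ticket and not pfSense or strongSwan code: a small audit that parses an ipsec.secrets-style file and lists every PSK entry that could apply to one local/remote identity pair, which is the situation described above where another tunnel's PSK gets picked. The matching rule is a simplified assumption, and the sample file, addresses and secrets are constructed placeholders.

```python
import re

# Selectors, then " : PSK "; IPv6 selectors contain ':' but no whitespace.
PSK_LINE = re.compile(r'^\s*(?P<sel>(?:\S+\s+)*?):\s*PSK\s', re.IGNORECASE)
WILDCARDS = {"%any", "%any6"}

def parse_psk_entries(text):
    """Return [(line_no, [selectors])] for each PSK line. Secrets are never kept."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        m = PSK_LINE.match(raw)
        if m:
            entries.append((line_no, m.group("sel").split()))
    return entries

def candidates(entries, local_id, remote_id):
    """Line numbers of PSK entries usable for this identity pair.

    Assumed (simplified) rule: an entry applies if it has no selectors,
    or any selector is a wildcard or equals one of the two identities.
    """
    ids = {local_id, remote_id}
    return [n for n, sel in entries
            if not sel or any(s in WILDCARDS or s in ids for s in sel)]

def audit(text, local_id, remote_id):
    """Return (candidate_lines, ambiguous) for one connection attempt."""
    hits = candidates(parse_psk_entries(text), local_id, remote_id)
    return hits, len(hits) > 1

# Constructed sample: one site-to-site tunnel plus a mobile-client entry.
SAMPLE = '''\
# constructed ipsec.secrets, placeholder secrets
203.0.113.10 198.51.100.20 : PSK "site-to-site-placeholder"
%any 203.0.113.10 : PSK "mobile-placeholder"
'''
MOBILE_ONLY = '%any 203.0.113.10 : PSK "mobile-placeholder"\n'

if __name__ == "__main__":
    # Road warrior at 192.0.2.55 connecting to the gateway 203.0.113.10.
    for name, conf in (("both entries", SAMPLE), ("mobile only", MOBILE_ONLY)):
        hits, ambiguous = audit(conf, "203.0.113.10", "192.0.2.55")
        print(f"{name}: candidate lines {hits}, ambiguous={ambiguous}")
```

When more than one line is reported, which secret is used depends on the IKE daemon's lookup order, so a change in that lookup between versions can surface as a shared-secret error on the client.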
Updated by Jim Pingle over 6 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset af7c0311b89656198e00ded91c1a2a87f34c331b.
Updated by Jay2k1 * over 6 years ago
I tested the diff and can confirm it works again. Thank you so much for fixing this so quickly, Jim!
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.4 to 2.4.3-p1