Bug #8426
closed
Mobile IPSec login not working after upgrade from 2.4.2p1
Added by Michael Newton over 6 years ago.
Updated over 4 years ago.
Affected Architecture: All
Description
Since performing the upgrade from 2.4.2p1 to 2.4.3, users have been unable to connect; OS X clients get an error suggesting the problem is with the shared secret.
Yes, I can confirm this issue. Mobile Client ("Roadwarrior") IPSec access no longer works after upgrading to 2.4.3 (we're using IKEv1).
Apparently others are affected too: https://forum.pfsense.org/index.php?topic=145891.0
A quick fix for this would be very highly appreciated, because this is quite critical for us. Thanks a lot!
Seeing the same error ("The VPN Shared Secret is incorrect.") on iOS. Exact same config worked before the update to 2.4.3.
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
Looks like the PSK for another tunnel is being used instead of the more exact match. It works when it is the only entry. I'll have a look.
Well, ipsec.secrets is written out identically on both a working (2.4.2) and non-working (2.4.3, 2.4.4, 2.3.6) setup and the only difference I see is the strongSwan version. 5.6.0 is working, 5.6.2_1 is not.
strongSwan 5.6.2 release notes say "The lookup for PSK secrets for IKEv1 has been improved for certain scenarios.", which seems to be associated with https://wiki.strongswan.org/issues/2497 but apparently that has broken secrets that were working previously.
There is probably a way to reformat ipsec.secrets to work around it. Lots of info on that strongSwan ticket to sort through.
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
I tested the diff and can confirm it works again. Thank you so much for fixing this so quickly, Jim!
Was able to confirm fix worked.
- Status changed from Feedback to Resolved
- Target version changed from 2.4.4 to 2.4.3-p1