
Topic: Upgrading to 2.4.2 broke my IPSEC VPN!


XakEp
Upgrading to 2.4.2 broke my IPSEC VPN!
« on: December 05, 2017, 04:46:43 pm »
When I try to connect, now I get this in my logs... No change to the config, was working a day before the upgrade. Help? Client is StrongSwan on Android.


Time   Process   PID   Message
Dec 5 15:16:09   charon      01[NET] <3> received packet: from xxx.xxx.xxx.xxx[9313] to xxx.xxx.xxx.xxx[500] (704 bytes)
Dec 5 15:16:09   charon      01[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 5 15:16:09   charon      01[CFG] <3> looking for an ike config for xxx.xxx.xxx.xxx...xxx.xxx.xxx.xxx
Dec 5 15:16:09   charon      01[CFG] <3> candidate: %any...%any, prio 24
Dec 5 15:16:09   charon      01[CFG] <3> candidate: xxx.xxx.xxx.xxx...%any, prio 1052
Dec 5 15:16:09   charon      01[CFG] <3> found matching ike config: xxx.xxx.xxx.xxx...%any with prio 1052
Dec 5 15:16:09   charon      01[IKE] <3> xxx.xxx.xxx.xxx is initiating an IKE_SA
Dec 5 15:16:09   charon      01[CFG] <3> selecting proposal:
Dec 5 15:16:09   charon      01[CFG] <3> no acceptable DIFFIE_HELLMAN_GROUP found
Dec 5 15:16:09   charon      01[CFG] <3> selecting proposal:
Dec 5 15:16:09   charon      01[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
Dec 5 15:16:09   charon      01[CFG] <3> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
Dec 5 15:16:09   charon      01[CFG] <3> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 5 15:16:09   charon      01[CFG] <3> received supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 5 15:16:09   charon      01[IKE] <3> remote host is behind NAT
Dec 5 15:16:09   charon      01[IKE] <3> received proposals inacceptable
Dec 5 15:16:09   charon      01[ENC] <3> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 5 15:16:09   charon      01[NET] <3> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[9313] (36 bytes)

Client error is:

Dec  5 15:46:50 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G955USQU1AQK3/2017-10-01, SM-G955U - samsung/dream2qltesq/samsung, Linux 4.4.16-11982677, aarch64)
Dec  5 15:46:50 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Dec  5 15:46:50 00[JOB] spawning 16 worker threads
Dec  5 15:46:50 08[IKE] initiating IKE_SA android[32] to xxx.xxx.xxx.xxx
Dec  5 15:46:50 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec  5 15:46:50 08[NET] sending packet: from xxx.xxx.xxx.xxx[55518] to xxx.xxx.xxx.xxx[500] (704 bytes)
Dec  5 15:46:50 09[NET] received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[55518] (36 bytes)
Dec  5 15:46:50 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec  5 15:46:50 09[IKE] received NO_PROPOSAL_CHOSEN notify error

Derelict (Global Moderator)
Re: Upgrading to 2.4.2 broke my IPSEC VPN!
« Reply #1 on: December 05, 2017, 05:49:19 pm »
Your side is configured to use this:

IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

The other side is configured to use these:

IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048 <-- No MODP_1024
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048

None of them match. PFS Group 2 (MODP_1024) is not acceptable to the other side in the Phase 1. Try Group 14 (MODP_2048) there.

Might be a good time to switch to AES_CBC_128 and HMAC_SHA2_256_128 while you're messing with it.

You might need to do the same kind of thing for the Phase 2. Those will look similar in the logs but be prefixed by ESP: instead of IKE:

« Last Edit: December 05, 2017, 05:56:00 pm by Derelict »
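The selection Derelict reads off the two "proposals" lines above can be checked mechanically. The script below is an added example for this thread, not pfSense or strongSwan code: it parses charon's "configured proposals:" and "received proposals:" log lines, walks the transform types the way a responder does (our proposals in preference order, first one the peer can satisfy wins), and reports the transform type that broke each pairing, which is the same information charon logs as "no acceptable X found". The prefix-based mapping of algorithm names to transform types and the simplified selection order are assumptions of the example; the sample log lines are copied from the post, and the two repaired Phase 1 strings follow the reply (Group 14, then AES_CBC_128/HMAC_SHA2_256_128).

```python
"""Explain a strongSwan NO_PROPOSAL_CHOSEN from the 'configured proposals' and
'received proposals' log lines.  Added example, not pfSense or strongSwan
code; the matching is a simplified model of charon's responder behaviour and
the algorithm-to-transform-type mapping is by name prefix (assumed)."""
import re
from typing import Dict, List, Optional, Tuple

# Transform types in the order they are checked here (ESN only appears in ESP).
TRANSFORM_ORDER = (
    "ENCRYPTION_ALGORITHM",
    "INTEGRITY_ALGORITHM",
    "PSEUDO_RANDOM_FUNCTION",
    "DIFFIE_HELLMAN_GROUP",
    "EXTENDED_SEQUENCE_NUMBERS",
)

Proposal = Tuple[str, Dict[str, List[str]]]  # (protocol, {transform type: [algs]})


def transform_type(alg: str) -> str:
    """Classify a strongSwan algorithm name by its prefix (assumed mapping)."""
    if alg.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, 3DES_CBC, AES_GCM_*, CHACHA20_*


def parse_proposals(text: str) -> List[Proposal]:
    """'IKE:A/B/C, IKE:D/E/F' -> one (protocol, grouped algorithms) per proposal."""
    out: List[Proposal] = []
    for chunk in text.split(","):
        proto, _, algs = chunk.strip().partition(":")
        groups: Dict[str, List[str]] = {}
        for alg in algs.split("/"):
            groups.setdefault(transform_type(alg), []).append(alg)
        out.append((proto, groups))
    return out


def select(configured: List[Proposal], received: List[Proposal]
           ) -> Tuple[Optional[str], Dict[str, str], List[str]]:
    """Return (protocol, chosen algorithms, failures).  'failures' holds the
    transform type that killed each non-matching pair, i.e. the
    'no acceptable X found' lines charon logs; it stays empty if the first
    pair matches."""
    failures: List[str] = []
    for proto, ours in configured:
        for rproto, theirs in received:
            if proto != rproto:
                failures.append("PROTOCOL_ID")
                continue
            chosen: Dict[str, str] = {}
            for ttype in TRANSFORM_ORDER:
                mine = ours.get(ttype, [])
                peer = set(theirs.get(ttype, []))
                if not mine and not peer:
                    continue  # neither side uses this type (e.g. no ESN in IKE)
                match = next((a for a in mine if a in peer), None)
                if match is None:
                    failures.append(ttype)  # an AEAD-only peer proposal dies here
                    break
                chosen[ttype] = match
            else:
                return proto, chosen, failures
    return None, {}, failures


def explain_from_log(log: str) -> Tuple[Optional[str], Dict[str, str], List[str]]:
    """Pull 'configured proposals:' / 'received proposals:' out of a charon
    excerpt and run the selection on them."""
    found = dict(re.findall(r"(configured|received) proposals: (\S.*)$", log, re.M))
    return select(parse_proposals(found["configured"]),
                  parse_proposals(found["received"]))


# Sample input: the two relevant lines copied from the pfSense log in the post.
POSTED_LOG = """\
Dec 5 15:16:09   charon      01[CFG] <3> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 5 15:16:09   charon      01[CFG] <3> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
"""
ANDROID_OFFER = re.search(r"received proposals: (.*)", POSTED_LOG).group(1)
# Phase 1 as it was on the pfSense side, and the two repairs suggested in the reply.
PFSENSE_BEFORE = "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
PFSENSE_GROUP14 = "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048"
PFSENSE_MODERN = "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"

if __name__ == "__main__":
    print("as posted:", explain_from_log(POSTED_LOG))
    for label, ours in (("group 14", PFSENSE_GROUP14), ("aes128/sha256", PFSENSE_MODERN)):
        print(label + ":", select(parse_proposals(ours), parse_proposals(ANDROID_OFFER)))
```

Run as-is, the posted lines give no selection and the failure list ["DIFFIE_HELLMAN_GROUP", "ENCRYPTION_ALGORITHM"], in the same order as the two "no acceptable ... found" lines in the log: the first Android proposal fails only on the DH group, the second (AEAD-only) fails on encryption because it carries no 3DES_CBC. Either repaired string matches on the first pair. The same parser works on Phase 2 lines, which charon prints with ESP: instead of IKE:.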

XakEp
Re: Upgrading to 2.4.2 broke my IPSEC VPN!
« Reply #2 on: December 05, 2017, 06:30:05 pm »
Well honk my hooter, you're right! When I'm back in the building later tonight I'll fiddle with it and update.

Thank you very much, it's a pain for my old eyes to spot that stuff these days, it's much appreciated.

XakEp
Re: Upgrading to 2.4.2 broke my IPSEC VPN!
« Reply #3 on: December 05, 2017, 11:28:01 pm »
Update - you were absolutely right! Switching DH groups fixed it. Wish I had spotted that, thank you!