On 09.02.2015 10:20, J. Echter wrote:
> On 09.02.2015 at 09:53, Claudio Thomas wrote:
>> Hi,
>> at first: thanks for the great work!
>>
>> 1) After trying to update my pfSense 2.1.5 (i386) to 2.2 over the
>> web interface it reboots as expected... But this was all. The firewall
>> was not working anymore. After a while inspecting the problem I fixed
>> the config, so that it seems to run again. Now I've tried to update by
>> console... so that I could finally find the problem. My disk was full
>> and the update seems to stop somewhere in between :-(
>> I wiped the hard disk completely to reinstall it and use the config backup.
>> This is OK for me, but probably not for everyone. Maybe it would be
>> good practice to check the free disk space before starting the upgrade.
>> Even better would be if the installer checked it, so that fools like me
>> don't stumble on such an evident error case :-)
>>
>> 2) I have 2 Phase 1 entries. One for an AVM Fritzbox (still working) and a
>> second for Android road warriors.
>> Since the upgrade my Android clients can't connect anymore. Phase 1 and
>> Phase 2 configurations were not changed since the upgrade. Was anything
>> changed in the IPsec environment?
>>
>> Thanks,
>> Claudio
>>
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
> Hi,
>
> did you read
> https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes already?

Hi,

yes... the IPsec config for Android is exactly as described in the HowTo
<https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To>.
Because of this I've assumed that my configuration is not an "unusual configuration".

To the other points in the upgrade guide:
- I also have only one Phase 2 entry for each Phase 1 entry.
- Prefer old IPsec SAs is disabled.
- I've checked both Phase 1 modes (main/aggressive) without any difference, so I left it on aggressive mode as described in the HowTo.
- glxsb crypto: encryption is AES 128 only, so this should not be a reason to fail.
- My mobile client does not need to use IPsec for main internet traffic.
- pfSense has a public IP and is connected directly to the internet. My identifier is "My IP address", but I also tested "IP address" without any change. The peer identifier is a "user distinguished name", because peers may have a private IP address. Both exactly as described in the HowTo.

I've rechecked the HowTo to see if something has changed over the years:
- Phase 1: "Policy Generation: Unique" and "Proposal Checking: Strict" are missing in the current configuration options.
- On Android: I have no option to set "Pre-Shared Key Type: text". I can only set the IPsec pre-shared key directly (Android 4.4.2). I don't have an option "Identity Type: User FQDN". I don't have the option "Internal Subnet IP". But all used devices have run without these 3 options at all, so I would wonder if this is the problem.

I've attached a log of a connection test. I've tried a connection with a Samsung tablet 4.4.2 (with private IP 10.x.x.x) to the WAN IP of the pfSense computer. The visible IP address is the translated NAT IP of the mobile device.

Summarising: I can not find an error. I've checked the HowTo and the Upgrade Guide. Any suggestion which IPsec debug level I could increase to search for the problem?

Thanks,
Claudio
Feb 9 11:17:57 charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Feb 9 11:17:57 charon: 12[IKE] <23> received FRAGMENTATION vendor ID
Feb 9 11:17:57 charon: 12[IKE] received FRAGMENTATION vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received XAuth vendor ID
Feb 9 11:17:57 charon: 12[IKE] received XAuth vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received Cisco Unity vendor ID
Feb 9 11:17:57 charon: 12[IKE] received Cisco Unity vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> received DPD vendor ID
Feb 9 11:17:57 charon: 12[IKE] received DPD vendor ID
Feb 9 11:17:57 charon: 12[IKE] <23> 80.187.100.247 is initiating a Aggressive Mode IKE_SA
Feb 9 11:17:57 charon: 12[IKE] 80.187.100.247 is initiating a Aggressive Mode IKE_SA
Feb 9 11:17:57 charon: 12[CFG] looking for XAuthInitPSK peer configs matching A.B.C.D...80.187.100.247[[email protected]]
Feb 9 11:17:57 charon: 12[CFG] selected peer config "con1"
Feb 9 11:17:57 charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Feb 9 11:17:57 charon: 12[NET] sending packet: from A.B.C.D[500] to 80.187.100.247[500] (432 bytes)
Feb 9 11:18:00 charon: 12[NET] received packet: from 80.187.100.247[500] to A.B.C.D[500] (654 bytes)
Feb 9 11:18:00 charon: 12[IKE] <con1|23> received retransmit of request with ID 0, retransmitting response
Feb 9 11:18:00 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Feb 9 11:18:00 charon: 12[NET] sending packet: from A.B.C.D[500] to 80.187.100.247[500] (432 bytes)
Feb 9 11:18:01 charon: 12[IKE] <con1|23> sending retransmit 1 of response message ID 0, seq 1
Feb 9 11:18:01 charon: 12[IKE] sending retransmit 1 of response message ID 0, seq 1
Feb 9 11:18:01 charon: 12[NET] sending packet: from A.B.C.D[500] to 80.187.100.247[500] (432 bytes)
Feb 9 11:18:03 charon: 12[NET] received packet: from 80.187.100.247[500] to A.B.C.D[500] (654 bytes)
Feb 9 11:18:03 charon: 12[IKE] <con1|23> received retransmit of request with ID 0, retransmitting response
Feb 9 11:18:03 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
...
Feb 9 11:18:27 charon: 11[JOB] deleting half open IKE_SA after timeout
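Reading the attached charon log the way a responder-side troubleshooter would, as an added example that is not part of the thread or of pfSense/strongSwan: the script below folds strongSwan charon lines into one state record per IKE_SA number and classifies each SA as established, or as timed out half open while the initiator kept retransmitting its Aggressive Mode request. The latter is the pattern visible above: pfSense answered request 0, resent the answer, and the client still retransmitted the same request until the half-open SA was deleted, which points at the reply being lost on the way back or rejected by the client rather than at pfSense refusing the connection. The sample lines are constructed in the shape of the thread's log with RFC 5737 placeholder addresses; the regexes match the message formats visible in the log plus strongSwan's standard "IKE_SA ... established" message, and the verdict codes are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the charon lines posted in the thread
# (RFC 5737 placeholder addresses; not the poster's real log). Lines that
# carry the <con|sa> tag are the ones the parser uses; the untagged
# duplicates pfSense 2.2 logs alongside them are skipped.
SAMPLE_LOG = """\
Feb  9 11:17:57 charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Feb  9 11:17:57 charon: 12[IKE] <23> received NAT-T (RFC 3947) vendor ID
Feb  9 11:17:57 charon: 12[IKE] <23> 203.0.113.7 is initiating a Aggressive Mode IKE_SA
Feb  9 11:17:57 charon: 12[IKE] 203.0.113.7 is initiating a Aggressive Mode IKE_SA
Feb  9 11:17:57 charon: 12[CFG] selected peer config "con1"
Feb  9 11:17:57 charon: 12[NET] sending packet: from 192.0.2.1[500] to 203.0.113.7[500] (432 bytes)
Feb  9 11:18:00 charon: 12[IKE] <con1|23> received retransmit of request with ID 0, retransmitting response
Feb  9 11:18:00 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Feb  9 11:18:01 charon: 12[IKE] <con1|23> sending retransmit 1 of response message ID 0, seq 1
Feb  9 11:18:03 charon: 12[IKE] <con1|23> received retransmit of request with ID 0, retransmitting response
Feb  9 11:18:27 charon: 11[JOB] deleting half open IKE_SA after timeout
"""

# Message formats as they appear in the thread's log; the "established"
# line is strongSwan's standard success message, included for comparison.
RE_INIT = re.compile(r"<(?P<sa>\d+)> (?P<peer>[\d.]+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
RE_REQ_RETX = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> received retransmit of request with ID \d+")
RE_RESP_RETX = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> sending retransmit \d+ of response")
RE_ESTAB = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> IKE_SA \S+\[\d+\] established")
RE_TIMEOUT = re.compile(r"deleting half open IKE_SA after timeout")


@dataclass
class SaState:
    sa_id: str
    peer: str = "?"
    mode: str = "?"
    conn: str = "?"
    request_retransmits: int = 0   # initiator re-sent the same request
    response_retransmits: int = 0  # responder re-sent its reply
    established: bool = False
    timed_out: bool = False


def analyze(log_text):
    """Fold charon log lines into one SaState per IKE_SA number."""
    sas = {}

    def state(sa_id, conn=None):
        st = sas.setdefault(sa_id, SaState(sa_id))
        if conn:
            st.conn = conn
        return st

    for line in log_text.splitlines():
        if m := RE_INIT.search(line):
            st = state(m["sa"])
            st.peer, st.mode = m["peer"], m["mode"]
        elif m := RE_REQ_RETX.search(line):
            state(m["sa"], m["conn"]).request_retransmits += 1
        elif m := RE_RESP_RETX.search(line):
            state(m["sa"], m["conn"]).response_retransmits += 1
        elif m := RE_ESTAB.search(line):
            state(m["sa"], m["conn"]).established = True
        elif RE_TIMEOUT.search(line):
            # In the posted log this message names no SA, so charge the
            # timeout to every SA that is still half open at this point.
            for st in sas.values():
                if not st.established and not st.timed_out:
                    st.timed_out = True
    return sas


def diagnose(st):
    """Classify one SA; the verdict codes are this example's own, not charon's."""
    if st.established:
        return "established"
    if st.timed_out and st.request_retransmits:
        # The responder answered request 0 (and re-sent the answer), yet the
        # initiator kept re-sending the request: the reply is either lost on
        # the way back (NAT or filter dropping UDP 500/4500 return traffic)
        # or not accepted by the client (identifier, proposal or PSK mismatch
        # on its side). Either way the responder's own config was selected.
        return "response-not-accepted"
    if st.timed_out:
        return "peer-silent"
    return "in-progress"


def report(log_text):
    """One human-readable verdict line per IKE_SA seen in the log."""
    return [
        f"IKE_SA {st.sa_id} ({st.conn}, peer {st.peer}, {st.mode} Mode): "
        f"{diagnose(st)} [initiator retransmits={st.request_retransmits}, "
        f"responder retransmits={st.response_retransmits}]"
        for st in analyze(log_text).values()
    ]


if __name__ == "__main__":
    for verdict in report(SAMPLE_LOG):
        print(verdict)
```

Run against a real pfSense IPsec log the script reads the same `<con|sa>` tags, so the untagged duplicate lines and the vendor-ID chatter are ignored; the useful signal is the ratio of initiator to responder retransmits on an SA that never reaches "established", which separates "pfSense never replied" from "pfSense replied and the client did not take it" before any debug level is raised.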
