[pfSense] pfSense 2.2 upgrade experiences

2015-02-09 Thread Claudio Thomas
Hi,
at first: thanks for the great work!

1) After trying to update my pfSense 2.1.5 (i386) to 2.2 over the
web interface it rebooted as expected... But that was all. The firewall
was not working anymore. After a while inspecting the problem I fixed
the config, so that it seems to run again. Now I've tried to update by
console... so that I could finally find the problem. My disk was full
and the update seems to stop somewhere in between :-(
I wiped the hard disk entirely to reinstall it and use the config backup.
This is ok for me, but probably not for everyone. Maybe it would be
good practice to check the free disk space before starting the upgrade.
Even better would be if the installer checked it, so that fools like me
don't stumble on such an evident error case :-)

2) I have 2 Phase 1 entries. One for an AVM Fritzbox (still working) and a
second for Android road warriors.
Since the upgrade my Android clients can't connect anymore. Phase 1 and
Phase 2 configurations were not changed since the upgrade. Was anything
changed in the IPsec environment?

Thanks,
Claudio

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense 2.2 upgrade experiences

2015-02-09 Thread J. Echter
On 09.02.2015 at 09:53, Claudio Thomas wrote:
> Hi,
> at first: thanks for the great work!
>
> 1) After trying to update my pfSense 2.1.5 (i386) to 2.2 over the
> web interface it rebooted as expected... But that was all. The firewall
> was not working anymore. After a while inspecting the problem I fixed
> the config, so that it seems to run again. Now I've tried to update by
> console... so that I could finally find the problem. My disk was full
> and the update seems to stop somewhere in between :-(
> I wiped the hard disk entirely to reinstall it and use the config backup.
> This is ok for me, but probably not for everyone. Maybe it would be
> good practice to check the free disk space before starting the upgrade.
> Even better would be if the installer checked it, so that fools like me
> don't stumble on such an evident error case :-)
>
> 2) I have 2 Phase 1 entries. One for an AVM Fritzbox (still working) and a
> second for Android road warriors.
> Since the upgrade my Android clients can't connect anymore. Phase 1 and
> Phase 2 configurations were not changed since the upgrade. Was anything
> changed in the IPsec environment?
>
> Thanks,
> Claudio
>
Hi,

did you read
https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes already?

Have a nice day


Re: [pfSense] pfSense 2.2 upgrade experiences

2015-02-09 Thread Claudio Thomas
On 09.02.2015 10:20, J. Echter wrote:
> On 09.02.2015 at 09:53, Claudio Thomas wrote:
>> Hi,
>> at first: thanks for the great work!
>>
>> 1) After trying to update my pfSense 2.1.5 (i386) to 2.2 over the
>> web interface it rebooted as expected... But that was all. The firewall
>> was not working anymore. After a while inspecting the problem I fixed
>> the config, so that it seems to run again. Now I've tried to update by
>> console... so that I could finally find the problem. My disk was full
>> and the update seems to stop somewhere in between :-(
>> I wiped the hard disk entirely to reinstall it and use the config backup.
>> This is ok for me, but probably not for everyone. Maybe it would be
>> good practice to check the free disk space before starting the upgrade.
>> Even better would be if the installer checked it, so that fools like me
>> don't stumble on such an evident error case :-)
>>
>> 2) I have 2 Phase 1 entries. One for an AVM Fritzbox (still working) and a
>> second for Android road warriors.
>> Since the upgrade my Android clients can't connect anymore. Phase 1 and
>> Phase 2 configurations were not changed since the upgrade. Was anything
>> changed in the IPsec environment?
>>
>> Thanks,
>> Claudio
>>
> Hi,
>
> did you read
> https://doc.pfsense.org/index.php/Upgrade_Guide#IPsec_Changes already?
Hi,
yes...
the IPsec config for Android is exactly as described in the HowTo
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To.
Because of this I've assumed that my configuration is not an unusual
one. To the other points in the upgrade guide:
- I also have only one Phase 2 entry for each Phase 1 entry.
- Prefer old IPsec SAs is disabled.
- I've checked both Phase 1 modes (main/aggressive) without any
difference, so I left it on aggressive mode as described in the HowTo.
- glxsb crypto: encryption is AES 128 only, so this should not be a
reason to fail.
- My mobile client does not need to use IPsec for main internet traffic.
- pfSense has a public IP and is connected directly to the internet. My
identifier is "My IP address", but I also tested "IP address" without any
change. The peer identifier is a user distinguished name, because
peers may have a private IP address. Both exactly as described in the HowTo.

I've rechecked the HowTo to see if something has changed over the years:
- Phase 1: "Policy Generation: Unique" and "Proposal Checking: Strict"
are missing from the current configuration options.
- On Android: I have no option to set "Pre-Shared Key Type: text". I can
only set the IPsec pre-shared key directly (Android 4.4.2). I don't have
an option "Identity Type: User FQDN". I don't have the option "Internal
Subnet IP". But all devices used have run without these 3 options at all,
so I would wonder if this is the problem.

I've attached a log of a connection test. I tried a connection with a
Samsung tablet (Android 4.4.2, with private IP 10.x.x.x) to the WAN IP of the
pfSense computer. The visible IP address is the translated NAT IP of the
mobile device.

Summarising: I can not find an error. I've checked the HowTo and the
Upgrade Guide. Any suggestion which IPsec debug level I could increase
to search for the problem?

Thanks,
Claudio

Feb 9 11:17:57	charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Feb 9 11:17:57	charon: 12[IKE] 23 received FRAGMENTATION vendor ID
Feb 9 11:17:57	charon: 12[IKE] received FRAGMENTATION vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57	charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received XAuth vendor ID
Feb 9 11:17:57	charon: 12[IKE] received XAuth vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received Cisco Unity vendor ID
Feb 9 11:17:57	charon: 12[IKE] received Cisco Unity vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 received DPD vendor ID
Feb 9 11:17:57	charon: 12[IKE] received DPD vendor ID
Feb 9 11:17:57	charon: 12[IKE] 23 80.187.100.247 is initiating a Aggressive Mode IKE_SA
Feb 9 11:17:57	charon: 12[IKE] 80.187.100.247 is initiating a Aggressive Mode IKE_SA
Feb 9 11:17:57	charon: 12[CFG] looking for XAuthInitPSK peer configs matching A.B.C.D...80.187.100.247[vpnus...@example.net]
Feb 9 11:17:57	charon: 12[CFG] selected peer config con1
Feb 9 11:17:57	charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Feb 9
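An added example (not from the thread, pfSense or strongSwan) that triages charon log lines like the ones above: it extracts the initiator, Phase 1 mode, the matched peer config and identity, and notes where the excerpt stops. The sample lines are constructed; the addresses, the identity and the config name "con1" are placeholders.

```python
import re

# Constructed sample modelled on the charon (strongSwan) lines quoted in the
# thread; addresses, identity and the config name "con1" are placeholders.
SAMPLE_LOG = """\
Feb 9 11:17:57\tcharon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Feb 9 11:17:57\tcharon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Feb 9 11:17:57\tcharon: 12[IKE] received XAuth vendor ID
Feb 9 11:17:57\tcharon: 12[IKE] received DPD vendor ID
Feb 9 11:17:57\tcharon: 12[IKE] 203.0.113.10 is initiating a Aggressive Mode IKE_SA
Feb 9 11:17:57\tcharon: 12[CFG] looking for XAuthInitPSK peer configs matching 198.51.100.1...203.0.113.10[vpnuser@example.net]
Feb 9 11:17:57\tcharon: 12[CFG] selected peer config con1
Feb 9 11:17:57\tcharon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
"""

# "(?:\d+ )?" skips the stray log-priority number some archived lines carry.
LINE_RE = re.compile(r"charon: \d+\[[A-Z]+\] (?:\d+ )?(?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA$")
LOOKUP_RE = re.compile(r"^looking for (?P<auth>\S+) peer configs matching \S+\.\.\.\S+\[(?P<ident>[^\]]*)\]")

def triage_ike_log(text):
    # Summarise one IKEv1 Phase 1 attempt: who initiated, which mode, which
    # peer config matched, and where the excerpt stops.
    s = {"mode": None, "peer": None, "auth": None, "identity": None, "peer_config": None,
         "vendor_ids": [], "nat_d": False, "established": False, "notes": []}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        init, look = INIT_RE.match(msg), LOOKUP_RE.match(msg)
        if msg.startswith("received ") and msg.endswith(" vendor ID"):
            s["vendor_ids"].append(msg[len("received "):-len(" vendor ID")])
        elif init:
            s["peer"], s["mode"] = init.group("peer"), init.group("mode")
        elif look:
            s["auth"], s["identity"] = look.group("auth"), look.group("ident")
        elif msg.startswith("selected peer config "):
            s["peer_config"] = msg.split()[-1]
        elif msg.startswith("generating") and "NAT-D" in msg:
            s["nat_d"] = True  # responder answered with NAT discovery payloads
        elif "IKE_SA" in msg and "established" in msg:
            s["established"] = True
    if s["peer_config"] is None:
        s["notes"].append("no peer config matched: check the Phase 1 identifiers")
    elif not s["established"]:
        s["notes"].append("response sent but no IKE_SA established in this excerpt: check the following lines for retransmits, proposal or PSK errors")
    if s["mode"] == "Aggressive" and s["auth"] and "PSK" in s["auth"]:
        s["notes"].append("Aggressive Mode with PSK: identities are exchanged unencrypted; prefer Main Mode where clients allow it")
    return s
```

Run it over the full IPsec log (Status > System Logs > IPsec) rather than the excerpt: the note about a missing "established" line is only meaningful once the lines after the AGGRESSIVE response are included.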