IKEv2 issues on Windows 10 fully patched

Started by rubydragon, May 13, 2021, 10:49:29 PM

Hey guys,

First time posting so a huge hi to start with!

Now the reason for my post... I work in network IT managing many different customers, and one of them started to have issues this morning. The background of what happened is I updated the router to the latest version (21.1.5) and now users are unable to connect to their VPN using the built-in Windows 10 IKEv2 client. It worked fine before the update. As far as config goes, everything is as it should be and was before the update.

Now for the test phase... and the results:

The error: "The IKE authentication information is unacceptable"

- Tried from my laptop: failing
- Tried from my iPhone: working
- Tried from another laptop I have at home: failing
- Tried from my laptop using my iPhone as a hotspot (thinking maybe ISP): failing
- Tried from a computer at another of my customers (another ISP as well): failing
- Tried from a colleague working from home with Windows 10 fully patched: working
- Uninstalled and reinstalled Let's Encrypt plugin: no changes
- Restarted services, rebooted router
- Looked at possible expired or old local certificates on my laptop: nothing found that matched the cert used for VPN

The configs:
- IKEv2 using RADIUS authentication from a Windows server & LDAP users
- Let's Encrypt certificate (verified and everything is checked as OK. Also tried to renew it)

Logs:
- Last few lines from the router
****
2021-05-13T16:45:15   charon[92611]   12[JOB] <con1|56> deleting half open IKE_SA with x.x.x.x after timeout   
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1152 bytes)   
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1248 bytes)   
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1248 bytes)   
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(3/3) ]   
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(2/3) ]   
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(1/3) ]
****
- No requests received in the logs of the Windows server that is used as NPS


I'm clueless as to what else to look at here...
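As an added example (not code from the thread, from OPNsense or from strongSwan), here is a small Python parser for charon log lines in the format quoted above. It groups lines by IKE_SA and records, for each one, whether the server's IKE_AUTH response was fragmented (the `EF(n/m)` markers), the sizes of the packets it sent, whether anything came back from the peer after the fragments went out, and whether the SA ended in `established` or in `deleting half open IKE_SA ... after timeout`. The sample lines are constructed (RFC 5737 addresses, `con1` connection name and `charon[92611]` PID kept from the excerpt) and are listed newest-first, the order the OPNsense log viewer uses; the parser sorts them itself. Run over a longer export, it separates clients that go silent right after the server's fragmented IKE_AUTH response from clients that complete, and it reports the per-packet sizes, which is the number to set against the path MTU rather than the ping result.

```python
"""Group strongSwan (charon) log lines by IKE_SA and classify the outcome.

Added example for this thread; not code from OPNsense or strongSwan. It
reads lines in the format quoted in the first post and records, per SA,
whether the IKE_AUTH response was fragmented, what was sent, whether the
peer answered afterwards, and how the SA ended.
"""
import re
from collections import defaultdict

# Message texts are strongSwan's own; the regular expressions are this example's.
SA_RE = re.compile(r"<(?P<sa>[^|>]+\|\d+)>")            # e.g. <con1|56>
TS_RE = re.compile(r"^(?P<ts>\S+)")                       # leading ISO timestamp
EF_RE = re.compile(r"generating IKE_AUTH response \d+ \[ EF\((?P<n>\d+)/(?P<m>\d+)\) \]")
SEND_RE = re.compile(r"sending packet: from \S+ to \S+ \((?P<bytes>\d+) bytes\)")
RECV_RE = re.compile(r"received packet: from \S+ to \S+ \((?P<bytes>\d+) bytes\)")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with \S+ after timeout")
ESTAB_RE = re.compile(r"IKE_SA \S+\[\d+\] established between")

# Constructed sample (RFC 5737 addresses) modelled on the first post's excerpt,
# newest-first: SA 56 goes silent after the fragmented response, SA 57 completes.
SAMPLE_LOG = """\
2021-05-13T16:46:03   charon[92611]   09[IKE] <con1|57> IKE_SA con1[57] established between 203.0.113.1[vpn.example.net]...198.51.100.9[user@example.net]
2021-05-13T16:46:02   charon[92611]   09[NET] <con1|57> received packet: from 198.51.100.9[4500] to 203.0.113.1[4500] (80 bytes)
2021-05-13T16:46:01   charon[92611]   09[NET] <con1|57> sending packet: from 203.0.113.1[4500] to 198.51.100.9[4500] (1152 bytes)
2021-05-13T16:46:01   charon[92611]   09[NET] <con1|57> sending packet: from 203.0.113.1[4500] to 198.51.100.9[4500] (1248 bytes)
2021-05-13T16:46:01   charon[92611]   09[ENC] <con1|57> generating IKE_AUTH response 1 [ EF(2/2) ]
2021-05-13T16:46:01   charon[92611]   09[ENC] <con1|57> generating IKE_AUTH response 1 [ EF(1/2) ]
2021-05-13T16:46:01   charon[92611]   09[NET] <con1|57> received packet: from 198.51.100.9[4500] to 203.0.113.1[4500] (480 bytes)
2021-05-13T16:45:15   charon[92611]   12[JOB] <con1|56> deleting half open IKE_SA with 198.51.100.7 after timeout
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from 203.0.113.1[4500] to 198.51.100.7[20110] (1152 bytes)
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from 203.0.113.1[4500] to 198.51.100.7[20110] (1248 bytes)
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> sending packet: from 203.0.113.1[4500] to 198.51.100.7[20110] (1248 bytes)
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(3/3) ]
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(2/3) ]
2021-05-13T16:44:45   charon[92611]   07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(1/3) ]
2021-05-13T16:44:45   charon[92611]   07[NET] <con1|56> received packet: from 198.51.100.7[20110] to 203.0.113.1[4500] (480 bytes)
"""


def analyze(log_text):
    """Return {sa_id: summary} for every IKE_SA that appears in log_text."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    # The viewer shows newest-first; sort on the timestamp (the sort is stable,
    # so lines within the same second keep their relative order).
    lines.sort(key=lambda ln: TS_RE.match(ln).group("ts"))
    sas = defaultdict(lambda: {
        "auth_fragments": 0,    # m from EF(n/m); 0 = response was not fragmented
        "sent_bytes": [],       # UDP payload sizes sent by this side
        "first_frag_ts": None,  # when the first IKE_AUTH fragment was built
        "last_recv_ts": None,   # last packet seen from the peer
        "outcome": "unknown",   # established | timeout | unknown
    })
    for line in lines:
        sa_match = SA_RE.search(line)
        if not sa_match:
            continue
        s = sas[sa_match.group("sa")]
        ts = TS_RE.match(line).group("ts")
        ef, snd = EF_RE.search(line), SEND_RE.search(line)
        if ef:
            s["auth_fragments"] = int(ef.group("m"))
            s["first_frag_ts"] = s["first_frag_ts"] or ts
        elif snd:
            s["sent_bytes"].append(int(snd.group("bytes")))
        elif RECV_RE.search(line):
            s["last_recv_ts"] = ts
        elif TIMEOUT_RE.search(line):
            s["outcome"] = "timeout"
        elif ESTAB_RE.search(line):
            s["outcome"] = "established"
    return dict(sas)


def stalled_after_fragmented_auth(report):
    """IKE_SA ids where this side fragmented its IKE_AUTH response, nothing
    arrived from the peer afterwards, and the SA was dropped half open.
    That is the shape of the first post's excerpt. Timestamps have one-second
    resolution, so a reply within the same second as the fragments is not
    distinguishable from the request that preceded them."""
    hits = []
    for sa, s in report.items():
        replied = (s["first_frag_ts"] is not None and s["last_recv_ts"] is not None
                   and s["last_recv_ts"] > s["first_frag_ts"])  # strictly after
        if s["auth_fragments"] > 1 and s["outcome"] == "timeout" and not replied:
            hits.append(sa)
    return sorted(hits)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for sa, s in sorted(rep.items()):
        print(f"{sa}: fragments={s['auth_fragments']} "
              f"max_sent={max(s['sent_bytes'] or [0])} outcome={s['outcome']}")
    print("silent after fragmented IKE_AUTH:", stalled_after_fragmented_auth(rep))
```

To use it on a real box, paste the IPsec log export into `SAMPLE_LOG` or read a file into `analyze()`; a client that shows up in `stalled_after_fragmented_auth()` while others from the same gateway end in `established` has failed after the server finished its side of IKE_AUTH, which is the point where the client evaluates the server's certificate and before any RADIUS request would be made.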

What was the last known working version? Which guide did you follow for configuration?

May 14, 2021, 12:33:04 PM #2 Last Edit: May 14, 2021, 12:35:13 PM by Cerberus
We use OPNsense with Windows 10 clients and IKEv2, Windows RADIUS server with certificate authentication.

No issues with 21.1.4 > 21.1.5
No issues with Windows 10 Clients (20H2,21H1) with or without May patch.

Is your OPNsense behind another firewall? The "some clients work, some don't" reminds me of MTU issues.

Hi,

I didn't pay attention to the exact version before I started rolling updates, but I think it was in the 19.x range. I know it applied one or two major updates.

As for the MTU route, I don't think that's the issue here. I know having the wrong MTU will make multiple websites not load, which is usually where you start noticing something is wrong. I also did the ping tests to determine the proper MTU, and the largest packet size from pings is 1472, to which you add 28, ending up with the default 1500.

As for the VPN configuration, I didn't follow any specific guide, as this is not the first one I'm doing. The router is configured like many others we have installed in the past.


I'll try configuring a new router and will see what happens. I'm convinced it's something with the certificate being corrupted or duplicated and not showing...

There are too few logs, and screenshots are missing, to diagnose this further (and there are too many update versions involved).