Topic: IPSec Mobile client (MacOS and iOS)

eustachy

IPSec Mobile client (MacOS and iOS)
« on: June 30, 2015, 12:49:20 pm »
Welcome

I have had some issues for about 2 weeks when connecting from Yosemite (OS X) and iPhone (iOS 9).
I configured the connection about 2 months ago, and all worked fine.
After the upgrade, I can't connect from any of these devices. The Windows Shrew client works OK.
I looked in the logs, but found nothing special (no errors).
I had this situation about 1.5 months ago, but I upgraded to the next release, and all worked fine.

Do you have any ideas where to start digging?

Thanks
Rafal

franco

Re: IPSec Mobile client (MacOS and iOS)
« Reply #1 on: June 30, 2015, 01:39:47 pm »
Hi Rafal,

this most likely happened with 15.1.11.4 when StrongSwan got bumped from 5.3.0 to 5.3.2. I saw related commits in pfSense, e.g.

https://github.com/pfsense/pfsense/commit/29c9e14002b4a1566fa6afc6c4933b384b8e2242

I don't know the full scope of the problem yet, but I can, however, suggest a workaround based on reverting back to StrongSwan 5.3.0 in a little bit. Stay tuned.


Cheers,
Franco

eustachy

Re: IPSec Mobile client (MacOS and iOS)
« Reply #2 on: June 30, 2015, 01:52:57 pm »
Thanks franco for a quick reply.

I was thinking that the problem is in the strongswan package.
Do you know how I can revert back to this package?

Thanks
Rafal

franco

Re: IPSec Mobile client (MacOS and iOS)
« Reply #3 on: June 30, 2015, 02:48:53 pm »
From the root shell, do the following:

Please pick the right architecture and SSL flavour from the following links...

# fetch https://pkg.opnsense.org/snapshots/amd64/LibreSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/amd64/OpenSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/i386/LibreSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/i386/OpenSSL/strongswan-5.3.0_2.txz

Afterwards:

# pkg add -f strongswan-5.3.0_2.txz
# pkg lock -y strongswan

This will prevent future firmware updates to the StrongSwan package. To unlock and go back to the latest version do this:

# pkg unlock -y strongswan
# pkg upgrade -y strongswan

Please let me know if that helps your case. :)

PS: You'll need to manually restart StrongSwan (or reboot) for the daemon to run the correct version (e.g. via the GUI).

eustachy

Re: IPSec Mobile client (MacOS and iOS)
« Reply #4 on: June 30, 2015, 03:19:17 pm »
OK, I'll try tomorrow; I don't want to take overtime at work today. :)

Thanks Rafal

eustachy

Re: IPSec Mobile client (MacOS and iOS)
« Reply #5 on: July 01, 2015, 08:30:40 am »
I did it as you wrote and rebooted the service from the GUI via Status>Service>IPSec, but I still can't connect.
Where can I check the currently used package version (of strongswan)?

Thanks
Rafal

franco

Re: IPSec Mobile client (MacOS and iOS)
« Reply #6 on: July 01, 2015, 08:35:27 am »
The GUI for firmware is a work in progress. From the command line, you can do:

# pkg info strongswan

This gives you a bunch of strongswan-related information, including the installed version.

It may also be related to the recent OpenSSL/LibreSSL updates. There are still images available for 15.1.11.1, which could help pin down the problem:

https://pkg.opnsense.org/releases/15.1.11.1/

This is the only problem report we've heard of so far. Are you sure there have been no changes in your network regarding routing or firewall rules?

eustachy

Re: IPSec Mobile client (MacOS and iOS)
« Reply #7 on: July 01, 2015, 08:44:27 am »
OK, so it is the correct version:
root@srv-gate01:~ # pkg info strongswan
strongswan-5.3.0_2
Name           : strongswan
Version        : 5.3.0_2
Installed on   : Wed Jul  1 08:21:29 CEST 2015

I know this is a stupid question, but I will check:
On my home page:
OPNsense 15.1.12-amd64   
FreeBSD 10.1-RELEASE-p12   
OpenSSL 1.0.2c 12 Jun 2015

Does this suggest that I'm using OpenSSL, not LibreSSL?

Thanks
Rafal

franco

Re: IPSec Mobile client (MacOS and iOS)
« Reply #8 on: July 01, 2015, 08:46:01 am »
Yes, you are running OpenSSL. There have been API bumps for both SSL flavours just before 15.1.12 came out that might be related to what you are seeing.
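
Added example (not part of the original thread and not OPNsense project code): a shell script for the two manual checks discussed in the replies above, namely picking the snapshot URL for the right architecture and SSL flavour, and reading the installed version out of `pkg info` output. The function names are hypothetical; the base URL, package name and sample output are the ones posted in the thread.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, values come from the thread.
BASE="https://pkg.opnsense.org/snapshots"
PKG="strongswan-5.3.0_2.txz"

# Map `uname -m` style output onto the two architectures listed in the thread.
pkg_arch() {
    case "$1" in
        amd64|x86_64) echo amd64 ;;
        i386|i486|i586|i686) echo i386 ;;
        *) return 1 ;;
    esac
}

# Derive the SSL flavour from the first word of an `openssl version` line.
ssl_flavour() {
    case "$1" in
        LibreSSL\ *) echo LibreSSL ;;
        OpenSSL\ *) echo OpenSSL ;;
        *) return 1 ;;
    esac
}

# Build the download URL; refuse to guess on an unknown arch or SSL library.
snapshot_url() {
    arch=$(pkg_arch "$1") || { echo "unsupported arch: $1" >&2; return 1; }
    flavour=$(ssl_flavour "$2") || { echo "unknown SSL: $2" >&2; return 1; }
    echo "$BASE/$arch/$flavour/$PKG"
}

# Extract the Version field from `pkg info <name>` output read on stdin.
installed_version() {
    awk -F' *: *' '$1 == "Version" { print $2; exit }'
}

# Sample input constructed from the values posted in Reply #7.
PKG_INFO_SAMPLE='strongswan-5.3.0_2
Name           : strongswan
Version        : 5.3.0_2'

echo "fetch $(snapshot_url amd64 'OpenSSL 1.0.2c 12 Jun 2015')"
echo "installed: $(printf '%s\n' "$PKG_INFO_SAMPLE" | installed_version)"
```

On the firewall itself the inputs would come from `uname -m`, `openssl version` and `pkg info strongswan` instead of the embedded sample.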

eustachy

Re: IPSec Mobile client (MacOS and iOS)
« Reply #9 on: July 01, 2015, 09:09:29 am »
OK, so the last thing I can do is to downgrade OPNsense. I will try it in a non-production environment first.

Thanks
Rafal

franco

Re: IPSec Mobile client (MacOS and iOS)
« Reply #10 on: July 01, 2015, 09:32:25 am »
Thank you for your efforts! :)