IPSec Mobile client (MacOS and iOS)

Started by eustachy, June 30, 2015, 12:49:20 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
June 30, 2015, 12:49:20 PM
Welcome

I have some isues from about 2 weeks when connecting from Yosemite (OSX) and iPhone (iOS 9).
I've configured connection about 2 months ago, and all works fine.
After upgrade, I can't connect from any of this devices. Windows Shrew client works ok.
I looked in logs, but nothing special (no errors).
I have this situation about 1,5 month ago, but I upgrade to next release, and all works fine.

Do You have any ideas , where to start digging?

Thanks
Rafal
June 30, 2015, 01:39:47 PM #1
Hi Rafal,

this most likely happened with 15.1.11.4 when StrongSwan got bumped from 5.3.0 to 5.3.2. I saw related commits in pfSense, e.g.

https://github.com/pfsense/pfsense/commit/29c9e14002b4a1566fa6afc6c4933b384b8e2242

I don't know the full scope of the problem yet, but I can, however, suggest a workaround based on reverting back to StrongSwan 5.3.0 in a little bit. Stay tuned.


Cheers,
Franco
June 30, 2015, 01:52:57 PM #2
Thanks franco for a quick reply.

I was thinking that the problem is in strongswan package.
Do You know, how can I revert back to this package?

Thanks
Rafal
June 30, 2015, 02:48:53 PM #3
From the root shell, do the following:

Please pick the right architecture and SSL flavour from the following links...

# fetch https://pkg.opnsense.org/snapshots/amd64/LibreSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/amd64/OpenSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/i386/LibreSSL/strongswan-5.3.0_2.txz
# fetch https://pkg.opnsense.org/snapshots/i386/OpenSSL/strongswan-5.3.0_2.txz

Afterwards:

# pkg add -f strongswan-5.3.0_2.txz
# pkg lock -y strongswan

This will prevent future firmware updates to the StrongSwan package. To unlock and go back to the latest version do this:

# pkg unlock -y strongswan
# pkg upgrade -y strongswan

Please let me know if that helps your case. :)

PS: You'll need to manually restart StrongSwan (or reboot) for the daemon to run the correct version (e.g. via the GUI)
June 30, 2015, 03:19:17 PM #4
Ok I try tommorow, I don't want to take overtime in work today. :)

Thanks Rafal
July 01, 2015, 08:30:40 AM #5
I do it, as You wrote, rebooted service from gui via Status>Service>IPSec, but I still can't connect.
Where can I check currently used package version (of strongswan).

Thanks
Rafal
July 01, 2015, 08:35:27 AM #6 Last Edit: July 01, 2015, 08:42:23 AM by franco
The GUI for firmware is a work in progress. From the command line, you can do:

# pkg info strongswan

This gives you a bunch of strongswan-related information, including the installed version.

It may also be related to the recent OpenSSL/LibreSSL updates. There are still images available for 15.1.11.1, which could help pin down the problem:

https://pkg.opnsense.org/releases/15.1.11.1/

This is the only problem report we've heard of so far. Are you sure there have been no changes in your network regarding routing or firewall rules?

July 01, 2015, 08:44:27 AM #7
Ok, so it is correct version:
root@srv-gate01:~ # pkg info strongswan
strongswan-5.3.0_2
Name           : strongswan
Version        : 5.3.0_2
Installed on   : Wed Jul  1 08:21:29 CEST 2015

I know this is a stupid question, but I will check:
On my home page:
OPNsense 15.1.12-amd64   
FreeBSD 10.1-RELEASE-p12   
OpenSSL 1.0.2c 12 Jun 2015

This sugesting that I'm using OpenSSL not LibreSSL?

Thanks
Rafal
July 01, 2015, 08:46:01 AM #8
Yes, you are running OpenSSL. There have been API bumps for both SSL flavours just before 15.1.12 came out that might be related to what you are seeing.
July 01, 2015, 09:09:29 AM #9
Ok, so last thing, I can do it, it is to downgrade OPNSense. I will try it in non production enviroment first..

Thanks
Rafal
July 01, 2015, 09:32:25 AM #10
Thank you for your efforts! :)
Print
Go Up Pages1
User actions