Added an alternative solution using ACME.
Updated to be compatible with the newer pfSense release (2.7).
With a previously working IKEv2 configuration on pfSense, you may suddenly start receiving these messages:
iOS: User Authentication Failed
Windows 10: IKE authentication credentials are unacceptable
In this case the cause was the certificate. The first step is to log in to the pfSense webConfigurator and verify that the certificate is still valid: open the Certificate Manager and check its Valid Until date.
If the certificate is valid and was recently renewed, the IPsec service may still have the previous certificate in memory. You can verify this from a shell: in the webConfigurator, choose Diagnostics, then Command Prompt, run the following command and look for the validity dates of your certificate:
ipsec listcerts
If the output still shows the expired certificate, a quick fix is to stop and start the IPsec service: go to VPN -> IPsec, disable the tunnel and apply changes, then enable it and apply changes again. Rebooting the firewall also works.
If you are using ACME to manage the certificate for your IPsec VPN, you can have that package restart the service automatically:
- In pfSense, go to Services -> Acme Certificates, then choose Edit for the certificate that is used by the VPN.
- Scroll down to Actions list
- Add a Shell command
- Populate the Command box with the following:
/usr/local/sbin/strongswanrc restart
Alternatively, you can automate the IPsec VPN restart with cron:
In the pfSense Package Manager, install cron. Then go to Services -> cron and add a new job. For example, a job that restarts the service on the first day of every month:
0 0 1 * * root /usr/local/sbin/strongswanrc restart | logger 2>&1
Notes:
Attempting to run this command (/usr/local…logger 2>&1) in a console session will produce one of the errors below, depending on your pfSense version, and the certificate will not be updated. It works as intended when configured as a cron job as described above.
charon is already running (/var/run/charon.pid exists) — skipping daemon start
strongswan already running?
If you have Service Watchdog enabled and watching the ipsec service, you'll see the following two lines in the System Log shortly after the service is stopped:
servicewatchdog_cron.php: Service Watchdog detected service ipsec stopped. Restarting ipsec (IPsec VPN)
servicewatchdog_cron.php: Forcefully reloading IPsec
In pfSense versions 2.5 and earlier, the cron job below used to work, but in version 2.7 and higher it returns the error "Ambiguous output redirect":
0 0 1 * * root /usr/local/sbin/strongswanrc restart 2>&1 | logger &
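The manual check above (run ipsec listcerts, look at the validity dates) and the unconditional scheduled restart can be combined into one script that restarts strongSwan only when the certificate it has loaded is expired or no longer matches the certificate file on disk. The script below is an added example, not part of the original post or of pfSense: the sample ipsec listcerts output is constructed from the strongSwan listing format, and the certificate path in CERT_FILE is an assumption to be replaced with the file ACME writes for your VPN certificate.

```shell
#!/bin/sh
# Added example (not from the original post): restart IPsec only when the
# certificate strongSwan holds in memory is stale. Stale means either the
# loaded certificate is marked expired, or its serial number differs from
# the certificate file on disk (i.e. ACME renewed it but charon never reloaded).

CERT_FILE="${CERT_FILE:-/conf/acme/vpn.example.com.crt}"   # assumed path, adjust
RESTART_CMD="/usr/local/sbin/strongswanrc restart"          # same command as the post

# Constructed sample of `ipsec listcerts` output with an expired certificate.
SAMPLE_EXPIRED='List of X.509 End Entity Certificates

  subject:  "CN=vpn.example.com"
  issuer:   "C=US, O=Example CA, CN=R3"
  validity:  not before Jan 01 00:00:00 2023, ok
             not after  Apr 01 00:00:00 2023, expired (30 days ago)
  serial:    03:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
'

# Constructed sample with a certificate that is still valid.
SAMPLE_OK='List of X.509 End Entity Certificates

  subject:  "CN=vpn.example.com"
  issuer:   "C=US, O=Example CA, CN=R3"
  validity:  not before Mar 11 00:00:00 2025, ok
             not after  Jun 09 00:00:00 2025, ok (expires in 89 days)
  serial:    04:11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd:ee:ff
'

# loaded_cert_expired: reads listcerts output on stdin; true (0) when a
# "not after" line is flagged as expired by strongSwan.
loaded_cert_expired() {
    grep -q 'not after.*expired'
}

# loaded_serial: reads listcerts output on stdin and prints the first serial,
# normalised to lowercase hex with the colon separators removed.
loaded_serial() {
    sed -n 's/^ *serial: *//p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'
}

# disk_serial: serial of the certificate file, normalised the same way so the
# two can be compared as plain strings.
disk_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# cert_is_stale LISTING DISK_SERIAL: true (0) when a restart is warranted.
cert_is_stale() {
    lst="$1"; dsk="$2"
    if printf '%s\n' "$lst" | loaded_cert_expired; then
        return 0
    fi
    [ "$(printf '%s\n' "$lst" | loaded_serial)" != "$dsk" ]
}

if [ "${1:-}" = "check" ]; then
    # Live mode on the firewall: compare memory vs disk, restart only if needed.
    listing="$(ipsec listcerts 2>/dev/null)"
    if cert_is_stale "$listing" "$(disk_serial "$CERT_FILE")"; then
        echo "IPsec holds a stale certificate; restarting strongSwan" | logger -t ipsec-certcheck
        $RESTART_CMD
    else
        echo "IPsec certificate in memory matches disk and is valid" | logger -t ipsec-certcheck
    fi
else
    # Offline demonstration on the constructed samples (no restart is issued).
    if cert_is_stale "$SAMPLE_EXPIRED" "0411223344556677889900aabbccddeeff"; then
        echo "sample: expired certificate in memory, restart would be issued"
    fi
    if cert_is_stale "$SAMPLE_OK" "0411223344556677889900aabbccddeeff"; then
        echo "sample: unexpected"
    else
        echo "sample: loaded certificate is current, no restart needed"
    fi
fi
```

Save it on the firewall (for example as /root/ipsec-certcheck.sh, an assumed location) and call it from the cron job or from the ACME Shell command action as /bin/sh /root/ipsec-certcheck.sh check. Because the script writes its own messages through logger, the cron line needs no shell pipe or redirection of its own, and the restart happens only when the in-memory certificate actually needs replacing rather than on every run.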