IKEv2 VPN Suddenly Stops Working with Authentication Error

Updated to be compatible with the newer pfSense release (2.7)

With a previously working IKEv2 configuration on pfSense, you may suddenly start receiving these messages:

iOS: User Authentication Failed
Windows 10: IKE authentication credentials are unacceptable

The reason in this case was related to the certificate. The first step is to log in to the pfSense webConfigurator, then verify the certificate is still valid using the Certificate Manager and its Valid Until date.

If the certificate is valid and recently renewed, it could be that the IPsec service still has the previous certificate in memory. This can be verified by running a shell command. In the webConfigurator, choose Diagnostics then Command Prompt. Execute the following command and look for the validity dates of your certificate:

ipsec listcerts

If it still lists the expired certificate, a quick fix is simply stopping and starting the IPsec service. Go to VPN -> IPsec, disable and then re-enable the tunnel, applying changes each time. You can also simply reboot the firewall.
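The diagnosis above (renewed certificate on disk, older certificate still held by the daemon) can be scripted so the restart only happens when it is actually needed. The following is an added example, not code from the original post or from pfSense or strongSwan: it contains a minimal DER walker that reads just far enough into an X.509 certificate to reach the Validity field, and a decision function that compares the notAfter date of the certificate on disk with that of the certificate the daemon is serving. The sample certificates are constructed inline with a tiny DER encoder (dummy issuer, subject and signature) purely so the script runs offline; in practice you would feed it the PEM exported from the Certificate Manager and the certificate reported by `ipsec listcerts`.

```python
import base64
import re
from datetime import datetime, timezone

UTC = timezone.utc


# ---- minimal DER helpers (hypothetical, enough for this check only) ----
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def utctime(dt):
    """DER UTCTime (RFC 5280 requires UTCTime for years before 2050)."""
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def parse_time(tag, content):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = content.decode("ascii")
    if tag == 0x17:
        dt = datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.replace(tzinfo=UTC)


def pem_to_der(pem):
    """Strip PEM armor and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


def validity(cert_der):
    """Return (notBefore, notAfter) of a DER certificate.

    Walks Certificate -> tbsCertificate -> [version] serial sigalg issuer validity.
    """
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        tag, _, pos = read_tlv(tbs, pos)        # serialNumber
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    _, val, _ = read_tlv(tbs, pos)              # validity SEQUENCE
    t1, c1, p = read_tlv(val, 0)
    t2, c2, _ = read_tlv(val, p)
    return parse_time(t1, c1), parse_time(t2, c2)


def needs_restart(cert_on_disk, cert_loaded, now):
    """Decide whether IPsec must be restarted to pick up a renewed certificate.

    Returns (restart_needed, reason). A renewed certificate on disk whose
    notAfter differs from the one the daemon reports means the daemon still
    holds the old certificate in memory, which is the failure the post describes.
    """
    _, disk_after = validity(cert_on_disk)
    _, loaded_after = validity(cert_loaded)
    if disk_after <= now:
        return False, "certificate on disk is already expired; renew it first"
    if loaded_after != disk_after:
        return True, "daemon holds a different certificate (notAfter %s vs %s on disk)" % (
            loaded_after.date(), disk_after.date())
    return False, "daemon certificate matches the one on disk"


# ---- constructed sample data (not real certificates) ----
def make_cert(not_before, not_after, serial):
    """Stand-in certificate: only the fields needed to reach Validity are real."""
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")),                               # version v3
        tlv(0x02, bytes([serial])),                                  # serialNumber
        tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA OID
        tlv(0x30, b""),                                              # issuer (empty)
        tlv(0x30, utctime(not_before) + utctime(not_after)),         # validity
        tlv(0x30, b""),                                              # subject (empty)
    ]))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))     # dummy sig alg + sig


SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_OLD_CERT = make_cert(datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC), 1)
SAMPLE_NEW_CERT = make_cert(datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC), 2)

if __name__ == "__main__":
    restart, why = needs_restart(SAMPLE_NEW_CERT, SAMPLE_OLD_CERT, SAMPLE_NOW)
    print("restart IPsec:", restart, "-", why)
```

Only when `needs_restart` returns True is the stop/start from the steps above worth doing; an expired certificate on disk is reported separately, since restarting the service cannot fix that case.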

If you want to automate the restart of IPsec you can use cron:

In the pfSense Package Manager, install cron. Then go to Services -> cron and add a new job. For example, a job that restarts the service on the first day of every month:

0 0 1 * * root /usr/local/sbin/strongswanrc restart | logger 2>&1

Notes:

Attempting to use this command (/usr/local…logger 2>&1) in a console session will result in one of the errors below, depending on your pfSense version, and the certificate will not get updated. However, it will work as intended if you configure it as a cron job as described above.
charon is already running (/var/run/charon.pid exists) — skipping daemon start
strongswan already running?

If you have Service Watchdog enabled and watching the ipsec service, you’ll see the following two lines in the System Log shortly after the service is stopped.
servicewatchdog_cron.php: Service Watchdog detected service ipsec stopped. Restarting ipsec (IPsec VPN)
servicewatchdog_cron.php: Forcefully reloading IPsec

In pfSense versions 2.5 and earlier, the cron job above worked, but in version 2.7 and higher it returns the error: Ambiguous output redirect. Use this form of the job instead:

0 0 1 * * root /usr/local/sbin/strongswanrc restart 2>&1 | logger &
