IKEv2 VPN Suddenly Stops Working with Authentication Error

With a previously working IKEv2 configuration on pfSense, you may suddenly start receiving these messages:

iOS: User Authentication Failed
Windows 10: IKE authentication credentials are unacceptable

The reason in this case was related to the certificate. The first step is to log in to the pfSense webConfigurator, then verify that the certificate is still valid by checking its Valid Until date in the Certificate Manager.

If the certificate is valid and recently renewed, it could be that the IPsec service still has the previous certificate in memory. This can be verified by running a shell command. In the webConfigurator, choose Diagnostics then Command Prompt. Execute the following command and look for the validity dates of your certificate:

ipsec listcerts

If it has the expired certificate, a quick fix is simply stopping and starting the IPsec service. Go to VPN -> IPsec, then Disable and Enable the tunnel, applying changes each time. You can also simply reboot the firewall.
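
One way to script the check described above, as an added example that is not part of the original post: it reads `ipsec listcerts` output and prints the subject of every certificate the running daemon reports as expired. The function names are hypothetical, and the `subject:` / `not after ..., expired` line layout and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certificates that the running IPsec daemon reports as
# expired, given the text output of `ipsec listcerts` on stdin.
# Assumption: each certificate is listed with a `subject:` line followed by a
# `not after` validity line that reads "..., expired (...)" once the date passed.

expired_certs() {
    awk '
        /^[ \t]*subject:/ {
            # Remember the most recent subject, without its label and quotes.
            subj = $0
            sub(/^[ \t]*subject:[ \t]*/, "", subj)
            gsub(/"/, "", subj)
        }
        /not after.*, expired/ {
            # The daemon still holds a certificate past its end date.
            print subj
        }
    '
}

# Constructed sample in the listing format assumed above (not real output).
sample_listcerts() {
    cat <<'EOF'

List of X.509 End Entity Certificates

  subject:  "CN=vpn.example.com"
  issuer:   "CN=example-internal-ca"
  validity:  not before Jan 10 09:00:00 2022, ok
             not after  Jan 10 09:00:00 2023, expired (41 days ago)
  serial:    01

List of X.509 CA Certificates

  subject:  "CN=example-internal-ca"
  issuer:   "CN=example-internal-ca"
  validity:  not before Jan 10 09:00:00 2020, ok
             not after  Jan 07 09:00:00 2030, ok
  serial:    00
EOF
}

# On the firewall: ipsec listcerts | expired_certs
# The constructed sample is used here so the script runs anywhere.
sample_listcerts | expired_certs
```

If the Certificate Manager shows a renewed certificate but this still prints the server certificate's subject, the daemon is holding the old one in memory.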

If you want to automate the restart of IPsec you can use cron:

In the pfSense Package Manager, install cron. Then go to Services -> Cron and add a new job. For example, a job that restarts the service on the first day of every month:

0 0 1 * * root /usr/local/sbin/strongswanrc restart 2>&1 | logger &

Notes:

Attempting to manually restart the ipsec service from the console will result in the error below. This is because strongSwan is still running, so the certificate will not get updated.
charon is already running (/var/run/charon.pid exists) — skipping daemon start

If you have Service Watchdog enabled and watching the ipsec service, you’ll see the following 2 lines in the System Log shortly after the service is stopped.
servicewatchdog_cron.php: Service Watchdog detected service ipsec stopped. Restarting ipsec (IPsec VPN)
servicewatchdog_cron.php: Forcefully reloading IPsec
