VPN not working any more after reboot

Options
StefanZ
StefanZ Posts: 190  Master Member
First Anniversary 10 Comments Friend Collector First Answer
edited February 29 in Security

I don't know what it is, but my Flex200 seems haunted!

It was up for 3 months and today I reboot it and suddenly two VPNs are not working any more. That's especially "great" since it's the last day of the month any everyone needs to enter their hours for billing…

The two failing VPNs are IKEv2 with certs.

I have a 3rd, working one that is exactly like the failing ones, except a different cert.

The log only shows ONE difference:
The failing connections phase-1 has one more [NOTIFY] than the successful one.
At least sometimes.

[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY]

I also updated from V5.37(ABUI.1) to V5.37(ABUI.2).
No change.

There are also 4 static tunnels from my F50 to the F200 – disabling those does nothing.

The two failing connections even go to different IPs on different WANs – both worked up until the reboot.

«1

All Replies

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Maybe test with Pre-Shared Key on both ends

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    This is what Graylog receives in Debug Mode.
    (Yes, ending in "negotiation failed:" and then not following up with anything sure is cool)

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    That won't help the VPN users, since they are not admins and get an OSX .mobileconfig file installed.

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I just compared the two config files:

    #1 is before reboot and update
    #2 is from after reboot and update

    They are the same file, no differences that are notable except the date and one setting I changed.

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Making new VPN gateways / connections fails with the same result.
    - I got a new DDNS for a free WAN IP
    - Made a new cert for the DDNS
    - New IKEv2 cert VPN gateway and connection

    Neither AES128 | SH256 with DH2, DH14, DH21 (OSX pre-Sonoma)
    nor AESA256 | SHA256 with DH19 (OSX Sonoma)
    manage to do anything beyond giving the same error.

    Message: Crypto operation failed (65539)

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 29
    Options

    I take it the cert is valid in date?

    maybe a update on the client side OS has caused this? can you test by windows or StrongSwan

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yes they are.

    But I just realized:
    It's February 29th!

    What are the odds, that might be the problem?

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 29
    Options

    Well I tested here locally with a DDNS cert IKEv2 on FLEX200 as server role connects OK by windows

  • StefanZ
    StefanZ Posts: 190  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Thanks for testing!

    I am not imagining this… 3 Months of nonstop working well (except having to add a new gateway for OSX Sonoma) and then on restart it all goes to crap…

    This is gonna be a "fun" weekend…

  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Coffee for @StefanZ

Security Highlight