One IPSec client failing to get `received packet` at certificate stage
-
I have a 'road warrior' IPSec setup that's been working fine for years. I now have a new Windows 10 user that's trying to set up his connection. We've followed the same steps that have worked for other Windows 10 users. But it's not working for him.
I've compared `/var/log/ipsec.log` for a successful connection vs his attempts. For a successful connection by me:
```
sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
sending packet: from w.x.y.z[500] to a.b.c.d[500] (481 bytes)
received packet: from a.b.c.d[4500] to w.x.y.z[4500] (512 bytes)
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
<stuff>
authentication of 'vpn.example.com' (myself) with RSA signature successful
sending end entity cert "CN=vpn.example.com, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
```
For failure by him:
```
sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
sending packet: from w.x.y.z[500] to e.f.g.h[500] (481 bytes)
deleting half open IKE_SA with e.f.g.h after timeout
IKE_SA (unnamed)[8901] state change: CONNECTING => DESTROYING
```
There's no `received packet` after that `sending packet`, which seems unexpected. What would cause that? I've looked at https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html (which is great!) but I don't see my scenario listed there.
Thanks!
-
I think I've maybe found the issue. I think his home ISP is blocking something. If he creates a wifi hotspot on his smartphone, his Windows PC can then connect to our VPN!
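Added example, not from this thread and not pfSense or strongSwan code: a small Python checker that reads charon log lines in the format quoted above and reports, per peer, how far the IKEv2 handshake got. It flags exactly the pattern in the question (our IKE_SA_INIT response went out, nothing came back, then `deleting half open IKE_SA ... after timeout`), which is the signature of a client whose IKE_AUTH never reaches the gateway, consistent with the ISP-filtering finding in the follow-up. The sample log is constructed to mirror the two excerpts with the same placeholder addresses; the `received packet` / `parsed IKE_SA_INIT request` lines that precede each excerpt are assumed to look like charon's usual output and are not from the post.

```python
"""Correlate strongSwan (charon) IKEv2 log lines per peer and spot clients whose
IKE_AUTH never arrives after our IKE_SA_INIT response was sent."""
import re
from collections import OrderedDict

# Constructed sample in the style of the thread's /var/log/ipsec.log excerpts.
# a.b.c.d = a client that completes the exchange, e.f.g.h = the failing one.
SAMPLE_LOG = """\
received packet: from a.b.c.d[500] to w.x.y.z[500] (604 bytes)
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
sending packet: from w.x.y.z[500] to a.b.c.d[500] (481 bytes)
received packet: from a.b.c.d[4500] to w.x.y.z[4500] (512 bytes)
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr SA TSi TSr ]
authentication of 'vpn.example.com' (myself) with RSA signature successful
received packet: from e.f.g.h[500] to w.x.y.z[500] (604 bytes)
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
sending packet: from w.x.y.z[500] to e.f.g.h[500] (481 bytes)
deleting half open IKE_SA with e.f.g.h after timeout
IKE_SA (unnamed)[8901] state change: CONNECTING => DESTROYING
"""

# search() rather than match() so syslog prefixes ("charon: 14[NET] <5> ...") do not matter.
INIT_RESP_RE = re.compile(r"generating IKE_SA_INIT response")
SEND_RE = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
RECV_RE = re.compile(r"received packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
AUTH_RE = re.compile(r"parsed IKE_AUTH request")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def _new_record():
    return {"init_response_sent": False, "init_response_port": None,
            "init_response_bytes": None, "packets_received": 0,
            "replies_after_init": 0, "ike_auth_received": False,
            "nat_t_float": False, "status": "in_progress"}


def analyze(log_text):
    """Return an ordered {peer_ip: record} describing each peer's handshake progress."""
    peers = OrderedDict()
    init_pending = False  # an IKE_SA_INIT response was just built; the next send carries it
    last_peer = None      # peer of the most recently received packet (for attributing 'parsed' lines)

    for line in log_text.splitlines():
        if INIT_RESP_RE.search(line):
            init_pending = True
            continue
        m = SEND_RE.search(line)
        if m and init_pending:
            _src, _sport, peer, dport, nbytes = m.groups()
            rec = peers.setdefault(peer, _new_record())
            rec["init_response_sent"] = True
            rec["init_response_port"] = int(dport)
            rec["init_response_bytes"] = int(nbytes)
            init_pending = False
            continue
        m = RECV_RE.search(line)
        if m:
            peer, sport, _dst, _dport, _n = m.groups()
            rec = peers.setdefault(peer, _new_record())
            rec["packets_received"] += 1
            if rec["init_response_sent"]:
                rec["replies_after_init"] += 1
                # A client that answered on 4500 after we replied to 500 detected NAT
                # and floated to NAT-T; that is normal for a road warrior behind a router.
                if rec["init_response_port"] == 500 and int(sport) == 4500:
                    rec["nat_t_float"] = True
            last_peer = peer
            continue
        if AUTH_RE.search(line) and last_peer in peers:
            peers[last_peer]["ike_auth_received"] = True
            peers[last_peer]["status"] = "ike_auth_received"
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            rec = peers.setdefault(m.group(1), _new_record())
            if rec["init_response_sent"] and rec["replies_after_init"] == 0:
                rec["status"] = "half_open_timeout_no_reply"
            else:
                rec["status"] = "half_open_timeout"
    return peers


def diagnose(peers):
    """Turn per-peer records into short findings as a list of (peer, text)."""
    findings = []
    for peer, rec in peers.items():
        if rec["status"] == "half_open_timeout_no_reply":
            findings.append((peer,
                "IKE_SA_INIT response (%d bytes) sent to %s[%d] but nothing came back before "
                "the half-open timeout; check that UDP/500 and UDP/4500 pass in both directions "
                "between this client and the gateway"
                % (rec["init_response_bytes"], peer, rec["init_response_port"])))
        elif rec["status"] == "ike_auth_received":
            note = " (client floated to UDP/4500, NAT-T in use)" if rec["nat_t_float"] else ""
            findings.append((peer, "handshake reached IKE_AUTH" + note))
    return findings


if __name__ == "__main__":
    for peer, text in diagnose(analyze(SAMPLE_LOG)):
        print("%s: %s" % (peer, text))
```

Run it against a real `/var/log/ipsec.log` by passing the file contents to `analyze()`; the "no reply after IKE_SA_INIT response" finding distinguishes a path problem (the client never sees our response, or its next packet never arrives) from a certificate or authentication failure, which would show up only after a `parsed IKE_AUTH request` line.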