Netgate Discussion Forum
    Windows 10 - ipsec - works on 2.4beta, doesn't on 2.3.4

    warmadmax

      Hi Everyone,

      I'm trying to get to grips with why I can get IPsec working with 2.4 beta, but not with 2.3.4.
      In the web UI they've got identical settings for phase 1 and 2, both with mobile IKE, both using the same certificate,
      and I'm using RADIUS.

      It just seems that on 2.3.4 it won't accept phase 1, whereas on 2.4 beta phase 1 establishes fine and goes on to RADIUS auth and connects phase 2.

      I've attached the IPsec connection logs from both firewalls, both with the diag output setting for config.

      I'm using the following PowerShell to set up the VPN on Windows 10:

```powershell
# Drop any previous copy of the connection (-Force skips the confirmation prompt).
Remove-VpnConnection -Name "Pfsense Test" -Force

# IKEv2 connection; EAP with the Winlogon credential is what ends up being sent to RADIUS.
Add-VpnConnection -Name "Pfsense Test" -ServerAddress "******.*****.co.uk" -TunnelType "Ikev2" -EncryptionLevel "Maximum" -AuthenticationMethod Eap -EapConfigXmlStream $((New-EapConfiguration -UseWinlogonCredential).EapConfigXmlStream)

# Phase 1 (IKE) and phase 2 (ESP) algorithms; these have to match the pfSense P1/P2 proposals.
Set-VpnConnectionIPsecConfiguration -ConnectionName "Pfsense Test" -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP384 -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -PfsGroup ECP256 -Force

# Split tunnel: only the remote LAN is routed through the VPN.
Add-VpnConnectionRoute -ConnectionName "Pfsense Test" -DestinationPrefix 10.40.0.0/16 -PassThru
Set-VpnConnection -Name "Pfsense Test" -SplitTunneling $true
```

      That gives me the following for phase 1 (reading 2.4 beta's log):
      Jul 27 10:01:57 charon 10[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384

      then the following for phase 2:
      Jul 27 10:01:57 charon 13[CFG] <con1|23>received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

      Has there been a patch for IPsec in 2.4 that could have caused this to start working?
      Or is there a bug that should be preventing it?

      I've been experimenting with IPsec recently, so I'm not sure which one is the correct behaviour.

      Cheers
      Matt
      [IPSEC 2.3.4 failure log.txt](/public/imported_attachments/1/IPSEC 2.3.4 failure log.txt)
      [IPSEC 2.4 beta sucess log.txt](/public/imported_attachments/1/IPSEC 2.4 beta sucess log.txt)
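As an added example (not from the original post or from pfSense/strongSwan): a small Python check that maps the Set-VpnConnectionIPsecConfiguration values above to the tokens charon prints in "received proposals" and flags any logged proposal that the client configuration should not have produced. The mapping table is an assumption that covers only the values used in this post, and the third log line is constructed to show a mismatch being caught.

```python
import re
# Mapping from the Set-VpnConnectionIPsecConfiguration values used in the post to the
# tokens charon prints in "received proposals". Assumption: covers only those values.
IKE_ENC = {"AES256": "AES_CBC_256"}
IKE_INTEG = {"SHA256": "HMAC_SHA2_256_128"}
IKE_PRF = {"SHA256": "PRF_HMAC_SHA2_256"}
IKE_DH = {"ECP384": "ECP_384", "ECP256": "ECP_256"}
ESP_ENC = {"AES256": "AES_CBC_256"}
ESP_INTEG = {"SHA256128": "HMAC_SHA2_256_128"}

# Matches both "<23> received proposals:" and "<con1|23>received proposals:" (no space).
PROPOSAL_RE = re.compile(r"charon \d+\[CFG\] <[^>]*>\s*received proposals: (.+)$")

def expected_proposals(cfg):
    """Proposal strings the Windows client should send for these PowerShell parameters."""
    ike = "IKE:{}/{}/{}/{}".format(
        IKE_ENC[cfg["EncryptionMethod"]], IKE_INTEG[cfg["IntegrityCheckMethod"]],
        IKE_PRF[cfg["IntegrityCheckMethod"]], IKE_DH[cfg["DHGroup"]])
    # PfsGroup does not appear in the initial ESP proposal; it is only used on CHILD_SA rekey.
    esp = "ESP:{}/{}/NO_EXT_SEQ".format(
        ESP_ENC[cfg["CipherTransformConstants"]],
        ESP_INTEG[cfg["AuthenticationTransformConstants"]])
    return {ike, esp}

def received_proposals(log_text):
    """Every proposal charon logged as received, one entry per proposal."""
    found = []
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found.extend(p.strip() for p in m.group(1).split(","))
    return found

def unexpected_proposals(cfg, log_text):
    """Received proposals that the client configuration should not have produced."""
    expected = expected_proposals(cfg)
    return [p for p in received_proposals(log_text) if p not in expected]

# Values from the Set-VpnConnectionIPsecConfiguration line in the post.
WIN10_CFG = {"EncryptionMethod": "AES256", "IntegrityCheckMethod": "SHA256",
             "DHGroup": "ECP384", "CipherTransformConstants": "AES256",
             "AuthenticationTransformConstants": "SHA256128", "PfsGroup": "ECP256"}

# The two charon lines quoted in the post plus one constructed, non-matching line.
SAMPLE_LOG = """\
Jul 27 10:01:57 charon 10[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Jul 27 10:01:57 charon 13[CFG] <con1|23>received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 27 10:05:00 charon 11[CFG] <24> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""
```

Running `unexpected_proposals(WIN10_CFG, open("ipsec.log").read())` against the real attachment logs shows whether the failing firewall is even seeing the same proposals as the working one before you start comparing P1/P2 settings.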

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.