IPsec on Windows Mobile
-
Can't connect with Windows Phone 8.1 (Lumia 820).
I see no one has posted config information, so I am posting mine:
Phase 1:
General
- Key Exchange version: v2
- Internet protocol: ipv4
- Interface: WAN
Phase 1 proposal
- Authentication method: Mutual PSK
- Negotiation mode: Main
- My identifier: Distinguished name: allusers (I tested with admin)
- Encryption algorithm: AES 128
- Hash algorithm: SHA256
- DH key group: 2 (1024)
Advanced Options
- NAT Traversal: enable (I tried disable)
Phase 2 (for WP8.1 ESP is needed, I think)
- Mode: Tunnel ipv4 (I use mobile settings, transport doesn't work)
Phase 2 proposal
- Protocol: ESP
- Encryption algorithms: AES auto (tried 128/256), 3DES
- Hash algorithms: SHA256, SHA384, SHA512
- PFS key group: 2 (1024bit) (tried off)
Mobile Clients:
- User Authentication: Local DB
- Group Authentication: System (tried none)
- Virtual Address Pool: 10.0.1.0/24
- Network List: check
- Phase2 PFS Group: off (tried 2 1024bit)
Restart service logs:
May 16 14:38:40 charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
May 16 14:38:40 charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 16 14:38:40 charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 16 14:38:40 charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 16 14:38:40 charon: 16[CFG] loaded ca certificate "C=PT, ST=Tr?s-os-Montes, L=xxxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca" from '/var/etc/ipsec/ipsec.d/cacerts/dcef2970.0'
May 16 14:38:40 charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 16 14:38:40 charon: 16[CFG] loaded IKE secret for ripmaisum@gmail.com
May 16 14:38:40 charon: 16[CFG] loaded IKE secret for csharemu.no-ip.org
May 16 14:38:40 charon: 16[CFG] loaded IKE secret for allusers
May 16 14:38:40 charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Trying connection logs
May 16 17:40:02 charon: 10[NET] sending packet: from 2.80.xx.xx[4500] to 87.103.xxxx[4781] (72 bytes)
May 16 17:40:02 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 16 17:40:02 charon: 10[IKE] <con1-1|100> peer supports MOBIKE
May 16 17:40:02 charon: 10[IKE] peer supports MOBIKE
May 16 17:40:02 charon: 10[CFG] no alternative config found
May 16 17:40:02 charon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
May 16 17:40:02 charon: 10[IKE] peer requested EAP, config inacceptable
May 16 17:40:02 charon: 10[CFG] selected peer config 'con1-1'
May 16 17:40:02 charon: 10[CFG] looking for peer configs matching 2.80.xx.xx[%any]...87.103.xx.xx[10.64.47.23]
May 16 17:40:02 charon: 10[IKE] <100> received 35 cert requests for an unknown ca
May 16 17:40:02 charon: 10[IKE] received 35 cert requests for an unknown ca
May 16 17:40:02 charon: 10[IKE] <100> received cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02 charon: 10[IKE] received cert request for "C=PT, ST=Tr?s-os-Montes, L=Chaves, O=Ramos Lda, E=xxxxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 16 17:40:02 charon: 10[NET] received packet: from 87.103.xx.xx[4781] to 2.80.xx.1xx[4500] (1048 bytes)
May 16 17:40:02 charon: 10[NET] sending packet: from 2.80.xx.xx[500] to 87.103.xx.xx[4770] (333 bytes)
May 16 17:40:02 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 16 17:40:02 charon: 10[IKE] <100> sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02 charon: 10[IKE] sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxxxxxx, O=Ramos Lda, E=xxxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02 charon: 10[IKE] <100> remote host is behind NAT
May 16 17:40:02 charon: 10[IKE] remote host is behind NAT
May 16 17:40:02 charon: 10[IKE] <100> 87.103.xx.xx is initiating an IKE_SA
May 16 17:40:02 charon: 10[IKE] 87.103.xx.xx is initiating an IKE_SA
May 16 17:40:02 charon: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:xx:18:xx:ab:9a:xx:5b:xx:51:00:00:00:02
May 16 17:40:02 charon: 10[ENC] received unknown vendor ID: 26:xx:4d:38:xx:db:xx:b3:17:xx:36xx:d0:xx:b8:xx
May 16 17:40:02 charon: 10[ENC] received unknown vendor ID: fb:1d:xx:cd:xx:41:xx:ea:xx:b7:xx:bexx:55:xx:20
May 16 17:40:02 charon: 10[ENC] received unknown vendor ID: 1e:xx:51:xx:05:xx:1c:xx:7c:xx:fc:bf:xx:87:xx:61:00:00:00:xx
May 16 17:40:02 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
This is too early for Windows Phone 8.1 and is not a final version, but it was worth a try. I read that authentication with WP8.1 is not easy.
Thanks
-
Are those logs in reverse or forward order? It looks reverse.
From the logs it appears that the phone wants EAP which we don't have yet AFAIK.
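Added example, not part of the original thread and not pfSense or strongSwan code: a small Python triage of charon lines like those posted above, which restores chronological order for a newest-first paste and reports why each IKEv2 attempt failed. The sample lines are constructed from the message shapes seen in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the charon lines in this thread, newest entry
# first as in the pasted log; 198.51.100.7 is a documentation address.
SAMPLE = """\
May 16 17:40:02 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 16 17:40:02 charon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
May 16 17:40:02 charon: 10[IKE] peer requested EAP, config inacceptable
May 16 17:40:02 charon: 10[CFG] selected peer config 'con1-1'
May 16 17:40:02 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
May 16 17:40:02 charon: 10[IKE] remote host is behind NAT
May 16 17:40:02 charon: 10[IKE] 198.51.100.7 is initiating an IKE_SA
May 16 17:40:02 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
"""
# Timestamp, "charon:", thread[subsystem], optional <conn|id> prefix, message.
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ charon: \d+\[(\w+)\] (?:<[^>]*> )?(.*)$")

def messages(text):
    """Message bodies in chronological order. Timestamps only have one-second
    resolution, so order is decided by protocol: IKE_SA_INIT precedes IKE_AUTH."""
    msgs = [m.group(2) for m in map(LINE.match, text.splitlines()) if m]
    first = lambda p: next((i for i, s in enumerate(msgs) if s.startswith(p)), -1)
    init, auth = first("parsed IKE_SA_INIT request"), first("parsed IKE_AUTH request")
    return msgs[::-1] if 0 <= auth < init else msgs

def diagnose(text):
    """One dict per IKEv2 attempt: peer, NAT, matched config, failure reason."""
    attempts, cur = [], None
    for msg in messages(text):
        if msg.startswith("parsed IKE_SA_INIT request"):
            cur = {"peer": None, "nat": False, "config": None, "reason": None, "failed": False}
            attempts.append(cur)
        elif cur is None:
            continue  # entries that precede the first complete attempt
        elif m := re.match(r"(\S+) is initiating an IKE_SA", msg):
            cur["peer"] = m.group(1)
        elif msg == "remote host is behind NAT":
            cur["nat"] = True
        elif m := re.match(r"selected peer config '([^']+)'", msg):
            cur["config"] = m.group(1)
        elif "peer requested EAP" in msg:
            cur["reason"] = "client asked for EAP; matched config offers no EAP method"
        elif "N(AUTH_FAILED)" in msg:
            cur["failed"] = True
    return attempts

if __name__ == "__main__":
    for attempt in diagnose(SAMPLE):
        print(attempt)
```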
-
In reverse order.
I see the EAP need; I don't know if it is in the box.
The purpose is to provide information. I can test this scenario.
Thanks
-
Have you tried pfSense 2.2 "Beta" with better IKEv2 support?
-
@M0nty > "Have you tried pfSense 2.2 "Beta" with better IKEv2 support?"
I think this is the 2.2 snapshot and feedback forum :o
-
Oh. ::)
@mais_um: Does it work with the newest snapshot?