[Solved] IPSec IKEv2 in pfSense only allow one mobile client to connect.
-
Ok a fix has been pushed.
Thank you for analysis. -
sorry for hijacking the thread, but I'm having troubles in connecting from my mobile clients since the upgrade to 2.2.
From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell what's the difference between the wiki doc, or the changes you applied after the upgrade…thanks
-
sorry for hijacking the thread, but I'm having troubles in connecting from my mobile clients since the upgrade to 2.2.
From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell what's the difference between the wiki doc, or the changes you applied after the upgrade…thanks
+1
-
A similar change has been applied to make the config work.
https://github.com/pfsense/pfsense/commit/034a23f0ab3eb765eba53f44ec256272b3e80b17 -
sorry for hijacking the thread, but I'm having troubles in connecting from my mobile clients since the upgrade to 2.2.
From your post I see it's working for you, so would you mind sharing your config with us? Or at least tell what's the difference between the wiki doc, or the changes you applied after the upgrade…thanks
You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in a laymans term) encrypted with X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then peers (most likely right) authenticate using EAP or IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.
-
@ermal:
A similar change has been applied to make the config work.
https://github.com/pfsense/pfsense/commit/034a23f0ab3eb765eba53f44ec256272b3e80b17tried but with no change…
-
You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in a laymans term) encrypted with X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then peers (most likely right) authenticate using EAP or IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.
but I didn't switch to IKEv2, I'm still on v1. And other than that my Ubuntu client connect without problems, just androids fail :( I will gather some logs asap
-
Check the algorithms being used, mobiles are picky about those in general.
Usually you increase the log level on the IKE SA to see what the client proposes. -
You have to understand the fundamental changes between IKEv2 and V1. V2 does not require peers to agree on what method to use to authenticate. Instead, Phase 1 is always (in a laymans term) encrypted with X.509 certificate, then authenticated based on the SAN in the certificate (IP, DNS, etc). It is then peers (most likely right) authenticate using EAP or IKEv2 identity via MSCHAPv2 (this is one way of doing it). Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.
but I didn't switch to IKEv2, I'm still on v1. And other than that my Ubuntu client connect without problems, just androids fail :( I will gather some logs asap
I am on V2 and, surprisingly, V1 is actually making things more difficult.
-
Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.
So to use IPsec with IKEv2 you need to import a cert on the mobile client?
I managed to get IPSec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but cannot manage it to authenticate.
i found here that android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here… -
Therefore, every mobile client needs to have the self signed CA installed. For strongSwan client, the X.509 server certificate needs to be installed as well.
So to use IPsec with IKEv2 you need to import a cert on the mobile client?
I managed to get IPSec back to work with IKEv1, but now my Ubuntu client won't connect anymore. I was wondering if moving to IKEv2 could solve both issues, but cannot manage it to authenticate.
i found here that android 4.4 should work with EAP-MSCHAPv2, which from what I understand is still a user/pass method, but it won't work here…Yes, you need to install/import the CA that issued the e IPSec certificate.