[2.2] Mobile clients not connecting anymore
-
Hi,
I don't think it is only that tbh.
First, I enabled "main" on my IPsec phase 1 entry, then removed from my Android the IPSec Identifier. I was able to connect successfully on Android.
I then disconnected my Android, enabled "aggressive" on my IPsec phase 1 entry, kept the IPSec Identifier missing on Android. I was unable to connect successfully.
Switching back to "main" allowed my Android to reconnect again.
Then:
Keeping "main" on my IPsec phase 1 entry, but this time filling in the IPSec identifier in Android to match the user distinguished name for my peer identifier doesn't result in a successful connection.
Changing to "aggressive", keeping the IPsec identifier in Android doesn't result in a successful connection.
Therefore, it appears to me (at least) that the only way I can get Android to connect is to enable "main" on pfSense and remove the IPsec identifier from Android's configuration.
Hope this helps!
-=david=-
-
Without logs no since i do not have an andorid device!
-
I finally gave on Ipsec after iOS and PC clients could not connect after 2.2. I spent a few hours trying to get it working…got connections, but never figured out how to fix LAN routing.
I gave OpenVPN a try and was pleasantly surprised after 15 minutes of reading/wizards to get both iOS and PC clients connected and routing perfectly. Maybe the easiest VPN configuration ever. Thanks to the pfsense crew for making it so easy :-)
-
@ermal:
Do you see on the logs anything related to identity?
This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.
This is the full log taken during my tests.
Given this, isn't it better to work in main mode? Or does removing the identifier creates a security problem? thanks
[tough this is not yet an acceptable solution to me, I cannot connect using Ubuntu's network manager strongswan] -
This is quite clear here
Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin' Feb 10 13:55:51 pfSense charon: 15[IKE] no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin' Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>EAP-MS-CHAPv2 verification failed, retry (1)</con1|113></con1|113>Your ids are not matching with the ones you entered under EAP on pre-shared secrets.
-
@ermal:
This is quite clear here
Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin' Feb 10 13:55:51 pfSense charon: 15[IKE] no EAP key found for hosts 'C=US, ST=State, L=Locality, O=pfSense webConfigurator Self-Signed Certificate, E=admin@pfSense.localdomain, CN=pfSense-54d4d54a8beac' - 'admin' Feb 10 13:55:51 pfSense charon: 15[IKE] <con1|113>EAP-MS-CHAPv2 verification failed, retry (1)</con1|113></con1|113>Your ids are not matching with the ones you entered under EAP on pre-shared secrets.
sorry for mixing things up, this must be the test I made from Ubuntu (strongswan client doesn't allow to enter a PSK)
-
@ermal:
Do you see on the logs anything related to identity?
This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.
This is the full log taken during my tests.
Given this, isn't it better to work in main mode? Or does removing the identifier creates a security problem? thanks
[tough this is not yet an acceptable solution to me, I cannot connect using Ubuntu's network manager strongswan]Hi,
Unfortunately, it seems that if you run main mode, then iOS clients fail to connect. It has to be aggressive for them!
-=david=-
-
It means this will be fixed when support for multiple mobile sections is merged in.
-
rocking and rolling!!!! :-)
mucho gracious! :-)
-=david=-
-
Hi Again,
would you happen to have the ticket/issue number for the new code to be merged in? I would like to add myself as a watcher :-)
-=david=-
-
@ermal:
It means this will be fixed when support for multiple mobile sections is merged in.
what?
-
I have the same problem after upgrade to 2.2 versione. Android client going in time-out, Shrew client work (but I'd must change local network in 0.0.0.0/0 in phase 2).
The solution for me was change to main mode, so in pfSense I changed the negotiantion mode in phase 1, in the Shrew I changed the configuration to main mode, in Android clients I can't specify this mode, but if I leave blank the IPsec identifier, the client change authenticaion in main mode.
I don't know if this is a bug or what, I'll test better next time before upgrade ;-) (I've another problem with php version in another installation).
Thank you
-
I had to do two changes:
-
on the server set IPSec mobile to main mode
-
on the Android client remove the IPSec identifier field (leave blank)
To confirm, I had the same problem with my Android clients, and these two steps fixed it. I am now able to connect to my VPN from both of my Android 5.0 devices.
-
-
For the android clients there is strongswan app in market and it works, but quite differently, for me it does not route all traffic to VPN, only LAN subnet traffic.
Anyway I did not have any luck with empty ID field on 4.1.2 android. -
Empty ID field didn't work for us either, sadly.
-
I deleted my 'Mobile Client' under Tunnels, then went to 'Mobile Clients' tab and saw that "Create Phase 1" option was available.
I re-created Phase and Phase 2 and the vpn worked again.Cheers
VPN: IPsec: Edit Phase 1: Mobile Client
Key Exchange version V1
Internet Protocol Ipv4
Interface WAN
Description Mobile ClientAuthentication method Mutual PSK
Negotiation mode Aggressive
My identifier My IP AddressEncryption algorithm AES 256
Hash algorithm SHA1
DH key group 2
Lifetime 28800NAT Traversal Force
Dead Peer Detection Enable / 10 / 5VPN: IPsec: Edit Phase 2: Mobile Client
Local Network DMZ (mine is DMZ but yours might be LAN)
Protocol ESPEncryption algorithms AES 256 (only)
Hash algorithms SHA1
PFS key group 2
Lifetime 3600
