Can't establish Mobile IKEv2 with EAP-MSCHAPv2 VPN
-
Hi folks
I am trying to establish a VPN tunnel terminating at my pfSense 2.2.6 box.
I have followed the directions at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 but I am unable to complete the authentication step. The clients have been Windows 7 SP1 machines (both 32- and 64-bit). I have redacted the logs of one of the connection attempts and pasted them below:
Dec 28 11:01:10 charon: 05[NET] <13> received packet: from <client public wan ip>[203] to <pfsense public wan ip>[500] (528 bytes)
Dec 28 11:01:10 charon: 05[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 28 11:01:10 charon: 05[IKE] <13> <client public wan ip> is initiating an IKE_SA
Dec 28 11:01:10 charon: 05[IKE] <13> remote host is behind NAT
Dec 28 11:01:10 charon: 05[IKE] <13> sending cert request for "C=US, ST=<state>, L=<city>, O=SINNCO, E=<user@email.com>, CN=Sinnco-pfSense-CA"
Dec 28 11:01:10 charon: 05[ENC] <13> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 28 11:01:10 charon: 05[NET] <13> sending packet: from <pfsense public wan ip>[500] to <client public wan ip>[203] (337 bytes)
Dec 28 11:01:10 charon: 05[NET] <13> received packet: from <client public wan ip>[36376] to <pfsense public wan ip>[4500] (1200 bytes)
Dec 28 11:01:10 charon: 05[ENC] <13> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Dec 28 11:01:10 charon: 05[IKE] <13> received cert request for "C=US, ST=<state>, L=<city>, O=SINNCO, E=<user@email.com>, CN=Sinnco-pfSense-CA"
Dec 28 11:01:10 charon: 05[IKE] <13> received 42 cert requests for an unknown ca
Dec 28 11:01:10 charon: 05[CFG] <13> looking for peer configs matching <pfsense public wan ip>[%any]...<client public wan ip>[<local client ip>]
Dec 28 11:01:10 charon: 05[CFG] <con1|13> selected peer config 'con1'
Dec 28 11:01:10 charon: 05[IKE] <con1|13> initiating EAP_IDENTITY method (id 0x00)
Dec 28 11:01:10 charon: 05[IKE] <con1|13> peer supports MOBIKE, but disabled in config
Dec 28 11:01:10 charon: 05[IKE] <con1|13> authentication of '<dynamic dns hostname>' (myself) with RSA signature successful
Dec 28 11:01:10 charon: 05[IKE] <con1|13> sending end entity cert "C=US, ST=<state>, L=<city>, O=SINNCO, E=<user@email.com>, CN=<dynamic dns hostname>"
Dec 28 11:01:10 charon: 05[ENC] <con1|13> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 28 11:01:10 charon: 05[NET] <con1|13> sending packet: from <pfsense public wan ip>[4500] to <client public wan ip>[36376] (1680 bytes)
Dec 28 11:01:12 charon: 05[NET] <con1|13> received packet: from <client public wan ip>[36376] to <pfsense public wan ip>[4500] (1200 bytes)
Dec 28 11:01:12 charon: 05[ENC] <con1|13> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Dec 28 11:01:12 charon: 05[IKE] <con1|13> received retransmit of request with ID 1, retransmitting response
Dec 28 11:01:12 charon: 05[NET] <con1|13> sending packet: from <pfsense public wan ip>[4500] to <client public wan ip>[36376] (1680 bytes)
Dec 28 11:01:15 charon: 05[NET] <con1|13> received packet: from <client public wan ip>[36376] to <pfsense public wan ip>[4500] (1200 bytes)
Dec 28 11:01:15 charon: 05[ENC] <con1|13> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Dec 28 11:01:15 charon: 05[IKE] <con1|13> received retransmit of request with ID 1, retransmitting response
Dec 28 11:01:15 charon: 05[NET] <con1|13> sending packet: from <pfsense public wan ip>[4500] to <client public wan ip>[36376] (1680 bytes)
I believe the client has no problem with the cert but traffic apparently stops flowing while attempting to finish the authentication. Any ideas as to what I might have missed? Thanks.
Edit: Forgot to add that I am trying to use the built-in Windows 7 IPsec client.
Carlos
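The shape of the trace above (the responder generates its IKE_AUTH response carrying EAP/REQ/ID, then only ever sees the same request ID retransmitted) is worth spotting mechanically when reading through a busy IPsec log. The script below is an added example, not code from pfSense, strongSwan or this thread. It parses charon lines in the format shown above and reports, per IKE_SA, the last response the firewall sent and how many times the peer retransmitted its request afterwards. The embedded sample log is constructed to mirror the redacted trace (documentation-range addresses; SA numbers 13 and 14 and the second, successful SA are made up).

```python
"""Triage a strongSwan (charon) IKEv2 log for a stalled IKE_AUTH exchange.

Added example. A peer that keeps retransmitting a request after the responder
has already answered it did not accept, or never received, that answer; the
stage and payload list of that answer tell you where authentication stopped.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the pfSense IPsec log. SA 13 stalls after
# the responder's IKE_AUTH response (the EAP identity request); SA 14 completes.
SAMPLE_LOG = """\
Dec 28 11:01:10 charon: 05[NET] <13> received packet: from 203.0.113.5[203] to 198.51.100.7[500] (528 bytes)
Dec 28 11:01:10 charon: 05[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 28 11:01:10 charon: 05[ENC] <13> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 28 11:01:10 charon: 05[NET] <13> sending packet: from 198.51.100.7[500] to 203.0.113.5[203] (337 bytes)
Dec 28 11:01:10 charon: 05[ENC] <13> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
Dec 28 11:01:10 charon: 05[CFG] <con1|13> selected peer config 'con1'
Dec 28 11:01:10 charon: 05[IKE] <con1|13> initiating EAP_IDENTITY method (id 0x00)
Dec 28 11:01:10 charon: 05[ENC] <con1|13> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 28 11:01:10 charon: 05[NET] <con1|13> sending packet: from 198.51.100.7[4500] to 203.0.113.5[36376] (1680 bytes)
Dec 28 11:01:12 charon: 05[IKE] <con1|13> received retransmit of request with ID 1, retransmitting response
Dec 28 11:01:12 charon: 05[NET] <con1|13> sending packet: from 198.51.100.7[4500] to 203.0.113.5[36376] (1680 bytes)
Dec 28 11:01:15 charon: 05[IKE] <con1|13> received retransmit of request with ID 1, retransmitting response
Dec 28 11:01:15 charon: 05[NET] <con1|13> sending packet: from 198.51.100.7[4500] to 203.0.113.5[36376] (1680 bytes)
Dec 28 11:05:02 charon: 06[ENC] <con1|14> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 28 11:05:02 charon: 06[NET] <con1|14> sending packet: from 198.51.100.7[4500] to 203.0.113.9[4500] (1680 bytes)
Dec 28 11:05:02 charon: 06[ENC] <con1|14> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 28 11:05:03 charon: 06[ENC] <con1|14> generating IKE_AUTH response 5 [ AUTH CP(ADDR) SA TSi TSr ]
Dec 28 11:05:03 charon: 06[NET] <con1|14> sending packet: from 198.51.100.7[4500] to 203.0.113.9[4500] (236 bytes)
"""

# "<13>" before a connection is selected, "<con1|13>" afterwards: same IKE_SA.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: \d+\[(?P<sub>\w+)\] "
    r"<(?P<sa>[^>]+)> ?(?P<msg>.*)$"
)
RESPONSE_RE = re.compile(r"generating (\w+) response (\d+) \[ (.*) \]")
SEND_RE = re.compile(r"sending packet: from (\S+) to (\S+) \((\d+) bytes\)")
RETRANSMIT_RE = re.compile(r"received retransmit of request with ID (\d+)")


def parse(lines):
    """Yield (ike_sa_id, message) for every charon line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("sa").split("|")[-1], m.group("msg")


def explain(st):
    """Plain-language reading of the stalled stage."""
    if "EAP/REQ/ID" in st["payloads"]:
        return ("the IKE_AUTH response carrying the EAP identity request was sent "
                "but the peer never answered it: it did not accept, or did not "
                "receive, that response")
    return "the peer kept retransmitting after the last response was sent"


def triage(lines, min_retransmits=2):
    """Return {ike_sa_id: details} for every IKE_SA whose peer retransmitted
    the same request at least min_retransmits times after the responder had
    already generated its answer."""
    state = defaultdict(lambda: {"stage": None, "payloads": [],
                                 "bytes": None, "retransmits": 0})
    for sa, msg in parse(lines):
        st = state[sa]
        m = RESPONSE_RE.search(msg)
        if m:
            # A new response starts a new round: remember it, reset the counter.
            st.update(stage=f"{m.group(1)} response {m.group(2)}",
                      payloads=m.group(3).split(), bytes=None, retransmits=0)
            continue
        m = SEND_RE.search(msg)
        if m and st["stage"] and st["bytes"] is None:
            # Size of the first copy of that response, for comparison with
            # what the path between the two endpoints can carry.
            st["bytes"] = int(m.group(3))
            continue
        if RETRANSMIT_RE.search(msg):
            st["retransmits"] += 1
    return {sa: dict(st, hint=explain(st)) for sa, st in state.items()
            if st["stage"] and st["retransmits"] >= min_retransmits}


if __name__ == "__main__":
    for sa, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"IKE_SA {sa}: stalled at {info['stage']} ({info['bytes']} bytes), "
              f"{info['retransmits']} retransmits: {info['hint']}")
```

Feed it a copy of the firewall's IPsec log instead of SAMPLE_LOG; an IKE_SA that appears in the result with the EAP/REQ/ID hint never got past the point shown in the trace above, which narrows the problem to the client's handling of that response rather than to the EAP credentials themselves.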
-
Looks like the client side is rejecting the connection. Are you certain you followed the certificate generation process exactly? And imported it into Win 7 exactly right?
-
Well, there is only one point where I might have fudged things a bit:

Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.
Click "+" to add a new Alternative Name
Enter DNS in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field. Some clients require the value in SAN not just CN!

I don't have a static IP address so I use a dynamic hostname service. It is this name which I used for the fields in the cert when it called for hostname. Should the cert be using that or should it be using the internal DNS name within my network? Thanks for looking into this.
Carlos
-
Not sure it's a viable option for dynamics. The clients need the IP address and hostname in the certificate to pass verification.
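As an added check for the certificate step discussed above (the guide's CN-plus-SAN recipe and the point that clients look for the hostname or IP in the certificate), the script below is not from the pfSense guide or this thread. It shells out to the openssl command line (assumed to be OpenSSL 1.1.1 or newer, for -addext and -ext) to issue a throwaway self-signed server certificate with the connection name in both CN and SAN, then reports what a client that only trusts the SAN will find; the CN-only variant shows the mistake. The host name vpn-home.example-dyndns.net and the address 203.0.113.10 are constructed placeholders for the dynamic DNS name and WAN IP.

```python
"""Confirm an IKEv2 gateway certificate carries the dialled name in its SAN.

Added example. Uses the openssl CLI (OpenSSL 1.1.1+ assumed) rather than a
Python X.509 library so it runs with the standard library only.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholders standing in for the dynamic DNS name and the WAN
# address of the firewall; both are assumptions, not values from the thread.
HOSTNAME = "vpn-home.example-dyndns.net"
WAN_IP = "203.0.113.10"

_SAN_RE = re.compile(r"(DNS|IP Address):([^,\s]+)")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def make_self_signed(workdir, hostname, ip=None, with_san=True):
    """Issue a throwaway self-signed server cert with hostname in the CN.
    with_san=True also lists hostname (and ip, if given) in the SAN, which is
    what the guide's 'Alternative Name' step produces; with_san=False
    reproduces the CN-only mistake. Returns the certificate path."""
    key = Path(workdir, "key.pem")
    cert = Path(workdir, "cert.pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-keyout", str(key), "-out", str(cert), "-days", "30",
           "-subj", f"/CN={hostname}"]
    if with_san:
        san = f"DNS:{hostname}" + (f",IP:{ip}" if ip else "")
        cmd += ["-addext", f"subjectAltName={san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return cert


def san_entries(cert_path):
    """Parse 'openssl x509 -ext subjectAltName' output into a set of
    ('DNS', name) / ('IP', address) tuples; empty when the cert has no SAN."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-noout",
         "-ext", "subjectAltName"],
        capture_output=True, text=True)
    return {("IP" if kind.startswith("IP") else "DNS", value)
            for kind, value in _SAN_RE.findall(proc.stdout)}


def covers(cert_path, name):
    """True when the name a client dials (DNS host or IPv4 literal) is in the SAN."""
    kind = "IP" if _IPV4_RE.fullmatch(name) else "DNS"
    return (kind, name) in san_entries(cert_path)


def check_gateway_cert(hostname, ip=None, with_san=True):
    """Build the cert in a temp dir and report what a SAN-checking client sees."""
    with tempfile.TemporaryDirectory() as d:
        cert = make_self_signed(d, hostname, ip, with_san)
        return {
            "hostname_in_san": covers(cert, hostname),
            "ip_in_san": covers(cert, ip) if ip else None,
            "san": sorted(san_entries(cert)),
        }


if __name__ == "__main__":
    print("guide's recipe:", check_gateway_cert(HOSTNAME, WAN_IP))
    print("CN only:       ", check_gateway_cert(HOSTNAME, WAN_IP, with_san=False))
```

To vet a real server certificate, export it from the firewall and point covers() at the file with the exact name or address the Windows client will dial; if that returns False, the SAN step of the guide was not completed for that name.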
-
Gotcha. I was leaning towards IPsec due to the focus on performance that the pfSense team has poured into it. This is mostly for my own education and for remote access into my home network. Currently I am just port forwarding PPTP (I know, I know) to a Windows server.
Would OpenVPN be a better option to try? Thanks again.
Carlos
-
Sure, OpenVPN is great for all platforms and works fine with dynamic IP address servers; it just requires a third-party client, is all (some people really don't like loading clients).
-
OpenVPN worked like a charm. Bye bye PPTP.
Carlos