Netgate Discussion Forum
    Ikev2 on Windows Phone 8.1 Help

    15 Posts 9 Posters 7.7k Views
      JoelLinn

      This is how I made it connect. I'm, however, suffering other IPsec problems, so I disabled it again.

      Here is my log:

      
      Jan 29 14:58:02 	charon: 06[IKE] peer supports MOBIKE
      Jan 29 14:58:02 	charon: 06[IKE] <con2|8>authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with RSA signature successful
      Jan 29 14:58:02 	charon: 06[IKE] authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with RSA signature successful
      Jan 29 14:58:02 	charon: 06[IKE] <con2|8>sending end entity cert "C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com"
      Jan 29 14:58:02 	charon: 06[IKE] sending end entity cert "C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com"
      Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
      Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (1692 bytes)
      Jan 29 14:58:02 	charon: 06[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (92 bytes)
      Jan 29 14:58:02 	charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
      Jan 29 14:58:02 	charon: 06[IKE] <con2|8>received EAP identity 'Joel@Joel'
      Jan 29 14:58:02 	charon: 06[IKE] received EAP identity 'Joel@Joel'
      Jan 29 14:58:02 	charon: 06[IKE] <con2|8>initiating EAP_MSCHAPV2 method (id 0xA7)
      Jan 29 14:58:02 	charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0xA7)
      Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
      Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (108 bytes)
      Jan 29 14:58:02 	charon: 06[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (140 bytes)
      Jan 29 14:58:02 	charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
      Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
      Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (140 bytes)
      Jan 29 14:58:02 	charon: 13[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (76 bytes)
      Jan 29 14:58:02 	charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>EAP method EAP_MSCHAPV2 succeeded, MSK established
      Jan 29 14:58:02 	charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
      Jan 29 14:58:02 	charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
      Jan 29 14:58:02 	charon: 13[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (76 bytes)
      Jan 29 14:58:02 	charon: 13[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (92 bytes)
      Jan 29 14:58:02 	charon: 13[ENC] parsed IKE_AUTH request 5 [ AUTH ]
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>authentication of '10.44.235.13' with EAP successful
      Jan 29 14:58:02 	charon: 13[IKE] authentication of '10.44.235.13' with EAP successful
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with EAP
      Jan 29 14:58:02 	charon: 13[IKE] authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with EAP
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>IKE_SA con2[8] established between 84.119.xxx.xxx[C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com]...80.187.xxx.xxx[10.44.235.13]
      Jan 29 14:58:02 	charon: 13[IKE] IKE_SA con2[8] established between 84.119.xxx.xxx[C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com]...80.187.xxx.xxx[10.44.235.13]
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>scheduling reauthentication in 27974s
      Jan 29 14:58:02 	charon: 13[IKE] scheduling reauthentication in 27974s
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>maximum IKE_SA lifetime 28514s
      Jan 29 14:58:02 	charon: 13[IKE] maximum IKE_SA lifetime 28514s
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>peer requested virtual IP %any
      Jan 29 14:58:02 	charon: 13[IKE] peer requested virtual IP %any
      Jan 29 14:58:02 	charon: 13[CFG] assigning new lease to 'Joel@Joel'
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>assigning virtual IP 172.19.20.1 to peer 'Joel@Joel'
      Jan 29 14:58:02 	charon: 13[IKE] assigning virtual IP 172.19.20.1 to peer 'Joel@Joel'
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>peer requested virtual IP %any6
      Jan 29 14:58:02 	charon: 13[IKE] peer requested virtual IP %any6
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>no virtual IP found for %any6 requested by 'Joel@Joel'
      Jan 29 14:58:02 	charon: 13[IKE] no virtual IP found for %any6 requested by 'Joel@Joel'
      Jan 29 14:58:02 	charon: 13[IKE] <con2|8>CHILD_SA con2{2} established with SPIs c6229f08_i 187bb69e_o and TS 10.50.0.0/16|/0 === 172.19.20.0/24|/0
      Jan 29 14:58:02 	charon: 13[IKE] CHILD_SA con2{2} established with SPIs c6229f08_i 187bb69e_o and TS 10.50.0.0/16|/0 === 172.19.20.0/24|/0
      Jan 29 14:58:02 	charon: 13[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DNS U_SPLITINC U_DEFDOM U_SPLITDNS U_BANNER) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
      Jan 29 14:58:02 	charon: 13[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (332 bytes)
      


        daxpfacc

        JoelLinn

        Got the same config working on a Lumia 930 (Denim update, this could make some difference).

        Only difference: I selected 256 in the Phase 2 proposal SA/Key Ex… you have auto.

        About certificates: I only need to load and run the server certificate, downloaded in .p12 version.

        The CA.crt is on the phone but never loaded.

        For Windows 7 the following video helped me a lot:

        https://www.youtube.com/watch?v=UCgKB_FbVOw

        Please advise me if somebody thinks I've done something that compromises security.

          wta

          martin879

          Based on error 13801 and your logs (freezing at sending the IKE_AUTH packet), I'm quite confident that the problem is in the certificates. I had exactly the same issue when I had the wrong kind of server certificate (the one selected in Phase 1). Are you sure that its type is Server Certificate? Also, are you sure that you have pfSense's DNS name and/or IP address (whichever you are using to connect) in the certificate's Common Name or Alternative Name?

            AKFI

            Hey Guys,

            I tried everything, but it won't work.

            I use a Nokia Lumia 930 and installed all certs. What is wrong?

            Can anybody help?

            
            Feb 9 10:07:59	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
            Feb 9 10:07:59	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
            Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
            Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
            Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
            Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
            Feb 9 10:07:59	charon: 08[IKE] <380> 80.187.108.XXX is initiating an IKE_SA
            Feb 9 10:07:59	charon: 08[IKE] 80.187.108.XXX is initiating an IKE_SA
            Feb 9 10:07:59	charon: 08[IKE] <380> remote host is behind NAT
            Feb 9 10:07:59	charon: 08[IKE] remote host is behind NAT
            Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
            Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
            Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
            Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
            Feb 9 10:07:59	charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
            Feb 9 10:07:59	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
            Feb 9 10:08:00	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
            Feb 9 10:08:00	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
            Feb 9 10:08:00	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
            Feb 9 10:08:00	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
            Feb 9 10:08:00	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
            Feb 9 10:08:01	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
            Feb 9 10:08:01	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
            Feb 9 10:08:01	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
            Feb 9 10:08:01	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
            Feb 9 10:08:01	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
            
            
              krankykoder

              I am, admittedly, an amateur when it comes to this stuff, and am having several problems of my own; this is one of them.

              The cert and CA I am using were generated by the cert manager; on the cert I provided a common name and added the public IP as an alternative name.

              What I am finding is that various clients, Windows and Windows Phone, are rejecting the cert because the SAN doesn't match, almost as if the SAN is being ignored.

              On other Windows devices, if I make a hosts file entry for a host name to match the public IP, and create a cert using that hostname, the Windows devices will connect, but not Windows Phone devices (there is no hosts file).

              (hope I made some sense here)

              @AKFI:

              Hey Guys,

              I tried everything, but it won't work.

              I use a Nokia Lumia 930 and installed all certs. What is wrong?

              Can anybody help?

              
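The two certificate properties raised by wta and krankykoder above, the Server Certificate type (Server Authentication EKU) and the dialled hostname or IP being present in the SAN as the right kind of entry, can be checked offline against the exported PEM. This is an added example, not code from the thread or from pfSense; vpn.example.com and 192.0.2.10 are constructed values, and the certificates make_cert builds are throwaway self-signed ones.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: check an IKEv2 server
# certificate for the two things wta's and krankykoder's posts point at, using
# only openssl:
#   1. the Server Authentication EKU is present (pfSense adds it when the
#      certificate type is "Server Certificate"; a user or CA cert lacks it);
#   2. the name the client dials is in the Subject Alternative Name with the
#      matching entry type: a hostname as DNS:, an IPv4 address as IP Address:.
#      An address entered as a DNS: entry does not match, which looks like the
#      SAN being ignored. IPv6 targets are not classified here.
# Usage: check_ikev2_cert CERT.pem TARGET  -> exit 0 pass, 1 fail, 2 unreadable

check_ikev2_cert() {
    cert=$1; target=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    case "$text" in
        *"TLS Web Server Authentication"*) echo "ok: Server Authentication EKU present" ;;
        *) echo "FAIL: no Server Authentication EKU (certificate type must be Server)"; rc=1 ;;
    esac
    # openssl prints the SAN entries on the line after the extension header
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    case "$target" in
        *[!0-9.]*) kind=DNS ;;           # anything but digits and dots: hostname
        *)         kind="IP Address" ;;  # dotted IPv4
    esac
    found=no; as_dns=no; oldifs=$IFS; IFS=,
    for entry in $san; do
        entry=${entry#"${entry%%[! ]*}"}           # strip leading spaces
        [ "$entry" = "$kind:$target" ] && found=yes
        [ "$entry" = "DNS:$target" ] && as_dns=yes
    done
    IFS=$oldifs
    if [ $found = yes ]; then
        echo "ok: SAN contains $kind:$target"
    elif [ $as_dns = yes ]; then
        echo "FAIL: $target is only a DNS: entry; a client dialing the IP needs an IP Address: entry"; rc=1
    else
        echo "FAIL: $target not in SAN (${san:-no SAN extension})"; rc=1
    fi
    return $rc
}

# Throwaway self-signed certificate with constructed values, for trying the
# checker offline:  make_cert OUT.pem "DNS:vpn.example.com,IP:192.0.2.10" serverAuth
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.com" \
        -addext "subjectAltName=$2" -addext "extendedKeyUsage=$3" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

if [ $# -eq 2 ]; then check_ikev2_cert "$1" "$2"; fi
```

Export the certificate itself from System -> Cert Manager (not the P12, which also carries the private key) and run the script against it with the exact name the phone dials; an address only passes when it matches an IP Address: entry, which is the failure mode the checker reports separately.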
                JoelLinn

                I activated the config again today.
                Interestingly, it does not work anymore over a mobile connection (home WiFi [LAN interface] works); the last thing in the logs is that it has sent a package.
                The phone says server not responding / timeout. There have been updates to my phone, which may be the cause.
                Works fine on my windows 8 tablet when I share my mobile connection over wifi.

                  JoelLinn

                  This is weird.
                  I added an allow-all rule to my WAN, then my phone can connect. I tried to allow UDP on 500 and 4500 only, which didn't work. I logged the allow-all rule (last in list) and it still got packages where it says UDP 500 or 4500. It also displays a UDP package without any port info.
                  Packet capture just shows some ISAKMP traffic, which seems to be alright (with the allow-all rule).

                    bearbill

                    try

                    ![2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg](/public/imported_attachments/1/2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg)
                    ![2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg](/public/imported_attachments/1/2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg)
                    ![2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg](/public/imported_attachments/1/2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg)

                      MrKoen

                      I got it to work on a Windows 10 laptop by following the exact steps in https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. On my Windows 10 Phone device, I had to export just the CA certificate from pfSense (System -> Cert Manager -> Certificates (important!) -> click on the blue box next to your IKEv2 Server certificate to export it as P12). Mail the P12 to your phone and open it.

                      On my Windows 10 laptop, all works fine. On my Windows 10 Phone, it connects just fine, but no data seems to flow through the VPN connection. All still goes over the WiFi connection. Not sure why.

                        daxpfacc

                        Same here.

                        Check following link:

                        http://forums.windowscentral.com/windows-10/413072-serious-vpn-configuration-settings-bug-can-i-get-some-help.html

                        Not pfSense but Microsoft.

                        Cheers

                          MrKoen

                          Thanks for sharing. That would figure as I do have VPN working on my Lumia 930 and that's configured using MDM and going through a Windows Server as the VPN server. Configuring it manually for pfSense lets it connect, but no data flows through. I'll provide feedback on this issue through the insider hub as the product group does read that stuff.

                          -edit-

                          Giving it another thought though, how can it be that if the UI was broken, it does connect? I don't see the connection between a broken UI and it connecting, but not sending data through. Sounds more like pfSense and Windows 10 Phone not cooperating well in sharing network config. Nevertheless will share in Windows Feedback App.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.