Netgate Discussion Forum
    Ikev2 on Windows Phone 8.1 Help

      daxpfacc

      JoelLinn

      Got the same config working on a Lumia 930 (Denim update, this could make some difference).

      Only difference: I selected 256 in the Phase 2 proposal SA/Key Ex… you have auto.

      About certificates: I only needed to load and run the server certificate downloaded in .p12 format.

      The CA.crt is on the phone but never loaded.

      For Windows 7 the following video helped me a lot:

      https://www.youtube.com/watch?v=UCgKB_FbVOw

      Please advise me if somebody thinks I've done something that compromises security.

        wta

        martin879

        Based on error 13801 and your logs (freezing at sending the IKE_AUTH packet), I'm quite confident that the problem is in the certificates. I had exactly the same issue when I had the wrong kind of server certificate (the one selected in Phase 1). Are you sure that its type is Server Certificate? Also, are you sure that you have pfSense's DNS name and/or IP address (whichever you are using to connect) in the certificate's Common Name or Alternative Name?

          AKFI

          Hey Guys,

          I tried everything, but it won't work.

          I use a Nokia Lumia 930 and installed all certs. What is wrong?

          Can anybody help?

          ```
          Feb 9 10:07:59	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
          Feb 9 10:07:59	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
          Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
          Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
          Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
          Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
          Feb 9 10:07:59	charon: 08[IKE] <380> 80.187.108.XXX is initiating an IKE_SA
          Feb 9 10:07:59	charon: 08[IKE] 80.187.108.XXX is initiating an IKE_SA
          Feb 9 10:07:59	charon: 08[IKE] <380> remote host is behind NAT
          Feb 9 10:07:59	charon: 08[IKE] remote host is behind NAT
          Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
          Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
          Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
          Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
          Feb 9 10:07:59	charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
          Feb 9 10:07:59	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
          Feb 9 10:08:00	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
          Feb 9 10:08:00	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
          Feb 9 10:08:00	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
          Feb 9 10:08:00	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
          Feb 9 10:08:00	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
          Feb 9 10:08:01	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
          Feb 9 10:08:01	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
          Feb 9 10:08:01	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
          Feb 9 10:08:01	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
          Feb 9 10:08:01	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
          ```

            krankykoder

            I am, admittedly, an amateur when it comes to this stuff, and am having several problems of my own; this is one of them.

            The cert and CA I am using were generated by the Cert Manager; on the cert I provided a common name and added the public IP as an alternative name.

            What I am finding is that various clients, Windows and Windows Phone, are rejecting the cert because the SAN doesn't match, almost as if the SAN is being ignored.

            On other Windows devices, if I make a hosts file entry for a host name to match the public IP, and create a cert using that hostname, the Windows devices will connect, but not Windows Phone devices (there is no hosts file).

            (hope I made some sense here)

            @AKFI:

            Hey Guys,

            I tried everything, but it won't work.

            I use a Nokia Lumia 930 and installed all certs. What is wrong?

            Can anybody help?

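The two certificate checks martin879 and krankykoder describe (the cert must be of type Server Certificate, and the address the client connects to must appear as the right kind of SAN) as an added Python example; this is not pfSense, strongSwan or Windows code. The SAN pairs mirror the type/value entries of pfSense's Cert Manager, `target` is whatever the user types into the VPN profile, and the sample values are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# id-kp-serverAuth: set when the Cert Manager type is "Server Certificate"
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


def _as_ip(text: str):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def name_matches(target: str, cn: str,
                 san: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """target: hostname or IP typed into the VPN profile.
    san: (type, value) pairs as entered in Cert Manager ("DNS" or "IP").
    Returns (ok, reason)."""
    san = list(san)
    target_ip = _as_ip(target)
    hint = ""
    for kind, value in san:
        if target_ip is not None and kind == "IP" and _as_ip(value) == target_ip:
            return True, "matched IP-type SAN"
        if target_ip is None and kind == "DNS" and value.lower() == target.lower():
            return True, "matched DNS-type SAN"
        if target_ip is not None and kind == "DNS" and _as_ip(value) == target_ip:
            # The classic mistake: the IP is there, but typed as a DNS name,
            # which a strict client does not match against an IP target.
            hint = "; the IP is present only as a DNS-type SAN, re-add it as type IP"
    if not san and cn.lower() == target.lower():
        return True, "no SAN, matched CN (legacy fallback; CN is ignored once a SAN exists)"
    return False, "no SAN entry matches " + target + hint


def check_server_cert(target: str, cn: str, san: Iterable[Tuple[str, str]],
                      ekus: Iterable[str]) -> List[str]:
    """List the problems that would make a strict IKEv2 client (Windows /
    Windows Phone) reject this server certificate; empty list means OK."""
    problems = []
    if SERVER_AUTH_EKU not in set(ekus):
        problems.append("not a Server Certificate: missing serverAuth EKU")
    ok, reason = name_matches(target, cn, san)
    if not ok:
        problems.append(reason)
    return problems
```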
              JoelLinn

              I activated the config again today.
              Interestingly, it does not work anymore over a mobile connection (home WiFi [LAN interface] works); the last thing in the logs is that it has sent a packet.
              The phone says server not responding / timeout. There have been updates to my phone, which may be the cause.
              Works fine on my Windows 8 tablet when I share my mobile connection over WiFi.

                JoelLinn

                This is weird.
                I added an allow-all rule to my WAN, then my phone can connect. I tried to allow UDP on 500 and 4500 only, which didn't work. I logged the allow-all rule (last in the list) and it still got packets where it says UDP 500 or 4500. It also displays a UDP packet without any port info.
                Packet capture just shows some ISAKMP traffic, which seems to be alright (with the allow-all rule).

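A constructed model of one mechanism that fits JoelLinn's observation above (a UDP packet logged without port info, a port-only rule failing where allow-all works): IKE_AUTH messages that carry certificates often exceed the MTU, and only the first IP fragment carries the UDP header, so a rule matching on destination port passes the first fragment and drops the rest. This is an added example, not pf or pfSense code; the datagram size and MTU are assumed, and whether this was the actual cause in the thread is not established.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_HDR = 20   # bytes, IPv4 header without options


@dataclass
class Fragment:
    proto: str             # "udp" for IKE on 500/4500
    offset: int            # 0 marks the first fragment of the datagram
    dport: Optional[int]   # None: no transport header in this fragment


@dataclass
class Rule:
    proto: Optional[str] = None   # None = any protocol (the "allow all" rule)
    dport: Optional[int] = None   # None = do not look at ports

    def matches(self, f: Fragment) -> bool:
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


def fragment_datagram(proto: str, dport: int, udp_len: int,
                      mtu: int = 1500) -> List[Fragment]:
    """Split one UDP datagram (header + payload = udp_len bytes) the way IP
    does: only the first fragment carries the UDP header, hence the ports."""
    per_frag = (mtu - IP_HDR) // 8 * 8      # fragment data is a multiple of 8
    frags, offset = [], 0
    while offset < udp_len:
        frags.append(Fragment(proto, offset, dport if offset == 0 else None))
        offset += per_frag
    return frags


def passed(rules: List[Rule], frags: List[Fragment]) -> int:
    """Count fragments that some rule lets through; the rest hit default deny."""
    return sum(1 for f in frags if any(r.matches(f) for r in rules))


# Constructed sample: an IKE_AUTH response carrying certificates, ~3 KB.
IKE_AUTH = fragment_datagram("udp", 500, udp_len=3000)
PORT_RULES = [Rule("udp", 500), Rule("udp", 4500)]   # the port-only rules
ALLOW_ALL = [Rule()]                                 # the rule that "worked"
```

The remedy is not an allow-all WAN rule: keep the UDP 500/4500 (and ESP) rules and make sure fragments are reassembled before filtering, which is what pf's scrub does.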
                  bearbill

                  try

                  ![2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg](/public/imported_attachments/1/2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg)
                  ![2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg](/public/imported_attachments/1/2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg)
                  ![2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg](/public/imported_attachments/1/2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg)

                    MrKoen

                    I got it to work on a Windows 10 laptop by following the exact steps in https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. On my Windows 10 Phone device, I had to export just the CA certificate from pfSense (System -> Cert Manager -> Certificates (important!) -> Click on the blue box next to your IKEv2 Server certificate to export it as P12). Mail the P12 to your phone and open it.

                    On my Windows 10 laptop, all works fine. On my Windows 10 Phone, it connects just fine, but no data seems to flow through the VPN connection. All still goes over the WiFi connection. Not sure why.

                      daxpfacc

                      Same here.

                      Check following link:

                      http://forums.windowscentral.com/windows-10/413072-serious-vpn-configuration-settings-bug-can-i-get-some-help.html

                      Not pfSense but Microsoft.

                      Cheers

                        MrKoen

                        Thanks for sharing. That would figure as I do have VPN working on my Lumia 930 and that's configured using MDM and going through a Windows Server as the VPN server. Configuring it manually for pfSense lets it connect, but no data flows through. I'll provide feedback on this issue through the insider hub as the product group does read that stuff.

                        -edit-

                        Giving it another thought though, how can it be that if the UI was broken, it does connect? I don't see the connection between a broken UI and it connecting, but not sending data through. Sounds more like pfSense and Windows 10 Phone not cooperating well in sharing network config. Nevertheless, I will share it in the Windows Feedback App.
