Netgate Discussion Forum
    Road Warrior Config broken?

    Temido2222

      I'm having trouble with my road warrior IPsec config. On my iPhone, it throws a "negotiation with the VPN server failed" error. I checked the logs too.

      Sep 19 21:08:27	charon		14[JOB] <con1|15> deleting half open IKE_SA after timeout
      Sep 19 21:08:21	charon		14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
      Sep 19 21:08:21	charon		14[IKE] <con1|15> sending retransmit 3 of response message ID 0, seq 1
      Sep 19 21:08:08	charon		14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
      Sep 19 21:08:08	charon		14[IKE] <con1|15> sending retransmit 2 of response message ID 0, seq 1
      Sep 19 21:08:01	charon		14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
      Sep 19 21:08:01	charon		14[IKE] <con1|15> sending retransmit 1 of response message ID 0, seq 1
      Sep 19 21:07:57	charon		14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
      Sep 19 21:07:57	charon		14[ENC] <con1|15> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Sep 19 21:07:57	charon		14[CFG] <15> selected peer config "con1"
      Sep 19 21:07:57	charon		14[CFG] <15> looking for XAuthInitPSK peer configs matching House IP...Phone IP[Monkeys]
      Sep 19 21:07:57	charon		14[IKE] <15> Phone IP is initiating a Aggressive Mode IKE_SA
      Sep 19 21:07:57	charon		14[IKE] <15> received DPD vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received Cisco Unity vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received XAuth vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received draft-ietf-ipsec-nat-t-ike vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received NAT-T (RFC 3947) vendor ID
      Sep 19 21:07:57	charon		14[IKE] <15> received FRAGMENTATION vendor ID
      Sep 19 21:07:57	charon		14[ENC] <15> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Sep 19 21:07:57	charon		14[NET] <15> received packet: from Phone IP[13738] to House IP[500] (763 bytes)
      Sep 19 21:07:53	charon		14[NET] <14> sending packet: from House IP[500] to Phone IP[13738] (56 bytes)
      Sep 19 21:07:53	charon		14[ENC] <14> generating INFORMATIONAL_V1 request 2923321687 [ N(NO_PROP) ]
      Sep 19 21:07:53	charon		14[IKE] <14> no proposal found
      Sep 19 21:07:53	charon		14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 19 21:07:53	charon		14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Sep 19 21:07:53	charon		14[IKE] <14> Phone IP is initiating a Aggressive Mode IKE_SA
      Sep 19 21:07:53	charon		14[IKE] <14> received DPD vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received Cisco Unity vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received XAuth vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received NAT-T (RFC 3947) vendor ID
      Sep 19 21:07:53	charon		14[IKE] <14> received FRAGMENTATION vendor ID
      Sep 19 21:07:53	charon		14[ENC] <14> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Sep 19 21:07:53	charon		14[NET] <14> received packet: from Phone IP[13738] to House IP[500] (763 bytes)

      Phone IP is the IPv4 address of the phone.
      House IP is the IPv4 address of the pfSense box.

      This https://www.youtube.com/watch?v=kFCe5AdhFyU is the video I used to set it up, and I followed it to the letter. Any suggestions?

      jimp (Netgate Developer)

        Sep 19 21:07:53	charon		14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        Sep 19 21:07:53	charon		14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
        
        

        Your phone wants AES-256, but pfSense is only set for AES-128.
        It also wants DH group 14 and you're set for 2.

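As an added example (not code from the thread, pfSense or strongSwan), here is a small Python script that parses the two charon CFG lines jimp quoted and reports, for every proposal the phone offered, each transform that differs from the pfSense Phase 1, naming the DH group numbers as the pfSense GUI labels them. The function names and the DH group table are my own; the sample log is transcribed from the thread.

```python
import re

# Map strongSwan's modulus names to the IKE DH group numbers shown in the pfSense P1 menu.
DH_GROUPS = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14,
             "MODP_3072": 15, "MODP_4096": 16, "ECP_256": 19, "ECP_384": 20}

FIELDS = ("enc", "integ", "prf", "dh")
PROPOSAL_RE = re.compile(r"\[CFG\] <\d+> (configured|received) proposals: (.*)$")

# Constructed sample: the two CFG lines from the thread (peer addresses are not needed).
SAMPLE_LOG = """\
Sep 19 21:07:53 charon 14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 19 21:07:53 charon 14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""


def parse_proposals(text):
    """Collect the IKE proposals from charon's 'configured'/'received' CFG lines."""
    out = {"configured": [], "received": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(","):
            prop = prop.strip()
            parts = prop[4:].split("/") if prop.startswith("IKE:") else []
            if len(parts) == 4:  # enc/integ/prf/dh, as charon prints IKEv1 proposals
                out[m.group(1)].append(dict(zip(FIELDS, parts)))
    return out


def label(field, value):
    """Render a DH transform with its group number so it maps onto the pfSense GUI."""
    if field == "dh" and value in DH_GROUPS:
        return f"{value} (DH group {DH_GROUPS[value]})"
    return value


def explain_mismatch(text):
    """Return [] if a received proposal matches a configured one, else one reason per pair."""
    props = parse_proposals(text)
    if any(r == c for r in props["received"] for c in props["configured"]):
        return []
    reasons = []
    for i, r in enumerate(props["received"], 1):
        for c in props["configured"]:
            diffs = [f"{f}: peer {label(f, r[f])} vs local {label(f, c[f])}"
                     for f in FIELDS if r[f] != c[f]]
            reasons.append(f"received proposal {i}: " + "; ".join(diffs))
    return reasons
```

Run `explain_mismatch(SAMPLE_LOG)` on the thread's lines and it names the AES-256 vs AES-128 and group 14 vs group 2 gaps jimp pointed out; feed it a log where the local proposal equals one the phone offers and it returns an empty list.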
          Temido2222

          Every time I change the DH group to 1024 the phone changes to 2048

            Temido2222

            I can't fix this mismatch, any help?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.