Netgate Discussion Forum

    Able to connect to IKEv2 IPSec from Windows but not from Android - Going insane, what am I doing wrong?

    matt4542

      PFSense IPSec log: https://pastebin.com/kFSY4tas
      strongSwan log on Android: https://pastebin.com/jwUxHhYS

      I'm not sure what's wrong with my config and why I am unable to connect, but I'm about 6 hours deep into this today alone and I'm going absolutely nuts. Instant fail, auth related error. Please assist.

        Konstanti @matt4542

        @matt4542 Hey
        https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
        https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
        Show Phase 1 IPSEC PFSense settings
        And Strongswan Android settings
        Pay attention to the selected text
        You don't have that in your logs.

        Dec 25 09:06:44 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Dec 25 09:06:44 00[DMN] Starting IKE service (strongSwan 5.7.1, Android 8.0.0 - ANE-LX1 8.0.0.162(C432)/2018-10-01, ANE-LX1 - HUAWEI/ANE-LX1/HUAWEI, Linux 4.4.23+, aarch64)
        Dec 25 09:06:44 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
        Dec 25 09:06:44 00[JOB] spawning 16 worker threads
        Dec 25 09:06:44 04[CFG] loaded user certificate 'C=ES, O=XXX, CN=sony_xperia.XXXXX' and private key
        Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 94.177.XXX.XXX
        Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
        Dec 25 09:06:45 04[NET] sending packet: from 192.168.1.42[42086] to XXXX.XXXX[500] (716 bytes)
        Dec 25 09:06:45 09[NET] received packet: from 94.177.XXX.XXX[500] to 192.168.1.42[42086] (38 bytes)
        Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
        Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
        Dec 25 09:06:45 09[IKE] initiating IKE_SA android[1] to 94.177.XXXX
        Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
        Dec 25 09:06:45 09[NET] sending packet: from 192.168.1.42[42086] to 94.177.XXX[500] (908 bytes)
        Dec 25 09:06:45 10[NET] received packet: from 94.177.XXX[500] to 192.168.1.42[42086] (489 bytes)
        Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
        Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
        Dec 25 09:06:45 10[IKE] local host is behind NAT, sending keep alives
        Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
        Dec 25 09:06:45 10[IKE] sending cert request for "C=ES, O=XXX, CN=XXXX"
        Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}
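
One way to pull the negotiation milestones out of a strongSwan client log like the one quoted above, as an added example that is not part of the original thread. The function name `summarize`, the sample lines (constructed after the quoted log) and the subset of error notifies checked are assumptions.

```python
import re

# Constructed sample, shaped like the strongSwan Android client log quoted above.
SAMPLE_LOG = """\
Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \d+\[([A-Z]{3})\] (.*)$")
PARSED = re.compile(r"parsed (\S+) (?:request|response) \d+ \[ (.*) \]")
DH_RETRY = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL = re.compile(r"selected proposal: IKE:(\S+)")
CERTREQ = re.compile(r'received cert request for "(.*)"')
# strongSwan short names for notifies that end or restart a negotiation (assumed subset).
ERROR_NOTIFIES = {"INVAL_KE", "NO_PROP", "AUTH_FAILED", "TS_UNACCEPT"}

def summarize(log_text):
    """Collect the IKEv2 negotiation milestones found in a charon log."""
    s = {"dh_retries": [], "ike_proposal": None, "cert_requests": [],
         "error_notifies": [], "ike_auth_seen": False, "child_sa_started": False}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # wrapped text or lines in another format
        subsystem, msg = line.groups()
        if subsystem == "ENC" and (m := PARSED.search(msg)):
            exchange, payloads = m.groups()
            s["ike_auth_seen"] |= exchange == "IKE_AUTH"
            for name in re.findall(r"N\(([A-Z0-9_]+)\)", payloads):
                if name in ERROR_NOTIFIES:
                    s["error_notifies"].append((exchange, name))
        elif m := DH_RETRY.search(msg):
            s["dh_retries"].append(m.groups())  # (offered group, group the peer wants)
        elif m := PROPOSAL.search(msg):
            s["ike_proposal"] = m.group(1)
        elif m := CERTREQ.search(msg):
            s["cert_requests"].append(m.group(1))
        elif "establishing CHILD_SA" in msg:
            s["child_sa_started"] = True
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the same summary over a failing and a working log and comparing the two results shows at which exchange the failing one stops.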
