Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec (IKEv2) iPhone VPN fails to connect

    Scheduled Pinned Locked Moved IPsec
    1 Posts 1 Posters 273 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FoolishlyWise
      last edited by

      I have no idea if I'm just being stupid or if I've configured something wrong, but for the life of me I cannot get IPSEC working. I need always-on VPN while at work so OVPN isn't suitable.

      Logs are below - I'm trying to connect my iPhone (which is connected to cellular) via a PSK. Firewall hostname has been replaced with 'fqdn'.

      Can anyone spot what's up here?

      Apr 28 15:42:58	charon		06[NET] <2> received packet: from 213.205.240.55[41316] to 192.168.1.1[500] (604 bytes)
Apr 28 15:42:58	charon		06[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 28 15:42:58	charon		06[CFG] <2> looking for an IKEv2 config for 192.168.1.1...213.205.240.55
Apr 28 15:42:58	charon		06[CFG] <2> candidate: %any...%any, prio 24
Apr 28 15:42:58	charon		06[CFG] <2> found matching ike config: %any...%any with prio 24
Apr 28 15:42:58	charon		06[IKE] <2> 213.205.240.55 is initiating an IKE_SA
Apr 28 15:42:58	charon		06[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Apr 28 15:42:58	charon		06[CFG] <2> selecting proposal:
Apr 28 15:42:58	charon		06[CFG] <2> proposal matches
Apr 28 15:42:58	charon		06[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 28 15:42:58	charon		06[CFG] <2> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr 28 15:42:58	charon		06[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 28 15:42:58	charon		06[IKE] <2> local host is behind NAT, sending keep alives
Apr 28 15:42:58	charon		06[IKE] <2> remote host is behind NAT
Apr 28 15:42:58	charon		06[IKE] <2> sending cert request for "CN=pfSense-MainCA, C=GB, ST=Central London, L=Greater London, O=SSL, OU=SSL Provisioning"
Apr 28 15:42:58	charon		06[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Apr 28 15:42:58	charon		06[NET] <2> sending packet: from 192.168.1.1[500] to 213.205.240.55[41316] (473 bytes)
Apr 28 15:42:58	charon		06[NET] <2> received packet: from 213.205.240.55[43268] to 192.168.1.1[4500] (528 bytes)
Apr 28 15:42:58	charon		06[ENC] <2> unknown attribute type (25)
Apr 28 15:42:58	charon		06[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 28 15:42:58	charon		06[CFG] <2> looking for peer configs matching 192.168.1.1[fqdn]...213.205.240.55[2a01:4c8:1019:c8ea:a1dd:a73c:462e:3d48]
Apr 28 15:42:58	charon		06[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Apr 28 15:42:58	charon		06[CFG] <bypasslan|2> selected peer config 'bypasslan'
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> peer requested EAP, config unacceptable
Apr 28 15:42:58	charon		06[CFG] <bypasslan|2> no alternative config found
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP4_ADDRESS attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP4_DHCP attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP4_DNS attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP4_NETMASK attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP6_ADDRESS attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP6_DHCP attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing INTERNAL_IP6_DNS attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> processing (25) attribute
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> peer supports MOBIKE
Apr 28 15:42:58	charon		06[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 15:42:58	charon		06[NET] <bypasslan|2> sending packet: from 192.168.1.1[4500] to 213.205.240.55[43268] (80 bytes)
Apr 28 15:42:58	charon		06[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING
      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.