IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 working!

w0w

Here is an explanation why the Alt Name "DNS" should be present in key
https://wiki.strongswan.org/issues/813

krankykoder

Thanks! This post actually helped solve one of the issues I had setting this up for myself.

The issue I have now, hopefully the last issue, I am able to get connected just fine, and have outbound internet access through my VPN.

What I don't have, however is access to hosts within my network, and there appears to be no DNS name resolution.

Through my VPN, I can browse to webconfigurator, by IP, but not by name. And I cannot reach any other host on my network by IP or by hostname.

I have allow any rules set on my firewall which should be allowing the traffic between LAN, IPsec and the virtual network set in the mobile clients.

Don't know if this is relevant or not, but doesn't look normal to me, so I'll include it

When the VPN is established on the Windows device,

DNS Suffice= <empty>IP address=192.168.33.2 (within the range I set on Mobile Clients)
Subnet mask=255.255.255.255
Default Gateway=0.0.0.0

If anyone has any insight, I would be grateful.

Thanks!

EDIT: Turns out the reason I can't hit the windows machine on my network has to do with the firewall settings on said boxes. But still no DNS. can only hit them by IP.</empty>

yarick123

Thank you, jobsoft - IKEv2 works now also by me. The trick with MMC has worked!

I have made also an investigation about server certificates with Alternative Names (SAN). The VPN works only if a SAN-containing certificate has no IP-address as the Common Name, IP-addresses can be listed as alternative names with type "DNS".

Best regards
yarick123

cmb

There were EKU issues with certificates generated on versions prior to 2.2.4. If you start from scratch with your certs on 2.2.4, following the updated details in the doc article linked originally, it'll work without disabling EKU.
https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

andymcfishka

Hello!
I want to share my expirience of setting up IKeV2 on Windows 8 and iOS 9 with connection by IP address.
I hope it will be usefull for someone.

Firstly, i used this guide https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
Every settings were Ok, but my pc still could not connect to server (809 Error).
The key was: setup .p12 server sertificate on Windows, and restart pfsense.

Secondly, i tried to connect from my iPhone with iOS9.
It was connecting for 1 sec, and then disconnecting.
When i checked log, and compared it with PC connection log, there was a little difference:
When pc connects pfsense selected connection profile "con1", and when phone connected pfsense selected connection profile "bypass".
I checked ipsec configuration file "/var/etc/ipsec/ipsec.conf" and delete bypass rule, after that pfsense started to log that profile is not found.

Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

But the laptop peer search looked like this:

Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

After testing Iphone settings i realized, that IP in left brackets was "Remote ID" from iphone VPN settings, and IP in right brackets was "Local ID" from iphone settings(if u leave "Local ID" blank, iphone inserts your phone IP].

So i checked "/var/etc/ipsec/ipsec.conf again.
And i found something interesting:
leftid = fqdn:88.24.127.106
I tried use this as Remote ID but got no result.
Then i go to pfsense->VPN->IPsec->Phase1->My identifier and set it to "IP address" from "Distinguished Name"
After that config string changed to:
leftid = 88.24.127.106
And my iphone connects with settings from guide.

So, i think there need to be a mark about this in the guide.

Thanks for reading and sorry for mistakes.

jsvg

Any OSX El Captain clients working?

jimp

@j@svg:

Any OSX El Captain clients working?

Yes it works fine from El Capitan

meluvalli

@andymcfishka:

Hello!
I want to share my expirience of setting up IKeV2 on Windows 8 and iOS 9 with connection by IP address.
I hope it will be usefull for someone.

Firstly, i used this guide https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
Every settings were Ok, but my pc still could not connect to server (809 Error).
The key was: setup .p12 server sertificate on Windows, and restart pfsense.

Secondly, i tried to connect from my iPhone with iOS9.
It was connecting for 1 sec, and then disconnecting.
When i checked log, and compared it with PC connection log, there was a little difference:
When pc connects pfsense selected connection profile "con1", and when phone connected pfsense selected connection profile "bypass".
I checked ipsec configuration file "/var/etc/ipsec/ipsec.conf" and delete bypass rule, after that pfsense started to log that profile is not found.

Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

But the laptop peer search looked like this:

Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

After testing Iphone settings i realized, that IP in left brackets was "Remote ID" from iphone VPN settings, and IP in right brackets was "Local ID" from iphone settings(if u leave "Local ID" blank, iphone inserts your phone IP].

So i checked "/var/etc/ipsec/ipsec.conf again.
And i found something interesting:
leftid = fqdn:88.24.127.106
I tried use this as Remote ID but got no result.
Then i go to pfsense->VPN->IPsec->Phase1->My identifier and set it to "IP address" from "Distinguished Name"
After that config string changed to:
leftid = 88.24.127.106
And my iphone connects with settings from guide.

So, i think there need to be a mark about this in the guide.

Thanks for reading and sorry for mistakes.

Really wish I knew how you got this to work with IOS 9 on an iPhone….

Everything I have tried results in:

charon: 07[ENC] <bypasslan|67>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</bypasslan|67> 

Update: Ok.  I finally got somewhere by following the directions from: https://forum.pfsense.org/index.php?topic=85367.0.  Thank you harbord for the directions!  I am not sure how to add more than one user using this method, but I at least got one of my phones connected!

andymcfishka

@meluvalli glad to see that i helped someone

NeighborOfTheBeast

Dear all,

with the help of
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
I managed to configure a IKEv2 SA and child SA for the ESP IPsec tunnel for my iPhone iOS v13.5.1
to pfSense 2.4.5.

I created a new PKI and converted the client certificate .p12 with a OpenSSL lib workaround I found here.
And after trying a while it works now for me. IPsec connection establishes fast and reliable.

But what I still do not understand with the above method is:
Why do I need to define PSK keys for the EAP authentication part after IKE handshake although
I already have a client certificate in place on the mobile that actually could also do this job (or even better).
iPhone allows to configure IKE connections to use the certificate as user authentication method.
But with this method set (instead of the user / pw pattern) I cannot manage to authenticate successfully.
EAP authentication of the client (iPhone) always gets aborted:

Last 1000 IPsec Log Entries. (Maximum 1000)
09[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: CONNECTING => DESTROYING
09[NET] <con-mobile|2> sending packet: from <ServerIP> [4500] to <iPhoneIP>[19330] (80 bytes)
09[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE
09[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
09[NET] <con-mobile|2> received packet: from <iPhoneIP>[19330] to <ServerIP>[4500] (80 bytes)
09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP> [19330] (112 bytes)
09[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
09[IKE] <con-mobile|2> received EAP identity 'Markus'
09[ASN] <con-mobile|2> file content is not binary ASN.1
09[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
...

Do you have an idea?

kind regards
Markus