Netgate Discussion Forum

    IPSEC IKEv2 Mobile client with EAP-MSCHAPv2 working!

    IPsec
    11 Posts 10 Posters 12.9k Views
    w0w

      Here is an explanation of why the Alt Name "DNS" should be present in the key:
      https://wiki.strongswan.org/issues/813

      krankykoder

        Thanks! This post actually helped solve one of the issues I had setting this up for myself.

        The issue I have now, hopefully the last one, is this: I am able to get connected just fine and have outbound internet access through my VPN.

        What I don't have, however, is access to hosts within my network, and there appears to be no DNS name resolution.

        Through my VPN, I can browse to the webConfigurator by IP, but not by name. And I cannot reach any other host on my network by IP or by hostname.

        I have allow-any rules set on my firewall, which should be allowing the traffic between LAN, IPsec and the virtual network set in the mobile clients.

        Don't know if this is relevant or not, but it doesn't look normal to me, so I'll include it.

        When the VPN is established on the Windows device:

        DNS Suffix = <empty>
        IP address = 192.168.33.2 (within the range I set on Mobile Clients)
        Subnet mask = 255.255.255.255
        Default Gateway = 0.0.0.0

        If anyone has any insight, I would be grateful.

        Thanks!

        EDIT: Turns out the reason I can't hit the Windows machines on my network has to do with the firewall settings on said boxes. But still no DNS; I can only hit them by IP.

        yarick123

          Thank you, jobsoft; IKEv2 now works for me too. The trick with MMC worked!

          I have also made an investigation into server certificates with Subject Alternative Names (SAN). The VPN works only if a SAN-containing certificate has no IP address as the Common Name; IP addresses can be listed as alternative names with type "DNS".

          Best regards
          yarick123
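As an added illustration of the certificate rule yarick123 describes (example code written for this page, not pfSense, strongSwan or any poster's code), the helper below emits an OpenSSL request config for the IKEv2 server certificate. It refuses an IP literal as the Common Name and writes every name, IP literals included, as a DNS-type subjectAltName, which is the combination the post reports as working. The EKU line (serverAuth plus the IKE intermediate OID 1.3.6.1.5.5.8.2.2) is an assumption about what the issuing CA should copy onto the server certificate, not something stated in the thread; the hostname and address are constructed documentation values.

```python
"""Generate an OpenSSL request config for an IKEv2 server certificate that
follows the rule reported above: a SAN certificate must not carry an IP
address as its Common Name, and the IPs clients dial go in as DNS-type
subjectAltName entries. Hypothetical helper; not pfSense or strongSwan code."""
import ipaddress
from typing import List

# Extended key usages for an IKEv2 server cert. serverAuth is the EKU Windows
# checks; 1.3.6.1.5.5.8.2.2 ("IP security IKE intermediate") is the extra EKU
# older guides added (assumption: the issuing CA copies both onto the cert).
SERVER_EKU = "serverAuth, 1.3.6.1.5.5.8.2.2"


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal such as 203.0.113.10 or 2001:db8::1."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_entries(common_name: str, names: List[str]) -> List[str]:
    """Return the validated, de-duplicated subjectAltName list.

    Raises ValueError if the CN is an IP literal (the combination the thread
    reports as failing). The CN is always the first SAN so a client that
    matches on SAN alone still finds the hostname; IP literals are emitted as
    DNS: entries, the form the thread reports working, rather than IP: entries.
    """
    common_name = common_name.strip()
    if not common_name:
        raise ValueError("common name must not be empty")
    if is_ip_literal(common_name):
        raise ValueError(f"CN {common_name!r} is an IP literal; use a hostname "
                         "and list the IP as a DNS-type alternative name instead")
    entries: List[str] = []
    for name in [common_name, *names]:
        name = name.strip()
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"bad alternative name {name!r}")
        entry = f"DNS:{name}"
        if entry not in entries:
            entries.append(entry)
    return entries


def san_req_config(common_name: str, names: List[str]) -> str:
    """Config text for: openssl req -new -key server.key -config <file> -out server.csr"""
    alt = ", ".join(san_entries(common_name, names))
    return "\n".join([
        "[ req ]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[ dn ]",
        f"CN = {common_name.strip()}",
        "",
        "[ v3_req ]",
        "keyUsage = digitalSignature, keyEncipherment",
        f"extendedKeyUsage = {SERVER_EKU}",
        f"subjectAltName = {alt}",
        "",
    ])


if __name__ == "__main__":
    # Constructed example values (RFC 5737 documentation address).
    print(san_req_config("vpn.example.net", ["203.0.113.10"]))
```

Feed the output to `openssl req -new -config` and have the CA sign it with `copy_extensions = copy` so the SAN and EKU survive into the issued certificate; the same CN/SAN rule applies when the certificate is created in the pfSense certificate manager instead.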

          cmb

            There were EKU issues with certificates generated on versions prior to 2.2.4. If you start from scratch with your certs on 2.2.4, following the updated details in the doc article linked originally, it'll work without disabling EKU.
            https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

            andymcfishka

              Hello!
              I want to share my experience of setting up IKEv2 on Windows 8 and iOS 9 with connection by IP address.
              I hope it will be useful for someone.

              Firstly, I used this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
              Every setting was OK, but my PC still could not connect to the server (error 809).
              The key was: set up the .p12 server certificate on Windows, and restart pfSense.

              Secondly, I tried to connect from my iPhone with iOS 9.
              It connected for 1 second and then disconnected.
              When I checked the log and compared it with the PC connection log, there was a small difference:
              when the PC connects, pfSense selects connection profile "con1", and when the phone connects, pfSense selects connection profile "bypass".
              I checked the IPsec configuration file "/var/etc/ipsec/ipsec.conf" and deleted the bypass rule; after that pfSense started to log that the profile is not found.

              Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
              Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

              But the laptop peer search looked like this:

              Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

              After testing the iPhone settings I realized that the IP in the left brackets was the "Remote ID" from the iPhone VPN settings, and the IP in the right brackets was the "Local ID" from the iPhone settings (if you leave "Local ID" blank, the iPhone inserts your phone's IP).

              So I checked "/var/etc/ipsec/ipsec.conf" again.
              And I found something interesting:
              leftid = fqdn:88.24.127.106
              I tried to use this as the Remote ID but got no result.
              Then I went to pfSense -> VPN -> IPsec -> Phase 1 -> My identifier and changed it from "Distinguished Name" to "IP address".
              After that the config string changed to:
              leftid = 88.24.127.106
              And my iPhone connects with the settings from the guide.

              So I think there needs to be a note about this in the guide.

              Thanks for reading, and sorry for mistakes.

              jsvg

                Any OS X El Capitan clients working?

                jimp (Rebel Alliance Developer, Netgate)

                  @jsvg:

                  Any OS X El Capitan clients working?

                  Yes, it works fine from El Capitan.

                  meluvalli

                    @andymcfishka:

                    Really wish I knew how you got this to work with iOS 9 on an iPhone...

                    Everything I have tried results in:

                    charon: 07[ENC] <bypasslan|67> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

                    Update: OK. I finally got somewhere by following the directions from https://forum.pfsense.org/index.php?topic=85367.0 . Thank you harbord for the directions! I am not sure how to add more than one user using this method, but I at least got one of my phones connected!

                    andymcfishka @meluvalli

                      @meluvalli glad to see that I helped someone

                      NeighborOfTheBeast

                        Dear all,

                        With the help of
                        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
                        I managed to configure an IKEv2 SA and child SA for the ESP IPsec tunnel from my iPhone (iOS 13.5.1)
                        to pfSense 2.4.5.

                        I created a new PKI and converted the client certificate .p12 with an OpenSSL lib workaround I found here.
                        And after trying for a while it now works for me. The IPsec connection establishes fast and reliably.

                        But what I still do not understand with the above method is:
                        why do I need to define PSK keys for the EAP authentication part after the IKE handshake, although
                        I already have a client certificate in place on the mobile that could actually also do this job (or even better)?
                        The iPhone allows configuring IKE connections to use the certificate as the user authentication method.
                        But with this method set (instead of the user/password pattern) I cannot manage to authenticate successfully.
                        EAP authentication of the client (iPhone) always gets aborted:

                        Last 1000 IPsec Log Entries. (Maximum 1000)
                        09[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: CONNECTING => DESTROYING
                        09[NET] <con-mobile|2> sending packet: from <ServerIP> [4500] to <iPhoneIP>[19330] (80 bytes)
                        09[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
                        09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE
                        09[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
                        09[NET] <con-mobile|2> received packet: from <iPhoneIP>[19330] to <ServerIP>[4500] (80 bytes)
                        09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP> [19330] (112 bytes)
                        09[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
                        09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
                        09[IKE] <con-mobile|2> received EAP identity 'Markus'
                        09[ASN] <con-mobile|2> file content is not binary ASN.1
                        09[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
                        ...

                        Do you have an idea?

                        Kind regards
                        Markus
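Two of the failures in this thread can be read straight off the charon log: andymcfishka's iPhone was rejected with "no matching peer config found" because the server identity the phone asked for (an IP address) did not match `leftid = fqdn:88.24.127.106`, and Markus's certificate-authentication attempt ends with "received EAP_NAK" because the phone refuses the EAP-MSCHAPv2 method the server offers. The script below is an added example written for this page (not pfSense or strongSwan code) that triages both patterns. It classifies identities the way strongSwan does (an explicit `fqdn:`/`ipv4:` prefix wins, otherwise an IP literal is an address ID and a bare name is an FQDN) and explains each failure line; the sample log is constructed from the lines quoted in this thread, with the addresses as posted.

```python
"""Triage strongSwan (charon) log lines for the two IKEv2 mobile-client
failures seen in this thread: a client identity that does not match the
configured leftid (the "no matching peer config found" case) and a client
that rejects the EAP method the server offers (the "received EAP_NAK" case).
Hypothetical helper, not part of pfSense or strongSwan."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# charon prints "me[my_id]...other[other_id]"; the bracketed IDs are optional
# and extraction may turn "..." into a single ellipsis character.
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<laddr>[^\[\s]+)(?:\[(?P<lid>[^\]]*)\])?"
    r"(?:\.\.\.|\u2026)"
    r"(?P<raddr>[^\[\s]+)(?:\[(?P<rid>[^\]]*)\])?"
)
EAP_METHOD_RE = re.compile(r"initiating (?P<method>EAP_\w+) method")


def parse_id(ident: str) -> Tuple[str, str]:
    """Classify an identity as strongSwan does: an explicit prefix such as
    fqdn: or ipv4: wins; otherwise an IP literal is an address ID, a string
    with '@' an e-mail ID, and anything else an FQDN."""
    ident = ident.strip()
    for prefix in ("fqdn:", "ipv4:", "ipv6:", "email:"):
        if ident.lower().startswith(prefix):
            return prefix[:-1], ident[len(prefix):]
    try:
        addr = ipaddress.ip_address(ident)
        return ("ipv4" if addr.version == 4 else "ipv6"), str(addr)
    except ValueError:
        pass
    return ("email" if "@" in ident else "fqdn"), ident


def ids_match(configured: str, claimed: str) -> bool:
    """IKEv2 ID payloads match only if both the ID type and the value agree,
    which is why leftid = fqdn:88.24.127.106 never matches an address ID."""
    return parse_id(configured) == parse_id(claimed)


@dataclass
class Finding:
    line_no: int
    problem: str
    detail: str


def triage(lines: List[str], leftid: str) -> List[Finding]:
    """Walk the log in order; `leftid` is the server identity from ipsec.conf."""
    findings: List[Finding] = []
    claimed_idr: Optional[str] = None   # server ID the client asked for (IDr)
    offered: Optional[str] = None       # last EAP method the server proposed
    for n, line in enumerate(lines, 1):
        m = PEER_CFG_RE.search(line)
        if m:
            claimed_idr = m.group("lid")  # None when only addresses were logged
            continue
        m = EAP_METHOD_RE.search(line)
        if m:
            offered = m.group("method")
            continue
        if "no matching peer config found" in line:
            if claimed_idr is not None and not ids_match(leftid, claimed_idr):
                want, got = parse_id(leftid), parse_id(claimed_idr)
                findings.append(Finding(n, "identity mismatch",
                    f"client expects server ID {got[0]}:{got[1]} but ipsec.conf "
                    f"has leftid {want[0]}:{want[1]}; align 'My identifier'"))
            else:
                findings.append(Finding(n, "no peer config",
                    "no connection matches this peer; check leftid/rightid "
                    "and the remote subnet"))
        elif "received EAP_NAK" in line:
            findings.append(Finding(n, "EAP method refused",
                f"client rejected {offered or 'the offered EAP method'}; "
                "its authentication method differs from the server's"))
    return findings


# Constructed sample reusing the log lines quoted in this thread (addresses
# and timestamps as posted): the iPhone attempt, the laptop attempt, then
# the certificate-authentication attempt that ends in EAP_NAK.
SAMPLE_LOG = [
    "Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching "
    "88.24.127.106[88.24.127.106]...5.18.93.113[192.168.0.101]",
    "Dec 24 21:13:04 charon: 15[CFG] no matching peer config found",
    "Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching "
    "88.24.127.106...5.18.93.113",
    "09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)",
    "09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "fqdn:88.24.127.106"):
        print(f"line {f.line_no}: {f.problem}: {f.detail}")
```

Run it against `clog /var/log/ipsec.log` output with the `leftid` value from `/var/etc/ipsec/ipsec.conf`: an "identity mismatch" finding points at the Phase 1 "My identifier" setting, while "EAP method refused" means the client's authentication method (certificate versus username/password) does not match what the mobile-clients configuration offers.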

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.