PFSense 2.3 & Greenbow IPSec Client
-
Hello all, now that my site-to-site problem is solved, I've got a new one. I need some mobile access.
IKE Extensions: Enabled
User Authentication: Local Database
Virtual Address Pool: Enabled
Network List: Enabled

Phase1 Auth
Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN
My identifier: My IP Address
Peer identifier: Peer IP address
Pre-Shared Key: xxx

Phase1 Alg.
Encryption Algorithm: AES 256
Hash: SHA256
DH group: 14
Lifetime: 28800

Phase 2
Mode: Tunnel
Local Network: LAN subnet
Protocol: ESP
Encryption: AES256
Hash: SHA256
PFS group: 14
Lifetime: 3600

If I try to connect with my Greenbow client I get an auth error. On the pfSense I get:
Aug 24 11:14:08 charon 09[NET] <9> received packet: from 213.188.234.181[500] to 212.147.xxx.xxx[500] (432 bytes)
Aug 24 11:14:08 charon 09[ENC] <9> parsed IKE_SA_INIT request 0 [ SA No N(NATD_S_IP) N(NATD_D_IP) KE ]
Aug 24 11:14:08 charon 09[IKE] <9> 213.188.234.181 is initiating an IKE_SA
Aug 24 11:14:08 charon 09[IKE] <9> remote host is behind NAT
Aug 24 11:14:08 charon 09[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 24 11:14:08 charon 09[NET] <9> sending packet: from 212.147.xxx.xxx[500] to 213.188.234.181[500] (440 bytes)
Aug 24 11:14:08 charon 09[NET] <9> received packet: from 213.188.234.181[52799] to 212.147.xxx.xxx[4500] (256 bytes)
Aug 24 11:14:08 charon 09[ENC] <9> parsed IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR) SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) ]
Aug 24 11:14:08 charon 09[CFG] <9> looking for peer configs matching 212.147.xxx.xxx[%any]…213.188.234.181[192.168.1.127]
Aug 24 11:14:08 charon 09[CFG] <con1|9> selected peer config 'con1'
Aug 24 11:14:08 charon 09[IKE] <con1|9> no shared key found for '%any' - '192.168.1.127'
Aug 24 11:14:08 charon 09[IKE] <con1|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 24 11:14:08 charon 09[ENC] <con1|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 24 11:14:08 charon 09[NET] <con1|9> sending packet: from 212.147.xxx.xxx[4500] to 213.188.234.181[52799] (80 bytes)

Sorry for the stupid questions, but monowall was easier for me :)
-
Why Greenbow? Why not native IKEv2?
What clients are you trying to support? (OS/version?)
-
Could be another client. Windows 7 / 10
-
I would start here:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2