IKEv2 MS-CHAPv2 vpn Android Client problem
-
Hi,
I have a problem trying to connect to my IKEv2 MS-CHAPv2 VPN from an Android device using the strongSwan app and following the steps named in this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Does anybody know what could cause this issue?
Sep 30 16:24:48 07[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (544 bytes)
Sep 30 16:24:48 07[ENC] parsed IKE_AUTH response 1 [ EF(3/5) ]
Sep 30 16:24:48 07[IKE] received message ID 1, expected 2. Ignored
Sep 30 16:24:48 13[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (100 bytes)
Sep 30 16:24:48 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 30 16:24:48 13[IKE] server requested EAP_MSCHAPV2 authentication (id 0x3B)
Sep 30 16:24:48 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 30 16:24:48 13[NET] sending packet: from xx.xxx.xxx.xx[47135] to xx.xxx.xxx.xx[4500] (140 bytes)
Sep 30 16:24:48 16[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (132 bytes)
Sep 30 16:24:48 16[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 30 16:24:48 16[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Sep 30 16:24:48 16[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 30 16:24:48 16[NET] sending packet: from xx.xxx.xxx.xx[47135] to xx.xxx.xxx.xx[4500] (68 bytes)
Sep 30 16:24:48 03[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (68 bytes)
Sep 30 16:24:48 03[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Sep 30 16:24:48 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 30 16:24:48 03[IKE] authentication of '"ommited data (mail adress)"' (myself) with EAP
Sep 30 16:24:48 03[ENC] generating IKE_AUTH request 5 [ AUTH ]
Sep 30 16:24:48 03[NET] sending packet: from xx.xxx.xxx.xx[47135] to xx.xxx.xxx.xx[4500] (84 bytes)
Sep 30 16:24:48 05[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (148 bytes)
Sep 30 16:24:48 05[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET U_BANNER) N(AUTH_LFT) N(NO_PROP) ]
Sep 30 16:24:48 05[IKE] authentication of 'xx.xxx.xxx.xx' with EAP successful
Sep 30 16:24:48 05[IKE] IKE_SA android[8] established between xx.xxx.xxx.xx["ommited data (mail adress)"]...xx.xxx.xxx.xx[xx.xxx.xxx.xx]
Sep 30 16:24:48 05[IKE] scheduling rekeying in 35462s
Sep 30 16:24:48 05[IKE] maximum IKE_SA lifetime 36062s
Sep 30 16:24:48 05[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Sep 30 16:24:48 05[CFG] handling UNITY_BANNER attribute failed
Sep 30 16:24:48 05[IKE] installing new virtual IP 10.1.1.1
Sep 30 16:24:48 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Sep 30 16:24:48 05[IKE] closing IKE_SA due CHILD_SA setup failure
Sep 30 16:24:48 05[IKE] received AUTH_LIFETIME of 27998s, scheduling reauthentication in 27398s
Sep 30 16:24:48 06[IKE] deleting IKE_SA android[8] between xx.xxx.xxx.xx["ommited data (mail adress)"]...xx.xxx.xxx.xx[xx.xxx.xxx.xx]
Sep 30 16:24:48 06[IKE] sending DELETE for IKE_SA android[8]
Sep 30 16:24:48 06[ENC] generating INFORMATIONAL request 6 [ D ]
Sep 30 16:24:48 06[NET] sending packet: from xx.xxx.xxx.xx[47135] to xx.xxx.xxx.xx[4500] (68 bytes)
Sep 30 16:24:48 09[NET] received packet: from xx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[47135] (60 bytes)
Sep 30 16:24:48 09[ENC] parsed INFORMATIONAL response 6 [ ]
Sep 30 16:24:48 09[IKE] IKE_SA deleted
Thank you,
Jose Luis.
-
That client is not liking the transforms you have configured:
Sep 30 16:24:48 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
If you set VPN > IPsec, Advanced settings, logs to IKE SA, IKE Child SA, and Configuration backend to Diag, leaving all others at Control, you will get more logging about that exchange. It should show you what the Android device will accept.
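
The reading of the log given in the reply above, as an added example that is not part of the original thread: a Python parser for strongSwan client log entries that reports how far the negotiation got and whether NO_PROPOSAL_CHOSEN arrived before or after the IKE_SA was established. The names parse_entries and diagnose are hypothetical, and the wording of the CHILD_SA success line is an assumption, since the posted log contains no successful CHILD_SA.

```python
import re

# Zero-width split point before each "Mon DD HH:MM:SS NN[SUB]" prefix, so a log
# pasted as one long line parses the same as one entry per line.
ENTRY_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{2}\[[A-Z]{3}\])")
ENTRY = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} ([\d:]{8}) (\d{2})\[([A-Z]{3})\] (.*)$", re.S)
NOTIFY = re.compile(r"received (\w+) notify")

def parse_entries(text):
    """Return (time, thread, subsystem, message) tuples."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if m:
            time, thread, subsys, msg = m.groups()
            entries.append((time, thread, subsys, " ".join(msg.split())))
    return entries

def diagnose(text):
    """Report how far the negotiation got and which notify stopped it."""
    r = {"eap_ok": False, "ike_sa_up": False, "child_sa_up": False, "notify": None}
    for _, _, subsys, msg in parse_entries(text):
        if subsys != "IKE":
            continue
        if msg.startswith("EAP method") and "succeeded" in msg:
            r["eap_ok"] = True
        elif msg.startswith("IKE_SA") and " established between " in msg:
            r["ike_sa_up"] = True
        elif msg.startswith("CHILD_SA") and " established " in msg:
            r["child_sa_up"] = True  # assumed success wording; not in the posted log
        elif NOTIFY.match(msg) and r["notify"] is None:
            r["notify"] = NOTIFY.match(msg).group(1)
    if r["child_sa_up"]:
        r["verdict"] = "tunnel_up"
    elif r["notify"] == "NO_PROPOSAL_CHOSEN":
        # Once the IKE_SA is up, the rejected proposal is the CHILD_SA one.
        r["verdict"] = ("child_sa_proposal_mismatch" if r["ike_sa_up"]
                        else "ike_sa_proposal_mismatch")
    else:
        r["verdict"] = "undetermined"
    return r

# Constructed sample: entries in the format of the log above, run together as
# posted; "user" stands in for the redacted identity.
SAMPLE = (
    "Sep 30 16:24:48 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established "
    "Sep 30 16:24:48 05[IKE] IKE_SA android[8] established between xx.xxx.xxx.xx[user]...xx.xxx.xxx.xx[xx.xxx.xxx.xx] "
    "Sep 30 16:24:48 05[IKE] installing new virtual IP 10.1.1.1 "
    "Sep 30 16:24:48 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built "
    "Sep 30 16:24:48 05[IKE] closing IKE_SA due CHILD_SA setup failure"
)
```

On the sample, authentication and the IKE_SA both succeed and the verdict is child_sa_proposal_mismatch, which is the case the reply describes.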