    2.3.2, ipsec, windows 10, no EAP key found error

    IPsec
    3 Posts 2 Posters 4.5k Views
    • G
      garywaynesmith
      last edited by

      I have followed the guide at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to configure ipsec on the pfsense box and on windows 10.

      Everything looks like it should work but then I hit "no EAP key found for hosts 'vpn.example.com' - 'USERNAME'"

      There is a valid user with "User - VPN: IPsec xauth Dialin Indicates whether the user is allowed to dial in via IPsec xauth (Note: Does not allow shell access, but may allow the user to create SSH tunnels)" and a pre-shared key.

      When I log in from Windows 10, I get prompted for the username/password then I get the invalid credentials as logged below.  I know I must have missed something simple, I just don't know what it is.  Client side is configured exactly as per the document as well.

      Nov 9 11:18:27 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (80 bytes)
      Nov 9 11:18:27 charon 11[ENC] <con2|12> generating INFORMATIONAL response 6 [ N(AUTH_FAILED) ]
      Nov 9 11:18:27 charon 11[ENC] <con2|12> parsed INFORMATIONAL request 6 [ N(MS_STATUS(13849)) ]
      Nov 9 11:18:27 charon 11[NET] <con2|12> received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (80 bytes)
      Nov 9 11:18:27 charon 11[IKE] <con2|12> INFORMATIONAL request with message ID 5 processing failed
      Nov 9 11:18:27 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (80 bytes)
      Nov 9 11:18:27 charon 11[ENC] <con2|12> generating INFORMATIONAL response 5 [ N(INVAL_SYN) ]
      Nov 9 11:18:27 charon 11[IKE] <con2|12> message verification failed
      Nov 9 11:18:27 charon 11[ENC] <con2|12> could not decrypt payloads
      Nov 9 11:18:27 charon 11[ENC] <con2|12> DELETE verification failed
      Nov 9 11:18:27 charon 11[NET] <con2|12> received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (80 bytes)
      Nov 9 11:18:25 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (128 bytes)
      Nov 9 11:18:25 charon 11[ENC] <con2|12> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
      Nov 9 11:18:24 charon 12[MGR] ignoring request with ID 4, already processing
      Nov 9 11:18:23 charon 12[MGR] ignoring request with ID 4, already processing
      Nov 9 11:18:22 charon 11[IKE] <con2|12> EAP-MS-CHAPv2 verification failed, retry (2)
      Nov 9 11:18:22 charon 11[IKE] <con2|12> no EAP key found for hosts 'vpn.example.com' - 'USERNAME'
      Nov 9 11:18:22 charon 11[ENC] <con2|12> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
      Nov 9 11:18:22 charon 11[NET] <con2|12> received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (144 bytes)
      Nov 9 11:18:20 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (128 bytes)
      Nov 9 11:18:20 charon 11[ENC] <con2|12> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
      Nov 9 11:18:20 charon 12[MGR] ignoring request with ID 3, already processing
      Nov 9 11:18:19 charon 12[MGR] ignoring request with ID 3, already processing
      Nov 9 11:18:18 charon 11[IKE] <con2|12> EAP-MS-CHAPv2 verification failed, retry (1)
      Nov 9 11:18:18 charon 11[IKE] <con2|12> no EAP key found for hosts 'vpn.example.com' - 'USERNAME'
      Nov 9 11:18:18 charon 11[ENC] <con2|12> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
      Nov 9 11:18:18 charon 11[NET] <con2|12> received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (144 bytes)
      Nov 9 11:18:18 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (112 bytes)
      Nov 9 11:18:18 charon 11[ENC] <con2|12> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
      Nov 9 11:18:18 charon 11[IKE] <con2|12> initiating EAP_MSCHAPV2 method (id 0xC6)
      Nov 9 11:18:18 charon 11[IKE] <con2|12> received EAP identity 'USERNAME'
      Nov 9 11:18:18 charon 11[ENC] <con2|12> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
      Nov 9 11:18:18 charon 11[NET] <con2|12> received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (96 bytes)
      Nov 9 11:18:18 charon 11[NET] <con2|12> sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (1696 bytes)
      Nov 9 11:18:18 charon 11[ENC] <con2|12> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]

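      An added triage helper, not code from the thread or from pfSense, for reading a charon log like the one above: it re-orders the newest-first output chronologically, groups lines by IKE SA tag, and records the EAP identity, how often no EAP secret matched, the MSCHAPv2 retries and the final AUTH_FAILED. The sample log is constructed from the lines in the post; the year passed to the parser is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the post's charon log; pfSense shows newest first.
SAMPLE_LOG = """\
Nov 9 11:18:27 charon 11[ENC] <con2|12> generating INFORMATIONAL response 6 [ N(AUTH_FAILED) ]
Nov 9 11:18:22 charon 11[IKE] <con2|12> EAP-MS-CHAPv2 verification failed, retry (2)
Nov 9 11:18:22 charon 11[IKE] <con2|12> no EAP key found for hosts 'vpn.example.com' - 'USERNAME'
Nov 9 11:18:18 charon 11[IKE] <con2|12> EAP-MS-CHAPv2 verification failed, retry (1)
Nov 9 11:18:18 charon 11[IKE] <con2|12> no EAP key found for hosts 'vpn.example.com' - 'USERNAME'
Nov 9 11:18:18 charon 11[IKE] <con2|12> received EAP identity 'USERNAME'
Nov 9 11:18:18 charon 12[MGR] ignoring request with ID 3, already processing
"""

# timestamp, thread[subsystem], optional <conn|sa-id> tag, message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<sub>\w+)\]"
                     r"(?: <(?P<sa>[^>]+)>)? (?P<msg>.*)$")

def parse_charon(text, year=2016):  # year is an assumption: syslog lines carry none
    """Return (timestamp, sa_tag, subsystem, message) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore anything that is not a charon line
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            rows.append((ts, m["sa"], m["sub"], m["msg"]))
    if rows and rows[0][0] > rows[-1][0]:
        rows.reverse()  # newest-first display: flip so same-second lines keep their order
    rows.sort(key=lambda r: r[0])  # stable sort fixes any remaining disorder
    return rows

def triage_eap(rows):
    """Per IKE SA: identity seen, unmatched-EAP-secret count, retries, outcome."""
    sas = defaultdict(lambda: {"identity": None, "no_eap_key": 0,
                               "retries": 0, "outcome": "unknown"})
    for _, sa, _, msg in rows:
        if sa is None:
            continue  # MGR lines are global and carry no SA tag
        s = sas[sa]
        if m := re.match(r"received EAP identity '(.+)'", msg):
            s["identity"] = m[1]
        elif msg.startswith("no EAP key found"):
            s["no_eap_key"] += 1  # strongSwan found no EAP secret for this identity pair
        elif "verification failed, retry" in msg:
            s["retries"] += 1
        elif "N(AUTH_FAILED)" in msg:
            s["outcome"] = "AUTH_FAILED"
    return dict(sas)
```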
      • S
        SoulChild
        last edited by

        https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Import_the_CA_to_the_Client_PC

        When importing the CA, make sure to use the local machine and NOT the current user.

        https://www.digicert.com/images/DigiCertUtil/code-signing-authenticode-import-1.png

        Does that solve it?

        • G
          garywaynesmith
          last edited by

          Two things solved the problem:

          1. As you mentioned, there were some issues importing the key. I imported it into the local machine, into the proper container, but that didn't work; I had to import it into Personal as well, then I was able to get to the next problem.

          2. The next problem was authentication: I was PSK and EAP, not sure how I missed that.

          Now the tunnel works, but I'm having other issues with the 10.0.0.0/8 subnetting. If you can assist on that, that'd be great.

          Network A (the pfsense box) has the following subnets
          10.40.0.0/16
          10.142.0.0/24
          10.20.0.0/24

          Network B (my client side) has the following subnets
          172.16.0.0/16
          10.205.0.0/16

          When I set the mobile clients to 10.40.196.0/24 for a subnet, the client side routes 10.0.0.0/8 via the tunnel, which kills one of my local subnets on the network here from my workstation (since I have a 172.16.x.x address).

          So logically I tried changing the mobile client to 192.168.168.0/24 and I can route on my side just fine, but I have to manually add the routes to network A each time I connect as they aren't auto-mapped.

          Phase 2 on the network A pfSense box does indeed have 3 entries with the proper subnets.

          Any way to auto-map the route to the proper subnet?

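          An added check, not from the thread, that reproduces the routing symptom in the last post with Python's ipaddress module: it takes a mobile-client pool plus the Phase 2 and client-side subnets from the post and reports which local networks the client's derived tunnel route would shadow, which remote networks would still need manual routes, and whether the pool is carved out of a Phase 2 network. It assumes (not stated in the post) that a split-tunnel Windows client installs the classful route of its assigned address, which is what the 10.0.0.0/8 observation suggests.

```python
from ipaddress import ip_network

# Subnets as given in the post (constructed into lists here).
SITE_A = [ip_network(n) for n in ("10.40.0.0/16", "10.142.0.0/24", "10.20.0.0/24")]
CLIENT_LOCAL = [ip_network(n) for n in ("172.16.0.0/16", "10.205.0.0/16")]

def classful_route(pool):
    """Route a split-tunnel Windows client adds for its assigned address.
    Assumption, not stated in the post: with 'Use default gateway on remote
    network' off, Windows installs the classful network of the address
    (class A -> /8, B -> /16, C -> /24), matching the 10.0.0.0/8 symptom."""
    first = pool.network_address.packed[0]
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ip_network(f"{pool.network_address}/{prefix}", strict=False)

def check_pool(pool, site_nets=SITE_A, client_nets=CLIENT_LOCAL):
    """Report what the derived client route breaks and what it fails to cover."""
    pool = ip_network(pool)
    derived = classful_route(pool)
    report = {"pool": str(pool), "client_route": str(derived),
              "shadowed_local": [], "unreached_remote": [], "pool_inside_phase2": []}
    for n in client_nets:  # local LANs hijacked by the tunnel route
        if n.overlaps(derived):
            report["shadowed_local"].append(str(n))
    for n in site_nets:
        if not n.subnet_of(derived):  # needs a manual route on the client
            report["unreached_remote"].append(str(n))
        if n.overlaps(pool):  # pool carved out of a Phase 2 network
            report["pool_inside_phase2"].append(str(n))
    # Explicit per-network routes make the client independent of the pool choice
    report["explicit_routes"] = sorted(str(n) for n in site_nets)
    return report
```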
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.