No XAuth secret found



  • Hello,

    I just started operating a pfSense. My first problem arrived when I was trying to configure IPsec for my mobile device (iPhone). I made the configuration according to https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To.

    When I am trying to connect, I get the following error in the VPN log:

    
    Jan 14 17:13:38 	charon 		14[IKE] <con1|19>no XAuth secret found for '91.67.245.66' - 'vpn-user'
    Jan 14 17:13:38 	charon 		14[IKE] <con1|19>XAuth authentication of 'vpn-user' failed
    

    The user “vpn-user” is created under System -> User Management, and the “User - VPN - IPsec xauth Dialin” permission is configured as well (also tried with the admin user, without success).

    Any idea what could be wrong?

    If further information is needed, I can provide it.

    Thanks a lot for all kinds of support!

    Complete log:

    Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received XAuth vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received Cisco Unity vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> received DPD vendor ID
    Jan 14 17:09:56 	charon 		05[IKE] <16> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
    Jan 14 17:09:56 	charon 		05[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Jan 14 17:09:56 	charon 		05[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jan 14 17:09:56 	charon 		05[IKE] <16> no proposal found
    Jan 14 17:09:56 	charon 		05[ENC] <16> generating INFORMATIONAL_V1 request 2206095100 [ N(NO_PROP) ]
    Jan 14 17:09:56 	charon 		05[NET] <16> sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (56 bytes)
    Jan 14 17:09:57 	charon 		14[NET] <17> received packet: from 109.84.2.138[63453] to 91.67.245.66[500] (766 bytes)
    Jan 14 17:09:57 	charon 		14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Jan 14 17:09:57 	charon 		14[IKE] <17> received FRAGMENTATION vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received NAT-T (RFC 3947) vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received XAuth vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received Cisco Unity vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> received DPD vendor ID
    Jan 14 17:09:57 	charon 		14[IKE] <17> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
    Jan 14 17:09:57 	charon 		14[CFG] <17> looking for XAuthInitPSK peer configs matching 91.67.245.66...109.84.2.138[meinrouter]
    Jan 14 17:09:57 	charon 		14[CFG] <17> selected peer config "con1"
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (412 bytes)
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (100 bytes)
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
    Jan 14 17:09:57 	charon 		14[IKE] <con1|17>remote host is behind NAT
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating TRANSACTION request 3962088702 [ HASH CPRQ(X_USER X_PWD) ]
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed INFORMATIONAL_V1 request 1607647259 [ HASH N(INITIAL_CONTACT) ]
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed TRANSACTION response 3962088702 [ HASH CPRP(X_USER X_PWD) ]
    Jan 14 17:09:57 	charon 		14[IKE] <con1|17>no XAuth secret found for '91.67.245.66' - 'vpn-user'
    Jan 14 17:09:57 	charon 		14[IKE] <con1|17>XAuth authentication of 'vpn-user' failed
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating TRANSACTION request 4063032678 [ HASH CPS(X_STATUS) ]
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
    Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (76 bytes)
    Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed TRANSACTION response 4063032678 [ HASH CPA(X_STATUS) ]
    Jan 14 17:09:57 	charon 		14[IKE] <con1|17>destroying IKE_SA after failed XAuth authentication
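As an added example (not part of this post or of pfSense), a small Python parser for charon lines like the ones quoted above: it reports, per IKE_SA id, whether the handshake died on an IKE proposal mismatch or on XAuth, and shows the offered versus configured proposals when they share nothing. The sample lines are constructed to match the format in this thread.

```python
import re

# Constructed sample, shaped like the charon lines quoted in the thread (not a real capture)
SAMPLE_LOG = """\
Jan 14 17:09:56 charon 05[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jan 14 17:09:56 charon 05[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 14 17:09:56 charon 05[IKE] <16> no proposal found
Jan 14 17:09:57 charon 14[IKE] <con1|17> no XAuth secret found for '91.67.245.66' - 'vpn-user'
Jan 14 17:09:57 charon 14[IKE] <con1|17> XAuth authentication of 'vpn-user' failed
Jan 14 17:09:57 charon 14[IKE] <con1|17> destroying IKE_SA after failed XAuth authentication
"""

# One charon line: timestamp, thread[subsystem], <conn|sa-id> or <sa-id>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+charon\s+(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$")
XAUTH_RE = re.compile(r"no XAuth secret found for '(?P<local>[^']+)' - '(?P<user>[^']+)'")

def parse_line(line):
    """Return the line's fields as a dict, or None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def proposals(msg):
    """Turn 'received proposals: IKE:a, IKE:b' into the set {'IKE:a', 'IKE:b'}."""
    return {p.strip() for p in msg.split(":", 1)[1].split(",") if p.strip()}

def summarize_failures(log_text):
    """Map each failed IKE_SA id to its cause: 'no_proposal' or 'xauth:<user>'."""
    failures = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == "no proposal found":
            failures[rec["sa"]] = "no_proposal"
        m = XAUTH_RE.search(rec["msg"])
        if m:
            failures[rec["sa"]] = "xauth:" + m.group("user")
    return failures

def proposal_mismatches(log_text):
    """Map each IKE_SA id whose offered and configured proposals share nothing to (received, configured)."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"].startswith(("received proposals:", "configured proposals:")):
            side = rec["msg"].split(" ", 1)[0]  # 'received' or 'configured'
            seen.setdefault(rec["sa"], {})[side] = proposals(rec["msg"])
    return {sa: (d["received"], d["configured"]) for sa, d in seen.items()
            if len(d) == 2 and not (d["received"] & d["configured"])}
```

On the thread's own log this separates the first attempt (SA 16, which failed because the phone offered only MODP_2048 while MODP_1024 was configured) from the second (SA 17, which reached XAuth and failed there).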
    


  • Every idea is welcome. Checked the configuration multiple times, reconfigured everything and rebooted the system several times – no success…



  • Hello

    I installed a clean test system and got the same errors. Did you find a solution? Or can anybody else help?

    Regards

    Found it: For some reason the Mobile Clients settings were gone. Re-enabled IPsec Mobile Clients Support, filled in all the necessary stuff, and it worked.



  • Thanks butme,
    it took me months to find that solution. Disabling and re-enabling the mobile client support did the job.



  • I just tried this, not working lol :(