No XAuth secret found

Networker

Hello,

I just started operating a PfSense. My first problem arrived when I was trying to configure an IPsec for my mobile device (iphone). I made the configuration according to https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To.

When I am trying to connect, I geht the following error in the VPN log:

Jan 14 17:13:38 	charon 		14[IKE] <con1|19>no XAuth secret found for '91.67.245.66' - 'vpn-user'
Jan 14 17:13:38 	charon 		14[IKE] <con1|19>XAuth authentication of 'vpn-user' failed</con1|19></con1|19> 

The User “vpn-user” is created under system -> user management and the User - VPN - IPsec xauth Dialin permission is configured as well (Also tried with admin user, without success.).

Any idea what could be wrong?

If further information is needed, I can provide..

Thanks a lot for all kind of support!

Complet Log:

Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received XAuth vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received Cisco Unity vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> received DPD vendor ID
Jan 14 17:09:56 	charon 		05[IKE] <16> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
Jan 14 17:09:56 	charon 		05[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jan 14 17:09:56 	charon 		05[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 14 17:09:56 	charon 		05[IKE] <16> no proposal found
Jan 14 17:09:56 	charon 		05[ENC] <16> generating INFORMATIONAL_V1 request 2206095100 [ N(NO_PROP) ]
Jan 14 17:09:56 	charon 		05[NET] <16> sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (56 bytes)
Jan 14 17:09:57 	charon 		14[NET] <17> received packet: from 109.84.2.138[63453] to 91.67.245.66[500] (766 bytes)
Jan 14 17:09:57 	charon 		14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 14 17:09:57 	charon 		14[IKE] <17> received FRAGMENTATION vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received NAT-T (RFC 3947) vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received XAuth vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received Cisco Unity vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> received DPD vendor ID
Jan 14 17:09:57 	charon 		14[IKE] <17> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
Jan 14 17:09:57 	charon 		14[CFG] <17> looking for XAuthInitPSK peer configs matching 91.67.245.66...109.84.2.138[meinrouter]
Jan 14 17:09:57 	charon 		14[CFG] <17> selected peer config "con1"
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (412 bytes)
Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (100 bytes)
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Jan 14 17:09:57 	charon 		14[IKE] <con1|17>remote host is behind NAT
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating TRANSACTION request 3962088702 [ HASH CPRQ(X_USER X_PWD) ]
Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed INFORMATIONAL_V1 request 1607647259 [ HASH N(INITIAL_CONTACT) ]
Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed TRANSACTION response 3962088702 [ HASH CPRP(X_USER X_PWD) ]
Jan 14 17:09:57 	charon 		14[IKE] <con1|17>no XAuth secret found for '91.67.245.66' - 'vpn-user'
Jan 14 17:09:57 	charon 		14[IKE] <con1|17>XAuth authentication of 'vpn-user' failed
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>generating TRANSACTION request 4063032678 [ HASH CPS(X_STATUS) ]
Jan 14 17:09:57 	charon 		14[NET] <con1|17>sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
Jan 14 17:09:57 	charon 		14[NET] <con1|17>received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (76 bytes)
Jan 14 17:09:57 	charon 		14[ENC] <con1|17>parsed TRANSACTION response 4063032678 [ HASH CPA(X_STATUS) ]
Jan 14 17:09:57 	charon 		14[IKE] <con1|17>destroying IKE_SA after failed XAuth authentication</con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17></con1|17> 

Networker

Every idea is welcome. Checked the configuration multi times, reconfigured everything and rebooted the system several times – no success…

butme

Hello

I installed a clean testsystem and got the same errors. Did you find a solution? Or can anybody else help?

Regrards

Found it: For some reason the Mobile Clients settings were gone. Reenabled IPsec Mobile Clients Support and filled in all nessessary stuff and it worked.

methyphobia

Thanks butme,
it took me months to find that solution. Disabling and Reenabling the mobile client support did the job.

emeianoite

I just tried this, not working lol :(