No XAuth secret found
-
Hello,
I just started operating a pfSense. My first problem arrived when I was trying to configure IPsec for my mobile device (iPhone). I made the configuration according to https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To.
When I try to connect, I get the following error in the VPN log:
Jan 14 17:13:38 charon 14[IKE] <con1|19> no XAuth secret found for '91.67.245.66' - 'vpn-user'
Jan 14 17:13:38 charon 14[IKE] <con1|19> XAuth authentication of 'vpn-user' failed
The user “vpn-user” is created under System -> User Management and the "User - VPN - IPsec xauth Dialin" permission is configured as well (also tried with the admin user, without success).
Any idea what could be wrong?
If further information is needed, I can provide it.
Thanks a lot for all kinds of support!
Complete log:
Jan 14 17:09:56 charon 05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received XAuth vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received Cisco Unity vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> received DPD vendor ID
Jan 14 17:09:56 charon 05[IKE] <16> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
Jan 14 17:09:56 charon 05[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jan 14 17:09:56 charon 05[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 14 17:09:56 charon 05[IKE] <16> no proposal found
Jan 14 17:09:56 charon 05[ENC] <16> generating INFORMATIONAL_V1 request 2206095100 [ N(NO_PROP) ]
Jan 14 17:09:56 charon 05[NET] <16> sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (56 bytes)
Jan 14 17:09:57 charon 14[NET] <17> received packet: from 109.84.2.138[63453] to 91.67.245.66[500] (766 bytes)
Jan 14 17:09:57 charon 14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 14 17:09:57 charon 14[IKE] <17> received FRAGMENTATION vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received NAT-T (RFC 3947) vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received XAuth vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received Cisco Unity vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> received DPD vendor ID
Jan 14 17:09:57 charon 14[IKE] <17> 109.84.2.138 is initiating a Aggressive Mode IKE_SA
Jan 14 17:09:57 charon 14[CFG] <17> looking for XAuthInitPSK peer configs matching 91.67.245.66...109.84.2.138[meinrouter]
Jan 14 17:09:57 charon 14[CFG] <17> selected peer config "con1"
Jan 14 17:09:57 charon 14[ENC] <con1|17> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Jan 14 17:09:57 charon 14[NET] <con1|17> sending packet: from 91.67.245.66[500] to 109.84.2.138[63453] (412 bytes)
Jan 14 17:09:57 charon 14[NET] <con1|17> received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (100 bytes)
Jan 14 17:09:57 charon 14[ENC] <con1|17> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Jan 14 17:09:57 charon 14[IKE] <con1|17> remote host is behind NAT
Jan 14 17:09:57 charon 14[ENC] <con1|17> generating TRANSACTION request 3962088702 [ HASH CPRQ(X_USER X_PWD) ]
Jan 14 17:09:57 charon 14[NET] <con1|17> sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
Jan 14 17:09:57 charon 14[NET] <con1|17> received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
Jan 14 17:09:57 charon 14[ENC] <con1|17> parsed INFORMATIONAL_V1 request 1607647259 [ HASH N(INITIAL_CONTACT) ]
Jan 14 17:09:57 charon 14[NET] <con1|17> received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (92 bytes)
Jan 14 17:09:57 charon 14[ENC] <con1|17> parsed TRANSACTION response 3962088702 [ HASH CPRP(X_USER X_PWD) ]
Jan 14 17:09:57 charon 14[IKE] <con1|17> no XAuth secret found for '91.67.245.66' - 'vpn-user'
Jan 14 17:09:57 charon 14[IKE] <con1|17> XAuth authentication of 'vpn-user' failed
Jan 14 17:09:57 charon 14[ENC] <con1|17> generating TRANSACTION request 4063032678 [ HASH CPS(X_STATUS) ]
Jan 14 17:09:57 charon 14[NET] <con1|17> sending packet: from 91.67.245.66[4500] to 109.84.2.138[36152] (76 bytes)
Jan 14 17:09:57 charon 14[NET] <con1|17> received packet: from 109.84.2.138[36152] to 91.67.245.66[4500] (76 bytes)
Jan 14 17:09:57 charon 14[ENC] <con1|17> parsed TRANSACTION response 4063032678 [ HASH CPA(X_STATUS) ]
Jan 14 17:09:57 charon 14[IKE] <con1|17> destroying IKE_SA after failed XAuth authentication
-
Every idea is welcome. Checked the configuration multiple times, reconfigured everything and rebooted the system several times – no success…
-
Hello
I installed a clean test system and got the same errors. Did you find a solution? Or can anybody else help?
Regards
Found it: For some reason the Mobile Clients settings were gone. Re-enabled IPsec Mobile Clients Support and filled in all necessary stuff and it worked.
-
Thanks butme,
it took me months to find that solution. Disabling and re-enabling the mobile client support did the job.
-
I just tried this, not working lol :(
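
A triage helper for charon logs like the one posted in this thread, added here as an example and not part of any post: it groups lines by IKE_SA number and reports the two failures visible in that log, a proposal mismatch and a missing XAuth secret. The function names are hypothetical and the sample lines are constructed in the same format, with documentation-range addresses and a made-up user.

```python
import re
from collections import defaultdict

# Constructed sample in the charon syslog format shown in the thread.
SAMPLE = """\
Jan 14 17:09:56 charon 05[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jan 14 17:09:56 charon 05[CFG] <16> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 14 17:09:56 charon 05[IKE] <16> no proposal found
Jan 14 17:09:57 charon 14[CFG] <17> selected peer config "con1"
Jan 14 17:09:57 charon 14[IKE] <con1|17>no XAuth secret found for '192.0.2.1' - 'alice'
Jan 14 17:09:57 charon 14[IKE] <con1|17>XAuth authentication of 'alice' failed
"""

# Matches both "<16> msg" and "<con1|17>msg" (with or without a space).
LINE = re.compile(r"charon \d+\[[A-Z]+\] <(?:[^|>]+\|)?(?P<sa>\d+)>\s*(?P<msg>.*)")
XAUTH = re.compile(r"no XAuth secret found for '[^']*' - '(?P<user>[^']*)'")

def split_proposal(p):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/...' -> set of transform names."""
    return set(p.split(":", 1)[-1].split("/"))

def triage(log_text):
    """Return one finding per failure, tagged with charon's IKE_SA number."""
    props = defaultdict(dict)  # sa -> {"received": [...], "configured": [...]}
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = int(m["sa"]), m["msg"]
        for kind in ("received", "configured"):
            prefix = kind + " proposals: "
            if msg.startswith(prefix):
                props[sa][kind] = [split_proposal(p) for p in msg[len(prefix):].split(", ")]
        if msg == "no proposal found":
            rx, cfg = props[sa].get("received", []), props[sa].get("configured", [])
            offered = set().union(*rx) if rx else set()
            # Hint only: transforms the gateway requires that the peer never offers.
            missing = sorted({t for c in cfg for t in c - offered})
            findings.append({"sa": sa, "type": "proposal_mismatch", "not_offered": missing})
        x = XAUTH.search(msg)
        if x:
            findings.append({"sa": sa, "type": "xauth_no_secret", "user": x["user"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
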