IPSEC not working now with NPS radius Auth



  • When I go to Diagnostics and try to authenticate a user, it verifies them successfully. But when I try to connect using Windows 10 I get error 809.

    Moved to a new 2016 DC (able to authenticate to it as stated above).

    Used the same certificate from the pfSense firewall.

    Used the same PowerShell commands to create the VPN connection:

    # Create an IKEv2 connection for all users, authenticating with EAP (RADIUS/NPS behind pfSense)
    Add-VpnConnection -Name "VPN" -ServerAddress "pfSense.domain.com" -RememberCredential -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
    # Split tunnelling is on, so the remote subnet needs an explicit route; the name and -AllUserConnection must match the connection created above
    Add-VpnConnectionRoute -ConnectionName "VPN" -DestinationPrefix 10.20.60.0/24 -AllUserConnection -PassThru

    I get the following in the logs:

    Windows says that the server is not responding.

    pfSense says:

    Jul 3 12:01:37 charon 12[JOB] <con1|668> deleting half open IKE_SA after timeout
    Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31648] to 173.164.xxx.xxx[500] (616 bytes)
    Jul 3 12:01:48 charon 12[ENC] <669> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jul 3 12:01:48 charon 12[IKE] <669> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jul 3 12:01:48 charon 12[IKE] <669> received MS-Negotiation Discovery Capable vendor ID
    Jul 3 12:01:48 charon 12[IKE] <669> received Vid-Initial-Contact vendor ID
    Jul 3 12:01:48 charon 12[ENC] <669> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jul 3 12:01:48 charon 12[IKE] <669> 73.93.xxx.xxx is initiating an IKE_SA
    Jul 3 12:01:48 charon 12[IKE] <669> remote host is behind NAT
    Jul 3 12:01:48 charon 12[IKE] <669> sending cert request for "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
    Jul 3 12:01:48 charon 12[ENC] <669> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jul 3 12:01:48 charon 12[NET] <669> sending packet: from 173.164.xxx.xxx[500] to 73.93.xxx.xxx[31648] (333 bytes)
    Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
    Jul 3 12:01:48 charon 12[ENC] <669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jul 3 12:01:48 charon 12[IKE] <669> received cert request for "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
    Jul 3 12:01:48 charon 12[IKE] <669> received 31 cert requests for an unknown ca
    Jul 3 12:01:48 charon 12[CFG] <669> looking for peer configs matching 173.164.xxx.xxx[%any]...73.93.xxx.xxx[10.240.246.110]
    Jul 3 12:01:48 charon 12[CFG] <con1|669> selected peer config 'con1'
    Jul 3 12:01:48 charon 12[IKE] <con1|669> initiating EAP_IDENTITY method (id 0x00)
    Jul 3 12:01:48 charon 12[IKE] <con1|669> peer supports MOBIKE, but disabled in config
    Jul 3 12:01:48 charon 12[IKE] <con1|669> authentication of 'pfsense.domain.com' (myself) with RSA signature successful
    Jul 3 12:01:48 charon 12[IKE] <con1|669> sending end entity cert "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
    Jul 3 12:01:48 charon 12[ENC] <con1|669> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jul 3 12:01:48 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
    Jul 3 12:01:49 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
    Jul 3 12:01:49 charon 12[ENC] <con1|669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jul 3 12:01:49 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
    Jul 3 12:01:49 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
    Jul 3 12:01:50 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
    Jul 3 12:01:50 charon 12[ENC] <con1|669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jul 3 12:01:50 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
    Jul 3 12:01:50 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
    Jul 3 12:02:18 charon 12[JOB] <con1|669> deleting half open IKE_SA after timeout
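The charon log above has a recognisable shape: pfSense answers the IKE_AUTH request (a 1716-byte response carrying its certificate and the first EAP request), the Windows client never acts on it and instead resends the same request twice, and the half-open SA is finally discarded. As an added example that is not part of this thread, the small Python triage script below parses charon lines of exactly this format, groups them by IKE_SA number, and reports SAs that timed out after the responder had already replied. Where the largest unacknowledged response exceeds a 1500-byte MTU it flags dropped UDP fragments on the path as the first hypothesis to test; this is a heuristic only (the poster's own fix was a firewall reboot), and the sample log embedded in the script is a trimmed, constructed copy of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the charon lines from the post, addresses masked as in the post.
SAMPLE_LOG = """\
Jul 3 12:01:37 charon 12[JOB] <con1|668> deleting half open IKE_SA after timeout
Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31648] to 173.164.xxx.xxx[500] (616 bytes)
Jul 3 12:01:48 charon 12[ENC] <669> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 12:01:48 charon 12[NET] <669> sending packet: from 173.164.xxx.xxx[500] to 73.93.xxx.xxx[31648] (333 bytes)
Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:48 charon 12[CFG] <con1|669> selected peer config 'con1'
Jul 3 12:01:48 charon 12[IKE] <con1|669> initiating EAP_IDENTITY method (id 0x00)
Jul 3 12:01:48 charon 12[ENC] <con1|669> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 3 12:01:48 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:01:49 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:49 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
Jul 3 12:01:49 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:01:50 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:50 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
Jul 3 12:01:50 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:02:18 charon 12[JOB] <con1|669> deleting half open IKE_SA after timeout
"""

# "Jul 3 12:01:48 charon 12[NET] <con1|669> message ..." (tabs or spaces between fields)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+(?P<thread>\d+)\[(?P<sub>\w+)\]"
    r"\s+<(?P<sa>[^>]+)>\s+(?P<msg>.*)$"
)
SENT_RE = re.compile(r"sending packet: from (\S+) to (\S+) \((\d+) bytes\)")
EAP_RE = re.compile(r"initiating (EAP_\w+) method")


def parse_line(line):
    """Return the fields of one charon line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ike_sa_id(tag):
    """'<con1|669>' and '<669>' name the same SA; keep only the numeric part."""
    return tag.split("|")[-1]


def analyze(lines):
    """Group charon lines by IKE_SA and record what the responder sent and what the peer did."""
    sas = defaultdict(lambda: {"sent": [], "retransmits": 0, "eap": None, "timeout": False, "peer": None})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        sa, msg = sas[ike_sa_id(rec["sa"])], rec["msg"]
        m = SENT_RE.search(msg)
        if m:
            sa["sent"].append(int(m.group(3)))
            sa["peer"] = m.group(2)
        elif "retransmitting response" in msg:
            sa["retransmits"] += 1      # peer resent a request we had already answered
        elif EAP_RE.search(msg):
            sa["eap"] = EAP_RE.search(msg).group(1)
        elif "deleting half open IKE_SA after timeout" in msg:
            sa["timeout"] = True
    return sas


def diagnose(sas, mtu=1500):
    """One finding per timed-out SA; flags answered-but-unacknowledged exchanges and oversized responses."""
    findings = []
    for sa_id, sa in sas.items():
        if not sa["timeout"]:
            continue
        biggest = max(sa["sent"]) if sa["sent"] else 0
        f = {"sa": sa_id, "retransmits": sa["retransmits"], "max_response_bytes": biggest,
             "exceeds_mtu": biggest > mtu, "eap": sa["eap"], "peer": sa["peer"]}
        if sa["retransmits"] and sa["sent"]:
            f["summary"] = (f"responder answered but peer {sa['peer']} retransmitted the same request "
                            f"{sa['retransmits']} time(s) and the SA timed out")
            if f["exceeds_mtu"]:
                f["summary"] += (f"; largest response is {biggest} bytes (> {mtu}), so check whether UDP "
                                 f"fragments on the return path are being dropped before looking at auth")
        else:
            f["summary"] = "half-open SA timed out without a retransmit pattern (peer never completed IKE_AUTH)"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in diagnose(analyze(SAMPLE_LOG.splitlines())):
        print(f"IKE_SA {f['sa']}: {f['summary']}")
```

Run it against a real pfSense IPsec log export (`analyze(open(path))`) and the findings separate "the client never reached IKE_AUTH" from "the responder answered and the answer never landed". The latter is what the thread's log shows, and it points at the path between the client and UDP/4500 rather than at NPS, which is consistent with the Diagnostics tab authenticating users fine.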
    


  • Firewall reboot took care of the issue