IPsec not working now with NPS RADIUS auth
-
When I go to Diagnostics and try to authenticate a user, it verifies them successfully. But when I try to connect using Windows 10, I get an 809 error.
Moved to a new 2016 DC (able to authenticate to it as stated above).
Used the same certificate from the pfSense firewall.
Used the same PowerShell commands to create the VPN connection:
Add-VpnConnection -Name "VPN" -ServerAddress "pfSense.domain.com" -RememberCredential -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
Add-VpnConnectionRoute -ConnectionName "CasaVPN" -DestinationPrefix 10.20.60.0/24 -PassThru

I get the following in the logs:
Windows says that the server is not responding.
pfSense says:
Jul 3 12:01:37 charon 12[JOB] <con1|668> deleting half open IKE_SA after timeout
Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31648] to 173.164.xxx.xxx[500] (616 bytes)
Jul 3 12:01:48 charon 12[ENC] <669> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 12:01:48 charon 12[IKE] <669> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 12:01:48 charon 12[IKE] <669> received MS-Negotiation Discovery Capable vendor ID
Jul 3 12:01:48 charon 12[IKE] <669> received Vid-Initial-Contact vendor ID
Jul 3 12:01:48 charon 12[ENC] <669> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 3 12:01:48 charon 12[IKE] <669> 73.93.xxx.xxx is initiating an IKE_SA
Jul 3 12:01:48 charon 12[IKE] <669> remote host is behind NAT
Jul 3 12:01:48 charon 12[IKE] <669> sending cert request for "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
Jul 3 12:01:48 charon 12[ENC] <669> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 3 12:01:48 charon 12[NET] <669> sending packet: from 173.164.xxx.xxx[500] to 73.93.xxx.xxx[31648] (333 bytes)
Jul 3 12:01:48 charon 12[NET] <669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:48 charon 12[ENC] <669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 3 12:01:48 charon 12[IKE] <669> received cert request for "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
Jul 3 12:01:48 charon 12[IKE] <669> received 31 cert requests for an unknown ca
Jul 3 12:01:48 charon 12[CFG] <669> looking for peer configs matching 173.164.xxx.xxx[%any]...73.93.xxx.xxx[10.240.246.110]
Jul 3 12:01:48 charon 12[CFG] <con1|669> selected peer config 'con1'
Jul 3 12:01:48 charon 12[IKE] <con1|669> initiating EAP_IDENTITY method (id 0x00)
Jul 3 12:01:48 charon 12[IKE] <con1|669> peer supports MOBIKE, but disabled in config
Jul 3 12:01:48 charon 12[IKE] <con1|669> authentication of 'pfsense.domain.com' (myself) with RSA signature successful
Jul 3 12:01:48 charon 12[IKE] <con1|669> sending end entity cert "C=US, ST=California, L=San Rafael, O=Company, E=noreply@domain.com, CN=pfsense.domain.com"
Jul 3 12:01:48 charon 12[ENC] <con1|669> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 3 12:01:48 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:01:49 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:49 charon 12[ENC] <con1|669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 3 12:01:49 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
Jul 3 12:01:49 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:01:50 charon 12[NET] <con1|669> received packet: from 73.93.xxx.xxx[31650] to 173.164.xxx.xxx[4500] (964 bytes)
Jul 3 12:01:50 charon 12[ENC] <con1|669> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 3 12:01:50 charon 12[IKE] <con1|669> received retransmit of request with ID 1, retransmitting response
Jul 3 12:01:50 charon 12[NET] <con1|669> sending packet: from 173.164.xxx.xxx[4500] to 73.93.xxx.xxx[31650] (1716 bytes)
Jul 3 12:02:18 charon 12[JOB] <con1|669> deleting half open IKE_SA after timeout
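An added example, not part of the original post: the same Windows 10 client setup written so that both cmdlets use one connection name (the post creates "VPN" but attaches the route to "CasaVPN"), followed by a check that the split-tunnel route actually landed on that connection and a query of the RasClient dial-failure event, which is where the client records the 809 code that the charon log above only shows as unanswered IKE_AUTH retransmits. The connection name, server address and prefix are assumed from the post; event ID 20227 is the standard RasClient "dialed a connection ... which has failed" event. Run it in an elevated PowerShell session on the client.

```powershell
# Added example (not the original poster's commands). Assumes the names below.
$Name   = 'CasaVPN'              # one name, used by every cmdlet that follows
$Server = 'pfSense.domain.com'   # must match the CN of the certificate pfSense presents
$Prefix = '10.20.60.0/24'        # LAN behind pfSense, taken from the post

# Re-create the all-user connection idempotently so the script can be re-run.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -EncryptionLevel Required -AuthenticationMethod Eap `
    -SplitTunneling -RememberCredential -AllUserConnection

# With -SplitTunneling nothing is routed over the tunnel until a route is attached
# to the *same* connection name; a mismatched -ConnectionName fails here.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix -AllUserConnection

# Verify the profile and the route list before dialling.
$vpn = Get-VpnConnection -Name $Name -AllUserConnection
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
$vpn.Routes

# Dial from the command line; rasdial prints the Remote Access error code on failure
# (809 = the remote server is not responding, i.e. IKE never completed).
rasdial $Name

# Client-side evidence: RasClient event 20227 records the error code of each failed dial.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'failure is (\d+)') {
            [pscustomobject]@{ Time = $_.TimeCreated; ErrorCode = $Matches[1] }
        }
    }
```

Read the two sides together: if RasClient reports 809 while charon shows it sent the IKE_AUTH response (here 1716 bytes, repeated for each client retransmit) and then deleted the half-open IKE_SA, the server answered but the client never processed that answer, so the problem lies in the path between them rather than in NPS, which is consistent with the RADIUS test in Diagnostics succeeding.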
-
Firewall reboot took care of the issue