Windows 10 - ipsec - works on 2.4beta, doesn't on 2.3.4



  • Hi Everyone,

    Trying to get to grips with why I can get IPsec working with 2.4 beta, but not with 2.3.4.
    In the web UI, they've got identical settings for phase 1 and 2, both with mobile IKE, both using the same certificate.
    I'm using RADIUS.

    It just seems that on 2.3.4, it won't accept phase 1, whereas on 2.4 beta, phase 1 establishes fine and goes on to RADIUS auth and connects phase 2.

    I've attached the IPsec connection logs from both firewalls, both on diag output setting for config.

    I'm using the following PowerShell to set up the VPN on Windows 10:

    ```powershell
    # Remove any previous definition of the test connection
    Remove-VpnConnection -Name "Pfsense Test"

    # Create an IKEv2 connection that authenticates with EAP using the Winlogon credentials
    Add-VpnConnection -Name "Pfsense Test" -ServerAddress "******.*****.co.uk" -TunnelType "Ikev2" -EncryptionLevel "maximum" -AuthenticationMethod Eap -EapConfigXmlStream $((New-EapConfiguration -UseWinlogonCredential).EapConfigXmlStream)
    # Pin the IKE (phase 1) and ESP (phase 2) algorithms the client proposes
    Set-VpnConnectionIPsecConfiguration -ConnectionName "Pfsense Test" -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP384 -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -PfsGroup ECP256

    # Route only 10.40.0.0/16 through the tunnel (split tunnelling)
    Add-VpnConnectionRoute -ConnectionName "Pfsense Test" -DestinationPrefix 10.40.0.0/16 -PassThru
    Set-VpnConnection -Name "Pfsense Test" -SplitTunneling $true
    ```

    That gives me the following for phase 1 (reading 2.4 beta's log):

    ```
    Jul 27 10:01:57 charon 10[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    ```

    Then the following for phase 2:

    ```
    Jul 27 10:01:57 charon 13[CFG] <con1|23> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    ```

    Has there been a patch for IPsec in 2.4 that could have caused this to start working?
    Or is there a bug that should be preventing it?

    I've been experimenting with IPsec recently so I'm not sure which one is correct behaviour.

    Cheers
    Matt
    [IPSEC 2.3.4 failure log.txt](/public/imported_attachments/1/IPSEC 2.3.4 failure log.txt)
    [IPSEC 2.4 beta sucess log.txt](/public/imported_attachments/1/IPSEC 2.4 beta sucess log.txt)
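
An added example, not part of the original post: one way to read charon logs like the ones quoted above is to compare each `received proposals:` line with the `configured proposals:` line strongSwan logs next to it and report which transform type has no overlap. The `configured proposals` sample line, the function names and the simplified token classification are assumptions made for illustration; only the `received proposals` line comes from the post.

```python
import re

def classify(token):
    """Map a strongSwan transform token to its IKEv2 transform type."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh_group"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "encryption"

def parse_proposals(text):
    """'IKE:A/B, IKE:C/D' -> [(protocol, {transform_type: {tokens}}), ...]"""
    out = []
    for prop in text.split(","):
        proto, _, body = prop.strip().partition(":")
        transforms = {}
        for tok in body.split("/"):
            transforms.setdefault(classify(tok), set()).add(tok)
        out.append((proto, transforms))
    return out

LINE = re.compile(r"(received|configured) proposals: (.+)$")

def diagnose(log_lines):
    """Per received proposal: transform types with no overlap in the closest
    configured proposal of the same protocol. An empty list means it matches."""
    seen = {"received": [], "configured": []}
    for line in log_lines:
        m = LINE.search(line)
        if m:
            seen[m.group(1)] += parse_proposals(m.group(2))
    results = []
    for proto, rx in seen["received"]:
        candidates = [sorted(t for t in rx if not rx[t] & cfg.get(t, set()))
                      for cproto, cfg in seen["configured"] if cproto == proto]
        if candidates:
            results.append((proto, min(candidates, key=len)))
    return results

# Received line is from the post; the configured line is CONSTRUCTED for
# illustration and is not taken from the attached 2.3.4 log.
SAMPLE = [
    "Jul 27 10:01:57 charon 10[CFG] <23> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384",
    "Jul 27 10:01:57 charon 10[CFG] <23> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Feeding it the lines of each attached log in turn shows whether the 2.3.4 side rejects the proposal on a specific transform type or fails for a reason unrelated to proposal selection.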