[SOLVED]Could not authenticate with XAuth secrets

riete

For those who are interested.
My problem has been solved by creating a new group with IPSec rights and users belonging to it. The previous group and users where probably bugged.
The next problem was the packet routing inside the tunnel.

Hello,

I have updated to 2.2.6, things seems to go better.

Now I have an Authentification failed message, but I'm sure I have enter the right login and password. Any other suggestions ?

Find below the log and the overview of IPSec Status.

Aug 22 10:59:57	charon: 06[IKE] <con1|6> destroying IKE_SA after failed XAuth authentication
Aug 22 10:59:57	charon: 06[ENC] <con1|6> parsed TRANSACTION response 1114253522 [ HASH CPA(X_STATUS) ]
Aug 22 10:59:57	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (76 bytes)
Aug 22 10:59:57	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
Aug 22 10:59:57	charon: 06[ENC] <con1|6> generating TRANSACTION request 1114253522 [ HASH CPS(X_STATUS) ]
Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth authentication of 'vpnbob' failed
Aug 22 10:59:57	charon: 06[IKE] <con1|6> Could not authenticate with XAuth secrets for '192.168.X.X' - 'vpnbob'
Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth-SCRIPT failed for user 'vpntb' with return status: -1.
Aug 22 10:59:57	charon: user 'vpntb' could not authenticate.
Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed TRANSACTION response 311174579 [ HASH CPRP(X_USER X_PWD) ]
Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (92 bytes)
Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating TRANSACTION request 311174579 [ HASH CPRQ(X_USER X_PWD) ]
Aug 22 10:59:56	charon: 06[IKE] <con1|6> remote host is behind NAT
Aug 22 10:59:56	charon: 06[IKE] <con1|6> local host is behind NAT, sending keep alives
Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D N(INITIAL_CONTACT) ]
Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (140 bytes)
Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[500] to 80.12.63.157[1011] (432 bytes)
Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Aug 22 10:59:56	charon: 06[CFG] <6> selected peer config "con1"
Aug 22 10:59:56	charon: 06[CFG] <6> looking for XAuthInitPSK peer configs matching 192.168.X.X...80.12.63.157[vpnusers]
Aug 22 10:59:56	charon: 06[IKE] <6> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
Aug 22 10:59:56	charon: 06[IKE] <6> received DPD vendor ID
Aug 22 10:59:56	charon: 06[IKE] <6> received Cisco Unity vendor ID
Aug 22 10:59:56	charon: 06[IKE] <6> received XAuth vendor ID
Aug 22 10:59:56	charon: 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID</con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|6>

Description	        Local ID	         Local IP	        Remote ID	                Remote IP	Role	Reauth	Algo	Status	
Phase1 IPSec bob	192.168.X.X	       192.168.X.X	      bob@mysite.com  	            Unknown				          Awaiting connections

Thanks in advance

riete

I'm now able to create a tunnel between my PFSense, Macs and Iphone with IOS 10.

Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

I'm still not able to access the nework behind the firewall. If I cannot find any answer with the search engin, I'm going to create a new subject.