[SOLVED]Could not authenticate with XAuth secrets



  • For those who are interested.
    My problem has been solved by creating a new group with IPSec rights and users belonging to it. The previous group and users were probably bugged.
    The next problem was the packet routing inside the tunnel.

    Hello,

    I have updated to 2.2.6, things seem to go better.

    Now I have an Authentication failed message, but I'm sure I have entered the right login and password. Any other suggestions?

    Find below the log and the overview of IPSec Status.

    Aug 22 10:59:57	charon: 06[IKE] <con1|6> destroying IKE_SA after failed XAuth authentication
    Aug 22 10:59:57	charon: 06[ENC] <con1|6> parsed TRANSACTION response 1114253522 [ HASH CPA(X_STATUS) ]
    Aug 22 10:59:57	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (76 bytes)
    Aug 22 10:59:57	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
    Aug 22 10:59:57	charon: 06[ENC] <con1|6> generating TRANSACTION request 1114253522 [ HASH CPS(X_STATUS) ]
    Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth authentication of 'vpnbob' failed
    Aug 22 10:59:57	charon: 06[IKE] <con1|6> Could not authenticate with XAuth secrets for '192.168.X.X' - 'vpnbob'
    Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth-SCRIPT failed for user 'vpntb' with return status: -1.
    Aug 22 10:59:57	charon: user 'vpntb' could not authenticate.
    Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed TRANSACTION response 311174579 [ HASH CPRP(X_USER X_PWD) ]
    Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (92 bytes)
    Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
    Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating TRANSACTION request 311174579 [ HASH CPRQ(X_USER X_PWD) ]
    Aug 22 10:59:56	charon: 06[IKE] <con1|6> remote host is behind NAT
    Aug 22 10:59:56	charon: 06[IKE] <con1|6> local host is behind NAT, sending keep alives
    Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D N(INITIAL_CONTACT) ]
    Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (140 bytes)
    Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[500] to 80.12.63.157[1011] (432 bytes)
    Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Aug 22 10:59:56	charon: 06[CFG] <6> selected peer config "con1"
    Aug 22 10:59:56	charon: 06[CFG] <6> looking for XAuthInitPSK peer configs matching 192.168.X.X...80.12.63.157[vpnusers]
    Aug 22 10:59:56	charon: 06[IKE] <6> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
    Aug 22 10:59:56	charon: 06[IKE] <6> received DPD vendor ID
    Aug 22 10:59:56	charon: 06[IKE] <6> received Cisco Unity vendor ID
    Aug 22 10:59:56	charon: 06[IKE] <6> received XAuth vendor ID
    Aug 22 10:59:56	charon: 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    
    | Description      | Local ID    | Local IP    | Remote ID      | Remote IP | Role | Reauth | Algo | Status               |
    |------------------|-------------|-------------|----------------|-----------|------|--------|------|----------------------|
    | Phase1 IPSec bob | 192.168.X.X | 192.168.X.X | bob@mysite.com | Unknown   |      |        |      | Awaiting connections |
    

    Thanks in advance
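The log above is the pfSense IPsec view of a single IKEv1 aggressive-mode negotiation that reaches the XAuth stage and fails, printed newest line first. When several such attempts pile up it helps to reduce them to one summary per IKE_SA (peer address, config matched, NAT detection, XAuth user and outcome) and to count failures per peer, which is also the signal a defender would alert on for repeated XAuth failures against a VPN endpoint. The following script is an added example, not code from the poster or from pfSense/strongSwan; the sample log lines are constructed to mirror the charon format shown in the thread, and the addresses (RFC 5737 documentation ranges) and user names are placeholders.

```python
"""Summarise IKEv1/XAuth negotiations from strongSwan (charon) log lines."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample, newest line first as the pfSense GUI shows it.
# Peer addresses are RFC 5737 documentation ranges; user names are placeholders.
SAMPLE_LOG = """\
Aug 22 11:02:10\tcharon: 07[IKE] <con1|7> XAuth authentication of 'vpnalice' successful
Aug 22 11:02:10\tcharon: 07[IKE] <con1|7> remote host is behind NAT
Aug 22 11:02:09\tcharon: 07[CFG] <7> selected peer config "con1"
Aug 22 11:02:09\tcharon: 07[IKE] <7> 198.51.100.9 is initiating a Aggressive Mode IKE_SA
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> destroying IKE_SA after failed XAuth authentication
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> XAuth authentication of 'vpnbob' failed
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> Could not authenticate with XAuth secrets for '192.0.2.1' - 'vpnbob'
Aug 22 10:59:57\tcharon: user 'vpnbob' could not authenticate.
Aug 22 10:59:56\tcharon: 06[IKE] <con1|6> remote host is behind NAT
Aug 22 10:59:56\tcharon: 06[CFG] <6> selected peer config "con1"
Aug 22 10:59:56\tcharon: 06[IKE] <6> 203.0.113.7 is initiating a Aggressive Mode IKE_SA
Aug 22 10:58:01\tcharon: 05[IKE] <con1|5> destroying IKE_SA after failed XAuth authentication
Aug 22 10:58:01\tcharon: 05[IKE] <con1|5> XAuth authentication of 'vpnbob' failed
Aug 22 10:58:00\tcharon: 05[CFG] <5> selected peer config "con1"
Aug 22 10:58:00\tcharon: 05[IKE] <5> 203.0.113.7 is initiating a Aggressive Mode IKE_SA
"""

# "Aug 22 10:59:57<tab>charon: 06[IKE] <con1|6> message": thread/subsystem and
# the <conn|sa> tag are optional because some lines (e.g. "user ... could not
# authenticate.") carry neither.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?:\d+\[(?P<subsys>[A-Z]+)\] )?"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<peer>[\d.]+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")
CONFIG_RE = re.compile(r'^selected peer config "(?P<conn>[^"]+)"')
XAUTH_RE = re.compile(r"^XAuth authentication of '(?P<user>[^']+)' (?P<result>successful|failed)")


@dataclass
class IkeSaSummary:
    sa_id: str
    first_seen: str = ""
    last_seen: str = ""
    peer: str = ""
    mode: str = ""
    conn: str = ""
    remote_nat: bool = False
    xauth_user: str = ""
    xauth_result: str = "unknown"  # successful / failed / unknown
    destroyed: bool = False


def summarize(log_text, newest_first=True):
    """Return one IkeSaSummary per IKE_SA id, in order of first appearance."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # process chronologically
    sas = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("sa"):
            continue  # cannot attribute a line without an IKE_SA id
        sa = m.group("sa")
        s = sas.setdefault(sa, IkeSaSummary(sa_id=sa, first_seen=m.group("ts")))
        s.last_seen = m.group("ts")
        if m.group("conn"):
            s.conn = m.group("conn")
        msg = m.group("msg")
        if (im := INIT_RE.match(msg)):
            s.peer, s.mode = im.group("peer"), im.group("mode")
        elif (cm := CONFIG_RE.match(msg)):
            s.conn = cm.group("conn")
        elif msg == "remote host is behind NAT":
            s.remote_nat = True
        elif (xm := XAUTH_RE.match(msg)):
            s.xauth_user, s.xauth_result = xm.group("user"), xm.group("result")
        elif msg.startswith("destroying IKE_SA after failed XAuth"):
            s.destroyed = True
    return list(sas.values())


def failed_xauth_by_peer(summaries):
    """Map peer address -> (failed attempt count, sorted user names tried)."""
    counts = Counter()
    users = defaultdict(set)
    for s in summaries:
        if s.xauth_result == "failed":
            counts[s.peer] += 1
            users[s.peer].add(s.xauth_user)
    return {peer: (n, sorted(users[peer])) for peer, n in counts.items()}


def peers_over_threshold(summaries, limit=2):
    """Peers with at least `limit` failed XAuth attempts: candidates for an alert."""
    return sorted(p for p, (n, _) in failed_xauth_by_peer(summaries).items() if n >= limit)


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
    print(failed_xauth_by_peer(summarize(SAMPLE_LOG)))
```

The parser keys everything on the numeric IKE_SA id inside the `<con1|6>` tag, which is why the bare `user 'vpnbob' could not authenticate.` line is skipped: it carries no SA id, and the `XAuth authentication of ... failed` line for the same SA already records the outcome. Lines are reversed before processing because the pfSense log view lists the newest entry first; pass `newest_first=False` for a raw syslog file.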



  • I'm now able to create a tunnel between my pfSense, Macs and iPhone with iOS 10.

    Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

    I'm still not able to access the network behind the firewall. If I cannot find any answer with the search engine, I'm going to create a new subject.