Netgate Discussion Forum

    [SOLVED] Could not authenticate with XAuth secrets

    IPsec
    2 Posts 1 Posters 2.2k Views

      riete
      last edited by

      For those who are interested.
      My problem has been solved by creating a new group with IPsec rights and users belonging to it. The previous group and users were probably bugged.
      The next problem was the packet routing inside the tunnel.

      Hello,

      I have updated to 2.2.6; things seem to go better.

      Now I have an "Authentication failed" message, but I'm sure I have entered the right login and password. Any other suggestions?

      Find below the log and the overview of the IPsec status.

      Aug 22 10:59:57	charon: 06[IKE] <con1|6> destroying IKE_SA after failed XAuth authentication
      Aug 22 10:59:57	charon: 06[ENC] <con1|6> parsed TRANSACTION response 1114253522 [ HASH CPA(X_STATUS) ]
      Aug 22 10:59:57	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (76 bytes)
      Aug 22 10:59:57	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
      Aug 22 10:59:57	charon: 06[ENC] <con1|6> generating TRANSACTION request 1114253522 [ HASH CPS(X_STATUS) ]
      Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth authentication of 'vpnbob' failed
      Aug 22 10:59:57	charon: 06[IKE] <con1|6> Could not authenticate with XAuth secrets for '192.168.X.X' - 'vpnbob'
      Aug 22 10:59:57	charon: 06[IKE] <con1|6> XAuth-SCRIPT failed for user 'vpntb' with return status: -1.
      Aug 22 10:59:57	charon: user 'vpntb' could not authenticate.
      Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed TRANSACTION response 311174579 [ HASH CPRP(X_USER X_PWD) ]
      Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (92 bytes)
      Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[4500] to 80.12.63.157[64916] (76 bytes)
      Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating TRANSACTION request 311174579 [ HASH CPRQ(X_USER X_PWD) ]
      Aug 22 10:59:56	charon: 06[IKE] <con1|6> remote host is behind NAT
      Aug 22 10:59:56	charon: 06[IKE] <con1|6> local host is behind NAT, sending keep alives
      Aug 22 10:59:56	charon: 06[ENC] <con1|6> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D N(INITIAL_CONTACT) ]
      Aug 22 10:59:56	charon: 06[NET] <con1|6> received packet: from 80.12.63.157[64916] to 192.168.X.X[4500] (140 bytes)
      Aug 22 10:59:56	charon: 06[NET] <con1|6> sending packet: from 192.168.X.X[500] to 80.12.63.157[1011] (432 bytes)
      Aug 22 10:59:56	charon: 06[ENC] <con1|6> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
      Aug 22 10:59:56	charon: 06[CFG] <6> selected peer config "con1"
      Aug 22 10:59:56	charon: 06[CFG] <6> looking for XAuthInitPSK peer configs matching 192.168.X.X...80.12.63.157[vpnusers]
      Aug 22 10:59:56	charon: 06[IKE] <6> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
      Aug 22 10:59:56	charon: 06[IKE] <6> received DPD vendor ID
      Aug 22 10:59:56	charon: 06[IKE] <6> received Cisco Unity vendor ID
      Aug 22 10:59:56	charon: 06[IKE] <6> received XAuth vendor ID
      Aug 22 10:59:56	charon: 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

      Description        Local ID      Local IP      Remote ID        Remote IP  Role  Reauth  Algo  Status
      Phase1 IPSec bob   192.168.X.X   192.168.X.X   bob@mysite.com   Unknown    -     -       -     Awaiting connections
      

      Thanks in advance


        riete
        last edited by
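The log above shows the exchange getting past phase 1 and failing at the XAuth step. As an added example (not code from the post, from pfSense or from strongSwan), the following Python parser folds charon lines of exactly this shape into one record per IKE_SA, tells a phase 1 (PSK) failure apart from an XAuth (username/password or user group) failure, and counts failed XAuth attempts per peer address so that password guessing against a mobile-clients tunnel stands out. The lines in SAMPLE_LOG are constructed to mirror the post; the wording of the "established" message and the alert threshold of 3 are assumptions.

```python
"""Summarise strongSwan (charon) IKEv1/XAuth activity from pfSense IPsec log lines.

Added example; not code from the forum post, pfSense or strongSwan. SAMPLE_LOG is
constructed in the shape the post shows (newest line first, as pfSense lists it,
so nothing here depends on line order). The 'established' wording is an assumption.
"""
import re
from collections import Counter, defaultdict

# <timestamp><TAB>charon: [NN[SUBSYS] ][<conn|sa> | <sa> ]message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+charon:\s+"
    r"(?:(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+)?"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)

# Messages that mark a stage of the exchange; named groups become fields of the SA record.
EVENTS = {
    "initiating": re.compile(r"^(?P<peer>[\d.]+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA"),
    "peer_lookup": re.compile(r"looking for (?P<auth>\w+) peer configs matching "
                              r"(?P<local>\S+?)\.\.\.(?P<peer>[\d.]+)\[(?P<peer_id>[^\]]+)\]"),
    "config_selected": re.compile(r'selected peer config "(?P<conn>[^"]+)"'),
    "xauth_script": re.compile(r"XAuth-SCRIPT failed for user '(?P<user>[^']+)' with return status: (?P<rc>-?\d+)"),
    "xauth_failed": re.compile(r"XAuth authentication of '(?P<user>[^']+)' failed"),
    "xauth_secrets": re.compile(r"Could not authenticate with XAuth secrets for '[^']+' - '(?P<user>[^']+)'"),
    "destroyed": re.compile(r"destroying IKE_SA after failed XAuth authentication"),
    "established": re.compile(r"IKE_SA \S+ established between"),  # assumed strongSwan wording
}


def parse_line(line):
    """Split one charon line into its fields and tag the event it represents (or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = None
    for name, pat in EVENTS.items():
        em = pat.search(rec["msg"])
        if em:
            rec["event"] = name
            rec.update(em.groupdict())
            break
    return rec


def summarise(lines):
    """Fold the lines into one record per IKE_SA number; works in any line order."""
    sas = defaultdict(lambda: {"users": set(), "events": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["sa"] is None or rec["event"] is None:
            continue  # unparseable, or a line with no SA number (e.g. "user ... could not authenticate")
        sa = sas[int(rec["sa"])]
        sa["events"].add(rec["event"])
        for key in ("conn", "peer", "peer_id", "mode", "auth", "rc"):
            if rec.get(key) is not None:
                sa[key] = rec[key]
        if rec.get("user"):
            sa["users"].add(rec["user"])
    for sa in sas.values():
        if sa["events"] & {"xauth_script", "xauth_failed", "xauth_secrets", "destroyed"}:
            # XAuth only starts after phase 1 completed, so the PSK matched;
            # what was rejected is the username/password (or the user's group).
            sa["result"] = "xauth_failed"
        elif "established" in sa["events"]:
            sa["result"] = "established"
        else:
            sa["result"] = "incomplete"
    return dict(sas)


def xauth_failures_by_peer(summary, threshold=3):
    """Peer addresses with at least `threshold` failed XAuth SAs (password guessing)."""
    counts = Counter(sa.get("peer", "?") for sa in summary.values() if sa["result"] == "xauth_failed")
    return {peer: n for peer, n in counts.items() if n >= threshold}


# Constructed sample: SA 6 mirrors the post's excerpt, SAs 7-9 are added (7 uses the assumed wording).
SAMPLE_LOG = """\
Aug 22 11:02:10\tcharon: 09[IKE] <con1|9> XAuth authentication of 'vpnbob' failed
Aug 22 11:02:10\tcharon: 09[IKE] <9> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
Aug 22 11:01:40\tcharon: 08[IKE] <con1|8> XAuth authentication of 'vpnbob' failed
Aug 22 11:01:40\tcharon: 08[IKE] <8> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
Aug 22 11:00:30\tcharon: 07[IKE] <con1|7> IKE_SA con1[7] established between 192.168.1.1[192.168.1.1]...203.0.113.9[vpnusers]
Aug 22 11:00:30\tcharon: 07[IKE] <7> 203.0.113.9 is initiating a Aggressive Mode IKE_SA
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> destroying IKE_SA after failed XAuth authentication
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> XAuth authentication of 'vpnbob' failed
Aug 22 10:59:57\tcharon: 06[IKE] <con1|6> XAuth-SCRIPT failed for user 'vpnbob' with return status: -1.
Aug 22 10:59:57\tcharon: user 'vpnbob' could not authenticate.
Aug 22 10:59:56\tcharon: 06[CFG] <6> selected peer config "con1"
Aug 22 10:59:56\tcharon: 06[CFG] <6> looking for XAuthInitPSK peer configs matching 192.168.1.1...80.12.63.157[vpnusers]
Aug 22 10:59:56\tcharon: 06[IKE] <6> 80.12.63.157 is initiating a Aggressive Mode IKE_SA
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for sa_id, sa in sorted(summary.items()):
        print(sa_id, sa.get("peer"), sa.get("peer_id"), sa.get("auth"), sa["result"], sorted(sa["users"]))
    print("repeat XAuth failures:", xauth_failures_by_peer(summary))
```

Feed it the IPsec log as pfSense shows it (`summarise(open("ipsec.log").read().splitlines())`); an SA whose result is `xauth_failed` with `auth == "XAuthInitPSK"` and the expected `peer_id` means the pre-shared key and identifier were accepted and only the user credentials (or the user's IPsec group membership) were rejected, which is the situation the post describes.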

        I'm now able to create a tunnel between my pfSense, Macs and iPhone with iOS 10.

        Thanks to https://blog.andregasser.net/en/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

        I'm still not able to access the network behind the firewall. If I cannot find any answer with the search engine, I'm going to create a new subject.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.