Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ipsec ikev2 to iOS 9+ and Windows – but no certificates

    Scheduled Pinned Locked Moved IPsec
    1 Posts 1 Posters 487 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rrauenza
      last edited by

      I'd like to use v2 but without certificates – I think my iPhone denies the .mobileconfig because I already have an "MBM profile" from my company on the phone.

      I've found lots of howto's and tutorials, but a lot of them assume v2 w/ certs or v1.  Or they give instructions based on an older pfsense.  I also have a dynamic ip on the server.

      I think what I want to use is xauth -- an account and password, with a shared secret.

      If its any help, this is my xml config so far...

      
 <ipsec><client><enable></enable>
		<user_source>Local Database</user_source>
		<group_source>system</group_source>
		<pool_address>10.11.11.0</pool_address>
		<pool_netbits>24</pool_netbits>
		<dns_domain>vpn.mydomain.org</dns_domain>
		<dns_server1>10.1.1.1</dns_server1></client> 
	 <phase1><ikeid>1</ikeid>
		<iketype>ikev2</iketype>
		<interface>wan</interface>

		<protocol>inet</protocol>
		<myid_type>dyn_dns</myid_type>
		<myid_data>home.mydomain.org</myid_data>
		<peerid_type>fqdn</peerid_type>
		<peerid_data>home.mydomain.org</peerid_data>
		 <encryption-algorithm><name>aes</name>
			<keylen>256</keylen></encryption-algorithm> 
		<hash-algorithm>sha256</hash-algorithm>
		<dhgroup>20</dhgroup>
		<lifetime>28800</lifetime>
		<pre-shared-key>1234</pre-shared-key>
		<private-key></private-key>

		<caref></caref>
		<authentication_method>xauth_psk_server</authentication_method>

		<nat_traversal>on</nat_traversal>
		<mobike>on</mobike>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail></phase1> 
	 <phase2><ikeid>1</ikeid>
		<uniqid>59a779389ed16</uniqid>
		<mode>tunnel</mode>
		<reqid>1</reqid>
		 <localid><type>lan</type></localid> 

		<protocol>esp</protocol>
		 <encryption-algorithm-option><name>aes</name>
			<keylen>256</keylen></encryption-algorithm-option> 
		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
		<pfsgroup>20</pfsgroup>
		<lifetime>3600</lifetime></phase2></ipsec>

      Log file … Seems like the issue is in the bypass lan phase.

      
Aug 30 20:36:44	charon		05[NET] <bypasslan|11>sending packet: from 71.198.4.235[4500] to 10.1.1.110[4500] (80 bytes)
Aug 30 20:36:44	charon		05[ENC] <bypasslan|11>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>peer supports MOBIKE
Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>no alternative config found
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>selected peer config 'bypasslan' inacceptable: constraint checking failed
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>constraint requires public key authentication, but pre-shared key was used
Aug 30 20:36:44	charon		05[CFG] <con1|11>switching to peer config 'bypasslan'
Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1' inacceptable: insufficient authentication rounds
Aug 30 20:36:44	charon		05[IKE] <con1|11>authentication of '10.1.1.110' with pre-shared key successful
Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1'
Aug 30 20:36:44	charon		05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
Aug 30 20:36:44	charon		05[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 30 20:36:44	charon		05[ENC] <11> unknown attribute type (25)
Aug 30 20:36:44	charon		05[NET] <11> received packet: from 10.1.1.110[4500] to 71.198.4.235[4500] (400 bytes)
Aug 30 20:36:44	charon		15[NET] <11> sending packet: from 71.198.4.235[500] to 10.1.1.110[500] (288 bytes)
Aug 30 20:36:44	charon		15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 30 20:36:44	charon		15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
Aug 30 20:36:44	charon		15[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 30 20:36:44	charon		15[NET] <11> received packet: from 10.1.1.110[500] to 71.198.4.235[500] (272 bytes)</con1|11></con1|11></con1|11></con1|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11>
      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.