Ipsec ikev2 to iOS 9+ and Windows – but no certificates



  • I'd like to use v2 but without certificates – I think my iPhone denies the .mobileconfig because I already have an "MBM profile" from my company on the phone.

    I've found lots of how-tos and tutorials, but a lot of them assume v2 w/ certs or v1. Or they give instructions based on an older pfSense. I also have a dynamic IP on the server.

    I think what I want to use is xauth -- an account and password, with a shared secret.

    If it's any help, this is my XML config so far...

    
    <ipsec>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>system</group_source>
        <pool_address>10.11.11.0</pool_address>
        <pool_netbits>24</pool_netbits>
        <dns_domain>vpn.mydomain.org</dns_domain>
        <dns_server1>10.1.1.1</dns_server1>
      </client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <protocol>inet</protocol>
        <myid_type>dyn_dns</myid_type>
        <myid_data>home.mydomain.org</myid_data>
        <peerid_type>fqdn</peerid_type>
        <peerid_data>home.mydomain.org</peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>20</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>1234</pre-shared-key>
        <private-key></private-key>
        <caref></caref>
        <authentication_method>xauth_psk_server</authentication_method>
        <nat_traversal>on</nat_traversal>
        <mobike>on</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>59a779389ed16</uniqid>
        <mode>tunnel</mode>
        <reqid>1</reqid>
        <localid>
          <type>lan</type>
        </localid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>20</pfsgroup>
        <lifetime>3600</lifetime>
      </phase2>
    </ipsec>
    

    Log file … Seems like the issue is in the bypass lan phase.

    
    Aug 30 20:36:44	charon		05[NET] <bypasslan|11>sending packet: from 71.198.4.235[4500] to 10.1.1.110[4500] (80 bytes)
    Aug 30 20:36:44	charon		05[ENC] <bypasslan|11>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>peer supports MOBIKE
    Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>no alternative config found
    Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>selected peer config 'bypasslan' inacceptable: constraint checking failed
    Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>constraint requires public key authentication, but pre-shared key was used
    Aug 30 20:36:44	charon		05[CFG] <con1|11>switching to peer config 'bypasslan'
    Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1' inacceptable: insufficient authentication rounds
    Aug 30 20:36:44	charon		05[IKE] <con1|11>authentication of '10.1.1.110' with pre-shared key successful
    Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1'
    Aug 30 20:36:44	charon		05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
    Aug 30 20:36:44	charon		05[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Aug 30 20:36:44	charon		05[ENC] <11> unknown attribute type (25)
    Aug 30 20:36:44	charon		05[NET] <11> received packet: from 10.1.1.110[4500] to 71.198.4.235[4500] (400 bytes)
    Aug 30 20:36:44	charon		15[NET] <11> sending packet: from 71.198.4.235[500] to 10.1.1.110[500] (288 bytes)
    Aug 30 20:36:44	charon		15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
    Aug 30 20:36:44	charon		15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
    Aug 30 20:36:44	charon		15[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Aug 30 20:36:44	charon		15[NET] <11> received packet: from 10.1.1.110[500] to 71.198.4.235[500] (272 bytes)
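
An added example, not code from the post or from pfSense/strongSwan: a small Python triage script for charon log output in the tab-separated layout pfSense shows above. Because the pfSense log view lists the newest line first, it restores chronological order per IKE_SA, then reports each peer config that charon rejected together with the reason, and whether the IKE_AUTH exchange ended in AUTH_FAILED; the sample lines are a constructed subset of the ones quoted in the post.

```python
import re
from collections import defaultdict

# pfSense IPsec log line: "<timestamp>\tcharon\t\t<thread>[<group>] <conn|sa>msg" or "<sa> msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+(?P<thread>\d+)\[(?P<group>\w+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$"
)

# Constructed sample: a subset of the lines quoted in the post, kept in pfSense's newest-first order.
SAMPLE_LOG = """\
Aug 30 20:36:44\tcharon\t\t05[ENC] <bypasslan|11>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 30 20:36:44\tcharon\t\t05[CFG] <bypasslan|11>selected peer config 'bypasslan' inacceptable: constraint checking failed
Aug 30 20:36:44\tcharon\t\t05[CFG] <bypasslan|11>constraint requires public key authentication, but pre-shared key was used
Aug 30 20:36:44\tcharon\t\t05[CFG] <con1|11>selected peer config 'con1' inacceptable: insufficient authentication rounds
Aug 30 20:36:44\tcharon\t\t05[IKE] <con1|11>authentication of '10.1.1.110' with pre-shared key successful
Aug 30 20:36:44\tcharon\t\t05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
Aug 30 20:36:44\tcharon\t\t15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
"""


def parse(text):
    """Return parsed events in chronological order (the pfSense view lists newest first)."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    events.reverse()
    return events


def auth_failures(events):
    """Per IKE_SA number: initiating peer, rejected peer configs with charon's reason, AUTH_FAILED flag."""
    report = defaultdict(lambda: {"peer": None, "rejected": [], "auth_failed": False})
    pending = {}  # sa -> a 'constraint requires ...' detail not yet tied to a rejection
    for ev in events:
        sa, msg, rec = ev["sa"], ev["msg"], report[ev["sa"]]
        m_init = re.match(r"(\S+) is initiating an IKE_SA", msg)
        m_rej = re.match(r"selected peer config '([^']+)' inacceptable: (.*)", msg)
        if m_init:
            rec["peer"] = m_init.group(1)
        elif msg.startswith("constraint requires"):
            pending[sa] = msg  # the detailed reason is logged just before the rejection line
        elif m_rej:
            reason = m_rej.group(2)
            if sa in pending:
                reason += " (" + pending.pop(sa) + ")"
            rec["rejected"].append((m_rej.group(1), reason))
        elif "N(AUTH_FAILED)" in msg:
            rec["auth_failed"] = True
    return dict(report)
```

Feed it the full log export rather than the GUI excerpt and the per-SA report shows which config charon tried and why each one was rejected before the AUTH_FAILED notify went back to the client.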
    
