4. Ipsec ikev2 to iOS 9+ and Windows – but no certificates

Ipsec ikev2 to iOS 9+ and Windows – but no certificates

  • R

    I'd like to use v2 but without certificates – I think my iPhone denies the .mobileconfig because I already have an "MBM profile" from my company on the phone.

    I've found lots of howto's and tutorials, but a lot of them assume v2 w/ certs or v1.  Or they give instructions based on an older pfsense.  I also have a dynamic ip on the server.

    I think what I want to use is xauth -- an account and password, with a shared secret.

    If its any help, this is my xml config so far...

    
 <ipsec><client><enable></enable>
		<user_source>Local Database</user_source>
		<group_source>system</group_source>
		<pool_address>10.11.11.0</pool_address>
		<pool_netbits>24</pool_netbits>
		<dns_domain>vpn.mydomain.org</dns_domain>
		<dns_server1>10.1.1.1</dns_server1></client> 
	 <phase1><ikeid>1</ikeid>
		<iketype>ikev2</iketype>
		<interface>wan</interface>

		<protocol>inet</protocol>
		<myid_type>dyn_dns</myid_type>
		<myid_data>home.mydomain.org</myid_data>
		<peerid_type>fqdn</peerid_type>
		<peerid_data>home.mydomain.org</peerid_data>
		 <encryption-algorithm><name>aes</name>
			<keylen>256</keylen></encryption-algorithm> 
		<hash-algorithm>sha256</hash-algorithm>
		<dhgroup>20</dhgroup>
		<lifetime>28800</lifetime>
		<pre-shared-key>1234</pre-shared-key>
		<private-key></private-key>

		<caref></caref>
		<authentication_method>xauth_psk_server</authentication_method>

		<nat_traversal>on</nat_traversal>
		<mobike>on</mobike>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail></phase1> 
	 <phase2><ikeid>1</ikeid>
		<uniqid>59a779389ed16</uniqid>
		<mode>tunnel</mode>
		<reqid>1</reqid>
		 <localid><type>lan</type></localid> 

		<protocol>esp</protocol>
		 <encryption-algorithm-option><name>aes</name>
			<keylen>256</keylen></encryption-algorithm-option> 
		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
		<pfsgroup>20</pfsgroup>
		<lifetime>3600</lifetime></phase2></ipsec>

    Log file … Seems like the issue is in the bypass lan phase.

    
Aug 30 20:36:44	charon		05[NET] <bypasslan|11>sending packet: from 71.198.4.235[4500] to 10.1.1.110[4500] (80 bytes)
Aug 30 20:36:44	charon		05[ENC] <bypasslan|11>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>peer supports MOBIKE
Aug 30 20:36:44	charon		05[IKE] <bypasslan|11>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>no alternative config found
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>selected peer config 'bypasslan' inacceptable: constraint checking failed
Aug 30 20:36:44	charon		05[CFG] <bypasslan|11>constraint requires public key authentication, but pre-shared key was used
Aug 30 20:36:44	charon		05[CFG] <con1|11>switching to peer config 'bypasslan'
Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1' inacceptable: insufficient authentication rounds
Aug 30 20:36:44	charon		05[IKE] <con1|11>authentication of '10.1.1.110' with pre-shared key successful
Aug 30 20:36:44	charon		05[CFG] <con1|11>selected peer config 'con1'
Aug 30 20:36:44	charon		05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
Aug 30 20:36:44	charon		05[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 30 20:36:44	charon		05[ENC] <11> unknown attribute type (25)
Aug 30 20:36:44	charon		05[NET] <11> received packet: from 10.1.1.110[4500] to 71.198.4.235[4500] (400 bytes)
Aug 30 20:36:44	charon		15[NET] <11> sending packet: from 71.198.4.235[500] to 10.1.1.110[500] (288 bytes)
Aug 30 20:36:44	charon		15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 30 20:36:44	charon		15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
Aug 30 20:36:44	charon		15[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 30 20:36:44	charon		15[NET] <11> received packet: from 10.1.1.110[500] to 71.198.4.235[500] (272 bytes)</con1|11></con1|11></con1|11></con1|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11></bypasslan|11>
    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy