    Ipsec ikev2 to iOS 9+ and Windows – but no certificates

    IPsec
    rrauenza

      I'd like to use v2 but without certificates – I think my iPhone denies the .mobileconfig because I already have an "MBM profile" from my company on the phone.

      I've found lots of howtos and tutorials, but a lot of them assume v2 w/ certs or v1. Or they give instructions based on an older pfSense. I also have a dynamic IP on the server.

      I think what I want to use is xauth -- an account and password, with a shared secret.

      If it's any help, this is my XML config so far...

      
      <ipsec>
        <client>
          <enable></enable>
          <user_source>Local Database</user_source>
          <group_source>system</group_source>
          <pool_address>10.11.11.0</pool_address>
          <pool_netbits>24</pool_netbits>
          <dns_domain>vpn.mydomain.org</dns_domain>
          <dns_server1>10.1.1.1</dns_server1>
        </client>
        <phase1>
          <ikeid>1</ikeid>
          <iketype>ikev2</iketype>
          <interface>wan</interface>
          <protocol>inet</protocol>
          <myid_type>dyn_dns</myid_type>
          <myid_data>home.mydomain.org</myid_data>
          <peerid_type>fqdn</peerid_type>
          <peerid_data>home.mydomain.org</peerid_data>
          <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <dhgroup>20</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>1234</pre-shared-key>
          <private-key></private-key>
          <caref></caref>
          <authentication_method>xauth_psk_server</authentication_method>
          <nat_traversal>on</nat_traversal>
          <mobike>on</mobike>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
        </phase1>
        <phase2>
          <ikeid>1</ikeid>
          <uniqid>59a779389ed16</uniqid>
          <mode>tunnel</mode>
          <reqid>1</reqid>
          <localid>
            <type>lan</type>
          </localid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>20</pfsgroup>
          <lifetime>3600</lifetime>
        </phase2>
      </ipsec>
      

      Log file … It seems like the issue is in the bypass LAN phase.

      
      Aug 30 20:36:44	charon		05[NET] <bypasslan|11> sending packet: from 71.198.4.235[4500] to 10.1.1.110[4500] (80 bytes)
      Aug 30 20:36:44	charon		05[ENC] <bypasslan|11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 30 20:36:44	charon		05[IKE] <bypasslan|11> peer supports MOBIKE
      Aug 30 20:36:44	charon		05[IKE] <bypasslan|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Aug 30 20:36:44	charon		05[CFG] <bypasslan|11> no alternative config found
      Aug 30 20:36:44	charon		05[CFG] <bypasslan|11> selected peer config 'bypasslan' inacceptable: constraint checking failed
      Aug 30 20:36:44	charon		05[CFG] <bypasslan|11> constraint requires public key authentication, but pre-shared key was used
      Aug 30 20:36:44	charon		05[CFG] <con1|11> switching to peer config 'bypasslan'
      Aug 30 20:36:44	charon		05[CFG] <con1|11> selected peer config 'con1' inacceptable: insufficient authentication rounds
      Aug 30 20:36:44	charon		05[IKE] <con1|11> authentication of '10.1.1.110' with pre-shared key successful
      Aug 30 20:36:44	charon		05[CFG] <con1|11> selected peer config 'con1'
      Aug 30 20:36:44	charon		05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
      Aug 30 20:36:44	charon		05[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
      Aug 30 20:36:44	charon		05[ENC] <11> unknown attribute type (25)
      Aug 30 20:36:44	charon		05[NET] <11> received packet: from 10.1.1.110[4500] to 71.198.4.235[4500] (400 bytes)
      Aug 30 20:36:44	charon		15[NET] <11> sending packet: from 71.198.4.235[500] to 10.1.1.110[500] (288 bytes)
      Aug 30 20:36:44	charon		15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
      Aug 30 20:36:44	charon		15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
      Aug 30 20:36:44	charon		15[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Aug 30 20:36:44	charon		15[NET] <11> received packet: from 10.1.1.110[500] to 71.198.4.235[500] (272 bytes)
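
A charon log like the one above can be triaged automatically. The script below is an added example, not code from the post, pfSense or strongSwan: it parses lines in the layout shown (timestamp, daemon, thread[subsystem], `<conn|sa-id>` message), restores chronological order (the viewer lists newest first), and reports per IKE_SA which peer configs were tried, why each was rejected, which authentication actually succeeded, and what payloads the final IKE_AUTH response carried. The sample input is a subset of the post's own log lines with the space after `<conn|id>` restored.

```python
import re
from collections import defaultdict

# Sample input: charon lines from the post above (tab-separated as pfSense's
# log viewer shows them, newest first), with the space after <conn|id> restored.
SAMPLE_LOG = """\
Aug 30 20:36:44\tcharon\t\t05[ENC] <bypasslan|11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 30 20:36:44\tcharon\t\t05[CFG] <bypasslan|11> no alternative config found
Aug 30 20:36:44\tcharon\t\t05[CFG] <bypasslan|11> selected peer config 'bypasslan' inacceptable: constraint checking failed
Aug 30 20:36:44\tcharon\t\t05[CFG] <bypasslan|11> constraint requires public key authentication, but pre-shared key was used
Aug 30 20:36:44\tcharon\t\t05[CFG] <con1|11> switching to peer config 'bypasslan'
Aug 30 20:36:44\tcharon\t\t05[CFG] <con1|11> selected peer config 'con1' inacceptable: insufficient authentication rounds
Aug 30 20:36:44\tcharon\t\t05[IKE] <con1|11> authentication of '10.1.1.110' with pre-shared key successful
Aug 30 20:36:44\tcharon\t\t05[CFG] <con1|11> selected peer config 'con1'
Aug 30 20:36:44\tcharon\t\t15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
"""

# timestamp, daemon, thread[SUBSYS] <conn|sa-id> message; conn is absent before a config is chosen
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> ?(?P<msg>.*)$"
)

def parse(text):
    """Return parsed records oldest-first (the viewer lists newest first)."""
    recs = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return recs[::-1]

def triage(text):
    """Per IKE_SA id: peer, successful auth method, configs tried, rejections, final IKE_AUTH payloads."""
    out = defaultdict(lambda: {"peer": None, "auth": None, "configs": [],
                               "rejections": [], "result": None})
    for rec in parse(text):
        r, msg = out[rec["sa"]], rec["msg"]
        if m := re.match(r"(\S+) is initiating an IKE_SA", msg):
            r["peer"] = m.group(1)
        elif m := re.match(r"authentication of '[^']+' with (.+) successful", msg):
            r["auth"] = m.group(1)
        elif m := re.match(r"selected peer config '([^']+)'(?: inacceptable: (.+))?", msg):
            if m.group(1) not in r["configs"]:
                r["configs"].append(m.group(1))
            if m.group(2):  # the CFG subsystem's reason for discarding this config
                r["rejections"].append(f"{m.group(1)}: {m.group(2)}")
        elif msg.startswith(("constraint ", "no alternative config")):
            r["rejections"].append(msg)
        elif m := re.match(r"generating IKE_AUTH response \d+ \[ (.+) \]", msg):
            r["result"] = m.group(1)
    return dict(out)
```

On the posted lines it reports that PSK authentication of 10.1.1.110 succeeded, 'con1' was rejected for insufficient authentication rounds, 'bypasslan' was rejected because it requires public key authentication, and the response sent was N(AUTH_FAILED).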
      