IPsec IKEv2 to iOS 9+ and Windows – but no certificates
I'd like to use v2 but without certificates – I think my iPhone denies the .mobileconfig because I already have an "MBM profile" from my company on the phone.
I've found lots of howtos and tutorials, but a lot of them assume v2 w/ certs or v1. Or they give instructions based on an older pfSense. I also have a dynamic IP on the server.
I think what I want to use is xauth -- an account and password, with a shared secret.
If it's any help, this is my XML config so far...
<ipsec>
  <client>
    <enable></enable>
    <user_source>Local Database</user_source>
    <group_source>system</group_source>
    <pool_address>10.11.11.0</pool_address>
    <pool_netbits>24</pool_netbits>
    <dns_domain>vpn.mydomain.org</dns_domain>
    <dns_server1>10.1.1.1</dns_server1>
  </client>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev2</iketype>
    <interface>wan</interface>
    <protocol>inet</protocol>
    <myid_type>dyn_dns</myid_type>
    <myid_data>home.mydomain.org</myid_data>
    <peerid_type>fqdn</peerid_type>
    <peerid_data>home.mydomain.org</peerid_data>
    <encryption-algorithm>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm>
    <hash-algorithm>sha256</hash-algorithm>
    <dhgroup>20</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>1234</pre-shared-key>
    <private-key></private-key>
    <caref></caref>
    <authentication_method>xauth_psk_server</authentication_method>
    <nat_traversal>on</nat_traversal>
    <mobike>on</mobike>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>59a779389ed16</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid>
      <type>lan</type>
    </localid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    <pfsgroup>20</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
</ipsec>
Log file... It seems like the issue is in the bypass lan phase.
Aug 30 20:36:44 charon 05[NET] <bypasslan|11> sending packet: from 71.198.4.235[4500] to 10.1.1.110[4500] (80 bytes)
Aug 30 20:36:44 charon 05[ENC] <bypasslan|11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 30 20:36:44 charon 05[IKE] <bypasslan|11> peer supports MOBIKE
Aug 30 20:36:44 charon 05[IKE] <bypasslan|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 30 20:36:44 charon 05[CFG] <bypasslan|11> no alternative config found
Aug 30 20:36:44 charon 05[CFG] <bypasslan|11> selected peer config 'bypasslan' inacceptable: constraint checking failed
Aug 30 20:36:44 charon 05[CFG] <bypasslan|11> constraint requires public key authentication, but pre-shared key was used
Aug 30 20:36:44 charon 05[CFG] <con1|11> switching to peer config 'bypasslan'
Aug 30 20:36:44 charon 05[CFG] <con1|11> selected peer config 'con1' inacceptable: insufficient authentication rounds
Aug 30 20:36:44 charon 05[IKE] <con1|11> authentication of '10.1.1.110' with pre-shared key successful
Aug 30 20:36:44 charon 05[CFG] <con1|11> selected peer config 'con1'
Aug 30 20:36:44 charon 05[CFG] <11> looking for peer configs matching 71.198.4.235[mydomain.org]...10.1.1.110[10.1.1.110]
Aug 30 20:36:44 charon 05[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 30 20:36:44 charon 05[ENC] <11> unknown attribute type (25)
Aug 30 20:36:44 charon 05[NET] <11> received packet: from 10.1.1.110[4500] to 71.198.4.235[4500] (400 bytes)
Aug 30 20:36:44 charon 15[NET] <11> sending packet: from 71.198.4.235[500] to 10.1.1.110[500] (288 bytes)
Aug 30 20:36:44 charon 15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 30 20:36:44 charon 15[IKE] <11> 10.1.1.110 is initiating an IKE_SA
Aug 30 20:36:44 charon 15[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 30 20:36:44 charon 15[NET] <11> received packet: from 10.1.1.110[500] to 71.198.4.235[500] (272 bytes)