Road Warrior Config broken?
-
I'm having trouble with my road warrior IPsec config. On my iPhone, it throws a "negotiation with the VPN server failed" error. I checked the logs too.
Sep 19 21:08:27 charon 14[JOB] <con1|15> deleting half open IKE_SA after timeout
Sep 19 21:08:21 charon 14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
Sep 19 21:08:21 charon 14[IKE] <con1|15> sending retransmit 3 of response message ID 0, seq 1
Sep 19 21:08:08 charon 14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
Sep 19 21:08:08 charon 14[IKE] <con1|15> sending retransmit 2 of response message ID 0, seq 1
Sep 19 21:08:01 charon 14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
Sep 19 21:08:01 charon 14[IKE] <con1|15> sending retransmit 1 of response message ID 0, seq 1
Sep 19 21:07:57 charon 14[NET] <con1|15> sending packet: from House IP[500] to Phone IP[13738] (412 bytes)
Sep 19 21:07:57 charon 14[ENC] <con1|15> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Sep 19 21:07:57 charon 14[CFG] <15> selected peer config "con1"
Sep 19 21:07:57 charon 14[CFG] <15> looking for XAuthInitPSK peer configs matching House IP...Phone IP[Monkeys]
Sep 19 21:07:57 charon 14[IKE] <15> Phone IP is initiating a Aggressive Mode IKE_SA
Sep 19 21:07:57 charon 14[IKE] <15> received DPD vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received Cisco Unity vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received XAuth vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received NAT-T (RFC 3947) vendor ID
Sep 19 21:07:57 charon 14[IKE] <15> received FRAGMENTATION vendor ID
Sep 19 21:07:57 charon 14[ENC] <15> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Sep 19 21:07:57 charon 14[NET] <15> received packet: from Phone IP[13738] to House IP[500] (763 bytes)
Sep 19 21:07:53 charon 14[NET] <14> sending packet: from House IP[500] to Phone IP[13738] (56 bytes)
Sep 19 21:07:53 charon 14[ENC] <14> generating INFORMATIONAL_V1 request 2923321687 [ N(NO_PROP) ]
Sep 19 21:07:53 charon 14[IKE] <14> no proposal found
Sep 19 21:07:53 charon 14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 19 21:07:53 charon 14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Sep 19 21:07:53 charon 14[IKE] <14> Phone IP is initiating a Aggressive Mode IKE_SA
Sep 19 21:07:53 charon 14[IKE] <14> received DPD vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received Cisco Unity vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received XAuth vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received NAT-T (RFC 3947) vendor ID
Sep 19 21:07:53 charon 14[IKE] <14> received FRAGMENTATION vendor ID
Sep 19 21:07:53 charon 14[ENC] <14> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Sep 19 21:07:53 charon 14[NET] <14> received packet: from Phone IP[13738] to House IP[500] (763 bytes)
Phone IP is the IPv4 of the phone.
House IP is the IPv4 of the pfSense box.
This https://www.youtube.com/watch?v=kFCe5AdhFyU is the video I used to set it up, and I followed it to the letter. Any suggestions?
-
Sep 19 21:07:53 charon 14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 19 21:07:53 charon 14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Your phone wants AES-256, but pfSense is only set for AES-128.
It also wants DH group 14 and you're set for 2.
-
Every time I change the DH group to 1024, the phone changes to 2048.
-
I can't fix this mismatch. Any help?
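The proposal comparison the reply above does by eye, as an added example that is not from anyone in this thread: a small Python script that parses the two charon [CFG] lines quoted above and reports every field (encryption, integrity, PRF, DH group) where the phone's offered proposals and the pfSense configuration have nothing in common. The sample input is the thread's own two lines; the DH group numbers are the IANA numbers for strongSwan's MODP names (assumption: only the common MODP groups are mapped).

```python
import re

# Sample input: the two charon [CFG] lines quoted in this thread.
SAMPLE_LOG = """\
Sep 19 21:07:53 charon 14[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 19 21:07:53 charon 14[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Sep 19 21:07:53 charon 14[IKE] <14> no proposal found
"""

# IANA IKE DH group numbers for strongSwan's MODP names
# (assumption: only the common MODP groups are listed here).
DH_GROUP = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5,
            "MODP_2048": 14, "MODP_3072": 15, "MODP_4096": 16}

FIELDS = ("enc", "integ", "prf", "dh")  # order of charon's IKE:a/b/c/d form

def parse_proposal(text):
    """'IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> dict."""
    proto, algs = text.strip().split(":", 1)
    return dict(zip(("proto",) + FIELDS, [proto] + algs.split("/")))

def parse_proposal_lines(log):
    """Return (configured, received) proposal lists from charon [CFG] lines."""
    found = {"configured": [], "received": []}
    for m in re.finditer(r"(configured|received) proposals: (.+)", log):
        found[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(",")]
    return found["configured"], found["received"]

def explain_mismatch(configured, received):
    """{} if some received proposal equals a configured one; otherwise a dict
    field -> (configured set, offered set) for each field with no overlap,
    i.e. the settings one side has to change before a proposal can match."""
    if any(r == c for r in received for c in configured):
        return {}
    out = {}
    for f in FIELDS:
        want = {c[f] for c in configured}
        offered = {r[f] for r in received}
        if want.isdisjoint(offered):
            out[f] = (want, offered)
    return out

def describe(alg):
    """Append the DH group number where the MODP name has a known one."""
    return f"{alg} (DH group {DH_GROUP[alg]})" if alg in DH_GROUP else alg

if __name__ == "__main__":
    conf, recv = parse_proposal_lines(SAMPLE_LOG)
    for field, (want, offered) in explain_mismatch(conf, recv).items():
        print(f"{field}: server has {', '.join(map(describe, want))};"
              f" phone offers {', '.join(map(describe, offered))}")
```

On the thread's lines it reports exactly the two fields the reply named, encryption (AES_CBC_128 vs AES_CBC_256) and DH group (MODP_1024, group 2, vs MODP_2048, group 14), while integrity and PRF already overlap.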