Netgate Discussion Forum

    IPsec with EAP-MSCHAPv2 fails for iOS clients

SpaceBass:

      Hey friends,
I've been banging my head against the wall working on an EAP-MSCHAPv2 auth solution for iOS clients.
I think I'm close, but something major keeps failing.

      I've got the encryption for P1 working. The problem is with EAP. Whatever I put in for the username becomes part of this error:
      no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'

      So far, I haven't seen any requests actually hit my RADIUS server (which is what's selected in the mobile conf tab in pfSense as my identity server).

      If I remove user/pass and just use a PSK, it connects (doesn't pass traffic…but at least my P1 works).

      Anyone seen that error and have any tips for troubleshooting?

In the logs below, I've changed my external DNS name to myserver.myhost.cc and I've changed my user's short name to MYUSER.

      May 15 23:40:13	charon		12[ENC] <con5|27> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
      May 15 23:40:11	charon		12[IKE] <con5|27> EAP-MS-CHAPv2 verification failed, retry (1)
      May 15 23:40:11	charon		12[IKE] <con5|27> no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'
      May 15 23:40:11	charon		12[ENC] <con5|27> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
      May 15 23:40:11	charon		12[NET] <con5|27> received packet: from 166.170.37.181[30218] to 157.131.xxx.yyy[4500] (144 bytes)
      May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (112 bytes)
      May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
      May 15 23:40:11	charon		12[IKE] <con5|27> initiating EAP_MSCHAPV2 method (id 0x9A)
      May 15 23:40:11	charon		12[IKE] <con5|27> received EAP identity 'MYUSER'
      May 15 23:40:11	charon		12[ENC] <con5|27> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
      May 15 23:40:11	charon		12[NET] <con5|27> received packet: from 166.170.37.181[30218] to 157.131.xxx.yyy[4500] (96 bytes)
      May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (452 bytes)
      May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (1236 bytes)
      May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ EF(2/2) ]
      May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ EF(1/2) ]
      May 15 23:40:11	charon		12[ENC] <con5|27> splitting IKE message with length of 1616 bytes into 2 fragments
      May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
      May 15 23:40:11	charon		12[IKE] <con5|27> sending end entity cert "C=US, ST=DC, L=Wshington, O=NSnet, E=nd@xxxxxx.zzz, CN=myserver.myhost.cc"
      May 15 23:40:11	charon		12[IKE] <con5|27> authentication of 'myserver.myhost.cc' (myself) with RSA signature successful
      May 15 23:40:11	charon		12[IKE] <con5|27> peer supports MOBIKE
      May 15 23:40:11	charon		12[IKE] <con5|27> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      May 15 23:40:11	charon		12[IKE] <con5|27> initiating EAP_IDENTITY method (id 0x00)
      May 15 23:40:11	charon		12[CFG] <con5|27> selected peer config 'con5'
      May 15 23:40:11	charon		12[CFG] <27> looking for peer configs matching 157.131.xxx.yyy[myserver.myhost.cc]...166.170.37.181[10.203.105.41]
May 15 23:40:11	charon		12[ENC] <27> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
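Editor's note on reading the log above. The message "no EAP key found for hosts 'A' - 'B'" is emitted by strongSwan's own eap-mschapv2 plugin when it asks charon's credential manager for an EAP secret keyed on the server identity (A) and the EAP identity the client sent (B) and gets nothing back. That plugin only runs when charon terminates the EAP method itself; when eap-radius relays the method, the MS-CHAPv2 challenge/response is verified by the RADIUS server instead, and the lookup never happens. So this one line also explains why the RADIUS server sees no requests. The script below is an added example, not pfSense or strongSwan code: it parses charon lines in the format the pfSense log viewer shows (newest first), reconstructs the EAP phase of one IKE SA and states that verdict. The sample log is constructed from the lines quoted in the post with placeholder addresses, and the report field names are my own.

```python
"""Triage helper for IKEv2 EAP failures in strongSwan (charon) logs.

Added example for this thread, not pfSense or strongSwan code. It parses
charon lines as pfSense's IPsec log viewer shows them (newest first),
reconstructs the EAP phase of one IKE SA and turns 'no EAP key found'
into a verdict.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the lines quoted in the post; hostnames
# are the poster's placeholders and addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
May 15 23:40:13\tcharon\t\t12[ENC] <con5|27> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> EAP-MS-CHAPv2 verification failed, retry (1)
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'
May 15 23:40:11\tcharon\t\t12[ENC] <con5|27> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> initiating EAP_MSCHAPV2 method (id 0x9A)
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> received EAP identity 'MYUSER'
May 15 23:40:11\tcharon\t\t12[ENC] <con5|27> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> authentication of 'myserver.myhost.cc' (myself) with RSA signature successful
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> initiating EAP_IDENTITY method (id 0x00)
May 15 23:40:11\tcharon\t\t12[CFG] <con5|27> selected peer config 'con5'
May 15 23:40:11\tcharon\t\t12[CFG] <27> looking for peer configs matching 203.0.113.10[myserver.myhost.cc]...198.51.100.23[10.203.105.41]
"""

# One charon line: timestamp, daemon, thread[subsystem] <ike-sa> message.
# Before a peer config is selected the SA tag is only the unique id (<27>).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+<(?P<sa>[^>]+)>\s+(?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"received EAP identity '(?P<id>[^']*)'")
METHOD_RE = re.compile(r"initiating (?P<method>EAP_[A-Z0-9_]+) method")
NO_KEY_RE = re.compile(r"no EAP key found for hosts '(?P<me>[^']*)' - '(?P<peer>[^']*)'")
RETRY_RE = re.compile(r"EAP-MS-CHAPv2 verification failed, retry \((?P<n>\d+)\)")
SELF_AUTH_RE = re.compile(r"authentication of '(?P<me>[^']*)' \(myself\) with (?P<how>.+) successful")


def parse_charon(text: str, newest_first: bool = True) -> List[Dict[str, str]]:
    """Parse charon lines into dicts and return them in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    if newest_first:  # the pfSense log viewer lists the newest line first
        events.reverse()
    return events


def diagnose(events: List[Dict[str, str]], sa: str) -> Dict[str, object]:
    """Reconstruct the EAP phase of one IKE SA, e.g. 'con5|27'."""
    tags = {sa, sa.rsplit("|", 1)[-1]}  # accept '<con5|27>' and the bare '<27>'
    server_auth: Optional[Tuple[str, str]] = None
    eap_identity: Optional[str] = None
    eap_methods: List[str] = []
    missing_key_for: Optional[Tuple[str, str]] = None
    retries = 0
    radius_seen = False
    for ev in events:
        if ev["sa"] not in tags:
            continue
        msg = ev["msg"]
        if "radius" in msg.lower():
            radius_seen = True
        if m := SELF_AUTH_RE.search(msg):
            server_auth = (m["me"], m["how"])
        elif m := IDENTITY_RE.search(msg):
            eap_identity = m["id"]
        elif m := METHOD_RE.search(msg):
            eap_methods.append(m["method"])
        elif m := NO_KEY_RE.search(msg):
            missing_key_for = (m["me"], m["peer"])
        elif m := RETRY_RE.search(msg):
            retries = int(m["n"])

    if missing_key_for and not radius_seen:
        server, user = missing_key_for
        verdict = (
            f"charon's own eap-mschapv2 plugin handled the method and looked up an "
            f"EAP secret for ({server!r}, {user!r}) in its credential store; none "
            f"exists, so the client's MS-CHAPv2 response could not be verified. "
            f"No RADIUS activity was logged: the method is terminated locally, "
            f"not relayed by eap-radius, so the RADIUS server never sees a request."
        )
    elif radius_seen:
        verdict = "eap-radius was involved; correlate with the RADIUS server's own log."
    else:
        verdict = "no local EAP secret lookup failure seen for this SA."

    return {
        "sa": sa, "server_auth": server_auth, "eap_identity": eap_identity,
        "eap_methods": eap_methods, "missing_key_for": missing_key_for,
        "mschapv2_retries": retries, "radius_seen": radius_seen, "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_charon(SAMPLE_LOG), "con5|27").items():
        print(f"{key}: {value}")
```

Point it at a saved copy of the IPsec log and the IKE SA tag you are chasing; pass `newest_first=False` if you read charon's raw log file rather than the GUI listing. On the sample it reports that server authentication succeeded (the poster's working P1), that the EAP identity MYUSER was received, that EAP_IDENTITY and then EAP_MSCHAPV2 were started by charon itself, and that the secret lookup for (myserver.myhost.cc, MYUSER) failed. One caveat worth keeping in mind while fixing the backend: MS-CHAPv2 is only as safe as the client's validation of the gateway certificate, because a spoofed IKEv2 responder that the client accepts can collect challenge/response pairs and crack them offline, so do not loosen server-certificate checks on the iOS profile to get past this error.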
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.