IKEv2 - Cannot Connect Android, iOS & macOS
-
Hi All,
I have setup IKEv2 on my pfSense machine (2.4.4) to authenticate with windows RAS.
Windows machines can successfully authenticate and connect to pfsense no problem but Android, iOS and macOS cannot connect.
My pfsense machine has a wild card certificate installed which i assume is working fine (from what I can tell)
Below are the logs from pfsense after trying to connect from iOS and android
iOS
15[CFG] <11> found matching ike config: XX.XX.106.220...%any with prio 1052 15[IKE] <11> xx.xx.21.60 is initiating an IKE_SA 15[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING 15[CFG] <11> selecting proposal: 15[CFG] <11> proposal matches 15[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 15[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_256 15[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 15[IKE] <11> remote host is behind NAT 15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018" 15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" 15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] 15[NET] <11> sending packet: from XX.XX.106.220[500] to xx.xx.21.60[500] (493 bytes) 15[NET] <11> received packet: from xx.xx.21.60[4500] to XX.XX.106.220[4500] (512 bytes) 15[ENC] <11> unknown attribute type (25) 15[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] 15[CFG] <11> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[192.168.2.109] 15[CFG] <11> no matching peer config found 15[IKE] <11> processing INTERNAL_IP4_ADDRESS attribute 15[IKE] <11> processing INTERNAL_IP4_DHCP attribute 15[IKE] <11> processing INTERNAL_IP4_DNS attribute 15[IKE] <11> processing INTERNAL_IP4_NETMASK attribute 15[IKE] <11> processing INTERNAL_IP6_ADDRESS attribute 15[IKE] <11> processing INTERNAL_IP6_DHCP attribute 15[IKE] <11> processing INTERNAL_IP6_DNS attribute 15[IKE] <11> processing (25) attribute 15[IKE] <11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 15[IKE] <11> peer supports MOBIKE 15[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 15[NET] <11> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[4500] (80 bytes) 15[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYINGAndroid
Oct 14 02:59:37 charon 15[IKE] <8> received 151 cert requests for an unknown ca Oct 14 02:59:37 charon 15[CFG] <8> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[test] Oct 14 02:59:37 charon 15[CFG] <8> no matching peer config found Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP4_ADDRESS attribute Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP6_ADDRESS attribute Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP4_DNS attribute Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP6_DNS attribute Oct 14 02:59:37 charon 15[IKE] <8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Oct 14 02:59:37 charon 15[IKE] <8> peer supports MOBIKE Oct 14 02:59:37 charon 15[ENC] <8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Oct 14 02:59:37 charon 15[NET] <8> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[60554] (80 bytes) Oct 14 02:59:37 charon 15[IKE] <8> IKE_SA (unnamed)[8] state change: CONNECTING => DESTROYINGSettings Attached
Mobile Clients
Phase 1
Phase2
