Netgate Discussion Forum

    IKEv2 - Cannot Connect Android, iOS & macOS

    IPsec
    1 Posts 1 Posters 312 Views
      zooky

      Hi All,

      I have set up IKEv2 on my pfSense machine (2.4.4) to authenticate with Windows RAS.

      Windows machines can successfully authenticate and connect to pfSense no problem, but Android, iOS and macOS cannot connect.

      My pfSense machine has a wildcard certificate installed, which I assume is working fine (from what I can tell).

      Below are the logs from pfSense after trying to connect from iOS and Android.

      iOS

      15[CFG] <11> found matching ike config: XX.XX.106.220...%any with prio 1052
      15[IKE] <11> xx.xx.21.60 is initiating an IKE_SA
      15[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
      15[CFG] <11> selecting proposal:
      15[CFG] <11> proposal matches
      15[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      15[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_256
      15[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      15[IKE] <11> remote host is behind NAT
      15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018"
      15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
      15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
      15[NET] <11> sending packet: from XX.XX.106.220[500] to xx.xx.21.60[500] (493 bytes)
      15[NET] <11> received packet: from xx.xx.21.60[4500] to XX.XX.106.220[4500] (512 bytes)
      15[ENC] <11> unknown attribute type (25)
      15[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
      15[CFG] <11> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[192.168.2.109]
      15[CFG] <11> no matching peer config found
      15[IKE] <11> processing INTERNAL_IP4_ADDRESS attribute
      15[IKE] <11> processing INTERNAL_IP4_DHCP attribute
      15[IKE] <11> processing INTERNAL_IP4_DNS attribute
      15[IKE] <11> processing INTERNAL_IP4_NETMASK attribute
      15[IKE] <11> processing INTERNAL_IP6_ADDRESS attribute
      15[IKE] <11> processing INTERNAL_IP6_DHCP attribute
      15[IKE] <11> processing INTERNAL_IP6_DNS attribute
      15[IKE] <11> processing (25) attribute
      15[IKE] <11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      15[IKE] <11> peer supports MOBIKE
      15[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      15[NET] <11> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[4500] (80 bytes)
      15[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING

      Android

      Oct 14 02:59:37 charon 15[IKE] <8> received 151 cert requests for an unknown ca
      Oct 14 02:59:37 charon 15[CFG] <8> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[test]
      Oct 14 02:59:37 charon 15[CFG] <8> no matching peer config found
      Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP4_ADDRESS attribute
      Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP6_ADDRESS attribute
      Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP4_DNS attribute
      Oct 14 02:59:37 charon 15[IKE] <8> processing INTERNAL_IP6_DNS attribute
      Oct 14 02:59:37 charon 15[IKE] <8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Oct 14 02:59:37 charon 15[IKE] <8> peer supports MOBIKE
      Oct 14 02:59:37 charon 15[ENC] <8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 14 02:59:37 charon 15[NET] <8> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[60554] (80 bytes)
      Oct 14 02:59:37 charon 15[IKE] <8> IKE_SA (unnamed)[8] state change: CONNECTING => DESTROYING

      Settings attached (screenshots of the Mobile Clients, Phase 1 and Phase 2 configuration pages; images not reproduced here)
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.