IKEv2 - Cannot Connect Android, iOS & macOS



  • Hi All,

    I have set up IKEv2 on my pfSense machine (2.4.4) to authenticate with Windows RAS.

    Windows machines can successfully authenticate and connect to pfSense no problem, but Android, iOS and macOS cannot connect.

    My pfSense machine has a wildcard certificate installed, which I assume is working fine (from what I can tell).

    Below are the logs from pfSense after trying to connect from iOS and Android.

    iOS

    			15[CFG] <11> found matching ike config: XX.XX.106.220...%any with prio 1052
    			15[IKE] <11> xx.xx.21.60 is initiating an IKE_SA
    			15[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
    			15[CFG] <11> selecting proposal:
    			15[CFG] <11> proposal matches
    			15[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    			15[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_256
    			15[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    			15[IKE] <11> remote host is behind NAT
    			15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018"
    			15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
    			15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    			15[NET] <11> sending packet: from XX.XX.106.220[500] to xx.xx.21.60[500] (493 bytes)
    			15[NET] <11> received packet: from xx.xx.21.60[4500] to XX.XX.106.220[4500] (512 bytes)
    			15[ENC] <11> unknown attribute type (25)
    			15[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    			15[CFG] <11> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[192.168.2.109]
    			15[CFG] <11> no matching peer config found
    			15[IKE] <11> processing INTERNAL_IP4_ADDRESS attribute
    			15[IKE] <11> processing INTERNAL_IP4_DHCP attribute
    			15[IKE] <11> processing INTERNAL_IP4_DNS attribute
    			15[IKE] <11> processing INTERNAL_IP4_NETMASK attribute
    			15[IKE] <11> processing INTERNAL_IP6_ADDRESS attribute
    			15[IKE] <11> processing INTERNAL_IP6_DHCP attribute
    			15[IKE] <11> processing INTERNAL_IP6_DNS attribute
    			15[IKE] <11> processing (25) attribute
    			15[IKE] <11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    			15[IKE] <11> peer supports MOBIKE
    			15[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    			15[NET] <11> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[4500] (80 bytes)
    			15[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING
    

    Android

    Oct 14 02:59:37	charon		15[IKE] <8> received 151 cert requests for an unknown ca
    Oct 14 02:59:37	charon		15[CFG] <8> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[test]
    Oct 14 02:59:37	charon		15[CFG] <8> no matching peer config found
    Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP4_ADDRESS attribute
    Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP6_ADDRESS attribute
    Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP4_DNS attribute
    Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP6_DNS attribute
    Oct 14 02:59:37	charon		15[IKE] <8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Oct 14 02:59:37	charon		15[IKE] <8> peer supports MOBIKE
    Oct 14 02:59:37	charon		15[ENC] <8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 14 02:59:37	charon		15[NET] <8> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[60554] (80 bytes)
    Oct 14 02:59:37	charon		15[IKE] <8> IKE_SA (unnamed)[8] state change: CONNECTING => DESTROYING
    

    Settings Attached

    [attachment: Mobile Clients]
    [attachment: Phase 1]
    [attachment: Phase 2]
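A small triage script, added here as an example and not part of the original post or of pfSense/strongSwan, that parses charon log lines like the two excerpts above. It groups lines by the IKE_SA id in angle brackets, pulls the two identities out of the "looking for peer configs matching me[my-id]...peer[peer-id]" line (the IDr the client asked the gateway to prove and the IDi the client claimed), notes cert requests for an unknown CA, and records whether the exchange ended in "no matching peer config found" / AUTH_FAILED, so the offered identities can be compared against the gateway's configured identifiers. The sample lines are copied from the excerpts above; the wording of the next-step hints in diagnose() is the example's own assumption.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the two charon excerpts in the post (one bare, one with the syslog prefix).
SAMPLE_LOG = """\
15[CFG] <11> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[192.168.2.109]
15[CFG] <11> no matching peer config found
15[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 14 02:59:37\tcharon\t\t15[IKE] <8> received 151 cert requests for an unknown ca
Oct 14 02:59:37\tcharon\t\t15[CFG] <8> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[test]
Oct 14 02:59:37\tcharon\t\t15[CFG] <8> no matching peer config found
Oct 14 02:59:37\tcharon\t\t15[ENC] <8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon lines look like "<thread>[<subsystem>] <<sa-id>> <message>"; search() skips any syslog prefix.
LINE_RE = re.compile(r"\d+\[[A-Z]+\] <(?P<sa>\d+)> (?P<msg>.*)$")
# strongSwan prints "me[my-id]...peer[peer-id]": my-id is the IDr the client asked for, peer-id is its IDi.
PEER_RE = re.compile(r"looking for peer configs matching \S+?\[(?P<idr>[^\]]*)\]\.\.\.\S+?\[(?P<idi>[^\]]*)\]")
CERTREQ_RE = re.compile(r"received (?P<n>\d+) cert requests for an unknown ca")

def triage(log_text):
    """Group charon lines by IKE_SA id; record the identities offered and how the exchange ended."""
    sas = defaultdict(lambda: {"idr": None, "idi": None, "no_peer_config": False, "auth_failed": False, "unknown_ca_certreqs": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a charon line
        rec, msg = sas[int(m.group("sa"))], m.group("msg")
        pm, cm = PEER_RE.match(msg), CERTREQ_RE.match(msg)
        if pm:
            rec["idr"], rec["idi"] = pm.group("idr"), pm.group("idi")
        elif cm:
            rec["unknown_ca_certreqs"] = int(cm.group("n"))
        elif msg == "no matching peer config found":
            rec["no_peer_config"] = True
        elif "N(AUTH_FAILED)" in msg:
            rec["auth_failed"] = True
    return dict(sas)

def diagnose(rec):
    """Turn one triaged IKE_SA into the next thing to check (the hint wording is this example's own)."""
    if rec["no_peer_config"]:
        return (f"no peer config matched IDr={rec['idr']!r} IDi={rec['idi']!r}: compare these with the "
                f"gateway's configured My identifier / Peer identifier and the mobile auth method")
    if rec["auth_failed"]:
        return "AUTH_FAILED after a peer config matched: check the credentials and certificate chain"
    return "no authentication failure recorded"

REPORT = {sa: diagnose(rec) for sa, rec in triage(SAMPLE_LOG).items()}  # verdict per IKE_SA in the sample
```

For the sample, both IKE_SAs (11 for iOS, 8 for Android) end with no peer config matching IDr "test.domain.net" against the client-claimed IDi, which is the thing to compare with the Mobile Clients / Phase 1 identifier settings.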