IKEv2 - Cannot Connect Android, iOS & macOS

zooky

Hi All,

I have setup IKEv2 on my pfSense machine (2.4.4) to authenticate with windows RAS.

Windows machines can successfully authenticate and connect to pfsense no problem but Android, iOS and macOS cannot connect.

My pfsense machine has a wild card certificate installed which i assume is working fine (from what I can tell)

Below are the logs from pfsense after trying to connect from iOS and android

iOS

			15[CFG] <11> found matching ike config: XX.XX.106.220...%any with prio 1052
			15[IKE] <11> xx.xx.21.60 is initiating an IKE_SA
			15[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
			15[CFG] <11> selecting proposal:
			15[CFG] <11> proposal matches
			15[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
			15[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_256
			15[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
			15[IKE] <11> remote host is behind NAT
			15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018"
			15[IKE] <11> sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
			15[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
			15[NET] <11> sending packet: from XX.XX.106.220[500] to xx.xx.21.60[500] (493 bytes)
			15[NET] <11> received packet: from xx.xx.21.60[4500] to XX.XX.106.220[4500] (512 bytes)
			15[ENC] <11> unknown attribute type (25)
			15[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
			15[CFG] <11> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[192.168.2.109]
			15[CFG] <11> no matching peer config found
			15[IKE] <11> processing INTERNAL_IP4_ADDRESS attribute
			15[IKE] <11> processing INTERNAL_IP4_DHCP attribute
			15[IKE] <11> processing INTERNAL_IP4_DNS attribute
			15[IKE] <11> processing INTERNAL_IP4_NETMASK attribute
			15[IKE] <11> processing INTERNAL_IP6_ADDRESS attribute
			15[IKE] <11> processing INTERNAL_IP6_DHCP attribute
			15[IKE] <11> processing INTERNAL_IP6_DNS attribute
			15[IKE] <11> processing (25) attribute
			15[IKE] <11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
			15[IKE] <11> peer supports MOBIKE
			15[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
			15[NET] <11> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[4500] (80 bytes)
			15[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING

Android

Oct 14 02:59:37	charon		15[IKE] <8> received 151 cert requests for an unknown ca
Oct 14 02:59:37	charon		15[CFG] <8> looking for peer configs matching XX.XX.106.220[test.domain.net]...xx.xx.21.60[test]
Oct 14 02:59:37	charon		15[CFG] <8> no matching peer config found
Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP4_ADDRESS attribute
Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP6_ADDRESS attribute
Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP4_DNS attribute
Oct 14 02:59:37	charon		15[IKE] <8> processing INTERNAL_IP6_DNS attribute
Oct 14 02:59:37	charon		15[IKE] <8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 14 02:59:37	charon		15[IKE] <8> peer supports MOBIKE
Oct 14 02:59:37	charon		15[ENC] <8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 14 02:59:37	charon		15[NET] <8> sending packet: from XX.XX.106.220[4500] to xx.xx.21.60[60554] (80 bytes)
Oct 14 02:59:37	charon		15[IKE] <8> IKE_SA (unnamed)[8] state change: CONNECTING => DESTROYING

Settings Attached

Mobile Clients

Phase 1
Phase1
Phase1

Phase2
Phase2