User authentication failed with iPhone and IPsec VPN
-
Hello,
I've configured a VPN on pfSense using these instructions:
https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
I'm able to successfully connect to the VPN from my Windows 10 laptop, but when I try to connect my iPhone using the same username and password, I get the following message:
User authentication failed
The iPhone is using iOS 12.1.
Here are the last few entries of the log:
Dec 5 09:30:56 charon 01[ENC] <con-mobile|6> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 5 09:30:56 charon 01[ENC] <con-mobile|6> splitting IKE message with length of 1552 bytes into 2 fragments
Dec 5 09:30:56 charon 01[ENC] <con-mobile|6> generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 5 09:30:56 charon 01[ENC] <con-mobile|6> generating IKE_AUTH response 1 [ EF(2/2) ]
Dec 5 09:30:56 charon 01[NET] <con-mobile|6> sending packet: from 74.112.16.144[4500] to 166.137.219.164[19052] (1236 bytes)
Dec 5 09:30:56 charon 01[NET] <con-mobile|6> sending packet: from 74.112.16.144[4500] to 166.137.219.164[19052] (388 bytes)
Dec 5 09:31:26 charon 15[JOB] <con-mobile|6> deleting half open IKE_SA with 166.137.219.164 after timeout
Dec 5 09:31:26 charon 15[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: CONNECTING => DESTROYING
It seems that the iPhone is never responding to the IKE_AUTH response 1.
I'm not sure what to do next to troubleshoot this. Thanks in advance for your help!
Alan
-
I figured out the problem.
I had exported and installed the wrong cert on my phone. Instead of installing the CA cert, I had mistakenly installed the "Server Certificate".
After correcting this, I was able to connect to the VPN successfully.
Hopefully this will help someone else.
-
@avalanchis I am SOOOO glad you commented on the resolution in this thread, I made exactly the same error and after hours of trying and surfing I found your thread, THANKS!
-
@murphster_matt What's funny about this is that I had the same problem when trying to set up a different phone, and I'd completely forgotten about this solution until you posted your comment! Thanks for reminding me!
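-
Added example, not part of the original thread: a small log check for the symptom shown above, where the responder sends its CERT in an IKE_AUTH response and the half-open IKE_SA then times out with no further client message, which is what the log looked like when the phone did not have the CA certificate installed. The function name and the `con-mobile|7` lines are constructed for illustration; the `parsed IKE_AUTH request` pattern assumes charon's usual wording for an incoming client message.

```python
import re

# Line layout as in the thread: "<date> charon NN[SUBSYS] <conn|id> message"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+) charon \d+\[\w+\] <([^>]+)> (.*)$")
SENT_CERT = re.compile(r"generating IKE_AUTH response \d+ \[[^\]]*\bCERT\b")
CLIENT_REPLY = re.compile(r"parsed IKE_AUTH request")  # assumed charon wording
TIMEOUT = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def find_silent_peers(log_text):
    """Return (time, conn, peer) for SAs that timed out after the responder
    sent its certificate and the client never sent another IKE_AUTH request."""
    waiting = {}  # conn -> True while our CERT is still unanswered
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, conn, msg = m.groups()
        if SENT_CERT.search(msg):
            waiting[conn] = True
        elif CLIENT_REPLY.search(msg):
            waiting[conn] = False  # client continued, so it accepted the cert
        else:
            t = TIMEOUT.search(msg)
            if t and waiting.pop(conn, False):
                hits.append((when, conn, t.group(1)))
    return hits


# First three lines are from the thread; the con-mobile|7 lines are constructed
# to show a client that does answer after receiving the certificate.
SAMPLE = """\
Dec 5 09:30:56 charon 01[ENC] <con-mobile|6> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 5 09:30:56 charon 01[NET] <con-mobile|6> sending packet: from 74.112.16.144[4500] to 166.137.219.164[19052] (1236 bytes)
Dec 5 09:31:26 charon 15[JOB] <con-mobile|6> deleting half open IKE_SA with 166.137.219.164 after timeout
Dec 5 09:40:01 charon 07[ENC] <con-mobile|7> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 5 09:40:02 charon 07[ENC] <con-mobile|7> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 5 09:40:32 charon 09[JOB] <con-mobile|7> deleting half open IKE_SA with 192.0.2.10 after timeout
"""

if __name__ == "__main__":
    for when, conn, peer in find_silent_peers(SAMPLE):
        print(f"{when} {conn}: {peer} went silent after server CERT; "
              "check which certificate is trusted on the client")
```

A hit is only a pointer to look at the client's trust store; a timeout after the client has already answered (as in the constructed `con-mobile|7` lines) is not flagged.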