Able to connect to IKEv2 IPSec from Windows but not from Android - Going insane, what am I doing wrong?



  • PFSense IPSec log: https://pastebin.com/kFSY4tas
    strongSwan log on Android: https://pastebin.com/jwUxHhYS

    I'm not sure what's wrong with my config and why I am unable to connect, but I'm about 6 hours deep into this today alone and I'm going absolutely nuts. Instant fail, auth-related error. Please assist.



  • @matt4542 Hey
    https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
    https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
    Show your Phase 1 IPsec pfSense settings
    and your strongSwan Android settings.
    Pay attention to the selected text.
    You don't have that in your logs.

    Dec 25 09:06:44 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Dec 25 09:06:44 00[DMN] Starting IKE service (strongSwan 5.7.1, Android 8.0.0 - ANE-LX1 8.0.0.162(C432)/2018-10-01, ANE-LX1 - HUAWEI/ANE-LX1/HUAWEI, Linux 4.4.23+, aarch64)
    Dec 25 09:06:44 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
    Dec 25 09:06:44 00[JOB] spawning 16 worker threads
    Dec 25 09:06:44 04[CFG] loaded user certificate 'C=ES, O=XXX, CN=sony_xperia.XXXXX' and private key
    Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 94.177.XXX.XXX
    Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 04[NET] sending packet: from 192.168.1.42[42086] to XXXX.XXXX[500] (716 bytes)
    Dec 25 09:06:45 09[NET] received packet: from 94.177.XXX.XXX[500] to 192.168.1.42[42086] (38 bytes)
    Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
    Dec 25 09:06:45 09[IKE] initiating IKE_SA android[1] to 94.177.XXXX
    Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 25 09:06:45 09[NET] sending packet: from 192.168.1.42[42086] to 94.177.XXX[500] (908 bytes)
    Dec 25 09:06:45 10[NET] received packet: from 94.177.XXX[500] to 192.168.1.42[42086] (489 bytes)
    Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 25 09:06:45 10[IKE] local host is behind NAT, sending keep alives
    Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
    Dec 25 09:06:45 10[IKE] sending cert request for "C=ES, O=XXX, CN=XXXX"
    Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}
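
A small triage script for charon logs of the kind pasted above, added here as an example; it is not code from either post or from strongSwan or pfSense. It parses lines in the `Mon DD HH:MM:SS NN[GRP] message` format, records the INVAL_KE DH-group retry and the selected IKE proposal, and reports whether the handshake died in IKE_SA_INIT (Phase 1 proposal mismatch) or in IKE_AUTH (identifier, certificate or authentication-method problem), which is the distinction the reply above is pointing at. The IKE_SA_INIT lines in the embedded sample are taken from the Android log quoted in the reply; the IKE_AUTH lines are constructed to show a failing authentication, their exact wording is assumed, and the server address is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log. The IKE_SA_INIT lines mirror the Android strongSwan log
# posted in the thread; the IKE_AUTH lines are assumed, added only to show what a
# failing authentication looks like, and the server address is a placeholder.
SAMPLE_LOG = """\
Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 198.51.100.10
Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}
Dec 25 09:06:45 10[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr ]
Dec 25 09:06:46 11[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 25 09:06:46 11[IKE] received AUTHENTICATION_FAILED notify error
"""

# One charon log line: timestamp, worker thread, log group, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$"
)
DH_RE = re.compile(r"peer didn't accept DH group (?P<offered>\S+), it requested (?P<wanted>\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<prop>\S+)")
EXCHANGE_RE = re.compile(
    r"(?:generating|parsed) (?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) "
    r"(?:request|response) \d+ \[ (?P<payloads>.*) \]"
)
NOTIFY_ERR_RE = re.compile(r"received (?P<notify>[A-Z_]+) notify error")


@dataclass
class Summary:
    dh_retries: List[Tuple[str, str]] = field(default_factory=list)  # (offered, requested)
    ike_proposal: Optional[str] = None      # set once IKE_SA_INIT agreed on a proposal
    reached_ike_auth: bool = False          # an IKE_AUTH request or response was seen
    auth_failed: bool = False               # AUTHENTICATION_FAILED seen during IKE_AUTH
    notify_errors: List[str] = field(default_factory=list)


def summarize(log: str) -> Summary:
    """Walk charon log lines and record how far the IKEv2 handshake got."""
    s = Summary()
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (blank, banner, other daemon)
        msg = m.group("msg")
        dh = DH_RE.search(msg)
        if dh:
            s.dh_retries.append((dh.group("offered"), dh.group("wanted")))
        prop = PROPOSAL_RE.search(msg)
        if prop:
            s.ike_proposal = prop.group("prop")
        ex = EXCHANGE_RE.search(msg)
        if ex and ex.group("exch") == "IKE_AUTH":
            s.reached_ike_auth = True
            if "N(AUTH_FAILED)" in ex.group("payloads"):
                s.auth_failed = True
        err = NOTIFY_ERR_RE.search(msg)
        if err:
            s.notify_errors.append(err.group("notify"))
            if err.group("notify") == "AUTHENTICATION_FAILED":
                s.auth_failed = True
    return s


def diagnose(s: Summary) -> str:
    """Turn the summary into a verdict that names the phase to fix."""
    parts = []
    if s.ike_proposal is None:
        parts.append("IKE_SA_INIT never agreed on a proposal: fix the Phase 1 "
                     "encryption/hash/DH group so client and server overlap.")
    elif s.auth_failed:
        parts.append("IKE_SA_INIT agreed on %s; the failure is in IKE_AUTH, so check "
                     "identifiers, certificate chain and authentication method." % s.ike_proposal)
    elif not s.reached_ike_auth:
        parts.append("IKE_SA_INIT completed but no IKE_AUTH exchange was logged.")
    else:
        parts.append("No failure detected in the IKEv2 handshake.")
    for offered, wanted in s.dh_retries:
        parts.append("Client offered DH group %s and the server answered INVAL_KE asking for %s; "
                     "set the client to %s to avoid the extra IKE_SA_INIT round trip."
                     % (offered, wanted, wanted))
    if s.notify_errors:
        parts.append("Notify errors: %s." % ", ".join(s.notify_errors))
    return " ".join(parts)


if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_LOG)))
```

Feed it the client-side charon log (Android strongSwan) or the pfSense IPsec log; the verdict separates a Phase 1 proposal mismatch, which the INVAL_KE retry alone does not cause, from an IKE_AUTH failure, which is where an "auth related error" with a completed IKE_SA_INIT actually lives.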