IPSec client mobile
-
Hi, I already have a "Site to Site VPN connection" with IPSec protocol and now I need to also access through an IPSec client on Windows 10.
In pfSense I enabled:
"Enable IPsec Mobile Client Support"
as shown in the attached image.
Then I specified a "Pre-Shared Keys" and configured the phase2 (as shown in the attached image).
In Windows 10 I configured the VPN client but when I try to connect to the VPN server immediately an error message appears: "L2tp connection attempt failed.
the security level cannot negotiate the parameters compatible with the remote computer"
Where am I wrong?
Thanks.
-
Sounds like Windows is not attempting IKEv2 but L2TP instead. I'd look at the client:
https://docs.netgate.com/pfsense/en/latest/book/ipsec/mobile-ipsec-client-windows.html?windows-ikev2-client-configuration
-
Hi,
I'm not using the digital certificate.
Thanks.
-
Sounds like there is a mismatch with the encryption algorithms you have configured on your tunnel.
Take a look at the IPSec log (Status / System logs / IPSec) for "received proposals" and "configured proposals" to see which algorithms your client can use and which are configured on the tunnel.
You may also have to make adjustments to the encryption and hashing in Phase 2, to ensure that they are supported by your client.
Examining the log I found the config below, with two supported algorithms for Phase 1, to work with both my Windows 10 client and my iPhone - but your mileage may vary :-)
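
The log comparison described above, as an added example that is not part of the original post or of pfSense's own code: it parses "received proposals" and "configured proposals" lines and reports which transform types have no algorithm in common. The log lines are constructed in the style of strongSwan (charon) output, and the per-type matching is a simplified model of the real negotiation.

```python
import re

# Constructed sample lines in the style of strongSwan (charon) IPsec logs;
# the algorithms shown are illustrative, not taken from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 charon: 07[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 10 12:00:01 charon: 07[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

LINE_RE = re.compile(r"(received|configured) proposals: (.+)$", re.M)

def transform_type(alg):
    """Map an algorithm keyword to its transform type (simplified)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith("HMAC_") or alg in ("AES_XCBC_96", "AES_CMAC_96"):
        return "integrity"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "encryption"

def parse_proposals(log_text):
    """Return {'received': [...], 'configured': [...]}; each proposal is
    a dict of transform type -> set of algorithm keywords."""
    out = {"received": [], "configured": []}
    for side, body in LINE_RE.findall(log_text):
        for prop in body.split(", "):
            algs = prop.split(":", 1)[1].split("/")  # drop "IKE:" / "ESP:"
            parsed = {}
            for alg in (a.strip() for a in algs):
                parsed.setdefault(transform_type(alg), set()).add(alg)
            out[side].append(parsed)
    return out

def closest_mismatch(props):
    """Transform types with no common algorithm for the best-matching
    received/configured pair; an empty list means some pair agrees.
    Returns None if either side has no proposals in the log."""
    best = None
    for r in props["received"]:
        for c in props["configured"]:
            bad = sorted(t for t in set(r) | set(c)
                         if not r.get(t, set()) & c.get(t, set()))
            if best is None or len(bad) < len(best):
                best = bad
    return best

if __name__ == "__main__":
    print(closest_mismatch(parse_proposals(SAMPLE_LOG)))
```
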
-
Transport mode for mobile IPsec? That would be a first for me.
-
Hi,
thanks but for now I have preferred to use OpenVPN.
-
I'm only just getting into pfSense myself, and was following a tutorial, but could not get the setup to work.
I was looking for help myself, when I came across this problem that I had just spent time figuring out myself and thought that I would share :-)
-
Yeah you almost certainly want tunnel mode there, not transport.
It really depends on the mix of intended VPN clients but if I had to use IPsec instead of OpenVPN for some reason I would try to get IKEv2 working first.