• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Trying to configure IPsec for IOS 13.3.1, fails with "Negotiation with the VPN server failed"

Scheduled Pinned Locked Moved IPsec
15 Posts 4 Posters 3.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jeffc
    last edited by Mar 2, 2020, 7:22 PM

    I'm probably doing a stupid user error, so I apologize in advance! First time I've tried this.

    In trying to set up pfSense "2.4.4-RELEASE-p3 (amd64)" on IOS 13.3.1 (iPhone), I followed the directions at Netgate. Note that pfSense 2.4.4 didn't EXACTLY match what the instructions were saying, but they were pretty close.

    When I try and bring up the VPN connection, I get: "Negotiation with the VPN server failed."

    Logs follow. Any advice or suggestions would be greatly appreciated, thanks!

    Mar 2 11:19:12 	charon 		01[ENC] <17> generating INFORMATIONAL_V1 request 4279946569 [ N(NO_PROP) ]
    Mar 2 11:19:12 	charon 		01[NET] <17> sending packet: from 50.47.113.45[500] to 174.216.20.149[7717] (56 bytes)
    Mar 2 11:19:12 	charon 		01[IKE] <17> IKE_SA (unnamed)[17] state change: CONNECTING => DESTROYING
    Mar 2 11:19:12 	charon 		01[NET] <18> received packet: from 174.216.20.149[7717] to 50.47.113.45[500] (775 bytes)
    Mar 2 11:19:12 	charon 		01[ENC] <18> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 2 11:19:12 	charon 		01[CFG] <18> looking for an IKEv1 config for 50.47.113.45...174.216.20.149
    Mar 2 11:19:12 	charon 		01[CFG] <18> candidate: %any...%any, prio 24
    Mar 2 11:19:12 	charon 		01[CFG] <18> candidate: 50.47.113.45...%any, prio 1052
    Mar 2 11:19:12 	charon 		01[CFG] <18> found matching ike config: 50.47.113.45...%any with prio 1052
    Mar 2 11:19:12 	charon 		01[IKE] <18> received FRAGMENTATION vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received NAT-T (RFC 3947) vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received XAuth vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received Cisco Unity vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> received DPD vendor ID
    Mar 2 11:19:12 	charon 		01[IKE] <18> 174.216.20.149 is initiating a Aggressive Mode IKE_SA
    Mar 2 11:19:12 	charon 		01[IKE] <18> IKE_SA (unnamed)[18] state change: CREATED => CONNECTING
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable INTEGRITY_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> selecting proposal:
    Mar 2 11:19:12 	charon 		01[CFG] <18> no acceptable ENCRYPTION_ALGORITHM found
    Mar 2 11:19:12 	charon 		01[CFG] <18> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 2 11:19:12 	charon 		01[CFG] <18> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 2 11:19:12 	charon 		01[IKE] <18> no proposal found
    Mar 2 11:19:12 	charon 		01[IKE] <18> queueing INFORMATIONAL task
    Mar 2 11:19:12 	charon 		01[IKE] <18> activating new tasks
    Mar 2 11:19:12 	charon 		01[IKE] <18> activating INFORMATIONAL task
    Mar 2 11:19:12 	charon 		01[ENC] <18> generating INFORMATIONAL_V1 request 979376487 [ N(NO_PROP) ]
    Mar 2 11:19:12 	charon 		01[NET] <18> sending packet: from 50.47.113.45[500] to 174.216.20.149[7717] (56 bytes)
    Mar 2 11:19:12 	charon 		01[IKE] <18> IKE_SA (unnamed)[18] state change: CONNECTING => DESTROYING 
    
    1 Reply Last reply Reply Quote 0
    • ?
      A Former User
      last edited by Mar 2, 2020, 7:44 PM

      I have this config working here.

      ios13.JPG
      ios132.JPG

      1 Reply Last reply Reply Quote 0
      • J
        jeffc
        last edited by Mar 2, 2020, 8:09 PM

        @egoisst That was super useful, thanks for the help! Unfortunately, though, it got me a little farther, but now I fail with "User authentication failed."

        I have a long (random) password cut/pasted in, and the secret key is correct as well.

        In terms of the user setting, the user is NOT a member of admins. Then, further down, my effective privilege is User - VPN: IPsec xauth Dialin. No user cert, no authorized key, and it doesn't seem to matter if I put the IPsec Pre-Shared key in the user record, it fails either way.

        Any secrets as to how you set up the user? Any tips on how you set up the VPN under IOS?

        Thanks so much for your help! I'm closer, but not quite there.

        Finally, I thought that the SHA1 hash was insecure. Is that still safe to use here in IPsec? Can a different hash be used?

        Thanks again!

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by Mar 2, 2020, 8:23 PM

          Hahaha,
          struggled with that a bit too ;-)

          You should create a VPN Group and add the VPN Users.
          The default admin Group is not enought!

          user1.JPG

          user 2.JPG

          IMG_0753.PNG

          1 Reply Last reply Reply Quote 0
          • J
            jeffc
            last edited by Mar 2, 2020, 9:07 PM

            Okay, after making the group changes (and rebooting), I now get a longish delay and finally get "Negotiation with the VPN server failed." I was going to post all of my WWW pages, but I can't see how you're doing that? What steps are you doing to post pfSense WWW configuration pages here in this forum?

            I've gone through all the screens you posted, and I'm pretty sure I have everything correct. It doesn't seem to matter if I put the IPsec Pre-Shared Key in the user record or not, it fails both ways (although I did note that you didn't have it there).

            I'm wondering if there's some other screen that I'm missing? Perhaps VPN->IPsec, Mobile Clients tab?

            I'll include the current log here, in case that helps. If you can tell me how to post pfSense setting screens to this forum, I'll be happy to copy my exact configuration.

            Thanks so much for your patience and hand holding in getting me going here!

            Mar 2 13:04:43 	charon 		05[IKE] <con-mobile|1> IKE_SA con-mobile[1] state change: ESTABLISHED => DELETING
            Mar 2 13:04:43 	charon 		05[IKE] <con-mobile|1> IKE_SA con-mobile[1] state change: DELETING => DELETING
            Mar 2 13:04:43 	charon 		05[IKE] <con-mobile|1> IKE_SA con-mobile[1] state change: DELETING => DESTROYING
            Mar 2 13:04:43 	charon 		05[NET] <2> received packet: from 174.216.20.149[7712] to 50.47.113.45[500] (775 bytes)
            Mar 2 13:04:43 	charon 		05[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
            Mar 2 13:04:43 	charon 		05[CFG] <2> looking for an IKEv1 config for 50.47.113.45...174.216.20.149
            Mar 2 13:04:43 	charon 		05[CFG] <2> candidate: %any...%any, prio 24
            Mar 2 13:04:43 	charon 		05[CFG] <2> candidate: 50.47.113.45...%any, prio 1052
            Mar 2 13:04:43 	charon 		05[CFG] <2> found matching ike config: 50.47.113.45...%any with prio 1052
            Mar 2 13:04:43 	charon 		05[IKE] <2> received FRAGMENTATION vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received NAT-T (RFC 3947) vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received XAuth vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received Cisco Unity vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> received DPD vendor ID
            Mar 2 13:04:43 	charon 		05[IKE] <2> 174.216.20.149 is initiating a Aggressive Mode IKE_SA
            Mar 2 13:04:43 	charon 		05[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable DIFFIE_HELLMAN_GROUP found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable INTEGRITY_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> selecting proposal:
            Mar 2 13:04:43 	charon 		05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
            Mar 2 13:04:43 	charon 		05[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
            Mar 2 13:04:43 	charon 		05[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
            Mar 2 13:04:43 	charon 		05[IKE] <2> no proposal found
            Mar 2 13:04:43 	charon 		05[IKE] <2> queueing INFORMATIONAL task
            Mar 2 13:04:43 	charon 		05[IKE] <2> activating new tasks
            Mar 2 13:04:43 	charon 		05[IKE] <2> activating INFORMATIONAL task
            Mar 2 13:04:43 	charon 		05[ENC] <2> generating INFORMATIONAL_V1 request 2858304773 [ N(NO_PROP) ]
            Mar 2 13:04:43 	charon 		05[NET] <2> sending packet: from 50.47.113.45[500] to 174.216.20.149[7712] (56 bytes)
            Mar 2 13:04:43 	charon 		05[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
            
            N 1 Reply Last reply Mar 3, 2020, 9:09 AM Reply Quote 0
            • N
              NogBadTheBad @jeffc
              last edited by NogBadTheBad Mar 3, 2020, 9:09 AM Mar 3, 2020, 9:09 AM

              @jeffc

              If you can tell me how to post pfSense setting screens to this forum, I'll be happy to copy my exact configuration.

              Take a screenshot and drag it into the message window.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              1 Reply Last reply Reply Quote 0
              • J
                jeffc
                last edited by Mar 3, 2020, 4:06 PM

                Hi @NogBadTheBad Thanks for the suggestion!

                I'll include all of my configuration screens (let me know if I missed anything), in case this helps to diagnose my issue":

                • Firewall screen:

                Firewall.png

                • IPsec Settings, Phase 1: (Note that I did change the pre-shared key)

                Phase 1A.png

                Phase 1B.png

                • IPsec Settings, Phase 2:

                Phase 2.png

                • IPsec Settings, Mobile Clients:

                Mobile Clients.png

                • User Settings:

                Users.png

                • And finally, Group Settings:

                Groups.png

                Thanks in advance for help in diagnosing my issue! If you need the current log, the one I posted before this would still be relevant.

                1 Reply Last reply Reply Quote 0
                • ?
                  A Former User
                  last edited by Mar 3, 2020, 6:59 PM

                  Can you try DH Group 2 (1024 bit) in Phase 1.

                  1 Reply Last reply Reply Quote 0
                  • J
                    jeffc
                    last edited by Mar 4, 2020, 8:36 PM

                    Sorry for the delay. I did try changing the DH group to 2 (1024 bit) in phase 1, and that has no obvious affect. I still get Negotiation with the VPN server failed.

                    Any other suggestions? Thanks again for your willingness to help me with this, I really appreciate it!

                    In case it helps, here's my settings screen on the iPhone:

                    IMG_5730132E120B-1.jpeg

                    If I drill down into the pfSense VPN configuration:

                    IMG_30679D85AAED-1.jpeg

                    And, finally, when I try and launch the VPN:

                    IMG_1432.PNG

                    N J 2 Replies Last reply Mar 5, 2020, 12:09 PM Reply Quote 0
                    • N
                      NogBadTheBad @jeffc
                      last edited by Mar 5, 2020, 12:09 PM

                      @jeffc any reason your using IKEv1 ?

                      I followed https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html but I'm using Freeradius.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      1 Reply Last reply Reply Quote 0
                      • J
                        jeffc
                        last edited by Mar 5, 2020, 6:55 PM

                        @NogBadTheBad I'm using IKEv1 for two reasons:

                        • A doc that I found specified using that for mobile iPhone access,
                        • That was also recommended in @egoisst posts, so I didn't change that.

                        Given that it's not working, I'm happy to try something else. This requires certs, though? I guess I'm okay with that, but it's an extra step I haven't currently done. Is that mandatory for EAP-MSChapv2?

                        I'll give this a try in a bit and see if it helps ... thanks!

                        1 Reply Last reply Reply Quote 0
                        • J
                          jeffc @jeffc
                          last edited by Jul 5, 2020, 12:06 AM

                          I just wanted to follow up on this (really old) topic.

                          I did finally get IPsec configured with the iPhone, and it works great. In the end, I found that the pfSense documentation had everything I needed, including:

                          • How to configure the router, and
                          • How to configure the iPhone with the VPN properly.

                          See pfSense IPsec documentation for full details. Hope this helps someone!

                          1 Reply Last reply Reply Quote 0
                          • N
                            NOCling
                            last edited by Jul 5, 2020, 8:16 AM

                            Please uses IKEv2.
                            With IPsec Export: Apple Profile you can easy setup your iOS Device.
                            But if you want to use PFS, you have to insert 2 lines in the Profile output from pfsense.

                            <key>EnablePFS</key>
                            <true/>
                            

                            My Setup:
                            P1:
                            EAP-MSChapv2
                            AES 256
                            SHA 256
                            DH 14
                            Responder only
                            NAT Auto
                            Mobike enable

                            P2:
                            Tunnel IPv4
                            ESP
                            AES 256
                            SHA 256
                            PFS key group 14

                            Rekey works well if you inser the 2 lines in the ios Profile file.

                            Netgate 6100 & Netgate 2100

                            1 Reply Last reply Reply Quote 0
                            • J
                              jeffc
                              last edited by Jul 5, 2020, 7:21 PM

                              @NOCling Thanks for your feedback. After I got the IPsec VPN working (and posting to this topic), I did look more closely at negotiated protocols. The default protocols in the pfSense documentation does get you up and running, but the encryption is not nearly as strong as desired.

                              After looking at what was actually negotiated between pfSense and the iPhone, I picked identical settings to you in terms of encryption.

                              In Phase 1, I didn't change the defaults for "Responder Only", "NAT Auto", or "Mobike enable". So, for me, "Responder Only" is disabled and "Mobike" is disabled. The rest is identical.

                              Why did you specifically change "Responder Only" or "Mobike enable", since it doesn't affect the iPhone? Or did you enable those for other reasons?

                              Also, why do "Rekey", since that's not needed either (at least for the iPhone)?

                              Thanks!

                              1 Reply Last reply Reply Quote 0
                              • N
                                NOCling
                                last edited by Jul 5, 2020, 7:47 PM

                                I want a Tunnel that use PFS:
                                https://en.wikipedia.org/wiki/Forward_secrecy

                                Client VPN is incomming, nerver use for outgoing connections, to i set responder only.
                                For Outgoing i use Side 2 Side IKEv2.

                                Mobike is a nice feature, so I turned on this crazy shit.
                                At my point of view, Microsoft support it 7 and Apple up iOS 9 or newer this feature.
                                https://tools.ietf.org/html/rfc4555

                                Netgate 6100 & Netgate 2100

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                  This community forum collects and processes your personal information.
                                  consent.not_received