Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC IKEv2 with EAP-MSCHAPv2 Not working. Could use some help.

    Scheduled Pinned Locked Moved
    IPsec
    2
    6
    997
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CryptoNight
      last edited by

      I followed this guide link and I for the life of me cannot successfully get IPSEC to authenticate or connect properly with Windows 10.

      I am using the correct certificate from the certificate authority on the client.

      Here's some screenshots of my configuration with a blacked-out WAN IP address

      Certificate Authority:
      3fbc798f-d889-4d7c-86dd-3e30cfc5c764-image.png

      Server Certificate:
      09140557-fc12-4340-80ef-ec368ab47ca2-image.png

      Mobile Client Setup:
      8ff17867-705d-4e1a-a848-d1d9c8515109-image.png

      Phase 1 Setup:
      3159bbd3-0906-42d6-b7eb-9c04ca19bd52-image.png

      f1536b87-fcda-40ee-80c0-954c3532b541-image.png

      Phase 2 Setup:
      7ed41d03-c933-405f-8ec2-1e4a913fe029-image.png

      Pre-Shared Keys:
      e270ad09-5e85-4078-9c41-84f5c8850925-image.png

      When I attempt to connect via Windows 10 I get error 87 the parameter is incorrect:
      088e1281-046f-4eeb-922e-50719d2733cb-image.png

      When I attempt to connect via Android with strongSwan:
      218a47d4-79ad-4c6e-a6e1-ea8a9e13e9b2-image.png

      I tried my best to look at existing documentation and other user forum posts but from my configuration, I cannot for the life of me determine what is wrong. Any and all help is appreciated, thank you!

      1 Reply Last reply Reply Quote 0
      • N
        NOCling
        last edited by

        I run my Win 10 without problem:

        P1:
        AES256
        SHA256
        DH14
        Responder Only
        Mobike enable

        P2:
        ESP
        AES256
        SHA256
        PFS 14

        Your DH Group is 2 and very weak.

        On Win 10 Side, i use Powershell to setup the VPN Client Profile.

        Add-VpnConnection -Name "pfSense" -ServerAddress "WAN-IP" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -AllUserConnection

        Set-VpnConnectionIPsecConfiguration -ConnectionName "pfSense" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru

        Netgate 6100 & Netgate 2100

        1 Reply Last reply Reply Quote 0
        • C
          CryptoNight
          last edited by

          Thanks @NOCling I'm now able to connect via strongSwan on Android. I think the reason why I didn't originally use DH 14 is that the default Windows client is not configured for that but using your Powershell alongside updating Phase 1 got me further however I still cannot connect on Windows 10.
          I still get the same error on the client side of windows with "87 The parameter is incorrect"

          I've updated my phase 1 to this:
          81ab2c4c-921f-4935-8829-c47513594af3-image.png
          d80bda5f-ca61-4b04-9405-54535b0f3a75-image.png

          I've updated my phase 2 to this:
          355ea946-a244-44af-8650-91356e8389d9-image.png

          Did I miss something from your advice to finish the connection for Windows 10?
          Here's the logs for the connection attempt:
          9bc9cfbe-d00c-405c-ab98-b674f21ec55e-image.png

          1 Reply Last reply Reply Quote 0
          • C
            CryptoNight
            last edited by

            Bump. Here's the current pastebin of what happens when I attempt to connect using Windows 10 (https://pastebin.com/ndeHZm9W). Note, my android phone is able to connect with strong swan

            1 Reply Last reply Reply Quote 0
            • N
              NOCling
              last edited by

              Sorry got the wrong Line:

              Set-VpnConnectionIPsecConfiguration -ConnectionName "pfSense" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru

              AES 256 is right, but gave you GCMAES256 before.

              Netgate 6100 & Netgate 2100

              1 Reply Last reply Reply Quote 0
              • C
                CryptoNight
                last edited by

                Still getting issues: https://pastebin.com/wpWqPEYZ

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post