IPSEC IKEv2 with EAP-MSCHAPv2 Not working. Could use some help.



  • I followed this guide (link) and, for the life of me, I cannot successfully get IPsec to authenticate or connect properly with Windows 10.

    I am using the correct certificate from the certificate authority on the client.

    Here are some screenshots of my configuration, with the WAN IP address blacked out:

    Certificate Authority:
    [screenshot]

    Server Certificate:
    [screenshot]

    Mobile Client Setup:
    [screenshot]

    Phase 1 Setup:
    [screenshot]

    [screenshot]

    Phase 2 Setup:
    [screenshot]

    Pre-Shared Keys:
    [screenshot]

    When I attempt to connect via Windows 10, I get error 87, "The parameter is incorrect":
    [screenshot]

    When I attempt to connect via Android with strongSwan:
    [screenshot]

    I tried my best to look at existing documentation and other user forum posts but from my configuration, I cannot for the life of me determine what is wrong. Any and all help is appreciated, thank you!



  • I run my Win 10 without problem:

    P1:
    AES256
    SHA256
    DH14
    Responder Only
    Mobike enable

    P2:
    ESP
    AES256
    SHA256
    PFS 14

    Your DH Group is 2 and very weak.

    On the Win 10 side, I use PowerShell to set up the VPN client profile.

    Add-VpnConnection -Name "pfSense" -ServerAddress "WAN-IP" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -AllUserConnection

    Set-VpnConnectionIPsecConfiguration -ConnectionName "pfSense" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru
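
Added example (not part of the thread or of the reply above): a PowerShell check that reads the client profile back with Get-VpnConnection and compares its custom IPsec policy with the values passed to Set-VpnConnectionIPsecConfiguration in the reply. The `$Expected` table and the variable names are constructed for this example, and it assumes the profile was created with -AllUserConnection as shown.

```powershell
# Connection name used in the reply above.
$Name = 'pfSense'

# Expected values, copied from the Set-VpnConnectionIPsecConfiguration call in the reply.
$Expected = [ordered]@{
    EncryptionMethod                 = 'AES256'     # IKE (Phase 1) cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE (Phase 1) hash
    DHGroup                          = 'Group14'    # IKE (Phase 1) DH group
    CipherTransformConstants         = 'GCMAES256'  # ESP (Phase 2) cipher
    AuthenticationTransformConstants = 'GCMAES256'  # ESP (Phase 2) integrity
    PfsGroup                         = 'PFS2048'    # Phase 2 PFS group
}

# Stop immediately if the profile does not exist in the all-user phone book.
$conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop

$problems = @()

# Tunnel type and authentication method set by Add-VpnConnection.
if ($conn.TunnelType -ne 'Ikev2') {
    $problems += "TunnelType is '$($conn.TunnelType)', expected 'Ikev2'"
}
if ($conn.AuthenticationMethod -notcontains 'Eap') {
    $problems += "AuthenticationMethod is '$($conn.AuthenticationMethod -join ',')', expected 'Eap'"
}

# The custom policy is empty until Set-VpnConnectionIPsecConfiguration has been run.
$policy = $conn.IPSecCustomPolicy
if ($null -eq $policy) {
    $problems += 'No custom IPsec policy is set on this profile'
} else {
    foreach ($key in $Expected.Keys) {
        $actual = [string]$policy.$key
        if ($actual -ne $Expected[$key]) {
            $problems += "$key is '$actual', expected '$($Expected[$key])'"
        }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Profile '$Name' matches the expected IKEv2 proposal."
}
```

Each warning names one client-side value that differs, which can then be compared by hand with the Phase 1 and Phase 2 settings on the pfSense side.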



  • Thanks @NOCling, I'm now able to connect via strongSwan on Android. I think the reason why I didn't originally use DH 14 is that the default Windows client is not configured for that, but using your PowerShell alongside updating Phase 1 got me further. However, I still cannot connect on Windows 10.
    I still get the same error on the Windows client side: "87 The parameter is incorrect".

    I've updated my Phase 1 to this:
    [screenshot]
    [screenshot]

    I've updated my Phase 2 to this:
    [screenshot]

    Did I miss something from your advice to finish the connection for Windows 10?
    Here are the logs for the connection attempt:
    [screenshot]

