Netgate Discussion Forum
IPSEC IKEv2 with EAP-MSCHAPv2 Not working. Could use some help.

  • C
    CryptoNight
    last edited by Jul 1, 2020, 4:15 AM

    I followed this guide link and I for the life of me cannot successfully get IPSEC to authenticate or connect properly with Windows 10.

    I am using the correct certificate from the certificate authority on the client.

    Here are some screenshots of my configuration with a blacked-out WAN IP address.

    Certificate Authority: [screenshot]

    Server Certificate: [screenshot]

    Mobile Client Setup: [screenshot]

    Phase 1 Setup: [two screenshots]

    Phase 2 Setup: [screenshot]

    Pre-Shared Keys: [screenshot]

    When I attempt to connect via Windows 10 I get error 87 the parameter is incorrect: [screenshot]

    When I attempt to connect via Android with strongSwan: [screenshot]

    I tried my best to look at existing documentation and other user forum posts but from my configuration, I cannot for the life of me determine what is wrong. Any and all help is appreciated, thank you!

    • N
      NOCling
      last edited by Jul 1, 2020, 6:27 AM

      I run my Win 10 without problem:

      P1:
      AES256
      SHA256
      DH14
      Responder Only
      Mobike enable

      P2:
      ESP
      AES256
      SHA256
      PFS 14

      Your DH Group is 2 and very weak.

      On the Win 10 side, I use PowerShell to set up the VPN client profile.

      Add-VpnConnection -Name "pfSense" -ServerAddress "WAN-IP" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -AllUserConnection

      Set-VpnConnectionIPsecConfiguration -ConnectionName "pfSense" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru

      Netgate 6100 & Netgate 2100

      • C
        CryptoNight
        last edited by Jul 1, 2020, 1:31 PM

        Thanks @NOCling, I'm now able to connect via strongSwan on Android. I think the reason why I didn't originally use DH 14 is that the default Windows client is not configured for that, but using your PowerShell alongside updating Phase 1 got me further. However, I still cannot connect on Windows 10.
        I still get the same error on the client side of Windows with "87 The parameter is incorrect".

        I've updated my phase 1 to this: [two screenshots]

        I've updated my phase 2 to this: [screenshot]

        Did I miss something from your advice to finish the connection for Windows 10?
        Here are the logs for the connection attempt: [screenshot]

        • C
          CryptoNight
          last edited by Jul 29, 2020, 2:20 AM

          Bump. Here's the current pastebin of what happens when I attempt to connect using Windows 10 (https://pastebin.com/ndeHZm9W). Note, my Android phone is able to connect with strongSwan.

          • N
            NOCling
            last edited by Jul 29, 2020, 8:48 PM

            Sorry, got the wrong line:

            Set-VpnConnectionIPsecConfiguration -ConnectionName "pfSense" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -PassThru

            AES 256 is right, but I gave you GCMAES256 before.

            Netgate 6100 & Netgate 2100
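
A way to confirm that the Windows profile actually carries the proposal values from the posts above, as an added example that is not code from either poster. It assumes the profile is named "pfSense" and was created with -AllUserConnection as shown earlier; the function name Test-VpnIpsecPolicy is hypothetical, and the expected values are the P1/P2 settings and corrected Set-VpnConnectionIPsecConfiguration parameters quoted in the thread.

```powershell
# Added example: compare the Windows IKEv2 custom IPsec policy with the
# pfSense proposal values listed in this thread.
function Test-VpnIpsecPolicy {   # hypothetical helper name
    param(
        [string]$ConnectionName = 'pfSense',   # profile name used in the thread
        [hashtable]$Expected = @{
            # Phase 1 (IKE SA) on pfSense: AES256 / SHA256 / DH14
            EncryptionMethod                 = 'AES256'
            IntegrityCheckMethod             = 'SHA256'
            DHGroup                          = 'Group14'
            # Phase 2 (ESP) on pfSense: AES256 / SHA256 / PFS 14
            CipherTransformConstants         = 'AES256'
            AuthenticationTransformConstants = 'SHA256128'
            PfsGroup                         = 'PFS2048'
        }
    )

    # The profile in the thread was created with -AllUserConnection,
    # so it has to be looked up in the all-user phone book.
    $conn   = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction Stop
    $policy = $conn.IPSecCustomPolicy

    if ($null -eq $policy) {
        # No custom policy set: the client offers its built-in default proposals.
        Write-Warning "No custom IPsec policy on '$ConnectionName'."
        return $false
    }

    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = "$($policy.$name)"   # enum value rendered as its name
        if ($actual -ne $Expected[$name]) {
            Write-Warning "$name is '$actual', expected '$($Expected[$name])'"
            $ok = $false
        }
    }
    return $ok
}

Test-VpnIpsecPolicy -ConnectionName 'pfSense'
```

A profile still holding the first command's GCMAES256 transforms is reported as a mismatch on CipherTransformConstants and AuthenticationTransformConstants, which is the difference between the two commands posted above.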

            • C
              CryptoNight
              last edited by Jul 30, 2020, 12:00 AM

              Still getting issues: https://pastebin.com/wpWqPEYZ
