Netgate Discussion Forum

    One IPSec client failing to get `received packet` at certificate stage

      seanmcb

      I have a 'road warrior' IPSec setup that's been working fine for years. I now have a new Windows 10 user that's trying to set up his connection. We've followed the same steps that have worked for other Windows 10 users. But it's not working for him.

      I've compared /var/log/ipsec.log for a successful connection vs his attempts.

      For a successful connection by me:

      sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
      generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
      sending packet: from w.x.y.z[500] to a.b.c.d[500] (481 bytes)
      
      received packet: from a.b.c.d[4500] to w.x.y.z[4500] (512 bytes)
      parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
      <stuff>
      authentication of 'vpn.example.com' (myself) with RSA signature successful
      sending end entity cert "CN=vpn.example.com, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
      

      For failure by him:

      sending cert request for "CN=MyCo IPSec CA, C=CA, ST=Quebec, L=Montreal, O=MyCo Inc."
      generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
      sending packet: from w.x.y.z[500] to e.f.g.h[500] (481 bytes)
      
      deleting half open IKE_SA with e.f.g.h after timeout
      IKE_SA (unnamed)[8901] state change: CONNECTING => DESTROYING
      

      There's no received packet after that sending packet, which seems unexpected. What would cause that?

      I've looked at https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html (which is great!) but I don't see my scenario listed there.

      Thanks!

        seanmcb

        I think I've maybe found the issue. I think his home ISP is blocking something. If he creates a wifi hotspot on his smartphone, his Windows PC can then connect to our VPN!

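The failure pattern in this thread (an IKE_SA_INIT response is sent, no IKE_AUTH request ever arrives, and the half-open IKE_SA times out) can be pulled out of ipsec.log automatically. This is an added example, not part of the original posts: the function name and the sample log are constructed, with documentation-range addresses, and it assumes the lines of one exchange appear in order as in the excerpts above.

```python
import re

# Constructed sample in the shape of the ipsec.log excerpts in the thread;
# the addresses are documentation ranges, not values from the posts.
SAMPLE_LOG = """\
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
sending packet: from 203.0.113.1[500] to 198.51.100.7[500] (481 bytes)
received packet: from 198.51.100.7[4500] to 203.0.113.1[4500] (512 bytes)
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
sending packet: from 203.0.113.1[500] to 192.0.2.44[500] (481 bytes)
deleting half open IKE_SA with 192.0.2.44 after timeout
"""

SENT = re.compile(r"sending packet: from \S+ to (\S+?)\[(\d+)\]")
RECV = re.compile(r"received packet: from (\S+?)\[(\d+)\] to")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def find_stalled_peers(log_text):
    """Return peers that were sent an IKE_SA_INIT response but never sent IKE_AUTH."""
    awaiting = {}            # peer -> port our IKE_SA_INIT response was sent to
    stalled = []
    init_pending = False     # True between "generating ..." and its "sending packet"
    last_recv_peer = None
    for line in log_text.splitlines():
        if "generating IKE_SA_INIT response" in line:
            init_pending = True
        elif "parsed IKE_AUTH request" in line:
            # The peer's next message made it through; the exchange is progressing.
            awaiting.pop(last_recv_peer, None)
        elif (m := SENT.search(line)) and init_pending:
            awaiting[m.group(1)] = int(m.group(2))
            init_pending = False
        elif m := RECV.search(line):
            last_recv_peer = m.group(1)
        elif m := HALF_OPEN.search(line):
            peer = m.group(1)
            if peer in awaiting:
                stalled.append({"peer": peer, "last_reply_port": awaiting.pop(peer)})
    return stalled


if __name__ == "__main__":
    for hit in find_stalled_peers(SAMPLE_LOG):
        print(f"{hit['peer']}: no IKE_AUTH after IKE_SA_INIT response "
              f"(reply sent to port {hit['last_reply_port']})")
```

A peer listed here never got its second message to the gateway, so the place to look is the network path between that client and the gateway rather than certificates or proposals.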
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.