iOS / IPsec Connection Error
-
Setting up a brand new Netgate 1100 for a customer's site for use with iOS devices and remote access. I followed the Configuring IPsec IKEv2 Remote Access VPN Clients doc and got everything set up, certs installed on the initial iOS device for testing. Seems like I'm able to get all the way through the connection until the very end, where I'm getting a "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]" error message. Not really sure at this point where the failure is; in the Authentication settings of the VPN on the phone I'm using the username and password set up under VPN / IPsec / Pre-Shared Keys.
A bit of looking around I found this may be because the IP address I'm connecting from is not configured in the tunnel; I doubt any of my customer's home locations have static IP addresses, so I guess my question is what are my options if that is the case?
-
@rchiocchio Look at the My id & Peer id, you've got IP addresses in the FQDN field and Peer Id.
Change the Peer id to Any.
-
@rchiocchio I use EAP-RADIUS with the following settings and can connect fine with iOS devices; I also tunnel everything over the VPN:
I've blanked out the FQDN & Cert name.
-
@nogbadthebad whoops, that was the wrong screenshot. Here's an updated one:
Looks like changing My Identifier to My IP Address and Peer Identifier to Any did the trick.
Now I can work on getting the local DNS entries working, since my access to the local subnet works via IP (but I need to use the locally defined DNS names).
Thanks! (will mark as resolved once I can confirm the actual devices I'm trying to configure are all set)
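To show why the identifier fields matter for the AUTH_FAILED in this thread, here is an added Python model of the IKEv2 identity check (it is example code written for this page, not pfSense or strongSwan code). It follows the RFC 7296 rule that an ID payload carries a type plus a value and both must agree; the field names, the "Any" sentinel and the notify strings are assumptions made for the model, and the IP addresses are constructed documentation values.

```python
"""Simplified model of the IKEv2 responder identity check (constructed example)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class IdType(Enum):
    """Subset of RFC 7296 section 3.5 ID payload types used in this model."""
    ID_IPV4_ADDR = 1
    ID_FQDN = 2
    ID_RFC822_ADDR = 3


@dataclass(frozen=True)
class Identity:
    id_type: IdType
    value: str


def encode_identity(field_type: str, value: str) -> Identity:
    """Encode a configured identifier as it would go on the wire.

    The field's *type* is sent as-is: text typed into an FQDN field is sent
    as ID_FQDN even when it looks like an IP address (assumption of this model).
    """
    if field_type == "ip":
        return Identity(IdType.ID_IPV4_ADDR, str(ipaddress.IPv4Address(value)))
    if field_type == "fqdn":
        return Identity(IdType.ID_FQDN, value.rstrip(".").lower())
    if field_type == "email":
        return Identity(IdType.ID_RFC822_ADDR, value.lower())
    raise ValueError(f"unknown identifier field type {field_type!r}")


# Stands in for the pfSense "Any" peer identifier: skip the identity comparison.
PEER_ANY: Optional[Identity] = None


def identity_matches(expected: Optional[Identity], received: Identity) -> bool:
    """Accept only when type and value both match, or when the expectation is Any."""
    if expected is PEER_ANY:
        return True
    return expected.id_type == received.id_type and expected.value == received.value


def ike_auth_check(expected_peer: Optional[Identity],
                   received_idi: Identity,
                   eap_user_ok: bool) -> str:
    """Return the outcome the responder would signal (constructed wording).

    Identity is compared first; only then does the EAP user credential count.
    With peer identifier Any, EAP is what actually authenticates the user.
    """
    if not identity_matches(expected_peer, received_idi):
        return "N(AUTH_FAILED): peer identity mismatch"
    if not eap_user_ok:
        return "N(AUTH_FAILED): EAP credential rejected"
    return "AUTH OK"


if __name__ == "__main__":
    # Constructed scenario: an IP literal sits in the firewall's FQDN field,
    # while the phone sends its address as an ID_IPV4_ADDR identity.
    misconfigured = encode_identity("fqdn", "203.0.113.10")
    client_idi = encode_identity("ip", "198.51.100.7")
    print(ike_auth_check(misconfigured, client_idi, eap_user_ok=True))
    print(ike_auth_check(PEER_ANY, client_idi, eap_user_ok=True))
```

The same comparison runs in the other direction: the client checks the IDr the firewall sends against its own configured Remote ID, which is why "My Identifier" also has to be a type the phone expects. Peer identifier Any is fine here because EAP still authenticates each user; the server's own identity should remain pinned.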
-
An update on this; the above settings still being the same, I cannot get the connected devices to use the firewall/DNS resolver when doing a lookup/attempting to connect to any of the devices on the LAN via hostname. Also attached a screenshot of the DNS Resolver settings in case I'm missing anything. I just get the generic "A server with the specified hostname could not be found" message when trying to connect.
For reference, the Netgate itself is able to ping anything in the DNS Resolver list by name without any issue:
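A quick way to split the DNS problem above into "the phone never sends queries to the firewall" versus "queries arrive but the resolver can't answer them" is to look at the resolver's query log. The following Python triage script is an added example for this thread, not something from the original post or from pfSense; the log lines are constructed in the shape Unbound writes with query logging on, and the VPN pool, LAN network and host override names are assumed values.

```python
"""Triage DNS queries from IPsec mobile clients in an Unbound query log (constructed example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample lines; the "info: <src> <name>. <type> IN" shape is what
# Unbound logs with log-queries enabled, the syslog prefix is made up.
SAMPLE_LOG = """\
Jan 10 09:12:01 fw unbound[1234:0] info: 192.168.1.20 nas.home.arpa. A IN
Jan 10 09:12:03 fw unbound[1234:0] info: 192.168.1.20 printer.home.arpa. A IN
Jan 10 09:15:44 fw unbound[1234:0] info: 10.10.10.5 nas.home.arpa. A IN
Jan 10 09:15:47 fw unbound[1234:0] info: 10.10.10.5 camera.home.arpa. A IN
"""

QUERY_RE = re.compile(r"info: (?P<src>\d+\.\d+\.\d+\.\d+) (?P<name>\S+)\. (?P<qtype>\S+) IN$")


def parse_queries(log_text: str) -> List[Tuple[ipaddress.IPv4Address, str, str]]:
    """Extract (source address, queried name, query type) from each query line."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append((ipaddress.IPv4Address(m["src"]), m["name"].lower(), m["qtype"]))
    return found


def triage(log_text: str, vpn_pool: str, lan_net: str, host_overrides: List[str]) -> Dict:
    """Classify queries by source network and name the first thing to check."""
    pool = ipaddress.IPv4Network(vpn_pool)
    lan = ipaddress.IPv4Network(lan_net)
    known = {name.lower().rstrip(".") for name in host_overrides}
    queries = parse_queries(log_text)

    from_vpn = [q for q in queries if q[0] in pool]
    from_lan = [q for q in queries if q[0] in lan]
    unknown = sorted({name for _, name, _ in from_vpn if name not in known})

    if not from_vpn:
        verdict = ("no queries from the VPN pool reached the resolver: "
                   "the client is not sending DNS through the tunnel")
    elif unknown:
        verdict = "VPN queries arrive but these names have no host override: " + ", ".join(unknown)
    else:
        verdict = ("VPN queries arrive and match host overrides: "
                   "check the resolver's access list and the answers it returns")

    return {
        "vpn_queries": len(from_vpn),
        "lan_queries": len(from_lan),
        "unknown_names": unknown,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Assumed values: mobile client pool 10.10.10.0/24, LAN 192.168.1.0/24.
    result = triage(SAMPLE_LOG, "10.10.10.0/24", "192.168.1.0/24",
                    ["nas.home.arpa", "printer.home.arpa"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

If the VPN pool never appears in the log, the fix lives on the client side (the DNS server pushed to the phone, and whether that server's address is reachable through the tunnel); if queries do appear, the resolver's access list for the pool and the host overrides are the next things to look at.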
-