IPsec on Windows Mobile

Raul Ramos

Can't connect with windows phone 8.1 (Lumia 820).

I see no one put config information i put mine:

Phase 1:
General

• Key Exchange version: v2
• Internet protocol: ipv4
• Interface: WAN
  Phase 1 proposal
• Authentication method: Mutual PSK
• Negotiation mode: Main
• My identifier: Distinguished name: allusers (i tested with admin)
• Encryption algorithm: AES 128
• Hash algorithm: SHA256
• DH key group: 2(1024)
  Advanced Options
• NAT Traversal : enable (i tried disable  )

Phase 2 (for WP8.1 ESP is needed i think)

• mode: Tunnel ipv4 (i use mobile settings, transport dose't work)
  Phase 2 proposa
• Protocol: ESP
• Encryption algorithms: AES auto (tried 128/256), 3DES
• Hash algorithms:  SHA256, SHA384, SHA512
• PFS key group: 2 (1024bit)(tried off)

Mobile Clients:

• User Authentication: Local DB
• Group Authentication: System (tried none)
• Virtual Address Pool: 10.0.1.0/24
• Network List: check
    -Phase2 PFS Group: off (tried 2 1024bit)

Restart servicelogs:

May 16 14:38:40	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
May 16 14:38:40	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May 16 14:38:40	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May 16 14:38:40	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May 16 14:38:40	charon: 16[CFG] loaded ca certificate "C=PT, ST=Tr?s-os-Montes, L=xxxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca" from '/var/etc/ipsec/ipsec.d/cacerts/dcef2970.0'
May 16 14:38:40	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May 16 14:38:40	charon: 16[CFG] loaded IKE secret for ripmaisum@gmail.com
May 16 14:38:40	charon: 16[CFG] loaded IKE secret for csharemu.no-ip.org
May 16 14:38:40	charon: 16[CFG] loaded IKE secret for allusers
May 16 14:38:40	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'

Trying connection logs

May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[4500] to 87.103.xxxx[4781] (72 bytes)
May 16 17:40:02	charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer supports MOBIKE
May 16 17:40:02	charon: 10[IKE] peer supports MOBIKE
May 16 17:40:02	charon: 10[CFG] no alternative config found
May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
May 16 17:40:02	charon: 10[IKE] peer requested EAP, config inacceptable
May 16 17:40:02	charon: 10[CFG] selected peer config 'con1-1'
May 16 17:40:02	charon: 10[CFG] looking for peer configs matching 2.80.xx.xx[%any]...87.103.xx.xx[10.64.47.23]
May 16 17:40:02	charon: 10[IKE] <100> received 35 cert requests for an unknown ca
May 16 17:40:02	charon: 10[IKE] received 35 cert requests for an unknown ca
May 16 17:40:02	charon: 10[IKE] <100> received cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02	charon: 10[IKE] received cert request for "C=PT, ST=Tr?s-os-Montes, L=Chaves, O=Ramos Lda, E=xxxxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02	charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 16 17:40:02	charon: 10[NET] received packet: from 87.103.xx.xx[4781] to 2.80.xx.1xx[4500] (1048 bytes)
May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[500] to 87.103.xx.xx[4770] (333 bytes)
May 16 17:40:02	charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 16 17:40:02	charon: 10[IKE] <100> sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02	charon: 10[IKE] sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxxxxxx, O=Ramos Lda, E=xxxxxxxxx@outlook.com, CN=Vpn-ca"
May 16 17:40:02	charon: 10[IKE] <100> remote host is behind NAT
May 16 17:40:02	charon: 10[IKE] remote host is behind NAT
May 16 17:40:02	charon: 10[IKE] <100> 87.103.xx.xx is initiating an IKE_SA
May 16 17:40:02	charon: 10[IKE] 87.103.xx.xx is initiating an IKE_SA
May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:xx:18:xx:ab:9a:xx:5b:xx:51:00:00:00:02
May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 26:xx:4d:38:xx:db:xx:b3:17:xx:36xx:d0:xx:b8:xx
May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: fb:1d:xx:cd:xx:41:xx:ea:xx:b7:xx:bexx:55:xx:20
May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 1e:xx:51:xx:05:xx:1c:xx:7c:xx:fc:bf:xx:87:xx:61:00:00:00:xx
May 16 17:40:02	charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]</con1-1|100></con1-1|100>

This is  too early for Windows Phone 8.1 and is not a final version but was worth a try, i read that authentication with WP8.1 is not easy.

Thanks

jimp

Are those logs in reverse or forward order? It looks reverse.

From the logs it appears that the phone wants EAP which we don't have yet AFAIK.

Raul Ramos

In reverse order.

I see the EAP need, i don't know if is in the box.

The propose is provide information. I can test this scenario.

Thanks

M0nty

Have you tryed pfsense 2.2 "Beta" with better IKEv2 support?

dstroot

@M0nty > "Have you tryed pfsense 2.2 "Beta" with better IKEv2 support?"

I think this is the 2.2 snapshot and feedback forum  :o

M0nty

Oh.  ::)

@mais_um: Does it work with the newest snapshot?