Netgate Discussion Forum

    IPsec on Windows Mobile

    2.2 Snapshot Feedback and Problems - RETIRED
    • Raul Ramos

      Can't connect with Windows Phone 8.1 (Lumia 820).

      I see no one has posted config information, so I'll post mine:

      Phase 1:
      General

      • Key Exchange version: v2
      • Internet protocol: ipv4
      • Interface: WAN
        Phase 1 proposal
      • Authentication method: Mutual PSK
      • Negotiation mode: Main
      • My identifier: Distinguished name: allusers (I tested with admin)
      • Encryption algorithm: AES 128
      • Hash algorithm: SHA256
      • DH key group: 2(1024)
        Advanced Options
      • NAT Traversal: enable (I tried disable)

      Phase 2 (for WP8.1 ESP is needed, I think)

      • mode: Tunnel ipv4 (I use mobile settings, transport doesn't work)
        Phase 2 proposal
      • Protocol: ESP
      • Encryption algorithms: AES auto (tried 128/256), 3DES
      • Hash algorithms:  SHA256, SHA384, SHA512
      • PFS key group: 2 (1024bit)(tried off)

      Mobile Clients:

      • User Authentication: Local DB
      • Group Authentication: System (tried none)
      • Virtual Address Pool: 10.0.1.0/24
      • Network List: check
          -Phase2 PFS Group: off (tried 2 1024bit)

      Restart service logs:

      May 16 14:38:40	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
      May 16 14:38:40	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
      May 16 14:38:40	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
      May 16 14:38:40	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
      May 16 14:38:40	charon: 16[CFG] loaded ca certificate "C=PT, ST=Tr?s-os-Montes, L=xxxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca" from '/var/etc/ipsec/ipsec.d/cacerts/dcef2970.0'
      May 16 14:38:40	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
      May 16 14:38:40	charon: 16[CFG] loaded IKE secret for ripmaisum@gmail.com
      May 16 14:38:40	charon: 16[CFG] loaded IKE secret for csharemu.no-ip.org
      May 16 14:38:40	charon: 16[CFG] loaded IKE secret for allusers
      May 16 14:38:40	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      
      

      Trying connection logs

      May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[4500] to 87.103.xxxx[4781] (72 bytes)
      May 16 17:40:02	charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer supports MOBIKE
      May 16 17:40:02	charon: 10[IKE] peer supports MOBIKE
      May 16 17:40:02	charon: 10[CFG] no alternative config found
      May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
      May 16 17:40:02	charon: 10[IKE] peer requested EAP, config inacceptable
      May 16 17:40:02	charon: 10[CFG] selected peer config 'con1-1'
      May 16 17:40:02	charon: 10[CFG] looking for peer configs matching 2.80.xx.xx[%any]...87.103.xx.xx[10.64.47.23]
      May 16 17:40:02	charon: 10[IKE] <100> received 35 cert requests for an unknown ca
      May 16 17:40:02	charon: 10[IKE] received 35 cert requests for an unknown ca
      May 16 17:40:02	charon: 10[IKE] <100> received cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
      May 16 17:40:02	charon: 10[IKE] received cert request for "C=PT, ST=Tr?s-os-Montes, L=Chaves, O=Ramos Lda, E=xxxxxxxxxx@outlook.com, CN=Vpn-ca"
      May 16 17:40:02	charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
      May 16 17:40:02	charon: 10[NET] received packet: from 87.103.xx.xx[4781] to 2.80.xx.1xx[4500] (1048 bytes)
      May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[500] to 87.103.xx.xx[4770] (333 bytes)
      May 16 17:40:02	charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
      May 16 17:40:02	charon: 10[IKE] <100> sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
      May 16 17:40:02	charon: 10[IKE] sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxxxxxx, O=Ramos Lda, E=xxxxxxxxx@outlook.com, CN=Vpn-ca"
      May 16 17:40:02	charon: 10[IKE] <100> remote host is behind NAT
      May 16 17:40:02	charon: 10[IKE] remote host is behind NAT
      May 16 17:40:02	charon: 10[IKE] <100> 87.103.xx.xx is initiating an IKE_SA
      May 16 17:40:02	charon: 10[IKE] 87.103.xx.xx is initiating an IKE_SA
      May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:xx:18:xx:ab:9a:xx:5b:xx:51:00:00:00:02
      May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 26:xx:4d:38:xx:db:xx:b3:17:xx:36xx:d0:xx:b8:xx
      May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: fb:1d:xx:cd:xx:41:xx:ea:xx:b7:xx:bexx:55:xx:20
      May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 1e:xx:51:xx:05:xx:1c:xx:7c:xx:fc:bf:xx:87:xx:61:00:00:00:xx
      May 16 17:40:02	charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
      

      This is too early for Windows Phone 8.1 and it is not a final version, but it was worth a try. I read that authentication with WP8.1 is not easy.

      Thanks

      pfSense:
      ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
      Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
      NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

      • jimp Rebel Alliance Developer Netgate

        Are those logs in reverse or forward order? It looks reverse.

        From the logs it appears that the phone wants EAP which we don't have yet AFAIK.

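An added example, not part of the original posts: a small Python script that restores the chronological order of a newest-first charon excerpt like the one above and flags the condition jimp points out. It relies on the IKEv2 rule (RFC 7296, section 2.16) that an initiator asks for EAP by omitting the AUTH payload from its first IKE_AUTH request; the sample log is constructed from lines quoted in the thread, and all function names are hypothetical.

```python
import re

# Constructed sample built from charon lines quoted in the thread (NET lines and
# addresses left out). Newest line first, exactly as the log was posted.
SAMPLE_LOG = """\
May 16 17:40:02 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 16 17:40:02 charon: 10[IKE] peer requested EAP, config inacceptable
May 16 17:40:02 charon: 10[CFG] selected peer config 'con1-1'
May 16 17:40:02 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
May 16 17:40:02 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 16 17:40:02 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
"""

MSG_RE = re.compile(r"\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[ (.*) \]")

def payloads(body):
    """Split a charon payload list, keeping 'CPRQ(ADDR DNS)' as one token."""
    return re.findall(r"[\w-]+(?:\([^)]*\))?", body)

def exchanges(log_text, newest_first=True):
    """Return IKE messages in chronological order as (dir, exchange, kind, id, payloads)."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        # All lines share one timestamp, so sorting cannot help; reverse instead.
        lines.reverse()
    out = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            direction, exch, kind, mid, body = m.groups()
            out.append((direction, exch, kind, int(mid), payloads(body)))
    return out

def diagnose(log_text, newest_first=True):
    """Hypothetical helper: explain why IKE_AUTH failed, based on payloads seen."""
    findings = []
    for direction, exch, kind, mid, pl in exchanges(log_text, newest_first):
        first_auth = (direction, exch, kind, mid) == ("parsed", "IKE_AUTH", "request", 1)
        if first_auth and "AUTH" not in pl:
            findings.append("initiator sent no AUTH payload: it is asking for EAP")
        if direction == "generating" and "N(AUTH_FAILED)" in pl:
            findings.append("responder rejected IKE_AUTH with AUTH_FAILED")
    if "peer requested EAP, config inacceptable" in log_text:
        findings.append("selected config offers no EAP method (e.g. Mutual PSK only)")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```
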
        • Raul Ramos

          In reverse order.

          I see the EAP need; I don't know if it is in the box.

          The purpose is to provide information. I can test this scenario.

          Thanks

          • M0nty

            Have you tried pfSense 2.2 "Beta" with better IKEv2 support?

            • dstroot

              @M0nty > "Have you tried pfSense 2.2 "Beta" with better IKEv2 support?"

              I think this is the 2.2 snapshot and feedback forum  :o

              • M0nty

                Oh.  ::)

                @mais_um: Does it work with the newest snapshot?
