IPsec on Windows Mobile



  • Can't connect with Windows Phone 8.1 (Lumia 820).

    I see no one put config information; I put mine:

    Phase 1:
    General

    • Key Exchange version: v2
    • Internet protocol: ipv4
    • Interface: WAN
      Phase 1 proposal
    • Authentication method: Mutual PSK
    • Negotiation mode: Main
    • My identifier: Distinguished name: allusers (I tested with admin)
    • Encryption algorithm: AES 128
    • Hash algorithm: SHA256
    • DH key group: 2(1024)
      Advanced Options
    • NAT Traversal: enable (I tried disable)

    Phase 2 (for WP8.1 ESP is needed, I think)

    • mode: Tunnel ipv4 (I use mobile settings, transport doesn't work)
      Phase 2 proposal
    • Protocol: ESP
    • Encryption algorithms: AES auto (tried 128/256), 3DES
    • Hash algorithms:  SHA256, SHA384, SHA512
    • PFS key group: 2 (1024bit)(tried off)

    Mobile Clients:

    • User Authentication: Local DB
    • Group Authentication: System (tried none)
    • Virtual Address Pool: 10.0.1.0/24
    • Network List: check
        - Phase 2 PFS Group: off (tried 2 1024bit)

    Restart service logs:

    May 16 14:38:40	charon: 16[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    May 16 14:38:40	charon: 16[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    May 16 14:38:40	charon: 16[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    May 16 14:38:40	charon: 16[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    May 16 14:38:40	charon: 16[CFG] loaded ca certificate "C=PT, ST=Tr?s-os-Montes, L=xxxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca" from '/var/etc/ipsec/ipsec.d/cacerts/dcef2970.0'
    May 16 14:38:40	charon: 16[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    May 16 14:38:40	charon: 16[CFG] loaded IKE secret for ripmaisum@gmail.com
    May 16 14:38:40	charon: 16[CFG] loaded IKE secret for csharemu.no-ip.org
    May 16 14:38:40	charon: 16[CFG] loaded IKE secret for allusers
    May 16 14:38:40	charon: 16[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    
    

    Trying connection logs

    May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[4500] to 87.103.xxxx[4781] (72 bytes)
    May 16 17:40:02	charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer supports MOBIKE
    May 16 17:40:02	charon: 10[IKE] peer supports MOBIKE
    May 16 17:40:02	charon: 10[CFG] no alternative config found
    May 16 17:40:02	charon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
    May 16 17:40:02	charon: 10[IKE] peer requested EAP, config inacceptable
    May 16 17:40:02	charon: 10[CFG] selected peer config 'con1-1'
    May 16 17:40:02	charon: 10[CFG] looking for peer configs matching 2.80.xx.xx[%any]...87.103.xx.xx[10.64.47.23]
    May 16 17:40:02	charon: 10[IKE] <100> received 35 cert requests for an unknown ca
    May 16 17:40:02	charon: 10[IKE] received 35 cert requests for an unknown ca
    May 16 17:40:02	charon: 10[IKE] <100> received cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
    May 16 17:40:02	charon: 10[IKE] received cert request for "C=PT, ST=Tr?s-os-Montes, L=Chaves, O=Ramos Lda, E=xxxxxxxxxx@outlook.com, CN=Vpn-ca"
    May 16 17:40:02	charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    May 16 17:40:02	charon: 10[NET] received packet: from 87.103.xx.xx[4781] to 2.80.xx.1xx[4500] (1048 bytes)
    May 16 17:40:02	charon: 10[NET] sending packet: from 2.80.xx.xx[500] to 87.103.xx.xx[4770] (333 bytes)
    May 16 17:40:02	charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    May 16 17:40:02	charon: 10[IKE] <100> sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxx, O=Ramos Lda, E=xxxxxxxx@outlook.com, CN=Vpn-ca"
    May 16 17:40:02	charon: 10[IKE] sending cert request for "C=PT, ST=Tr?s-os-Montes, L=xxxxxxxxxx, O=Ramos Lda, E=xxxxxxxxx@outlook.com, CN=Vpn-ca"
    May 16 17:40:02	charon: 10[IKE] <100> remote host is behind NAT
    May 16 17:40:02	charon: 10[IKE] remote host is behind NAT
    May 16 17:40:02	charon: 10[IKE] <100> 87.103.xx.xx is initiating an IKE_SA
    May 16 17:40:02	charon: 10[IKE] 87.103.xx.xx is initiating an IKE_SA
    May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:xx:18:xx:ab:9a:xx:5b:xx:51:00:00:00:02
    May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 26:xx:4d:38:xx:db:xx:b3:17:xx:36xx:d0:xx:b8:xx
    May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: fb:1d:xx:cd:xx:41:xx:ea:xx:b7:xx:bexx:55:xx:20
    May 16 17:40:02	charon: 10[ENC] received unknown vendor ID: 1e:xx:51:xx:05:xx:1c:xx:7c:xx:fc:bf:xx:87:xx:61:00:00:00:xx
    May 16 17:40:02	charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    

    This is too early for Windows Phone 8.1, and it is not a final version, but it was worth a try; I read that authentication with WP8.1 is not easy.

    Thanks
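As an added example (not from the original post or from pfSense/strongSwan), a small Python helper that puts the reverse-ordered charon lines back into chronological order and explains the IKE_AUTH failure; the sample lines are constructed after the ones above with placeholder addresses.

```python
import re

# Constructed sample, modelled on the newest-first charon lines in the post (placeholder IPs).
SAMPLE_LOG = """\
May 16 17:40:02\tcharon: 10[NET] sending packet: from 2.80.0.1[4500] to 87.103.0.2[4781] (72 bytes)
May 16 17:40:02\tcharon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 16 17:40:02\tcharon: 10[IKE] <con1-1|100> peer supports MOBIKE
May 16 17:40:02\tcharon: 10[CFG] no alternative config found
May 16 17:40:02\tcharon: 10[IKE] <con1-1|100> peer requested EAP, config inacceptable
May 16 17:40:02\tcharon: 10[CFG] selected peer config 'con1-1'
May 16 17:40:02\tcharon: 10[IKE] <100> received 35 cert requests for an unknown ca
May 16 17:40:02\tcharon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
May 16 17:40:02\tcharon: 10[IKE] <100> remote host is behind NAT
May 16 17:40:02\tcharon: 10[IKE] <100> 87.103.0.2 is initiating an IKE_SA
May 16 17:40:02\tcharon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
"""

# "<timestamp>\tcharon: <thread>[<subsystem>] [<ike-sa name|id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$"
)


def parse_charon(text, newest_first=True):
    """Return parsed records oldest-first; pfSense's log view lists them newest-first."""
    records = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return list(reversed(records)) if newest_first else records


def diagnose(records, server_auth="Mutual PSK"):
    """Walk the exchange in order and collect the facts that explain the AUTH_FAILED reply."""
    findings = []
    exchanges = [r["msg"].split()[1] for r in records if r["msg"].startswith("parsed IKE_")]
    for r in records:
        msg = r["msg"]
        if "behind NAT" in msg:
            findings.append("NAT-T in use: keep NAT Traversal enabled and UDP/4500 reachable")
        if m := re.match(r"received (\d+) cert requests for an unknown ca", msg):
            findings.append(f"client sent {m.group(1)} CERTREQs for CAs the server does not hold (informational)")
        if "peer requested EAP" in msg:
            findings.append(f"client insists on EAP, server peer config offers {server_auth}: no matching config")
        if "N(AUTH_FAILED)" in msg:
            findings.append("server answered IKE_AUTH with AUTH_FAILED")
    return {"exchanges": exchanges, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(parse_charon(SAMPLE_LOG))["findings"]:
        print(line)
```

The EAP finding is the decisive one: everything before it (NAT detection, IKE_SA_INIT, cert requests) succeeded, and the failure is a pure authentication-method mismatch.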


  • Rebel Alliance Developer Netgate

    Are those logs in reverse or forward order? It looks reverse.

    From the logs it appears that the phone wants EAP which we don't have yet AFAIK.



  • In reverse order.

    I see the EAP need; I don't know if it is in the box.

    The purpose is to provide information. I can test this scenario.

    Thanks



  • Have you tried pfSense 2.2 "Beta" with better IKEv2 support?



  • @M0nty > "Have you tried pfSense 2.2 "Beta" with better IKEv2 support?"

    I think this is the 2.2 snapshot and feedback forum :o



  • Oh.  ::)

    @mais_um: Does it work with the newest snapshot?

