IKEv2 on Windows Phone 8.1 Help



  • I read and followed all the guides that I found for the configuration of IKEv2 on pfSense. But I failed every time! I just need a little help. I want an answer from anyone who manages to connect to an IKEv2 VPN on his/her Windows Phone 8.1! I need the extra information that is needed for the Windows Phone IKEv2 VPN client connection! E.g. which cert do I need to download, or none? Must I create an IKE username/password and use this method to sign in? Please link me some helpful guides or thoughts.



  • Hello,

    The guide at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 is the one to follow. Also, https://forum.pfsense.org/index.php?topic=81657 might be a good thread to get some more details on the matter, although the guide should be pretty definitive.

    One thing that is not considered in the guide is that certificates downloaded from pfSense (.crt) don't work with WP8.1. Instead, they have to be converted to .cer. This can be done in the following way: download a cert to a Windows PC and click to open it (just click Open in the Security Warning). In the Details tab click Copy to File…. Click Next. Select Base-64 encoded X.509 (.CER) and click Next. Save the cert to some location and finally click Finish. Do this for both of the certs. Move them to your WP8.1 phone using OneDrive, email, or whatever you prefer and open them on your phone. This will install the certs and allow WP8.1 to trust your pfSense box to connect over IPsec.

    On the phone in VPN settings, select IKEv2 and Username + password.



  • Notice that if you enter a User name in WP 8.1, it adds the device name to it, like "Windows Phone L\Klaus". You need to include that in your pfSense config too.
    Because you can't enter something containing a backslash in pfSense's PSKs section, I managed to make it work by including an "@" sign, like "Klaus@Klaus". Then WP doesn't prefix its device name and pfSense is happy too.



  • I still have no luck.
    Followed the mentioned tutorial https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2, then again tried to install the CA.cer from pfSense as mentioned above (export to Base-64 .cer in Windows). I did the import before by just renaming .crt to .cer, which seemed to work.

    But now I'm stuck. Windows Phone (Lumia 1520, which means currently no 8.1, so IKEv2 is still the only possibility) just says in Details "unable to connect to VPN…", error 13801.
    But in PFSense IPSec Log I see much activity in this short time:

    
    Jan 29 10:20:14 	charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jan 29 10:20:14 	charon: 09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    Jan 29 10:20:14 	charon: 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Jan 29 10:20:14 	charon: 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Jan 29 10:20:14 	charon: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jan 29 10:20:14 	charon: 09[IKE] <105> 77.58.2.224 is initiating an IKE_SA
    Jan 29 10:20:14 	charon: 09[IKE] 77.58.2.224 is initiating an IKE_SA
    Jan 29 10:20:14 	charon: 09[IKE] <105> remote host is behind NAT
    Jan 29 10:20:14 	charon: 09[IKE] remote host is behind NAT
    Jan 29 10:20:14 	charon: 09[IKE] <105> sending cert request for "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=internal-ca"
    Jan 29 10:20:14 	charon: 09[IKE] sending cert request for "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=internal-ca"
    Jan 29 10:20:14 	charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jan 29 10:20:14 	charon: 09[NET] sending packet: from 212.51.144.233[500] to 77.58.2.224[500] (337 bytes)
    Jan 29 10:20:14 	charon: 09[NET] received packet: from 77.58.2.224[4500] to 212.51.144.233[4500] (944 bytes)
    Jan 29 10:20:14 	charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jan 29 10:20:14 	charon: 09[IKE] <105> received cert request for "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=internal-ca"
    Jan 29 10:20:14 	charon: 09[IKE] received cert request for "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=internal-ca"
    Jan 29 10:20:14 	charon: 09[IKE] <105> received 29 cert requests for an unknown ca
    Jan 29 10:20:14 	charon: 09[IKE] received 29 cert requests for an unknown ca
    Jan 29 10:20:14 	charon: 09[CFG] looking for peer configs matching 212.51.144.233[%any]...77.58.2.224[192.168.111.109]
    Jan 29 10:20:14 	charon: 09[CFG] selected peer config 'con3'
    Jan 29 10:20:14 	charon: 09[IKE] <con3|105>initiating EAP_IDENTITY method (id 0x00)
    Jan 29 10:20:14 	charon: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
    Jan 29 10:20:14 	charon: 09[IKE] <con3|105>peer supports MOBIKE
    Jan 29 10:20:14 	charon: 09[IKE] peer supports MOBIKE
    Jan 29 10:20:14 	charon: 09[IKE] <con3|105>authentication of 'C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=b.fw.xwave.ch' (myself) with RSA signature successful
    Jan 29 10:20:14 	charon: 09[IKE] authentication of 'C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=b.fw.xwave.ch' (myself) with RSA signature successful
    Jan 29 10:20:14 	charon: 09[IKE] <con3|105>sending end entity cert "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=b.fw.xwave.ch"
    Jan 29 10:20:14 	charon: 09[IKE] sending end entity cert "C=CH, ST=Zuerich, L=Zuerich, O=Xwave GmbH, E=support@xwave.ch, CN=b.fw.xwave.ch"
    Jan 29 10:20:14 	charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jan 29 10:20:14 	charon: 09[NET] sending packet: from 212.51.144.233[4500] to 77.58.2.224[4500] (1728 bytes)
    

    I don't even see it getting to the point of submitting the login. I'm using just the identifier and Pre-Shared Key (EAP) from the Pre-Shared Keys table as username and password, right? Or does it still have something to do with the system users?



  • This is how I made it connect. However, I'm suffering other IPsec problems, so I disabled it again.

    Here is my log:

    
    Jan 29 14:58:02 	charon: 06[IKE] peer supports MOBIKE
    Jan 29 14:58:02 	charon: 06[IKE] <con2|8>authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with RSA signature successful
    Jan 29 14:58:02 	charon: 06[IKE] authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with RSA signature successful
    Jan 29 14:58:02 	charon: 06[IKE] <con2|8>sending end entity cert "C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com"
    Jan 29 14:58:02 	charon: 06[IKE] sending end entity cert "C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com"
    Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (1692 bytes)
    Jan 29 14:58:02 	charon: 06[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (92 bytes)
    Jan 29 14:58:02 	charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Jan 29 14:58:02 	charon: 06[IKE] <con2|8>received EAP identity 'Joel@Joel'
    Jan 29 14:58:02 	charon: 06[IKE] received EAP identity 'Joel@Joel'
    Jan 29 14:58:02 	charon: 06[IKE] <con2|8>initiating EAP_MSCHAPV2 method (id 0xA7)
    Jan 29 14:58:02 	charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0xA7)
    Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (108 bytes)
    Jan 29 14:58:02 	charon: 06[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (140 bytes)
    Jan 29 14:58:02 	charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Jan 29 14:58:02 	charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Jan 29 14:58:02 	charon: 06[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (140 bytes)
    Jan 29 14:58:02 	charon: 13[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (76 bytes)
    Jan 29 14:58:02 	charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>EAP method EAP_MSCHAPV2 succeeded, MSK established
    Jan 29 14:58:02 	charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
    Jan 29 14:58:02 	charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
    Jan 29 14:58:02 	charon: 13[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (76 bytes)
    Jan 29 14:58:02 	charon: 13[NET] received packet: from 80.187.xxx.xxx[26972] to 84.119.xxx.xxx[4500] (92 bytes)
    Jan 29 14:58:02 	charon: 13[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>authentication of '10.44.235.13' with EAP successful
    Jan 29 14:58:02 	charon: 13[IKE] authentication of '10.44.235.13' with EAP successful
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with EAP
    Jan 29 14:58:02 	charon: 13[IKE] authentication of 'C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com' (myself) with EAP
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>IKE_SA con2[8] established between 84.119.xxx.xxx[C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com]...80.187.xxx.xxx[10.44.235.13]
    Jan 29 14:58:02 	charon: 13[IKE] IKE_SA con2[8] established between 84.119.xxx.xxx[C=US, ST=NRW, L=Lennestadt, O=Linn, E=mail@domain.com, CN=vpn.domain.com]...80.187.xxx.xxx[10.44.235.13]
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>scheduling reauthentication in 27974s
    Jan 29 14:58:02 	charon: 13[IKE] scheduling reauthentication in 27974s
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>maximum IKE_SA lifetime 28514s
    Jan 29 14:58:02 	charon: 13[IKE] maximum IKE_SA lifetime 28514s
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>peer requested virtual IP %any
    Jan 29 14:58:02 	charon: 13[IKE] peer requested virtual IP %any
    Jan 29 14:58:02 	charon: 13[CFG] assigning new lease to 'Joel@Joel'
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>assigning virtual IP 172.19.20.1 to peer 'Joel@Joel'
    Jan 29 14:58:02 	charon: 13[IKE] assigning virtual IP 172.19.20.1 to peer 'Joel@Joel'
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>peer requested virtual IP %any6
    Jan 29 14:58:02 	charon: 13[IKE] peer requested virtual IP %any6
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>no virtual IP found for %any6 requested by 'Joel@Joel'
    Jan 29 14:58:02 	charon: 13[IKE] no virtual IP found for %any6 requested by 'Joel@Joel'
    Jan 29 14:58:02 	charon: 13[IKE] <con2|8>CHILD_SA con2{2} established with SPIs c6229f08_i 187bb69e_o and TS 10.50.0.0/16|/0 === 172.19.20.0/24|/0
    Jan 29 14:58:02 	charon: 13[IKE] CHILD_SA con2{2} established with SPIs c6229f08_i 187bb69e_o and TS 10.50.0.0/16|/0 === 172.19.20.0/24|/0
    Jan 29 14:58:02 	charon: 13[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR SUBNET DNS U_SPLITINC U_DEFDOM U_SPLITDNS U_BANNER) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
    Jan 29 14:58:02 	charon: 13[NET] sending packet: from 84.119.xxx.xxx[4500] to 80.187.xxx.xxx[26972] (332 bytes)
    

  • JoelLinn

    Got the same config working on a Lumia 930 (Denim update, this could make some difference).

    The only difference: I selected 256 in the Phase 2 proposal (SA/Key Ex…); you have auto.

    About certificates: I only needed to load and run the server certificate downloaded as .p12.

    The CA.crt is on the phone but never loaded.

    For Windows 7 the following video helped me a lot:

    https://www.youtube.com/watch?v=UCgKB_FbVOw

    Please advise me if somebody thinks I've done something that compromises security.



  • martin879

    Based on error 13801 and your logs (freezing at sending the IKE_AUTH packet), I'm quite confident that the problem is in the certificates. I had exactly the same issue when I had the wrong kind of server certificate (the one selected in Phase 1). Are you sure that its type is Server Certificate? Also, are you sure that you have pfSense's DNS name and/or IP address (whichever you are using to connect) in the certificate's Common Name or Alternative Name?



  • Hey Guys,

    I tried everything, but it won't work.

    I use a Nokia Lumia 930 and installed all certs. What is wrong?

    Can anybody help?

    
    Feb 9 10:07:59	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:07:59	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Feb 9 10:07:59	charon: 08[IKE] <380> 80.187.108.XXX is initiating an IKE_SA
    Feb 9 10:07:59	charon: 08[IKE] 80.187.108.XXX is initiating an IKE_SA
    Feb 9 10:07:59	charon: 08[IKE] <380> remote host is behind NAT
    Feb 9 10:07:59	charon: 08[IKE] remote host is behind NAT
    Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
    Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
    Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
    Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
    Feb 9 10:07:59	charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Feb 9 10:07:59	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    Feb 9 10:08:00	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:08:00	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:08:00	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:00	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:00	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    Feb 9 10:08:01	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:08:01	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:08:01	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:01	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:01	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    
    

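    The three log excerpts in this thread show three distinct outcomes: a client that goes silent right after IKE_AUTH response 1 (error 13801), a run that gets through EAP_MSCHAPV2 and receives a virtual IP, and a client that keeps retransmitting IKE_SA_INIT because it never sees the response. The script below is an added example, not code from the thread, pfSense or strongSwan: it parses charon lines in the format pasted above, folds the duplicate copy pfSense writes for each tagged message, and reports how far the handshake got and what that usually points to. The log text inside it is constructed with documentation IPs, and the stage names and finding strings are this example's own.

```python
"""Triage of strongSwan (charon) IKEv2 log excerpts as pfSense pastes them.
Added example: stage names and finding texts are this script's own."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+"
    r"(?:<[^>]*>\s*)?(?P<msg>.*\S)\s*$"      # optional <con|id> tag before the message
)

# Ordered from furthest to earliest; the first hit is how far the SA got.
STAGES = [
    ("established",  re.compile(r"IKE_SA \S+ established")),
    ("eap_success",  re.compile(r"EAP method \S+ succeeded")),
    ("eap_identity", re.compile(r"received EAP identity")),
    ("ike_auth",     re.compile(r"parsed IKE_AUTH request")),
    ("ike_sa_init",  re.compile(r"parsed IKE_SA_INIT request")),
]


def parse_charon(text):
    """Parse lines; pfSense logs every tagged message twice (with and without
    the <con|id> prefix), so identical messages are folded into one event."""
    seen, events = set(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["ts"], m["thread"], m["sub"], m["msg"])
        if key not in seen:
            seen.add(key)
            events.append(m.groupdict())
    return events


def triage(text):
    """Summarise one connection attempt: stage reached plus likely cause."""
    msgs = [e["msg"] for e in parse_charon(text)]

    def first(pattern):
        for m in msgs:
            hit = re.search(pattern, m)
            if hit:
                return hit.group(1)
        return None

    stage = next((n for n, p in STAGES if any(p.search(m) for m in msgs)), "none")
    retransmits = sum("received retransmit of request with ID 0" in m for m in msgs)
    unknown_ca = int(first(r"received (\d+) cert requests for an unknown ca") or 0)
    virtual_ip = first(r"assigning virtual IP (\S+) to peer")
    last = msgs[-1] if msgs else ""
    findings = []
    if stage == "ike_sa_init" and retransmits:
        findings.append("client retransmits IKE_SA_INIT: our response is not reaching it; "
                        "check WAN rules/NAT for UDP 500 and 4500 (and ESP)")
    if stage == "ike_auth" and last.startswith("sending packet"):
        findings.append("client went silent after IKE_AUTH response 1 (our cert + EAP/REQ/ID): "
                        "it rejected the server certificate (Windows error 13801); "
                        "check cert type, CN/SAN and that the CA is installed on the phone")
    if unknown_ca:
        findings.append(f"client sent CERTREQs for {unknown_ca} CAs we do not hold (expected from Windows)")
    if stage == "established" and not virtual_ip:
        findings.append("IKE_SA up but no virtual IP assigned: check the mobile client pool")
    return {"stage": stage, "peer": first(r"^(\S+) is initiating an IKE_SA"),
            "init_retransmits": retransmits, "unknown_ca_certreqs": unknown_ca,
            "eap_identity": first(r"received EAP identity '([^']*)'"),
            "virtual_ip": virtual_ip, "findings": findings}


# Constructed excerpts (documentation IPs) mirroring the three outcomes in the thread.
STUCK_AT_AUTH = """
Jan 29 10:20:14 charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 29 10:20:14 charon: 09[IKE] <105> 198.51.100.20 is initiating an IKE_SA
Jan 29 10:20:14 charon: 09[IKE] 198.51.100.20 is initiating an IKE_SA
Jan 29 10:20:14 charon: 09[NET] sending packet: from 203.0.113.1[500] to 198.51.100.20[500] (337 bytes)
Jan 29 10:20:14 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
Jan 29 10:20:14 charon: 09[IKE] <105> received 29 cert requests for an unknown ca
Jan 29 10:20:14 charon: 09[IKE] received 29 cert requests for an unknown ca
Jan 29 10:20:14 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 29 10:20:14 charon: 09[NET] sending packet: from 203.0.113.1[4500] to 198.51.100.20[4500] (1728 bytes)
"""
INIT_RETRANSMITS = """
Feb 9 10:07:59 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 9 10:07:59 charon: 08[IKE] <380> remote host is behind NAT
Feb 9 10:07:59 charon: 08[NET] sending packet: from 203.0.113.1[500] to 198.51.100.20[500] (357 bytes)
Feb 9 10:08:00 charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
Feb 9 10:08:00 charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
Feb 9 10:08:00 charon: 08[NET] sending packet: from 203.0.113.1[500] to 198.51.100.20[500] (357 bytes)
Feb 9 10:08:01 charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
Feb 9 10:08:01 charon: 08[NET] sending packet: from 203.0.113.1[500] to 198.51.100.20[500] (357 bytes)
"""
SUCCESS = """
Jan 29 14:58:02 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 29 14:58:02 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
Jan 29 14:58:02 charon: 06[IKE] <con2|8>received EAP identity 'user@user'
Jan 29 14:58:02 charon: 06[IKE] received EAP identity 'user@user'
Jan 29 14:58:02 charon: 13[IKE] <con2|8>EAP method EAP_MSCHAPV2 succeeded, MSK established
Jan 29 14:58:02 charon: 13[IKE] <con2|8>IKE_SA con2[8] established between 203.0.113.1[CN=vpn.example.test]...198.51.100.20[10.44.235.13]
Jan 29 14:58:02 charon: 13[IKE] <con2|8>assigning virtual IP 172.19.20.1 to peer 'user@user'
"""

if __name__ == "__main__":
    for name, log in [("stuck", STUCK_AT_AUTH), ("retransmit", INIT_RETRANSMITS), ("ok", SUCCESS)]:
        print(name, triage(log))
```

    Paste a pfSense IPsec log excerpt in place of one of the constants (or read it from a file) and look at `stage` first: "ike_sa_init" with retransmits is a path problem between phone and firewall, "ike_auth" ending on a sent packet is the certificate problem discussed in this thread, and anything from "eap_identity" onward means the phone trusted the server and the remaining issues are credentials or address pool.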

  • I am, admittedly, an amateur when it comes to this stuff, and am having several problems of my own, and this is one of them.

    The cert and CA I am using was generated by the cert manager, on the cert I provided a common name and added the public IP as an alternative name.

    What I am finding is that various clients, Windows and Windows Phone, are rejecting the cert because the SAN doesn't match, almost as if the SAN is being ignored.

    On other Windows devices, if I make a hosts file entry for a host name to match the public IP, and create a cert using that hostname, the Windows devices will connect, but not Windows Phone devices (there is no hosts file).

    (hope I made some sense here)

    @AKFI:

    Hey Guys,

    I tried everything, but it won't work.

    I use a Nokia Lumia 930 and installed all certs. What is wrong?

    Can anybody help?

    
    Feb 9 10:07:59	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:07:59	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Feb 9 10:07:59	charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Feb 9 10:07:59	charon: 08[IKE] <380> 80.187.108.XXX is initiating an IKE_SA
    Feb 9 10:07:59	charon: 08[IKE] 80.187.108.XXX is initiating an IKE_SA
    Feb 9 10:07:59	charon: 08[IKE] <380> remote host is behind NAT
    Feb 9 10:07:59	charon: 08[IKE] remote host is behind NAT
    Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
    Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca-Else"
    Feb 9 10:07:59	charon: 08[IKE] <380> sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
    Feb 9 10:07:59	charon: 08[IKE] sending cert request for "C=DE, ST=NRW, L=dorf, O=test, E=admin@test.de, CN=internal-ca"
    Feb 9 10:07:59	charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Feb 9 10:07:59	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    Feb 9 10:08:00	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:08:00	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:08:00	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:00	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:00	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    Feb 9 10:08:01	charon: 08[NET] received packet: from 80.187.108.XXX[500] to 217.91.78.XXX[500] (616 bytes)
    Feb 9 10:08:01	charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Feb 9 10:08:01	charon: 08[IKE] <380> received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:01	charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
    Feb 9 10:08:01	charon: 08[NET] sending packet: from 217.91.78.XXX[500] to 80.187.108.XXX[500] (357 bytes)
    
    
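    martin879's diagnosis (wrong server certificate type, or the endpoint name/IP missing from CN/SAN), the SAN complaint just above, and the earlier note about exporting certificates as Base-64 .cer can all be checked on a PC before touching the phone. This is an added example, not pfSense code; it uses the third-party `cryptography` package. It builds a throwaway CA and server certificate, checks for the serverAuth extended key usage (what pfSense's "Server Certificate" type sets), checks that the endpoint you dial is in CN or SAN, verifies the CA signature, and normalizes a .crt (PEM or DER) into the Base-64 text the Windows "Copy to File…" export produces. The names vpn.example.test and internal-ca and the documentation IPs are constructed.

```python
"""Checks for an IKEv2 server certificate and its CA, modelled on the failure
modes in this thread. Added example; requires the 'cryptography' package."""
import datetime
import ipaddress
import ssl

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_base64_cer(data: bytes) -> str:
    """Return Base-64 (PEM) text, i.e. what 'Base-64 encoded X.509 (.CER)'
    exports, whether the input .crt was already PEM or binary DER."""
    if data.lstrip().startswith(PEM_HEADER):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def cert_names(cert: x509.Certificate):
    """Every identity the certificate claims: CN plus SAN DNS names and IPs."""
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return names
    names += san.get_values_for_type(x509.DNSName)
    names += [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    return names


def check_server_cert(cert, ca, endpoint: str):
    """List problems a Windows IKEv2 client dialling `endpoint` (DNS name or
    IP) would trip over; an empty list means the three checks passed."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("extendedKeyUsage lacks serverAuth (not a Server Certificate)")
    except x509.ExtensionNotFound:
        problems.append("no extendedKeyUsage extension (not a Server Certificate)")
    if endpoint not in cert_names(cert):
        problems.append(f"endpoint {endpoint!r} not in CN/SAN {cert_names(cert)}")
    if cert.issuer != ca.subject:
        problems.append("issuer does not match CA subject")
    else:
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("signature does not verify against CA (wrong CA installed?)")
    return problems


def make_test_pki(endpoint_dns="vpn.example.test", endpoint_ip="203.0.113.1", server_auth=True):
    """Constructed CA + server certificate for demonstration only."""
    now = datetime.datetime.now(datetime.timezone.utc)
    valid = dict(not_valid_before=now, not_valid_after=now + datetime.timedelta(days=365))
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "internal-ca")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(valid["not_valid_before"]).not_valid_after(valid["not_valid_after"])
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, endpoint_dns)]))
               .issuer_name(ca_name).public_key(srv_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(valid["not_valid_before"]).not_valid_after(valid["not_valid_after"])
               .add_extension(x509.SubjectAlternativeName(
                   [x509.DNSName(endpoint_dns), x509.IPAddress(ipaddress.ip_address(endpoint_ip))]),
                   critical=False))
    if server_auth:   # this is what pfSense's "Server Certificate" type adds
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return ca, builder.sign(ca_key, hashes.SHA256())


if __name__ == "__main__":
    ca, srv = make_test_pki()
    print("good cert, dial by name:", check_server_cert(srv, ca, "vpn.example.test"))
    print("good cert, dial by wrong IP:", check_server_cert(srv, ca, "198.51.100.7"))
    print(to_base64_cer(srv.public_bytes(serialization.Encoding.DER))[:40], "...")
```

    To test a real export, load it with `x509.load_pem_x509_certificate` (or `load_der_x509_certificate`) and pass the CA you installed on the phone; the `endpoint` argument must be exactly what you type into the phone's server field, since a hostname in CN does not cover dialling by IP, which is the mismatch the post above describes.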


  • I activated the config again today.
    Interestingly, it does not work anymore over the mobile connection (home WiFi [LAN interface] works); the last thing in the logs is that it has sent a packet.
    The phone says server not responding / timeout. There have been updates to my phone, which may be the cause.
    Works fine on my windows 8 tablet when I share my mobile connection over wifi.



  • This is weird.
    I added an allow-all rule to my WAN, then my phone can connect. I tried to allow UDP on 500 and 4500 only, which didn't work. I logged the allow-all rule (last in list) and it still got packets where it says UDP 500 or 4500. It also displays a UDP packet without any port info.
    Packet capture just shows some isakmp traffic, seems to be alright (with allow all rule)



  • try

    ![2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg](/public/imported_attachments/1/2015-03-18 19_04_31-bear.home.com - VPN_ IPsec_ Mobile.jpg)
    ![2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg](/public/imported_attachments/1/2015-03-18 18_59_45-bear.home.com - VPN_ IPsec.jpg)
    ![2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg](/public/imported_attachments/1/2015-03-18 18_58_58-bear.home.com - VPN_ IPsec_ Edit Phase 2_ Mobile Client.jpg)



  • I got it to work on a Windows 10 laptop by following the exact steps in https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. On my Windows 10 Phone device, I had to export just the CA certificate from pfSense (System -> Cert Manager -> Certificates (important!) -> click on the blue box next to your IKEv2 Server certificate to export it as P12). Mail the P12 to your phone and open it.

    On my Windows 10 laptop, all works fine. On my Windows 10 Phone, it connects just fine, but no data seems to flow through the VPN connection. All still goes over the WiFi connection. Not sure why.





  • Thanks for sharing. That would figure as I do have VPN working on my Lumia 930 and that's configured using MDM and going through a Windows Server as the VPN server. Configuring it manually for pfSense lets it connect, but no data flows through. I'll provide feedback on this issue through the insider hub as the product group does read that stuff.

    -edit-

    Giving it another thought though, how can it be that if the UI was broken, it does connect? I don't see the connection between a broken UI and it connecting, but not sending data through. Sounds more like pfSense and Windows 10 Phone not cooperating well in sharing network config. Nevertheless will share in Windows Feedback App.