IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 working!



  • Hi All,

    FYI for anyone that might have struggled with this as I did. I followed the steps at: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 but could not get past Error 13801 (https://technet.microsoft.com/en-us/library/dd941612(v=ws.10).aspx). After reading a bunch of different posts all over the place, I decided to try importing the self-signed CA cert using the steps for EAP-TLS (https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS) where you use the MMC console to import the CA cert to the (Local) Computer (not the User). After I did this, it worked (passing Internet traffic across the VPN connection even). As a test, I switched back to the User cert import approach, and got 13801 again. One other thing I also did that was suggested in a post over at strongSwan, though this may or may not have made any difference, was that on the server cert, I put the server's IP address in the Subject CN, and then in SubjectAltName, I put the server info in again as BOTH IP address and FQDN form. One caveat specifically noted in the strongSwan post I was pulling this from was the need to use the "DNS" type for the IP address (not the "IP" type). Not sure why this would need to be the case, but I just did as the post instructed.

    So far, it seems to be staying up. I would assume that if I had a publicly signed server cert, I wouldn't need to import any sort of CA cert, leaving only the EAP username and passphrase to deal with on clients.

    I thought I would share this as the Wiki for EAP-MSCHAPv2 didn't work with regards to the CA importing. Note that I've only tried this on Windows 7, so Windows 8+ may do fine with the cert imported into User.

    One other thing not noted in either Wiki was that, in addition to rules for IPsec to permit the Mobile IKEv2 subnet to pass in, as I don't use Automatic NAT, I had to manually add an Outbound NAT rule for the IKEv2 subnet. This may or may not be required depending on your individual configuration. But until I did this, obviously, no Internet! :)

    Anyways, FYI and a hearty thanks to the pfSense Team for the effort to get strongSwan pulled into 2.2!!

    Mark



  • Here is an explanation why the Alt Name "DNS" should be present in key
    https://wiki.strongswan.org/issues/813



  • Thanks! This post actually helped solve one of the issues I had setting this up for myself.

    The issue I have now, hopefully the last issue, I am able to get connected just fine, and have outbound internet access through my VPN.

    What I don't have, however is access to hosts within my network, and there appears to be no DNS name resolution.

    Through my VPN, I can browse to webconfigurator, by IP, but not by name. And I cannot reach any other host on my network by IP or by hostname.

    I have allow any rules set on my firewall which should be allowing the traffic between LAN, IPsec and the virtual network set in the mobile clients.

    Don't know if this is relevant or not, but doesn't look normal to me, so I'll include it

    When the VPN is established on the Windows device,

    DNS Suffix = (empty)
    IP address = 192.168.33.2 (within the range I set on Mobile Clients)
    Subnet mask = 255.255.255.255
    Default Gateway = 0.0.0.0

    If anyone has any insight, I would be grateful.

    Thanks!

    EDIT: Turns out the reason I can't hit the Windows machines on my network has to do with the firewall settings on said boxes. But still no DNS; can only hit them by IP.



  • Thank you, jobsoft - IKEv2 works now for me too. The trick with MMC worked!

    I have also made an investigation into server certificates with Alternative Names (SAN). The VPN works only if a SAN-containing certificate does not have an IP address as the Common Name; IP addresses can be listed as alternative names with type "DNS".

    Best regards
    yarick123



  • There were EKU issues with certificates generated on versions prior to 2.2.4. If you start from scratch with your certs on 2.2.4, following the updated details in the doc article linked originally, it'll work without disabling EKU.
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
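The certificate shape the posts above converge on (a SAN-bearing server cert whose CN is not the bare IP, the IP listed in the SAN as a DNS-type entry as well as an IP-type entry, and an EKU that no longer has to be disabled on 2.2.4) can be built and checked with OpenSSL before anything is imported into pfSense or a client. The script below is an added example written for this page; it is not code from the thread, from pfSense or from strongSwan. The address 203.0.113.10, the name vpn.example.org and the EKU pairing of serverAuth with the IKE-intermediate OID 1.3.6.1.5.5.8.2.2 are placeholders and assumptions, not values taken from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: builds a throwaway
# CA and an IKEv2 server certificate shaped the way the posts above report
# working, then checks it. Assumptions: 'openssl' is on PATH; 203.0.113.10
# and vpn.example.org are placeholder values for the firewall's WAN address
# and name; all files land in a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-203.0.113.10}"
SERVER_FQDN="${SERVER_FQDN:-vpn.example.org}"

# 1. Self-signed CA. Its certificate (never its key) is what the first post
#    imported into the Local Computer store on the Windows client.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=pfSense IKEv2 test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server certificate. The CN carries the FQDN, not the IP (yarick123's
#    finding for SAN-bearing certs); the SAN lists the IP as a DNS-type entry
#    (the strongSwan issue linked above) and as an IP-type entry, plus the FQDN.
#    EKU = serverAuth plus the IKE-intermediate OID 1.3.6.1.5.5.8.2.2; this is
#    an assumption about what the 2.2.4 EKU fix produces, the thread names no OID.
make_server_cert() {
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$SERVER_IP, IP:$SERVER_IP, DNS:$SERVER_FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$SERVER_FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# 3. Export only the CA *certificate* in DER form for the MMC import; the CA
#    key stays on the firewall.
export_ca_der() {
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.cer"
}

# 4. Pre-flight checks: the chain verifies, the SAN has both the DNS-type and
#    the IP-type entry for the address, and the EKU includes serverAuth.
#    Returns non-zero on the first failed check.
check_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/server.crt" -noout -text)
  printf '%s\n' "$text" | grep -qF "DNS:$SERVER_IP" || return 1
  printf '%s\n' "$text" | grep -qF "IP Address:$SERVER_IP" || return 1
  printf '%s\n' "$text" | grep -qF "TLS Web Server Authentication" || return 1
}

# Stand-alone run: build, export, check, and print where the files are.
if [ "${1:-}" = "run" ]; then
  make_ca && make_server_cert && export_ca_der && check_server_cert
  echo "certificate OK; CA for client import: $WORK/ca.cer"
fi
```

Run it as `sh make-ikev2-cert.sh run`. The resulting `ca.cer` is the file to import into the Local Computer store through MMC as the first post describes; the server key, server certificate and CA key are only ever loaded on the firewall side.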



  • Hello!
    I want to share my experience of setting up IKEv2 on Windows 8 and iOS 9 with connection by IP address.
    I hope it will be useful for someone.

    Firstly, I used this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
    All settings were OK, but my PC still could not connect to the server (809 Error).
    The key was: set up the .p12 server certificate on Windows, and restart pfSense.

    Secondly, I tried to connect from my iPhone with iOS 9.
    It was connecting for 1 sec, and then disconnecting.
    When I checked the log and compared it with the PC connection log, there was a little difference:
    When the PC connects, pfSense selected connection profile "con1", and when the phone connected, pfSense selected connection profile "bypass".
    I checked the ipsec configuration file "/var/etc/ipsec/ipsec.conf" and deleted the bypass rule; after that pfSense started to log that the profile is not found.

    Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
    Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

    But the laptop peer search looked like this:

    Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

    After testing the iPhone settings I realized that the IP in the left brackets was the "Remote ID" from the iPhone VPN settings, and the IP in the right brackets was the "Local ID" from the iPhone settings (if you leave "Local ID" blank, the iPhone inserts your phone's IP).

    So I checked "/var/etc/ipsec/ipsec.conf" again.
    And I found something interesting:
    leftid = fqdn:88.24.127.106
    I tried to use this as the Remote ID but got no result.
    Then I went to pfSense -> VPN -> IPsec -> Phase 1 -> My identifier and set it to "IP address" instead of "Distinguished Name".
    After that the config string changed to:
    leftid = 88.24.127.106
    And my iPhone connects with the settings from the guide.

    So, I think there needs to be a note about this in the guide.

    Thanks for reading and sorry for mistakes.



  • Any OS X El Capitan clients working?


  • @j@svg:

    Any OS X El Capitan clients working?

    Yes it works fine from El Capitan



  • @andymcfishka:


    Really wish I knew how you got this to work with iOS 9 on an iPhone….

    Everything I have tried results in:

    charon: 07[ENC] <bypasslan|67> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    Update: Ok.  I finally got somewhere by following the directions from: https://forum.pfsense.org/index.php?topic=85367.0.  Thank you harbord for the directions!  I am not sure how to add more than one user using this method, but I at least got one of my phones connected!



  • @meluvalli glad to see that i helped someone



  • Dear all,

    with the help of
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
    I managed to configure an IKEv2 SA and child SA for the ESP IPsec tunnel from my iPhone (iOS 13.5.1)
    to pfSense 2.4.5.

    I created a new PKI and converted the client certificate .p12 with an OpenSSL lib workaround I found here.
    And after trying for a while it now works for me. The IPsec connection establishes quickly and reliably.

    But what I still do not understand with the above method is:
    why do I need to define PSK keys for the EAP authentication part after the IKE handshake, although
    I already have a client certificate in place on the mobile that could actually also do this job (or even better)?
    The iPhone allows configuring IKE connections to use the certificate as the user authentication method.
    But with this method set (instead of the user/password pattern) I cannot manage to authenticate successfully.
    EAP authentication of the client (iPhone) always gets aborted:

    Last 1000 IPsec Log Entries. (Maximum 1000)
    09[IKE] <con-mobile|2> IKE_SA con-mobile[2] state change: CONNECTING => DESTROYING
    09[NET] <con-mobile|2> sending packet: from <ServerIP> [4500] to <iPhoneIP>[19330] (80 bytes)
    09[ENC] <con-mobile|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
    09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE
    09[ENC] <con-mobile|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
    09[NET] <con-mobile|2> received packet: from <iPhoneIP>[19330] to <ServerIP>[4500] (80 bytes)
    09[NET] <con-mobile|2> sending packet: from <ServerIP>[4500] to <iPhoneIP> [19330] (112 bytes)
    09[ENC] <con-mobile|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
    09[IKE] <con-mobile|2> received EAP identity 'Markus'
    09[ASN] <con-mobile|2> file content is not binary ASN.1
    09[ENC] <con-mobile|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    ...

    Do you have an idea?

    Kind regards
    Markus
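Both the iPhone/laptop post above (the two "looking for peer configs matching" lines and the fqdn: prefix on leftid) and Markus's log (EAP_MSCHAPV2 offered by the server, EAP_NAK returned by the phone, then EAP/FAIL) can be read mechanically from the charon lines. The shell script below is an added example for this page, not code from the thread, from pfSense or from strongSwan. Its sample log lines are constructed with documentation addresses (203.0.113.10, 198.51.100.7) in the same shape as the quoted ones, and the plain string comparison it uses for leftid is a simplification of strongSwan's identity matching, enough to show the mismatch the post describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/strongSwan: a few
# POSIX-sh checks over charon log lines of the two shapes quoted above (the
# "looking for peer configs matching" lines from the iPhone/laptop post and
# the EAP_NAK sequence from the certificate-authentication post). The sample
# log is constructed with documentation addresses; it is not a capture.
set -eu

SAMPLE_LOG='Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 203.0.113.10[203.0.113.10]...198.51.100.7[192.168.0.101]
Dec 24 21:13:04 charon: 15[CFG] no matching peer config found
Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 203.0.113.10...198.51.100.7
Dec 24 21:15:01 charon: 09[IKE] <con-mobile|2> initiating EAP_MSCHAPV2 method (id 0xDC)
Dec 24 21:15:01 charon: 09[IKE] <con-mobile|2> received EAP_NAK, sending EAP_FAILURE'

# peer_ids LINE
# Prints "<identity the client sent for the server> <identity the client sent
# for itself>". For "A[IDa]...B[IDb]" the bracketed parts are the identities
# (the iPhone's Remote ID and Local ID); when no brackets appear, as in the
# laptop line, charon matched on the addresses alone, so those are printed.
peer_ids() {
  line=$1
  rest=${line##*looking for peer configs matching }
  left=${rest%%...*}
  right=${rest#*...}
  left_id=$(printf '%s\n' "$left" | sed -n 's/.*\[\(.*\)\]/\1/p')
  right_id=$(printf '%s\n' "$right" | sed -n 's/.*\[\(.*\)\]/\1/p')
  [ -n "$left_id" ] || left_id=$left
  [ -n "$right_id" ] || right_id=$right
  printf '%s %s\n' "$left_id" "$right_id"
}

# leftid_matches CONFIGURED_LEFTID LINE
# Succeeds when the server identity the client sent equals the leftid string
# in ipsec.conf. A plain string comparison is enough to show the mismatch in
# the thread: "fqdn:203.0.113.10" (pfSense "Distinguished Name") is an
# FQDN-type identity and does not equal the bare address the phone sends,
# while "203.0.113.10" (pfSense "IP address") does.
leftid_matches() {
  conf=$1
  ids=$(peer_ids "$2")
  [ "$conf" = "${ids%% *}" ]
}

# eap_method_rejected LOG
# Succeeds (and names the method) when the server proposed an EAP method and
# the client answered EAP_NAK, which in EAP means the peer does not accept
# the proposed type; charon then sends EAP_FAILURE and tears the SA down.
eap_method_rejected() {
  log=$1
  offered=$(printf '%s\n' "$log" | sed -n 's/.*initiating \(EAP_[A-Z0-9_]*\) method.*/\1/p' | tail -n 1)
  [ -n "$offered" ] || return 1
  printf '%s\n' "$log" | grep -q 'received EAP_NAK' || return 1
  printf 'client rejected offered method %s\n' "$offered"
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "run" ]; then
  printf '%s\n' "$SAMPLE_LOG" | grep 'looking for peer configs' | while IFS= read -r l; do
    echo "peer identities: $(peer_ids "$l")"
  done
  first=$(printf '%s\n' "$SAMPLE_LOG" | grep 'looking for peer configs' | head -n 1)
  if leftid_matches 'fqdn:203.0.113.10' "$first"; then
    echo "leftid matches"
  else
    echo "leftid mismatch: client sent the bare IP, config has the fqdn: prefix"
  fi
  eap_method_rejected "$SAMPLE_LOG" || echo "no EAP method rejection seen"
fi
```

Run it as `sh charon-triage.sh run`, or feed real lines from the pfSense IPsec log to `peer_ids` and `eap_method_rejected` directly. The first check reproduces the post's diagnosis (the phone's Remote ID is an IP identity, so a leftid of `fqdn:<address>` never matches until "My identifier" is switched to IP address); the second separates an EAP method disagreement from a bad password, which both end in AUTH_FAILED but need different fixes.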

