IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 working!



  • Hi All,

    FYI for anyone that might have struggled with this as I did. I followed the steps at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 but could not get past Error 13801 (https://technet.microsoft.com/en-us/library/dd941612(v=ws.10).aspx). After reading a bunch of different posts all over the place, I decided to try importing the self-signed CA cert using the steps for EAP-TLS (https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS), where you use the MMC console to import the CA cert into the (Local) Computer store (not the User store). After I did this, it worked (even passing Internet traffic across the VPN connection). As a test, I switched back to the User cert import approach, and got 13801 again. One other thing I also did that was suggested in a post over at StrongSWAN, though this may or may not have made any difference, was that on the server cert I put the server's IP address in the Subject CN, and then in SubjectAltName I put the server info in again as BOTH IP address and FQDN form. One caveat specifically noted in the StrongSWAN post I was pulling this from was the need to use the "DNS" type for the IP address (not the "IP" type). Not sure why this would need to be the case, but I just did as the post instructed.

    So far, it seems to be staying up. I would assume that if I had a publicly signed server cert, I wouldn't need to import any sort of CA cert, leaving only the EAP username and passphrase to deal with on clients.

    I thought I would share this as the Wiki for EAP-MSCHAPv2 didn't work with regards to the CA importing. Note that I've only tried this on Windows 7, so Windows 8+ may do fine with the cert imported into User.

    One other thing not noted in either Wiki was that in addition to rules for IPsec to permit the Mobile IKEv2 subnet to pass in, as I don't use Automatic NAT, I had to manually add an Outbound NAT for the IKEv2 subnet. This may or may not be required depending on your individual configuration. But until I did this, obviously, no Internet! :)

    Anyways, FYI and a hearty thanks to the pfSense Team for the effort to get StrongSWAN pulled into 2.2!!

    Mark



  • Here is an explanation of why the Alt Name "DNS" should be present in the key:
    https://wiki.strongswan.org/issues/813



  • Thanks! This post actually helped solve one of the issues I had setting this up for myself.

    The issue I have now, hopefully the last one: I am able to connect just fine, and have outbound internet access through my VPN.

    What I don't have, however, is access to hosts within my network, and there appears to be no DNS name resolution.

    Through my VPN, I can browse to webconfigurator, by IP, but not by name. And I cannot reach any other host on my network by IP or by hostname.

    I have allow any rules set on my firewall which should be allowing the traffic between LAN, IPsec and the virtual network set in the mobile clients.

    Don't know if this is relevant or not, but it doesn't look normal to me, so I'll include it.

    When the VPN is established on the Windows device:

    DNS Suffix = (empty)
    IP address = 192.168.33.2 (within the range I set on Mobile Clients)
    Subnet mask = 255.255.255.255
    Default Gateway = 0.0.0.0

    If anyone has any insight, I would be grateful.

    Thanks!

    EDIT: Turns out the reason I can't hit the Windows machines on my network has to do with the firewall settings on said boxes. But still no DNS; I can only hit them by IP.



  • Thank you, jobsoft - IKEv2 now works for me too. The trick with MMC worked!

    I have also investigated server certificates with Subject Alternative Names (SAN). The VPN works only if a SAN-containing certificate does not have an IP address as the Common Name; IP addresses can be listed as alternative names with type "DNS".

    Best regards
    yarick123



  • There were EKU issues with certificates generated on versions prior to 2.2.4. If you start from scratch with your certs on 2.2.4, following the updated details in the doc article linked originally, it'll work without disabling EKU.
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS



  • Hello!
    I want to share my experience of setting up IKEv2 on Windows 8 and iOS 9 with connection by IP address.
    I hope it will be useful for someone.

    Firstly, I used this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
    All settings were OK, but my PC still could not connect to the server (809 Error).
    The key was: set up the .p12 server certificate on Windows, and restart pfSense.

    Secondly, I tried to connect from my iPhone with iOS 9.
    It was connecting for 1 sec, and then disconnecting.
    When I checked the log and compared it with the PC connection log, there was a little difference:
    When the PC connected, pfSense selected connection profile "con1", and when the phone connected, pfSense selected connection profile "bypass".
    I checked the ipsec configuration file "/var/etc/ipsec/ipsec.conf" and deleted the bypass rule; after that pfSense started to log that the profile is not found.

    Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
    Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

    But the laptop peer search looked like this:

    Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

    After testing the iPhone settings I realized that the IP in the left brackets was "Remote ID" from the iPhone VPN settings, and the IP in the right brackets was "Local ID" from the iPhone settings (if you leave "Local ID" blank, the iPhone inserts your phone's IP).

    So I checked "/var/etc/ipsec/ipsec.conf" again.
    And I found something interesting:
    leftid = fqdn:88.24.127.106
    I tried to use this as Remote ID but got no result.
    Then I went to pfSense->VPN->IPsec->Phase1->My identifier and changed it from "Distinguished Name" to "IP address".
    After that the config string changed to:
    leftid = 88.24.127.106
    And my iPhone connects with the settings from the guide.

    So, I think there should be a note about this in the guide.

    Thanks for reading and sorry for mistakes.
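    The ID mismatch above is easy to miss in the charon log. As an added diagnostic example (not code from the post, pfSense or strongSwan), the Python below parses "looking for peer configs matching" lines, pulls out the bracketed identities, and explains why an expected server ID of 88.24.127.106 can never match a leftid of fqdn:88.24.127.106: strongSwan compares the identity type as well as its value, so an FQDN-typed identity is not equal to an IPv4-typed one even when the strings are identical. The sample log lines are constructed from the ones quoted above, and the prefix list is a simplified subset of what ipsec.conf accepts.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample lines, modelled on the charon output quoted in the post.
SAMPLE_LOG = [
    "Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching "
    "88.24.127.106[88.24.127.106]...5.18.93.113[192.168.0.101]",
    "Dec 24 21:13:04 charon: 15[CFG] no matching peer config found",
    "Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching "
    "88.24.127.106...5.18.93.113",
]
PEER_RE = re.compile(  # addr[identity]...addr[identity]; each [identity] is optional
    r"looking for peer configs matching "
    r"(?P<laddr>\S+?)(?:\[(?P<lid>[^\]]*)\])?(?:\.\.\.|\u2026)"
    r"(?P<raddr>\S+?)(?:\[(?P<rid>[^\]]*)\])?\s*$"
)
ID_PREFIXES = ("fqdn", "email", "userfqdn", "ipv4", "ipv6", "keyid", "asn1dn")  # subset

class PeerLookup(NamedTuple):
    local_addr: str
    local_id: Optional[str]   # left bracket: ID the client expects the server to present
    remote_addr: str
    remote_id: Optional[str]  # right bracket: ID the client presents for itself

def parse_peer_lookup(line: str) -> Optional[PeerLookup]:
    """Return addresses and IDs from a 'looking for peer configs' line, else None."""
    m = PEER_RE.search(line)
    return PeerLookup(m["laddr"], m["lid"], m["raddr"], m["rid"]) if m else None

def split_id(ident: str) -> tuple:
    """Split an identity into (type, value), inferring the type of unprefixed strings (simplified)."""
    prefix, sep, rest = ident.partition(":")
    if sep and prefix.lower() in ID_PREFIXES:
        return prefix.lower(), rest
    try:
        return "ipv%d" % ipaddress.ip_address(ident).version, ident
    except ValueError:
        kind = "email" if "@" in ident else "asn1dn" if "=" in ident else "fqdn"
        return kind, ident

def explain_mismatch(client_expects: str, server_leftid: str) -> Optional[str]:
    """Why the ID the client expects cannot match the server's leftid, or None if it can."""
    ct, cv = split_id(client_expects)
    st, sv = split_id(server_leftid)
    if cv != sv:
        return "identity values differ: %r vs %r" % (cv, sv)
    if ct != st:
        return "same value but different ID types: client expects %s, server sends %s" % (ct, st)
    return None
```

    Feeding the first sample line to parse_peer_lookup and its local_id to explain_mismatch against "fqdn:88.24.127.106" reports the type mismatch; against "88.24.127.106" it reports none, which is the change the post made in Phase 1.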



  • Any OSX El Captain clients working?


  • Rebel Alliance Developer Netgate

    @j@svg:

    Any OSX El Captain clients working?

    Yes it works fine from El Capitan



  • @andymcfishka:

    Hello!
    I want to share my experience of setting up IKEv2 on Windows 8 and iOS 9 with connection by IP address.
    I hope it will be useful for someone.

    Firstly, I used this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 .
    All settings were OK, but my PC still could not connect to the server (809 Error).
    The key was: set up the .p12 server certificate on Windows, and restart pfSense.

    Secondly, I tried to connect from my iPhone with iOS 9.
    It was connecting for 1 sec, and then disconnecting.
    When I checked the log and compared it with the PC connection log, there was a little difference:
    When the PC connected, pfSense selected connection profile "con1", and when the phone connected, pfSense selected connection profile "bypass".
    I checked the ipsec configuration file "/var/etc/ipsec/ipsec.conf" and deleted the bypass rule; after that pfSense started to log that the profile is not found.

    Dec 24 21:13:04 charon: 15[CFG] <66> looking for peer configs matching 88.24.127.106[88.24.127.106]…5.18.93.113[192.168.0.101]
    Dec 24 21:13:04 charon: 15[CFG] no matching peer config found

    But the laptop peer search looked like this:

    Dec 24 21:14:14 charon: 15[CFG] <67> looking for peer configs matching 88.24.127.106…5.18.93.113

    After testing the iPhone settings I realized that the IP in the left brackets was "Remote ID" from the iPhone VPN settings, and the IP in the right brackets was "Local ID" from the iPhone settings (if you leave "Local ID" blank, the iPhone inserts your phone's IP).

    So I checked "/var/etc/ipsec/ipsec.conf" again.
    And I found something interesting:
    leftid = fqdn:88.24.127.106
    I tried to use this as Remote ID but got no result.
    Then I went to pfSense->VPN->IPsec->Phase1->My identifier and changed it from "Distinguished Name" to "IP address".
    After that the config string changed to:
    leftid = 88.24.127.106
    And my iPhone connects with the settings from the guide.

    So, I think there should be a note about this in the guide.

    Thanks for reading and sorry for mistakes.

    Really wish I knew how you got this to work with iOS 9 on an iPhone….

    Everything I have tried results in:

    charon: 07[ENC] <bypasslan|67> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    Update: OK. I finally got somewhere by following the directions from https://forum.pfsense.org/index.php?topic=85367.0. Thank you harbord for the directions! I am not sure how to add more than one user using this method, but I at least got one of my phones connected!

