Struggling to get IPsec working for windows clients



  • I've spent the last few days trying to get our clients able to connect to our pfSense VPN.  Initially the pfSense was behind our Verizon router (this was old topology that we never had a need to replace), but to rule out the extra NAT as a culprit I've now got the pfSense connected directly to the ONT.  Prior to having a static IP we used dyndns for tunneling, so I've continued to use that same address for things like the CN on the server cert (and included the IP as an alternative).

    We're running pfSense 2.2.2

    I've tried the configurations here: https://doc.pfsense.org/index.php/L2TP/IPsec and here: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    My clients will mostly be win7/win8 boxes, but for ease of access I've been connecting from an Amazon AWS windows 2012 server box.  We don't want to install any 3rd party clients, so IPsec has been my go-to solution; I'm a VPN neophyte so I'm willing to explore other options so long as they don't require additional clients to be installed.

    The log from the first configuration (ikev1/psk)

    May 7 11:58:47 charon: 11[CFG] left nor right host is our side, assuming left=local
    May 7 11:58:47 charon: 11[CFG] added configuration 'con2'
    May 7 11:58:59 charon: 11[NET] <89> received packet: from 54.yyy.yyy.yyy[500] to 108.xxx.xxx.xxx[500] (408 bytes)
    May 7 11:58:59 charon: 11[ENC] <89> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    May 7 11:58:59 charon: 11[ENC] <89> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    May 7 11:58:59 charon: 11[IKE] <89> received MS NT5 ISAKMPOAKLEY vendor ID
    May 7 11:58:59 charon: 11[IKE] <89> received NAT-T (RFC 3947) vendor ID
    May 7 11:58:59 charon: 11[IKE] <89> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 7 11:58:59 charon: 11[IKE] <89> received FRAGMENTATION vendor ID
    May 7 11:58:59 charon: 11[ENC] <89> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    May 7 11:58:59 charon: 11[ENC] <89> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    May 7 11:58:59 charon: 11[ENC] <89> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    May 7 11:58:59 charon: 11[IKE] <89> 54.yyy.yyy.yyy is initiating a Main Mode IKE_SA
    May 7 11:58:59 charon: 11[ENC] <89> generating ID_PROT response 0 [ SA V V V V V ]
    May 7 11:58:59 charon: 11[NET] <89> sending packet: from 108.xxx.xxx.xxx[500] to 54.yyy.yyy.yyy[500] (180 bytes)
    May 7 11:58:59 charon: 11[NET] <89> received packet: from 54.yyy.yyy.yyy[500] to 108.xxx.xxx.xxx[500] (388 bytes)
    May 7 11:58:59 charon: 11[ENC] <89> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 7 11:58:59 charon: 11[IKE] <89> remote host is behind NAT
    May 7 11:58:59 charon: 11[ENC] <89> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    May 7 11:58:59 charon: 11[NET] <89> sending packet: from 108.xxx.xxx.xxx[500] to 54.yyy.yyy.yyy[500] (372 bytes)
    May 7 11:58:59 charon: 11[NET] <89> received packet: from 54.yyy.yyy.yyy[4500] to 108.xxx.xxx.xxx[4500] (76 bytes)
    May 7 11:58:59 charon: 11[ENC] <89> parsed ID_PROT request 0 [ ID HASH ]
    May 7 11:58:59 charon: 11[CFG] <89> looking for pre-shared key peer configs matching 108.xxx.xxx.xxx...54.yyy.yyy.yyy[10.zzz.zzz.zzz]
    May 7 11:58:59 charon: 11[CFG] <89> selected peer config "con2"
    May 7 11:58:59 charon: 11[IKE] <con2|89> IKE_SA con2[89] established between 108.xxx.xxx.xxx[108.xxx.xxx.xxx]...54.yyy.yyy.yyy[10.zzz.zzz.zzz]
    May 7 11:58:59 charon: 11[IKE] <con2|89> scheduling reauthentication in 28242s
    May 7 11:58:59 charon: 11[IKE] <con2|89> maximum IKE_SA lifetime 28782s
    May 7 11:58:59 charon: 11[IKE] <con2|89> DPD not supported by peer, disabled
    May 7 11:58:59 charon: 11[ENC] <con2|89> generating ID_PROT response 0 [ ID HASH ]
    May 7 11:58:59 charon: 11[NET] <con2|89> sending packet: from 108.xxx.xxx.xxx[4500] to 54.yyy.yyy.yyy[4500] (76 bytes)
    May 7 11:58:59 charon: 16[NET] <con2|89> received packet: from 54.yyy.yyy.yyy[4500] to 108.xxx.xxx.xxx[4500] (380 bytes)
    May 7 11:58:59 charon: 16[ENC] <con2|89> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 7 11:58:59 charon: 16[IKE] <con2|89> received 250000000 lifebytes, configured 0
    May 7 11:58:59 charon: 16[ENC] <con2|89> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 7 11:58:59 charon: 16[NET] <con2|89> sending packet: from 108.xxx.xxx.xxx[4500] to 54.yyy.yyy.yyy[4500] (204 bytes)
    May 7 11:58:59 charon: 16[NET] <con2|89> received packet: from 54.yyy.yyy.yyy[4500] to 108.xxx.xxx.xxx[4500] (60 bytes)
    May 7 11:58:59 charon: 16[ENC] <con2|89> parsed QUICK_MODE request 1 [ HASH ]
    May 7 11:58:59 charon: 16[IKE] <con2|89> CHILD_SA con2{39} established with SPIs c0ce8d56_i 4b59fea8_o and TS 108.xxx.xxx.xxx/32|/0[udp/l2f] === 54.yyy.yyy.yyy/32|/0[udp/l2f]

    Windows error 809 after a few seconds

    The log from the second configuration (IKEv2 EAP-MSChap)

    May 7 12:08:45 charon: 09[ENC] <94> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    May 7 12:08:45 charon: 09[ENC] <94> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    May 7 12:08:45 charon: 09[ENC] <94> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    May 7 12:08:45 charon: 09[ENC] <94> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    May 7 12:08:45 charon: 09[ENC] <94> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    May 7 12:08:45 charon: 09[IKE] <94> 54.yyy.yyy.yyy is initiating an IKE_SA
    May 7 12:08:45 charon: 09[IKE] <94> remote host is behind NAT
    May 7 12:08:45 charon: 09[IKE] <94> sending cert request for "C=US, ST=Virginia, L=Fairfax, O=My Company Name, E=support@mywebsite.com, CN=mydyndnsname.onastaticip.net"
    May 7 12:08:45 charon: 09[IKE] <94> sending cert request for "C=US, ST=Virginia, L=Fairfax, O=My Company Name, E=support@mywebsite.com, CN=internal-ca"
    May 7 12:08:45 charon: 09[ENC] <94> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    May 7 12:08:45 charon: 09[NET] <94> sending packet: from 108.xxx.xxx.xxx[500] to 54.yyy.yyy.yyy[500] (357 bytes)
    May 7 12:08:45 charon: 09[NET] <94> received packet: from 54.yyy.yyy.yyy[4500] to 108.xxx.xxx.xxx[4500] (720 bytes)
    May 7 12:08:45 charon: 09[ENC] <94> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    May 7 12:08:45 charon: 09[IKE] <94> received cert request for "C=US, ST=Virginia, L=Fairfax, O=My Company Name, E=support@mywebsite.com, CN=mydyndnsname.onastaticip.net"
    May 7 12:08:45 charon: 09[IKE] <94> received 18 cert requests for an unknown ca
    May 7 12:08:45 charon: 09[CFG] <94> looking for peer configs matching 108.xxx.xxx.xxx[%any]...54.yyy.yyy.yyy[10.zzz.zzz.zzz]
    May 7 12:08:45 charon: 09[CFG] <con2|94> selected peer config 'con2'
    May 7 12:08:45 charon: 09[IKE] <con2|94> initiating EAP_IDENTITY method (id 0x00)
    May 7 12:08:45 charon: 09[IKE] <con2|94> peer supports MOBIKE, but disabled in config
    May 7 12:08:45 charon: 09[IKE] <con2|94> authentication of 'mydyndnsname.onastaticip.net' (myself) with RSA signature successful
    May 7 12:08:45 charon: 09[IKE] <con2|94> sending end entity cert "C=US, ST=Virginia, L=Fairfax, O=My Company Name, E=support@mywebsite.com, CN=mydyndnsname.onastaticip.net"
    May 7 12:08:45 charon: 09[ENC] <con2|94> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    May 7 12:08:45 charon: 09[NET] <con2|94> sending packet: from 108.xxx.xxx.xxx[4500] to 54.yyy.yyy.yyy[4500] (1776 bytes)

    Windows error 13801 almost immediately

    I'd appreciate any help or insight anyone might offer.
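An added example, not part of this thread: a small Python triage script for charon logs in the format pfSense 2.2 prints them. It drops the doubled [IKE] lines, works out which IKE version the exchange reached, whether the peer was seen behind NAT, which CA names the server put into its CERTREQ, whether the IKE_SA and CHILD_SA came up, and, for IKEv2 with EAP, whether the client ever answered the first EAP request. The two embedded samples are constructed from the logs posted above (same masking of addresses, trimmed to the lines the script keys on); the summary keys and warning texts are the example's own, not anything charon emits.

```python
"""Triage for strongSwan (charon) IKE logs as pfSense 2.2 prints them.

Added example, not from the thread. The two samples are constructed from
the logs posted above (same masking, trimmed); the summary keys and the
warning texts are this example's own.
"""
import re

SAMPLE_IKEV2 = """\
May 7 12:08:45 charon: 09[ENC] <94> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 12:08:45 charon: 09[IKE] <94> 54.yyy.yyy.yyy is initiating an IKE_SA
May 7 12:08:45 charon: 09[IKE] <94> 54.yyy.yyy.yyy is initiating an IKE_SA
May 7 12:08:45 charon: 09[IKE] <94> remote host is behind NAT
May 7 12:08:45 charon: 09[IKE] <94> sending cert request for "C=US, O=My Company Name, CN=mydyndnsname.onastaticip.net"
May 7 12:08:45 charon: 09[IKE] <94> sending cert request for "C=US, O=My Company Name, CN=internal-ca"
May 7 12:08:45 charon: 09[ENC] <94> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS) SA TSi TSr ]
May 7 12:08:45 charon: 09[IKE] <94> received 18 cert requests for an unknown ca
May 7 12:08:45 charon: 09[IKE] <con2|94> initiating EAP_IDENTITY method (id 0x00)
May 7 12:08:45 charon: 09[IKE] <con2|94> authentication of 'mydyndnsname.onastaticip.net' (myself) with RSA signature successful
May 7 12:08:45 charon: 09[ENC] <con2|94> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
"""
SAMPLE_IKEV1 = """\
May 7 11:58:59 charon: 11[IKE] <89> 54.yyy.yyy.yyy is initiating a Main Mode IKE_SA
May 7 11:58:59 charon: 11[IKE] <89> remote host is behind NAT
May 7 11:58:59 charon: 11[IKE] <con2|89> IKE_SA con2[89] established between 108.xxx.xxx.xxx[108.xxx.xxx.xxx]...54.yyy.yyy.yyy[10.zzz.zzz.zzz]
May 7 11:58:59 charon: 16[ENC] <con2|89> parsed QUICK_MODE request 1 [ HASH ]
May 7 11:58:59 charon: 16[IKE] <con2|89> CHILD_SA con2{39} established with SPIs c0ce8d56_i 4b59fea8_o and TS 108.xxx.xxx.xxx/32|/0[udp/l2f] === 54.yyy.yyy.yyy/32|/0[udp/l2f]
"""

LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d charon: (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
                     r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?(?P<msg>.*)$")
CERTREQ_RE = re.compile(r'^sending cert request for "(?P<dn>[^"]+)"')
UNKNOWN_CA_RE = re.compile(r"received (\d+) cert requests? for an unknown ca")
CHILD_RE = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (?P<ts>.+)$")
EXCHANGE_RE = re.compile(r"^(?:parsed|generating) (\w+) (?:request|response)")


def parse(text):
    """Split log text into dicts, skipping consecutive exact duplicates
    (pfSense 2.2 writes most [IKE] lines twice)."""
    records, last = [], None
    for raw in text.splitlines():
        if raw == last:
            continue
        last = raw
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
    return records


def _cn(dn):
    """CN from a printed DN such as 'C=US, O=x, CN=host'."""
    return next((p[3:] for p in dn.split(", ") if p.startswith("CN=")), dn)


def summarize(text):
    """Reduce one connection attempt to the facts that decide its outcome."""
    s = {"ike_version": None, "remote_behind_nat": False, "ike_sa_established": False,
         "child_sa_established": False, "child_ts": None, "l2tp_transport": False,
         "certreq_cns": [], "unknown_ca_certreqs": 0, "eap_methods": [], "self_auth_ok": False,
         "eap_request_sent": False, "eap_response_received": False, "last_exchange": None,
         "warnings": []}
    for r in parse(text):
        msg = r["msg"]
        if "IKE_SA_INIT" in msg or "IKE_AUTH" in msg:
            s["ike_version"] = "IKEv2"
        elif "ID_PROT" in msg or "Main Mode" in msg:
            s["ike_version"] = "IKEv1"
        s["remote_behind_nat"] |= msg == "remote host is behind NAT"
        s["ike_sa_established"] |= "IKE_SA" in msg and " established between " in msg
        s["self_auth_ok"] |= "(myself) with RSA signature successful" in msg
        s["eap_request_sent"] |= msg.startswith("generating IKE_AUTH response") and "EAP/REQ" in msg
        s["eap_response_received"] |= msg.startswith("parsed IKE_AUTH request") and "EAP/RES" in msg
        m = CHILD_RE.search(msg)
        if m:
            s["child_sa_established"], s["child_ts"] = True, m.group("ts")
            s["l2tp_transport"] = "udp/l2f" in m.group("ts")   # l2f = UDP/1701 in /etc/services
        m = CERTREQ_RE.match(msg)
        if m and _cn(m.group("dn")) not in s["certreq_cns"]:
            s["certreq_cns"].append(_cn(m.group("dn")))
        m = UNKNOWN_CA_RE.search(msg)
        if m:
            s["unknown_ca_certreqs"] += int(m.group(1))
        m = re.match(r"initiating (EAP_\w+) method", msg)
        if m:
            s["eap_methods"].append(m.group(1))
        m = EXCHANGE_RE.match(msg)
        if m:
            s["last_exchange"] = m.group(1)
    w = s["warnings"]
    if len(s["certreq_cns"]) > 1:
        w.append("server offered %d CAs in CERTREQ: %s" % (len(s["certreq_cns"]), ", ".join(s["certreq_cns"])))
    if s["ike_sa_established"] and not s["child_sa_established"]:
        w.append("IKE_SA up but no CHILD_SA: phase 2 never completed")
    if s["eap_request_sent"] and not s["eap_response_received"]:
        w.append("client never answered the first EAP request after receiving the server "
                 "certificate; the rejection happened on the client side")
    if s["l2tp_transport"]:
        w.append("CHILD_SA carries UDP/1701 only (L2TP transport mode); L2TP/PPP failures "
                 "after this point are not visible in charon")
    return s


if __name__ == "__main__":
    for name, text in (("IKEv2 / EAP", SAMPLE_IKEV2), ("IKEv1 / L2TP", SAMPLE_IKEV1)):
        print("==", name)
        for k, v in summarize(text).items():
            print("  %-22s %s" % (k, v))
```

On the IKEv2 sample this makes explicit what "authentication of ... (myself) with RSA signature successful" does and does not prove: the server signed its own AUTH payload and sent its certificate with the first EAP request, and the trace then stops without an EAP response, which is the shape a client-side rejection of the server certificate leaves behind. It also lists the two CA names the server advertised in CERTREQ, which is the quickest way to spot a stale CA still being offered. On the IKEv1 sample both SAs come up and the CHILD_SA only protects UDP/1701, so a Windows 809 reported after that point is a problem in the L2TP/PPP layer rather than in IKE negotiation.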



  • Usually you need certificates with proper properties and that is the most common error.



  • I've modified the values in the logs; my initial configuration was failing to get a valid cert.  After I re-created the certs and re-configured the VPN it looks like it worked, I assume that's what this line from the logs is:

    authentication of 'mydyndnsname.onastaticip.net' (myself) with RSA signature successful

    That was all done before my initial post.  The fact that we're getting authentication seems to imply that the certs are set up properly, or am I misunderstanding that (which is entirely possible)?



  • Ok, after trying the temporary solution here:

    http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

    Involving the registry hack I was able to connect.  I'm not able to access lan computers from my remote client yet, but it's progress.



  • It looks like my mobile clients aren't getting a gateway.  I assume they need one, though I'm not sure what it should be since the pfSense doesn't actually have an IP on the VPN/mobile client subnet (virtual address pool).



  • I'm still trying to get either IPsec/L2TP or IKEv2 Mobile Clients working and I've made a little progress with both.

    With IKEv2/Mobile Clients I'm able to connect but I can't ping/access anything on my LAN or other VPN clients.  No entries are showing up on the firewall and adding a static route to my LANGW doesn't seem to help.  If I change the phase2 to a tunnel instead of transport I'm able to get to my LANGW but no other machine on that network.

    With IPsec/L2TP I'm able to connect and ping a subset of the machines on my LAN and other VPN clients.  The machines I'm unable to reach seem arbitrary but consistent: it's always the same computers I can't access, but I can't determine any rhyme or reason as to why I can't access them.  The two problem computers off the top of my head are a Synology NAS and an Ubuntu database server; the NAS doesn't appear to have any firewall reasons it couldn't be accessed, and there are a half dozen other identical boxes to the Ubuntu one that I'm able to access.  I've been using an Amazon EC2 instance running Windows Server 2012 to test the VPN since it was the easiest way for me to spin up an off-site Windows PC for testing.  However when I went to work on this from home I found out that my Windows 8 box couldn't connect.  Looking through the logs the suspicious items I saw were:

    • On the pfSense box, it looks like it's sending 2 certs; my Internal CA and an old Internal CA that I deleted (but may not have revoked)

    • The client seems to be complaining about the machine certificate, and the only thing I could think to do was to load the new/valid Internal CA (this didn't resolve my problem)



  • I feel like I'm on the home stretch, but still fighting with some of the same problems I've yet to be able to tackle.

    My IKEv2/Mobile Client connection doesn't allow the remote user any access to my LAN.  If I change phase2 from transport to tunnel then I can access my LANGW (the pfSense box) and that's it (still no access to the rest of the LAN)
    My IPsec/L2TP (IKEv1) connection works wonderfully... for Windows Server 2012 clients, but not for Windows 7/8.  Depending on the client I'm either getting NO_PROPOSAL_FOUND or charon: 06[IKE] <bypasslan|9> received retransmit of request with ID 0, retransmitting response



  • Did you set the any<->any rule on the IPSec interface?

    What did you set as local network on the phase 2 config?



  • I believe I finally managed to get a working solution:
    Using IKE2/Mobile Clients, if I disable "Use default gateway on remote network" on the VPN connection TCP/IP settings things seem to work.  I wouldn't hate, for academic reasons, to also get the IPsec/L2TP configuration working as well.

    @noija:

    Did you set the any<->any rule on the IPSec interface?

    What did you set as local network on the phase 2 config?

    My ipsec interface has an allow all rule.
    My local network is LAN subnet.



  • The last problem item on the IKE2 setup seems to be DNS.  My network config looks something like this:

    LAN: 10.10.42.0/24
    VPN: 10.10.69.0/24

    We had a dedicated DNS box prior to the pfSense that I'd like to phase out since the pfSense is easier to configure.  From the VPN network I can't get the pfSense DNS resolver to work, but the dedicated DNS box does.

    10.10.42.1 = pfSense
    10.10.42.6 = DNS server

    From my LAN I can successfully do the following:
    nslookup myserver.mydomain 10.10.42.1
    nslookup myserver.mydomain 10.10.42.6

    From my VPN I can't nslookup via 10.10.42.1, only the .6 box works.  I've tried telnetting to 10.10.42.1:53 and I'm able to establish a connection, so something about the response is getting lost.
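An added example for the DNS question above; it is not part of the thread. A telnet to 10.10.42.1:53 only proves that something is listening on TCP/53, while nslookup uses UDP first, so the two observations are not about the same path. This Python probe sends the same question over UDP and over TCP with plain sockets, decodes the DNS header of each reply, and turns the pair of results into one line of advice. The addresses 10.10.42.1 and 10.10.42.6 and the name myserver.mydomain come from the post and are placeholders; the rcode names follow RFC 1035, the diagnosis wording is the example's own.

```python
"""DNS probe over UDP and TCP with the standard library only.

Added example, not from the thread. SERVERS and NAME are placeholders taken
from the post; the diagnose() wording is this example's own.
"""
import socket
import struct

SERVERS = ("10.10.42.1", "10.10.42.6")   # pfSense resolver, dedicated DNS box (from the post)
NAME = "myserver.mydomain"                # placeholder name from the post

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: RD set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header; only the bits this probe needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),   # QR
        "truncated": bool(flags & 0x0200),     # TC: client must retry over TCP
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "answers": an,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def query_udp(server, name, timeout=2.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server, name, timeout=2.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)     # RFC 1035 two-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def probe(server, name):
    """Ask the same question over both transports; failures become values."""
    result = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            result[proto] = fn(server, name)
        except (OSError, ValueError) as e:          # socket.timeout is an OSError
            result[proto] = {"error": type(e).__name__}
    return result


def diagnose(result):
    """One line of advice from the UDP/TCP pair."""
    udp, tcp = result["udp"], result["tcp"]
    if "error" in udp and "error" in tcp:
        return "no answer on either transport: resolver not listening on this address, or port 53 blocked"
    if "error" in udp:
        return "TCP answers but UDP does not: look at the UDP/53 path (firewall rules on the VPN interface, fragmentation), not the resolver"
    if udp["rcode"] == "REFUSED":
        return "resolver reached but REFUSED: the client's source subnet is not allowed by the resolver's access control"
    if udp["truncated"]:
        return "UDP answer truncated: fine if TCP works, since the client retries over TCP"
    return "both transports answer (%s, %d answers)" % (udp["rcode"], udp["answers"])


if __name__ == "__main__":
    for server in SERVERS:
        r = probe(server, NAME)
        print(server, r, "->", diagnose(r))
```

Run it from a connected VPN client against both resolvers. A REFUSED rcode means the query reached the DNS Resolver (Unbound) and was rejected by its access control, which is the case to check for a mobile-client pool such as 10.10.69.0/24 that is not one of the firewall's interface networks; a UDP timeout with a working TCP answer points at the UDP/53 path between the client and the resolver rather than at the resolver itself.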