IPSEC IkeV2 Mobile client with EAP-MSCHAPv2 - not connecting.



  • Hi guys,
        Please let me know if you need me to post more config or logs.

    I was running an IPSEC VPN connection to my iPhone but could not get Windows to connect, so decided to try out the instructions here for an IKEv2 VPN:
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Unfortunately, no luck now with either iPhone or Windows (despite recreating CAs/certs etc).

    I am running pfsense 2.2.5-RELEASE (also tested under 2.2.5-RELEASE).

    Symptoms:
    When I try to connect the VPN on the iPhone 6 with iOS 9.1 (both on wifi and on 4G) the button literally flashes on then off and does not even register in the pfsense logs.

    The certs have been set up correctly (I have carefully recreated them a few times now, including making sure both the common name and the alternate names are the DNS name that points to my server, "chadho.me"). The Server CA has been downloaded correctly (export CA cert on the pfsense GUI) and is installed.

    Here is a video of the connection from within my LAN; same result from outside the LAN (over 4G mobile).

    YouTube video

    EDIT: If I change the domain name on the iPhone from chadho.me to my IP address, it at least attempts a connection and shows the following in the IPSEC logs in pfsense:
    Note the DNS entry for chadho.me is correctly updated with the correct IP address and I can connect using this IP for a web browser session.

    Nov 7 12:37:29	charon: 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Nov 7 12:37:29	charon: 13[IKE] <10> 1.136.54.225 is initiating an IKE_SA
    Nov 7 12:37:29	charon: 13[LIB] <10> size of DH secret exponent: 1023 bits
    Nov 7 12:37:29	charon: 13[IKE] <10> remote host is behind NAT
    Nov 7 12:37:29	charon: 13[IKE] <10> sending cert request for "C=US, ST=melb, L=melb, O=chadmail, E=davros@chadmail.com, CN=chadho.me"
    Nov 7 12:37:29	charon: 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Nov 7 12:37:29	charon: 13[NET] <10> sending packet: from 116.240.155.243[500] to 1.136.54.225[500] (341 bytes)
    Nov 7 12:37:29	charon: 08[NET] <10> received packet: from 1.136.54.225[4500] to 116.240.155.243[4500] (396 bytes)
    Nov 7 12:37:29	charon: 08[ENC] <10> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Nov 7 12:37:29	charon: 08[CFG] <10> looking for peer configs matching 116.240.155.243[116.240.155.243]...1.136.54.225[10.192.206.121]
    Nov 7 12:37:29	charon: 08[CFG] <bypasslan|10> selected peer config 'bypasslan'
    Nov 7 12:37:29	charon: 08[IKE] <bypasslan|10> peer requested EAP, config inacceptable
    Nov 7 12:37:29	charon: 08[CFG] <bypasslan|10> no alternative config found
    Nov 7 12:37:29	charon: 08[IKE] <bypasslan|10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Nov 7 12:37:29	charon: 08[IKE] <bypasslan|10> peer supports MOBIKE
    Nov 7 12:37:29	charon: 08[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Nov 7 12:37:29	charon: 08[NET] <bypasslan|10> sending packet: from 116.240.155.243[4500] to 1.136.54.225[4500] (68 bytes)
    

    ![ipsec summary.png](/public/imported_attachments/1/ipsec summary.png)
  • Same issue - no change under 2.2.5



  • Your certificate may have issues. Delete it and generate a new one making sure the CN/Subject matches your "Distinguished Name"/Identifier. There was some issue in generating certs in previous builds.

    Also your domain "chadho.me" resolves to a different IP than your logs show. That is why there is nothing in the logs, cause it's trying to connect to something else. If you have a static IP you can generate a certificate with the IP address as the CN and use that as the identifier. It will then work.

    Also the following settings worked for me with iOS in 2.2.5:
    Phase 1: AES 128 SHA1 DH 1024 (note that Windows requires AES256, and iOS doesn't like AES256)
    Phase 2: AES 256 SHA1 & SHA2 PFS Off



  • Thanks itctech. Much appreciate the help.

    I did regen the certs in 2.2.4 but will do so again under 2.2.5

    > Also your domain "chadho.me" resolves to a different IP than your logs show. That is why there is nothing in the logs, cause it's trying to connect to something else. If you have a static IP you can generate a certificate with the IP address as the CN and use that as the identifier. It will then work.

    Hi, it is a dynamic IP, but it was correctly pointing to the IP address when I did my testing (I verified this). I reset it as part of my testing, hence the IP had changed by the time you tested it.

    I suspect the IKEv2 may not like it if you do not specify a fixed IP address (ie. only use DNS names)…but will test this and report back.

    I'll redo the cert again and retry.

    I've restored my old config (L2TP) for now as it works.

    Need to go off shopping now with the missus...joy...so will test again later.

    Thanks!



  • No Joy.

    It looks like the IKEv2 does not like using a DNS name (and not an IP address).

    I can connect/resolve "chadho.me" using IPSEC, but unless I use the IP address for the server (and not chadho.me).

    However, while that will connect (and I see it in the logs), I still cannot make a connection (even after changing settings to those suggested by itctech).

    Nov 7 19:44:50	charon: 09[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Nov 7 19:44:50	charon: 09[IKE] <6> 1.136.54.110 is initiating an IKE_SA
    Nov 7 19:44:50	charon: 09[LIB] <6> size of DH secret exponent: 1023 bits
    Nov 7 19:44:50	charon: 09[IKE] <6> remote host is behind NAT
    Nov 7 19:44:50	charon: 09[IKE] <6> sending cert request for "C=US, ST=melb, L=melb, O=chadmail, E=davros@chadmail.com, CN=chadho.me"
    Nov 7 19:44:50	charon: 09[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Nov 7 19:44:50	charon: 09[NET] <6> sending packet: from 58.179.156.220[500] to 1.136.54.110[500] (341 bytes)
    Nov 7 19:44:50	charon: 16[NET] <6> received packet: from 1.136.54.110[4500] to 58.179.156.220[4500] (396 bytes)
    Nov 7 19:44:50	charon: 16[ENC] <6> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Nov 7 19:44:50	charon: 16[CFG] <6> looking for peer configs matching 58.179.156.220[58.179.156.220]...1.136.54.110[10.192.206.121]
    Nov 7 19:44:50	charon: 16[CFG] <bypasslan|6> selected peer config 'bypasslan'
    Nov 7 19:44:50	charon: 16[IKE] <bypasslan|6> peer requested EAP, config inacceptable
    Nov 7 19:44:50	charon: 16[CFG] <bypasslan|6> no alternative config found
    Nov 7 19:44:50	charon: 16[IKE] <bypasslan|6> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Nov 7 19:44:50	charon: 16[IKE] <bypasslan|6> peer supports MOBIKE
    Nov 7 19:44:50	charon: 16[ENC] <bypasslan|6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Nov 7 19:44:50	charon: 16[NET] <bypasslan|6> sending packet: from 58.179.156.220[4500] to 1.136.54.110[4500] (68 bytes)
    Nov 7 19:45:01	charon: 13[NET] <7> received packet: from 1.136.54.110[500] to 58.179.156.220[500] (388 bytes)
    Nov 7 19:45:01	charon: 13[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Nov 7 19:45:01	charon: 13[IKE] <7> 1.136.54.110 is initiating an IKE_SA
    Nov 7 19:45:01	charon: 13[LIB] <7> size of DH secret exponent: 1023 bits
    Nov 7 19:45:01	charon: 13[IKE] <7> remote host is behind NAT
    Nov 7 19:45:01	charon: 13[IKE] <7> sending cert request for "C=US, ST=melb, L=melb, O=chadmail, E=davros@chadmail.com, CN=chadho.me"
    Nov 7 19:45:01	charon: 13[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Nov 7 19:45:01	charon: 13[NET] <7> sending packet: from 58.179.156.220[500] to 1.136.54.110[500] (341 bytes)
    Nov 7 19:45:01	charon: 06[NET] <7> received packet: from 1.136.54.110[4500] to 58.179.156.220[4500] (396 bytes)
    Nov 7 19:45:01	charon: 06[ENC] <7> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Nov 7 19:45:01	charon: 06[CFG] <7> looking for peer configs matching 58.179.156.220[58.179.156.220]...1.136.54.110[10.192.206.121]
    Nov 7 19:45:01	charon: 06[CFG] <bypasslan|7> selected peer config 'bypasslan'
    Nov 7 19:45:01	charon: 06[IKE] <bypasslan|7> peer requested EAP, config inacceptable
    Nov 7 19:45:01	charon: 06[CFG] <bypasslan|7> no alternative config found
    Nov 7 19:45:01	charon: 06[IKE] <bypasslan|7> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Nov 7 19:45:01	charon: 06[IKE] <bypasslan|7> peer supports MOBIKE
    Nov 7 19:45:01	charon: 06[ENC] <bypasslan|7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Nov 7 19:45:01	charon: 06[NET] <bypasslan|7> sending packet: from 58.179.156.220[4500] to 1.136.54.110[4500] (68 bytes)
    


  • You should still see your phone attempting to connect to your pfSense box even if all of the settings are wrong. The only thing I can think of is that your phone is unable to correctly resolve chadho.me.

    Download this on your phone:
    https://itunes.apple.com/us/app/manageengine-ping-tool/id460362949

    Use the app to ensure your domain resolves correctly on the phone. Maybe even try restarting your phone as that should flush DNS cache. Be aware that your mobile phone provider may be running a DNS server that overwrites the TTL of the record set and hence hands you a stale record. Once resolution is working correctly you should see at least something in the pfSense logs. If you do not then something is wrong with resolution.

    That being said, as long as you set up your iPhone with Server being the IP of the pfSense WAN and Remote ID being chadho.me it should still connect. I verified that it works for me; it only checks the Remote ID against the certificate and "My Identifier" and not the actual Server. Leave "My Identifier" on pfSense to be chadho.me, don't change it to the IP otherwise cert validation will fail.

    I am not exactly sure what you are doing with User Manager. You need to put a username and password into VPN > IPsec, Pre-Shared Keys.

    Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense to add EAP users
        Click "+" to add a new user
        Enter an e-mail address style username, such as user@example.com
        Set Secret Type to EAP
        Enter a Pre-Shared Key (password) for the user
        Click Save

    Testing from Wi-Fi connected directly to the router can be problematic. Test from an external connection; cell data is fine, or a coffee shop's wifi.



  • Hi Itctech. Thank you for your continued help.

    > You should still see your phone attempting to connect to your pfSense box even if all of the settings are wrong.

    Yes, it is very strange that it cannot connect with IKEv2.
    It's definitely not the DNS resolution itself.
    I have downloaded the app you suggested (see attached screenshot below) but I knew it's not the issue as I have two VPNs set up on the phone:
    VPN setup 1) IPSEC (with PSK) connecting to chadho.me
    VPN setup 2) IKEv2 connecting to chadho.me

    When I have set up pfsense to use IKEv2, and I try to connect using 1) IPSEC, I can see in the pfsense logs the phone trying to connect (using chadho.me as the address).
    But when I then try to connect using the IKEv2 VPN from the iPhone, it fails immediately and does not even show in the logs.
    I also know the iPhone can resolve the name as I have a number of virtual servers running behind this IP (chadho.me) and I can connect to them with no problems using this DNS name from my iPhone.

    I have been using an IPSEC connection with no issues for some time and it's very puzzling that the IKEv2 does not resolve and will only connect/show in the logs if I have the IP address in the server field.

    > Testing from Wi-Fi connected directly to the router can be problematic, test from an external connection, cell data is fine or a coffee shop's wifi.

    Agree. I mostly test by turning off the wifi and using cellular (what I've referred to as a 4G network; that's what we call it here in Aus).

    > I am not exactly sure what you are doing with User Manager…

    Yes, I did stuff that up. I missed that in the instructions and have now added a new user (an EAP user as per the instructions you posted).

    That however does not address the fundamental issue I have that the IKEv2 session does not even appear to try to connect unless I have the IP in the server field.

    I have updated the settings as per your post as well.


    Using this, I get the following in the logs (note if I use chadho.me, the iPhone VPN connection button quickly flips from Not connected/Connecting/Not connected and nothing shows in the logs).

    Last 100 IPsec log entries
    Nov 7 23:42:25	charon: 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Nov 7 23:42:25	charon: 06[IKE] <1> 1.152.92.200 is initiating an IKE_SA
    Nov 7 23:42:25	charon: 06[LIB] <1> size of DH secret exponent: 1023 bits
    Nov 7 23:42:25	charon: 06[IKE] <1> remote host is behind NAT
    Nov 7 23:42:25	charon: 06[IKE] <1> sending cert request for "C=US, ST=melb, L=melb, O=chadmail, E=davros@chadmail.com, CN=chadho.me"
    Nov 7 23:42:25	charon: 06[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Nov 7 23:42:25	charon: 06[NET] <1> sending packet: from 210.50.83.244[500] to 1.152.92.200[500] (345 bytes)
    Nov 7 23:42:25	charon: 10[NET] <1> received packet: from 1.152.92.200[4500] to 210.50.83.244[4500] (412 bytes)
    Nov 7 23:42:25	charon: 10[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Nov 7 23:42:25	charon: 10[CFG] <1> looking for peer configs matching 210.50.83.244[chadho.me]...1.152.92.200[10.220.48.23]
    Nov 7 23:42:25	charon: 10[CFG] <con1|1> selected peer config 'con1'
    Nov 7 23:42:25	charon: 10[IKE] <con1|1> initiating EAP_IDENTITY method (id 0x00)
    Nov 7 23:42:25	charon: 10[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Nov 7 23:42:25	charon: 10[IKE] <con1|1> peer supports MOBIKE, but disabled in config
    Nov 7 23:42:25	charon: 10[IKE] <con1|1> authentication of 'chadho.me' (myself) with RSA signature successful
    Nov 7 23:42:25	charon: 10[IKE] <con1|1> sending end entity cert "C=US, ST=melb, L=melb, O=chadmail, E=davros@chadmail.com, CN=chadho.me"
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> splitting IKE message with length of 1580 bytes into 4 fragments
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(1/4) ]
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(2/4) ]
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(3/4) ]
    Nov 7 23:42:25	charon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ EF(4/4) ]
    Nov 7 23:42:25	charon: 10[NET] <con1|1> sending packet: from 210.50.83.244[4500] to 1.152.92.200[4500] (544 bytes)
    Nov 7 23:42:25	charon: 10[NET] <con1|1> sending packet: from 210.50.83.244[4500] to 1.152.92.200[4500] (544 bytes)
    Nov 7 23:42:25	charon: 10[NET] <con1|1> sending packet: from 210.50.83.244[4500] to 1.152.92.200[4500] (544 bytes)
    Nov 7 23:42:25	charon: 10[NET] <con1|1> sending packet: from 210.50.83.244[4500] to 1.152.92.200[4500] (160 bytes)
    

    ![ipsec server.png](/public/imported_attachments/1/ipsec server.png)

    ![vpn settings iphone.png](/public/imported_attachments/1/vpn settings iphone.png)



  • OK, that log output looks like it got further than before, it actually found the correct VPN connection. Looks like the iPhone itself is dropping the connection.

    You need to add SHA256 in addition to SHA1 in Phase 2, otherwise it will fail. This may be why it doesn't fully connect.

    It could also be failing if it doesn't trust the certificate it's being sent, are you sure the same CA cert that was used to generate server cert is properly installed on the phone?

    Also can you screenshot the "Mobile Clients" tab, did you specify a Virtual Address Pool?
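The two log captures in this thread differ in exactly one place that decides the outcome: the identity the phone sends as IDr in IKE_AUTH. With the IP address as Remote ID, charon matched the "bypasslan" entry (which does not allow EAP) and answered AUTH_FAILED; with chadho.me as Remote ID it matched "con1", authenticated itself with its RSA certificate and started EAP. The following script is an added illustration, not code from any post or from pfSense/strongSwan: it groups charon lines by IKE_SA, extracts the IDr the client sent and the connection charon selected, and classifies each attempt. The sample lines are an abridged, constructed copy of the logs above; the function names `triage`/`classify` and the expected connection name "con1" and identifier "chadho.me" are my choices taken from those logs.

```python
import re
from collections import OrderedDict

# Constructed sample: abridged charon lines in the shape of the logs posted in
# this thread. SA <10> is the attempt where the client sent its IP as IDr;
# SA <1> is the attempt where it sent the hostname.
SAMPLE_LOG = """\
Nov 7 12:37:29\tcharon: 13[IKE] <10> 1.136.54.225 is initiating an IKE_SA
Nov 7 12:37:29\tcharon: 08[CFG] <10> looking for peer configs matching 116.240.155.243[116.240.155.243]...1.136.54.225[10.192.206.121]
Nov 7 12:37:29\tcharon: 08[CFG] <bypasslan|10> selected peer config 'bypasslan'
Nov 7 12:37:29\tcharon: 08[IKE] <bypasslan|10> peer requested EAP, config inacceptable
Nov 7 12:37:29\tcharon: 08[CFG] <bypasslan|10> no alternative config found
Nov 7 12:37:29\tcharon: 08[ENC] <bypasslan|10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 7 23:42:25\tcharon: 06[IKE] <1> 1.152.92.200 is initiating an IKE_SA
Nov 7 23:42:25\tcharon: 10[CFG] <1> looking for peer configs matching 210.50.83.244[chadho.me]...1.152.92.200[10.220.48.23]
Nov 7 23:42:25\tcharon: 10[CFG] <con1|1> selected peer config 'con1'
Nov 7 23:42:25\tcharon: 10[IKE] <con1|1> initiating EAP_IDENTITY method (id 0x00)
Nov 7 23:42:25\tcharon: 10[IKE] <con1|1> authentication of 'chadho.me' (myself) with RSA signature successful
Nov 7 23:42:25\tcharon: 10[ENC] <con1|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
"""

# "charon: 08[CFG] <bypasslan|10> msg" -> subsystem, optional connection name, SA number, message
LINE_RE = re.compile(
    r"charon: \d+\[(?P<sub>[A-Z]+)\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$")
# "looking for peer configs matching <my-addr>[<IDr>]...<peer-addr>[<IDi>]"
MATCH_RE = re.compile(
    r"looking for peer configs matching (?P<me>\S+?)\[(?P<idr>[^\]]*)\]\.\.\.(?P<peer>\S+?)\[(?P<idi>[^\]]*)\]")
SELECT_RE = re.compile(r"selected peer config '(?P<conn>[^']+)'")


def _new_sa():
    return {"peer": None, "idr": None, "idi": None, "conn": None,
            "eap_started": False, "auth_failed": False, "server_auth_ok": False}


def parse_charon_log(log_text):
    """Group charon lines by IKE_SA number and record the facts triage needs.
    SA numbers restart when charon restarts, so feed one daemon run at a time."""
    sas = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], _new_sa())
        msg = m["msg"]
        if msg.endswith("is initiating an IKE_SA"):
            sa["peer"] = msg.split()[0]           # initiator's public address
        mm = MATCH_RE.search(msg)
        if mm:
            sa["idr"], sa["idi"] = mm["idr"], mm["idi"]   # identities as sent by the client
        ms = SELECT_RE.search(msg)
        if ms:
            sa["conn"] = ms["conn"]               # connection charon chose for this IDr/IDi
        if msg.startswith("initiating EAP_"):
            sa["eap_started"] = True
        if "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
        if "(myself) with RSA signature successful" in msg:
            sa["server_auth_ok"] = True
    return sas


def classify(sa, expected_conn, expected_idr):
    """Return (code, explanation) for one IKE_SA."""
    if sa["conn"] is None:
        return ("NO_IKE_AUTH", "IKE_SA_INIT seen but no IKE_AUTH arrived: the client gave up "
                "or its UDP 4500 traffic is not reaching the firewall")
    if sa["conn"] != expected_conn:
        return ("WRONG_CONFIG", "client sent IDr '%s' (expected '%s'), so charon selected '%s' "
                "instead of '%s'; set the client's Remote ID to '%s'"
                % (sa["idr"], expected_idr, sa["conn"], expected_conn, expected_idr))
    if sa["server_auth_ok"] and sa["eap_started"]:
        return ("EAP_STARTED", "server identity authenticated and EAP identity request sent; "
                "a stall here is on the client side (CA trust, proposals), not config selection")
    if sa["auth_failed"]:
        return ("AUTH_FAILED", "expected config selected but IKE_AUTH still failed")
    return ("INCOMPLETE", "exchange did not reach a terminal state in this log")


def triage(log_text, expected_conn, expected_idr):
    """Return [(sa_number, peer_address, code, explanation), ...] in log order."""
    out = []
    for sa_id, sa in parse_charon_log(log_text).items():
        code, why = classify(sa, expected_conn, expected_idr)
        out.append((sa_id, sa["peer"], code, why))
    return out


if __name__ == "__main__":
    for sa_id, peer, code, why in triage(SAMPLE_LOG, "con1", "chadho.me"):
        print("IKE_SA %s from %s: %s - %s" % (sa_id, peer, code, why))
```

Run it against a pasted copy of the pfSense IPsec log with your own connection name and "My Identifier" value. Attempts that never show up at all (the hostname case in this thread) cannot be classified from the server log, which is the point itctech makes above: if nothing arrives, the problem is before IKE, on the client or in resolution.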



  • Thanks Itctech. Added 256.

    I have discovered that the issue is that the iPhone does not like ".me" addresses.
    Perhaps it does some pre-validation on the device. I have just registered a .com address and it connects to the server.
    However, using the .me (which is with the same registry and the same dynamic DNS provider and pointing to the same IP) it fails to connect at all.

    Looks like an Apple issue.

    So, now I can connect no problems! Both from my Windows tablet AND my iPhone! YAY!!!!!

    Thank you so much for your help.

