Any IPSec Mobile client that actually works in Windows?



  • Hello,

    I got a pfSense box with IPsec VPN setup. Site to Site works great. Can't get any better.
    Mobile IPsec works out of the box on my Mac with the integrated IPsec client. No 3rd party apps needed. No matter what encryption type I pick. Awesome.
    On Windows 7 I can't get it to work no matter what. I tried all the guides, from the pfSense official doc to various blogs that show basically the same setup with just different types of encryption. The ShrewSoft client doesn't want to establish the connection. I use Mutual PSK + Xauth.

    I am trying to set up some mobile VPN clients on Windows, but this problem is really restricting me and makes me use Untangle instead. I don't like Untangle much, but I have no other choice. Any help will be greatly appreciated.



  • Just to add, here is the IPsec log. I have the same encryption types on both sides, but the log still says "no proposal found". Weird.

    Apr 20 16:25:26 charon 08[NET] <25> received packet: from x.x.x.x [500] to x.x.x.x [500] (443 bytes)
    Apr 20 16:25:26 charon 08[ENC] <25> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ]
    Apr 20 16:25:26 charon 08[IKE] <25> received XAuth vendor ID
    Apr 20 16:25:26 charon 08[IKE] <25> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 20 16:25:26 charon 08[IKE] <25> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Apr 20 16:25:26 charon 08[IKE] <25> received NAT-T (RFC 3947) vendor ID
    Apr 20 16:25:26 charon 08[IKE] <25> received FRAGMENTATION vendor ID
    Apr 20 16:25:26 charon 08[ENC] <25> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Apr 20 16:25:26 charon 08[ENC] <25> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Apr 20 16:25:26 charon 08[ENC] <25> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Apr 20 16:25:26 charon 08[IKE] <25> received Cisco Unity vendor ID
    Apr 20 16:25:26 charon 08[IKE] <25> x.x.x.x is initiating a Aggressive Mode IKE_SA
    Apr 20 16:25:26 charon 08[CFG] <25> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 20 16:25:26 charon 08[CFG] <25> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Apr 20 16:25:26 charon 08[IKE] <25> no proposal found
    Apr 20 16:25:26 charon 08[ENC] <25> generating INFORMATIONAL_V1 request 2241021620 [ N(NO_PROP) ]
    Apr 20 16:25:26 charon 08[NET] <25> sending packet: from x.x.x.x [500] to x.x.x.x [500] (56 bytes)
    Apr 20 16:25:31 charon 08[NET] <26> received packet: from x.x.x.x [500] to x.x.x.x [500] (443 bytes)
    Apr 20 16:25:31 charon 08[ENC] <26> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ]
    Apr 20 16:25:31 charon 08[IKE] <26> received XAuth vendor ID
    Apr 20 16:25:31 charon 08[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 20 16:25:31 charon 08[IKE] <26> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Apr 20 16:25:31 charon 08[IKE] <26> received NAT-T (RFC 3947) vendor ID
    Apr 20 16:25:31 charon 08[IKE] <26> received FRAGMENTATION vendor ID
    Apr 20 16:25:31 charon 08[ENC] <26> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
    Apr 20 16:25:31 charon 08[ENC] <26> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
    Apr 20 16:25:31 charon 08[ENC] <26> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
    Apr 20 16:25:31 charon 08[IKE] <26> received Cisco Unity vendor ID
    Apr 20 16:25:31 charon 08[IKE] <26> x.x.x.x  is initiating a Aggressive Mode IKE_SA
    Apr 20 16:25:31 charon 08[CFG] <26> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Apr 20 16:25:31 charon 08[CFG] <26> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Apr 20 16:25:31 charon 08[IKE] <26> no proposal found
    Apr 20 16:25:31 charon 08[ENC] <26> generating INFORMATIONAL_V1 request 3419511389 [ N(NO_PROP) ]
    Apr 20 16:25:31 charon 08[NET] <26> sending packet: fromx.x.x.x [500] to x.x.x.x [500] (56 bytes)
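As an added example (not from this thread, and not pfSense or strongSwan code), a small Python checker that reads the charon "received proposals" / "configured proposals" lines above and names the transform types that stop the two sides from agreeing. Classifying algorithms by name prefix is an assumption that only approximates strongSwan's own matching, and the embedded log lines are constructed in the shape of the ones posted.

```python
import re

# Constructed sample in the shape of the charon lines above (not copied from a live box).
SAMPLE_LOG = """\
Apr 20 16:25:26 charon 08[CFG] <25> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 20 16:25:26 charon 08[CFG] <25> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Apr 20 16:25:26 charon 08[IKE] <25> no proposal found
"""

PROPOSAL_RE = re.compile(r"<(\d+)> (received|configured) proposals: (.+)$")

def transform_type(token):
    """Classify an IKE transform token by its name prefix (an approximation of strongSwan's types)."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("HMAC_", "AES_XCBC")):
        return "integ"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    return "enc"

def parse_proposals(text):
    """Map each IKE_SA id to its 'received' and 'configured' proposal strings."""
    result = {}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            sa_id, kind, props = m.groups()
            entry = result.setdefault(sa_id, {"received": [], "configured": []})
            entry[kind].extend(p.strip() for p in props.split(","))
    return result

def by_type(proposal):
    """'IKE:ENC/INTEG/PRF/DH' -> set of tokens per transform type."""
    groups = {"enc": set(), "integ": set(), "prf": set(), "dh": set()}
    for tok in proposal.partition(":")[2].split("/"):
        if tok:
            groups[transform_type(tok)].add(tok)
    return groups

def mismatched_types(received, configured):
    """Transform types with nothing in common; an empty list means the two proposals match."""
    r, c = by_type(received), by_type(configured)
    return [t for t in r if r[t] and c[t] and not (r[t] & c[t])]

def diagnose(text):
    """Per IKE_SA: the shortest list of transform types blocking a match (None if a side is missing)."""
    report = {}
    for sa_id, sides in parse_proposals(text).items():
        diffs = [mismatched_types(r, c) for r in sides["received"] for c in sides["configured"]]
        report[sa_id] = min(diffs, key=len) if diffs else None
    return report
```

Running `diagnose(SAMPLE_LOG)` on the sample reports that SA 25 fails on the integrity and PRF transforms, i.e. the SHA1 versus SHA256 disagreement, while encryption and DH group already agree.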



  • You've got a mismatch because your pfsense box expects the client to have the Phase 1 Hash Algorithm configured as SHA2 (SHA256), but your client is on SHA1. One of them needs changing to be a match…



  • What version of pfSense?  I am routinely deploying native IPSec ikev2 on Windows boxes with no issues.  I am running 2.2.6



  • @JustMe:

    You've got a mismatch because your pfsense box expects the client to have the Phase 1 Hash Algorithm configured as SHA2 (SHA256), but your client is on SHA1. One of them needs changing to be a match…

    Yeah. Mismatch is here:

    Apr 20 16:25:31  charon      08[CFG] <26> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
    Apr 20 16:25:31  charon      08[CFG] <26> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024



  • @JustMe:

    You've got a mismatch because your pfsense box expects the client to have the Phase 1 Hash Algorithm configured as SHA2 (SHA256), but your client is on SHA1. One of them needs changing to be a match…

    I saw that, but both sides are configured as SHA1. Check out the screenshots for P1 and P2 and the mobile client.






  • @kapara:

    What version of pfSense?  I am routinely deploying native IPSec ikev2 on Windows boxes with no issues.  I am running 2.2.6

    I'm running the latest version 2.3, but I had this problem on 2.2.6 also.



  • No matter what algorithm I pick on the pfSense side, the log still shows that my configured proposal is IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 even though it's not.

    A bug maybe?



  • Something definitely is wrong on my pfSense box. I tested this on a new pfSense that I recently installed and it works. Go figure. I might have to do a clean install.



  • Very odd. Amazingly neither the pfsense box nor the remote client appear to offer / request your configured 3des in your log, both request AES. It is almost as if the log is from a different machine… Reinstall sounds sensible. Perhaps you can have a look in the saved backup file to see what was locally stored.



  • Do you happen to have a site to site VPN configured using the IP of the system your mobile client is connecting with? In that case, strongswan will end up trying to match your mobile client to the site to site VPN. That's the only situation I can think of where that wouldn't match up with mobile.

    The log you pasted shows the client's trying to use AES, where your screenshots clearly show 3DES. AES would be preferable regardless, but seems like either your client config changed since the logs earlier, or your client isn't actually using what you have configured in that screenshot.



  • @cmb:

    Do you happen to have a site to site VPN configured using the IP of the system your mobile client is connecting with? In that case, strongswan will end up trying to match your mobile client to the site to site VPN. That's the only situation I can think of where that wouldn't match up with mobile.

    The log you pasted shows the client's trying to use AES, where your screenshots clearly show 3DES. AES would be preferable regardless, but seems like either your client config changed since the logs earlier, or your client isn't actually using what you have configured in that screenshot.

    Yes I do! ;D But it was inactive at the time of the mobile client testing. I kinda suspected that might be messing things up. Thanks for pointing that out to me.

    I was clearing the log before any connection attempt so I knew I got the right logs from the mobile client trying to connect. Lesson learned. Thanks a lot!  :D



  • I have IPSec site to site and VPN client working with shrewsoft and Cisco vpnclient 5.0.07.

    If you need help, PM me and I will help you.



    On Windows 7 I can't get it to work no matter what. I tried all the guides, from the pfSense official doc to various blogs that show basically the same setup with just different types of encryption. The ShrewSoft client doesn't want to establish the connection. I use Mutual PSK + Xauth.

    The ShrewSoft VPN client should be really nice and well running; in your case here it can surely be
    that you were installing some more clients together on your Windows-based PC, and this often causes
    errors too that no one is able to solve, or that you are not able to get rid of. Please think about that point.

    I am trying to set up some mobile VPN clients on Windows, but this problem is really restricting me and makes me use Untangle instead. I don't like Untangle much, but I have no other choice. Any help will be greatly appreciated.

    No one needs Untangle UTM only to set up an IPsec connection! Please beware of telling us such a story!
    If all else fails you could place in the DMZ a small Raspberry Pi 2.0 for ~$30 together with a Debian
    for RAPI and SoftEther VPN server and client. For a small budget and serving many VPN methods!!!

    To clarify two other things here would not really help you out of your problem, but having more
    to think about is more normal given what is going on at your side! In former days very experienced admins
    were afraid of setting up a proper and smooth-running VPN connection; today this is more common,
    since smartphones and tablet computers are in the game, but not really less complicated, and often
    only a small thing is missed or a typo occurred during the config.

    I have IPSec site to site and VPN client working with shrewsoft and Cisco vpnclient 5.0.07.

    In my eyes there are two main VPN connections in the game, and many other VPN methods.
    Site-to-Site = router to router, or firewall to firewall, or router to firewall.
    Client-to-Site = also called "road warrior" VPN; that's a client device such as a mobile phone, smartphone,
    tablet PC or any other kind of device such as a laptop or MacBook that is not sitting behind a NAT solution!

    So if now someone is setting up the PC behind a router or firewall that is doing NAT, or the mobile ISP is
    doing NAT because it is using a private network between the Internet and your device, it will also
    really often cause problems.



  • Hi!

    Have you solved it?

    Reading your post I remembered I had problems with ShrewSoft client.
    What fixed it for me was the setting
    NAT Traversal: Force  ( in mobile clients / advanced )

    LP, Miro

