Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Getting IPSec Working with 2.2.6 & iOS 9

    IPsec
    1
    2
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rlindenschmidt
      last edited by

      I have followed a bunch of different howto docs found online and still cannot locate where the error is.

      Negotiation mode is set as Main in VPN: IPsec: Edit Phase 1: Mobile Client.  I have tried setting it as Aggressive with no change.

      Of note is it seems that my iPhone (79.196.XXX.XXX) is requesting Main mode.  Is there a setting in VPN in iOS to change?

      Any help would be greatly appreciated.  This is driving me nuts.

      May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX [4500] to 70.196.XXX.XXX [2545] (108 bytes)
      May 10 11:01:48  charon: 12[ENC] <1> generating INFORMATIONAL_V1 request 165331397 [ HASH N(AUTH_FAILED) ]
      May 10 11:01:48 charon: 12[IKE] <1> found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
      May 10 11:01:48 charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX…70.196.XXX.XXX
      May 10 11:01:48 charon: 12[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
      May 10 11:01:48 charon: 12[NET] <1> received packet: from 70.196.XXX.XXX[2545] to 192.168.XX.XXX[4500] (108 bytes)
      May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX[500] to 70.196.XXX.XXX[2542] (396 bytes)
      May 10 11:01:48 charon: 12[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      May 10 11:01:48 charon: 12[IKE] <1> remote host is behind NAT
      May 10 11:01:48 charon: 12[IKE] <1> local host is behind NAT, sending keep alives
      May 10 11:01:48 charon: 12[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      May 10 11:01:48 charon: 12[NET] <1> received packet: from 70.196.XXX.XXX[2542] to 192.168.XX.XXX[500] (380 bytes)
      May 10 11:01:48 charon: 12[NET] <1> sending packet: from 192.168.XX.XXX [500] to 70.196.XXX.XXX[2542] (156 bytes)
      May 10 11:01:48 charon: 12[ENC] <1> generating ID_PROT response 0 [ SA V V V V ]
      May 10 11:01:48 charon: 12[IKE] <1> 70.196.XXX.XXX is initiating a Main Mode IKE_SA

      1 Reply Last reply Reply Quote 0
      • R
        rlindenschmidt
        last edited by

        OK, so if I specify a Group Name in iOS, the request becomes aggressive.  It still fails at:

        May 10 12:06:15 charon: 06[IKE] <15> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
        May 10 12:06:15 charon: 06[CFG] <15> looking for XAuthInitPSK peer configs matching 192.168.XX.XXX…70.196.XXX.XXX[VPN]

        From VPN: IPsec: Edit Phase 1: Mobile Client - Phase 1 Proposal:

        Authentication method - Mutual PSK & Xauth
        Negotiation mode - Aggressive
        My Identifier - My IP Address
        Peer Identifier - Distinguished Name - VPN
        Pre-Shared Key - XXX

        What am I missing?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.