Mobile IPsec Clients
After a significant false start, I got the mobile IPsec VPN set up for the mobile clients using IKEv2 and TLS certificates. The major false start was caused by not marking the certificate I created for the server as a 'server' certificate ... a selection way down at the bottom of the screen for creating certificates. The basic instructions are in this note: [https://www.netgate.com/docs/pfsense/vpn/ipsec/ikev2-with-eap-tls.html VPN » IPsec » IKEv2 with EAP-TLS | pfSense Documentation]. As an intermediate step (before I figured out what the problem was with the certificate), I had it working with user/password authentication: [https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html VPN » IPsec » Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2 | pfSense Documentation].

The native Windows client is very opaque ... but once I figured out its language, I made progress:
* "Policy conflict" == couldn't agree on an encryption/hash algorithm
* "IKE Credentials not acceptable" == the server certificate isn't valid

Different OS/devices may need different encryption algorithms ... add each one as a separate item in the Phase 1 entry ... but make sure the Phase 2 entry has all the boxes checked for the union of all the device requirements:
* Windows client: AES256, SHA1, and DH group 2
* Android client (StrongSwan): AES256, SHA256, DH group 14

The native Android client wouldn't connect to the server in this configuration ... its choices for authentication didn't include EAP-TLS. I downloaded the StrongSwan client (seems to be connected to the pfSense group), and it connected right away -- even with the bad server certificate.
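As an added check (not from the wiki author or from pfSense), the script below uses openssl to confirm that a certificate carries the serverAuth extended key usage, which is what marking a pfSense certificate as a 'server' certificate adds, and a subjectAltName for the hostname clients will dial; the hostname vpn.example.test and the throw-away certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a PEM certificate is usable as the IKEv2 server cert
# before loading it into pfSense. A cert created without the 'server' type
# lacks the serverAuth EKU and clients will refuse it. Names are constructed.
set -u

# check_vpn_server_cert <pem file> <expected SAN, e.g. DNS:vpn.example.test>
# Returns 0 when both attributes are present, 1 otherwise, and prints why.
check_vpn_server_cert() {
    cert=$1; want_san=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    ok=0
    if ! printf '%s\n' "$text" | grep -qF 'TLS Web Server Authentication'; then
        echo "$cert: missing serverAuth EKU (not a 'server' certificate)"
        ok=1
    fi
    if ! printf '%s\n' "$text" | grep -qF "$want_san"; then
        echo "$cert: subjectAltName does not contain $want_san"
        ok=1
    fi
    return $ok
}

# Two throw-away self-signed certs to exercise the check: one with the EKU a
# server certificate needs, one created without it (the false start case).
WORK=$(mktemp -d)
SAN='DNS:vpn.example.test'
GOOD="$WORK/server-ok.pem"
BAD="$WORK/server-missing-eku.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn.example.test' \
    -addext "subjectAltName=$SAN" -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$WORK/ok.key" -out "$GOOD" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpn.example.test' \
    -addext "subjectAltName=$SAN" \
    -keyout "$WORK/bad.key" -out "$BAD" 2>/dev/null

check_vpn_server_cert "$GOOD" "$SAN" && echo "$GOOD: OK for IKEv2 server use"
check_vpn_server_cert "$BAD" "$SAN" || echo "$BAD: rejected, fix before importing"
```

Run it against the server certificate exported from the pfSense certificate manager, passing the DNS name or IP the clients connect to as the second argument.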
When configuring the clients, it seems to be key to use the .p12 certificate package (downloadable from the cert manager in pfSense) for the client certificates and the straight .crt file for the CA certificate:
* (Windows) just download the certs, then click them in the file explorer
** client certificate goes in the user store
** CA certificate goes in the machine store; force it into the "root certificate authority" group
* (Android) install them using the system tools in Settings/Security/Other (or some such path ... it is buried)
** you have to get them on the device in a hard folder -- not Dropbox or anything else; I put them in Dropbox, then exported them to the Downloads directory to get them where the utility could find them to install

Configuring the clients was straightforward based on the instructions in the pfSense documentation linked above.