Mobile IPsec Clients
Page created by DrEdWilliams (talk | contribs)
Latest revision as of 01:22, 3 August 2019
After a significant false start, I got the mobile IPsec VPN set up for the mobile clients using IKEv2 and TLS certificates.
The major false start was caused by not marking the certificate I created for the server as a 'server' certificate ... a selection way down at the bottom of the screen for creating certificates.
The basic instructions are in this note: VPN — IPsec — IKEv2 with EAP-TLS | pfSense Documentation. As an intermediate step (before I figured out what the problem was with the certificate), I had it working with user/password authentication: VPN — IPsec — Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2 | pfSense Documentation
The native Windows client is very opaque ... but once I figured out its language, I made progress:
- "Policy conflict" == the client and server couldn't agree on an encryption/hash algorithm (a Phase 1 proposal mismatch)
- "IKE Credentials not acceptable" == the server certificate isn't acceptable to the client (not marked as a server certificate, or not issued by a CA the client trusts)
Different OSes/devices may need different encryption algorithms. Add each combination as a separate proposal in the Phase 1 entry, and make sure the Phase 2 entry has the boxes checked for the union of all the device requirements:
- Windows client (native client defaults): AES256, SHA1, DH group 2
- Android client (strongSwan): AES256, SHA256, DH group 14
Note that DH group 2 is 1024-bit MODP and is in the list only because it is what the native Windows client proposes by default; the client side can be raised to group 14 or better with the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, after which group 2 can be dropped from Phase 1 on the server.
The native Android client wouldn't connect to the server in this configuration ... its choices for authentication didn't include EAP-TLS. I downloaded the strongSwan client (seems to be connected to the pfSense group), and it connected right away -- even with the bad server certificate.
When configuring the clients, it seems to be key to use the .p12 certificate package (downloadable from the cert manager in pfSense) for the client certificates and the straight .crt file for the CA certificate:
- (Windows) just download the certs, then double-click them in File Explorer:
  - the client certificate goes in the user store
  - the CA certificate goes in the machine store; force it into the "Trusted Root Certification Authorities" group
- (Android) install them using the system tools in Settings > Security > Other (or some such path ... it is buried):
  - you have to get them onto the device in local storage, not Dropbox or anything else; I put them in Dropbox then exported them to the Downloads directory to get them where the utility could find them to install
Configuring the clients was straightforward based on the instructions in the pfSense documentation linked above.
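Two checks worth running on the files before touching any client: that the server certificate really is a 'server' certificate (chains to the CA, carries the serverAuth extended key usage, has the VPN hostname in its subjectAltName), and that the .p12 bundle for a client actually contains a private key plus a clientAuth certificate. The script below is an added example, not code from the original page or from pfSense; it builds a throwaway CA and certificates with openssl so it runs offline, and the CA name, the hostname vpn.example.org, the user "alice" and the password "changeit" are made-up values. It assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: reproduce the "server cert vs. user cert" false start and the
# client .p12 export, then check both the way Windows effectively does.
# Assumes openssl on PATH; all names, hostnames and passwords are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions a "Server Certificate" gets: serverAuth EKU plus the hostname SAN.
cat > server-ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.org
EOF

# Extensions a "User Certificate" gets (the false-start server cert looked like this).
cat > user-ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway CA standing in for the CA created in pfSense (made-up name).
openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=Demo VPN CA" -days 30 2>/dev/null

# mk_cert NAME EXTFILE: issue NAME.crt signed by the demo CA with EXTFILE's extensions.
mk_cert() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$2" 2>/dev/null
}

mk_cert vpn.example.org server-ext.cnf   # properly typed server cert
mk_cert vpn-bad user-ext.cnf             # server cert created as a user cert
mk_cert alice user-ext.cnf               # a mobile client's cert
# The client bundle as the pfSense cert manager exports it: cert + key + CA.
openssl pkcs12 -export -inkey alice.key -in alice.crt -certfile ca.crt \
  -out alice.p12 -passout pass:changeit

# check_server_cert CERT HOSTNAME: succeeds only if CERT chains to ca.crt,
# carries the serverAuth EKU and lists HOSTNAME in its SAN. The native Windows
# client rejects the IKE credentials when any of these is missing.
check_server_cert() {
  openssl verify -CAfile ca.crt "$1" 2>/dev/null | grep -q ': OK$' || return 1
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
}

# check_client_p12 FILE PASSWORD: succeeds only if the bundle holds a private
# key and a certificate with the clientAuth EKU, which is what EAP-TLS needs.
check_client_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' || return 1
}

for c in vpn.example.org vpn-bad; do
  if check_server_cert "$c.crt" "$c"; then
    echo "$c.crt: usable as IKEv2 server certificate"
  else
    echo "$c.crt: NOT usable (no serverAuth EKU and/or no SAN for $c)"
  fi
done
if check_client_p12 alice.p12 changeit; then
  echo "alice.p12: contains private key + clientAuth certificate"
fi
```

To run the same checks against real files, point check_server_cert at the server .crt exported from pfSense (with ca.crt being the CA's .crt) and check_client_p12 at the .p12 from the cert manager; a certificate that fails the serverAuth or SAN test is the one that produces the "IKE Credentials not acceptable" message on Windows even though strongSwan on Android accepts it.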