Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
IKeV2 issues on Windows 10 fully patched
« previous
next »
Print
Pages: [
1
]
Author
Topic: IKeV2 issues on Windows 10 fully patched (Read 2215 times)
rubydragon
Newbie
Posts: 2
Karma: 0
IKeV2 issues on Windows 10 fully patched
«
on:
May 13, 2021, 10:49:29 pm »
Hey guys,
First time posting so a huge hi to start with!
Now the reason of my post... I'm a network IT managing many different customers and one of them started to have issues this morning. The background of what happened is I updated the router to the latest version (21.1.5) and now users are unable to connect to their VPN using the built in Windows 10 IKEv2. It worked fine before the update. As far as config goes, everything is as it should be and was before the update.
Now for the tests phase... and the results:
The error: The IKE authentication informations are unacceptable
- Tried from my laptop: failing
- Tried from my iphone: working
- Tried from another laptop I have home: failing
- Tried from my laptop using my iphone as a hotspot (thinking maybe ISP): failing
- Tried from a computer at another of my customer (another ISP as well): failing
- Tried from a colleague working from home with Windows 10 fully patched: working
- Uninstalled and reinstalled Let's Encrypt plugin: no changes
- Restarted services, rebooted router
- Looked at possible expired or old local certificates on my laptop: nothing found that matched the cert used for VPN
The configs:
- IKEv2 using Radius authentication from Windows server & LDAP users
- Let's Encrypt certificate (verified and everything is checked as OK. Also tried to renew it)
Logs:
- Last few lines from the router
****
2021-05-13T16:45:15 charon[92611] 12[JOB] <con1|56> deleting half open IKE_SA with x.x.x.x after timeout
2021-05-13T16:44:45 charon[92611] 07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1152 bytes)
2021-05-13T16:44:45 charon[92611] 07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1248 bytes)
2021-05-13T16:44:45 charon[92611] 07[NET] <con1|56> sending packet: from x.x.x.x[4500] to x.x.x.x[20110] (1248 bytes)
2021-05-13T16:44:45 charon[92611] 07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(3/3) ]
2021-05-13T16:44:45 charon[92611] 07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(2/3) ]
2021-05-13T16:44:45 charon[92611] 07[ENC] <con1|56> generating IKE_AUTH response 1 [ EF(1/3) ]
****
- No requests received in the Windows logs which is used as NPS
I'm clueless as to what else to look at here...
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: IKeV2 issues on Windows 10 fully patched
«
Reply #1 on:
May 14, 2021, 06:35:16 am »
What was the last known working version? Which guide did you follow for configuration?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Cerberus
Jr. Member
Posts: 63
Karma: 4
Re: IKeV2 issues on Windows 10 fully patched
«
Reply #2 on:
May 14, 2021, 12:33:04 pm »
We use OPNsense with Windows 10 Clients and IKEv2, Windows Radius Server with Cert Authentication.
No issues with 21.1.4 > 21.1.5
No issues with Windows 10 Clients (20H2,21H1) with or without May patch.
Is your OPNsense behind another Firewall? the "some clients work, some not" reminds me to MTU issues.
«
Last Edit: May 14, 2021, 12:35:13 pm by Cerberus
»
Logged
rubydragon
Newbie
Posts: 2
Karma: 0
Re: IKeV2 issues on Windows 10 fully patched
«
Reply #3 on:
May 14, 2021, 02:53:33 pm »
Hi,
I didn't pay attention to the exact version before I started rolling updates but I think it wad in the 19.x. I know it applied one or two major updates.
As for the MTU route, I don't think that's the issue here. I know having the wrong MTU will make multiple websites not load which is usually where you start noticing something is wrong. I also did the ping tests to determine the proper MTU and the largest packet size from pings is 1472 which you need to add 28 to that ending with the default 1500.
As for the VPN configuration, I didn't follow any specific guides as this is not the first one i'm doing. The router is configured like many others we have installed in the past.
I'll try configuring a new router and will see what happen. I'm convinced it's something with the certificate being corrupted or duplicated and not showing...
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: IKeV2 issues on Windows 10 fully patched
«
Reply #4 on:
May 14, 2021, 03:58:56 pm »
There are too few logs and screenshots missing to diagnose this further (as there are too many update versions involved)
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
IKeV2 issues on Windows 10 fully patched