IPsec works with iOS but failed on Windows, Android and macOS

I've set up IPsec on a Linksys 3200ACM (router IP: 192.168.1.1) running OpenWrt SNAPSHOT r10899. My settings are as follows. This setup works fine with iOS connections, but failed on all other platforms such as Windows 10 (error message says: security layer could not authenticate remote computer), Android (no error message given) and macOS (no response from VPN server). I wonder what might be the reason for this.

# basic configuration

config setup
  charondebug=all

# Add connections here.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn roadwarrior
        keyexchange=ikev1
        left=%any
        leftid=@openwrt.lan
        leftdns=8.8.8.8,8.8.4.4
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=192.168.11.0/24
        rightdns=8.8.8.8,8.8.4.4
        auto=add

Firewall settings:
config rule 'ipsec_esp'
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'
	option target 'ACCEPT'

config rule 'ipsec_ike'
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule 'ipsec_nat_traversal'
	option src 'wan'
	option name 'IPSec NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule 'ipsec_auth_header'
	option src 'wan'
	option name 'Auth Header'
	option proto 'ah'
	option target 'ACCEPT'

Which Windows client are you using for this IKEv1 setup?

Please follow these (which work, at least on Windows 7; importing the certificate is a bit special and counter-intuitive):
https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert

I used the Windows 10 embedded one, followed all sorts of tricks such as changing Regedit and turning on MS-CHAP, but still no luck.

Thanks, I'll keep this as my last resort as I need to use Windows 10, and also a certificate is not so friendly for mobile devices.

The Windows 10 embedded client does not support IKEv1/IPsec.

You need to switch your strongSwan setup to IKEv2/IPsec.
read here: https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

That page mentions eap-mschapv2 as a second, further auth round; if you want eap-mschapv2 instead of eap-tls as the only single auth round, just use:

conn roadwarriorEAPMSCHAPV2
 left=%any
 leftauth=pubkey
 leftcert=serverCert.pem
 leftid=myvpnserver.dyndns.org
 leftsubnet=0.0.0.0/0,::/0
 leftsendcert=always
 right=%any
 rightsourceip=10.0.1.0/24
 rightauth=eap-mschapv2
 rightcert=clientCert.pem
 eap_identity=%identity
 auto=add
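As an added example (not from this thread or the OpenWrt wiki page linked above), here is what the original poster's PSK/XAuth IKEv1 definition looks like once rewritten as an IKEv2 roadwarrior connection with EAP-MSCHAPv2, together with the matching ipsec.secrets entries. The host name vpn.example.org, the certificate file names, the 10.0.1.0/24 pool and the user names and passwords are placeholders; the ike=/esp= proposal lines are an assumption, chosen so that they overlap with what the Windows 10 built-in client offers by default (DH group 2 / SHA-1) as well as its stronger registry-enabled set (DH group 14 / SHA-256), and are not something the thread states.

```conf
# /etc/ipsec.conf  (added example; names, pool and proposals are placeholders/assumptions)
config setup
        # "all" is very verbose; narrow it once the tunnel works
        charondebug="ike 2, cfg 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # Windows 10, macOS, iOS and Android built-in clients all speak IKEv2
        keyexchange=ikev2
        # Dead peer detection clears state left behind by roaming clients
        dpdaction=clear
        dpddelay=30s
        # IKE fragmentation avoids problems when the certificate chain is large
        fragmentation=yes

conn roadwarrior-ikev2
        left=%any
        # Must match a SubjectAltName of serverCert.pem, and what clients type as the server name
        leftid=vpn.example.org
        leftcert=serverCert.pem
        leftsendcert=always
        leftauth=pubkey
        leftsubnet=0.0.0.0/0,::/0
        leftfirewall=yes
        right=%any
        # Username/password via EAP; no client certificate is needed
        rightauth=eap-mschapv2
        # Placeholder client pool; pick one that does not overlap the LAN
        rightsourceip=10.0.1.0/24
        rightdns=8.8.8.8,8.8.4.4
        # Use the EAP identity (the user name) as the client's IKE identity
        eap_identity=%identity
        # Assumption: proposals overlapping the Windows 10 client defaults
        ike=aes256-sha256-modp2048,aes256-sha1-modp1024
        esp=aes256-sha256,aes256-sha1
        auto=add

# /etc/ipsec.secrets  (placeholders; keep this file readable by root only)
: RSA serverKey.pem
alice : EAP "replace-with-a-strong-passphrase"
bob   : EAP "replace-with-another-passphrase"
```

The firewall rules the original poster already has (ESP, UDP/500, UDP/4500) are all that IKEv2 needs on the WAN side. On the client side, the CA certificate that signed serverCert.pem has to be trusted by the machine (on Windows, in the machine's Trusted Root store, not the user's) and the server name entered in the VPN profile has to match leftid, otherwise the "could not authenticate remote computer" class of error comes back even with a correct password.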

If you do certificate auth via EAP-TLS in place of machine certificates, the setup is straightforward: double-click the cert pack (.p12), always click Next in the import wizard and create a new VPN from the Settings app, selecting just the server name. It's quicker than typing username and password.


Thanks, Luke. I guess I figured out something tonight. The strongSwan configuration only supports Cisco IPsec; that's why when I changed to "Cisco IPsec" on Mac, it worked, and likewise on iOS. Windows native VPN and Android are not supported.

Later, I installed SoftEther on another server; it works on all platforms, even with the Windows 10 native VPN client, like a charm! So, SoftEther is the way to go, much fewer headaches.

Cisco IPsec is IKEv1/IPsec; that's why your IKEv1 setup worked with it. A Windows client for such a protocol is ShrewSoft or TheGreenBow. Also, the built-in VPN server in some Netgear and AVM routers uses such an old protocol.

Unless your strongSwan server is too old, it also supports IKEv2/IPsec, and this also works on the Windows and iOS native platforms like a charm.

SoftEther is really nice, I love it, but it only supports L2TP/IPsec and some other custom TLS-based tunneling.

IKEv2 just rocks, and works even for mobile clients changing their IP while roaming across different cells, and is much easier to configure than the older IKEv1.

The other nice thing about pure IKEv2/v1 IPsec VPNs is that they don't need tun/tap drivers like OpenVPN and similar TLS-based tunnels, nor ppp daemons like L2TP or PPTP.


Thanks for the thorough explanation, this clears all the fog.
