Pulse Secure formerly SSL VPN
Contributor
Posts: 13
Registered: ‎11-12-2009
0 Kudos

ikev2, anyone got it working?

So with minimal effort so far, I tried to get IKEv2 working. I set it up on the appliance based on the (very minimal) documentation in the manual. I've tried connecting with a number of different clients, but so far the appliance is refusing to answer. I see, on the client, an initial IKE packet go out over port 500. I see, on the appliance, that the packet makes it to the appliance. I never see any replies go out from the appliance. I see nothing in the logs. There is no indication of anything happening at all. With the exact same setup, 7.0beta4 would crash (one of the daemons that seems to be responsible for IKE), but with the release version I see nothing. Has anyone gotten it working?

Thanks

Dan
Contributor
Posts: 88
Registered: ‎12-02-2009
0 Kudos

Re: ikev2, anyone got it working?

Tried with win7 client, get the "error 13843:invalid payload received" message..

---------------------------------------------------
Please mark this post as 'accepted solution' if my input answers your question!
A kudo would be nice if you think I deserve it.
---------------------------------------------------
2 A/P clustered 6500, 7.4R9.1
2 A/P clustered 2500, 8.0R3.1 LAB
New User
Posts: 1
Registered: ‎06-24-2010
0 Kudos

Re: ikev2, anyone got it working?

Running 7.0R1 (build 16007) no joy either, doco is limited

Contributor
Posts: 13
Registered: ‎11-12-2009
0 Kudos

Re: ikev2, anyone got it working?

According to the case I have open with Juniper, the IKEv2 support is limited to MOBIKE. http://www.rfc-editor.org/rfc/rfc4555.txt I am still waiting to get details on what clients it's supposed to work with.
Visitor
Posts: 6
Registered: ‎07-31-2009
0 Kudos

Re: ikev2, anyone got it working?

We are having the same problem.   I have also asked our Juniper rep for the clients that have been tested.  Please post if you get a response from Juniper.

Contributor
Posts: 21
Registered: ‎08-18-2010
0 Kudos

Re: ikev2, anyone got it working?

I'm also looking at this new feature but can't get the gateway to log any messages or send any reply packets to the client. Anybody had any luck getting this working yet?

Thanks

Contributor
Posts: 13
Registered: ‎11-12-2009
0 Kudos

Re: ikev2, anyone got it working?

I did get it to work with the Windows7 Agile VPN client. We also have it working using the Strongswan vpn client on linux.
Contributor
Posts: 21
Registered: ‎08-18-2010
0 Kudos

Re: ikev2, anyone got it working?

I've just tried this with the Windows 7 Agile VPN and get the same error as mentioned previously: "error 13843:invalid payload received". Have you seen this and do you know the reason for it?

I have so many questions about how this feature works and what with, but no clue from the admin guide.

If I have multiple realms / sign-in policies configured, how does the IKEv2 feature know which realm to go against, or is there some unwritten feature that it has to be the "Users" realm?

Contributor
Posts: 13
Registered: ‎11-12-2009
0 Kudos

Re: ikev2, anyone got it working?

I haven't seen that error specifically. As for realms, if you look under Configuration/IKEv2, you can tell it which Realm to use. Then, under the role that you will assign, under General/Overview, make sure IKEv2 is checked. I suspect that if you don't have IKEv2 checked under Role, you might get the error you are seeing.
Visitor
Posts: 1
Registered: ‎11-19-2010
0 Kudos

Re: ikev2, anyone got it working?

I succeeded in using IKEv2 with strongSwan on Linux. I didn't try with another client.

But here are the steps I followed:

 - Create a CA certificate and a client certificate and key.
 - Put the CA certificate on the SSLVPN box in the section configuration -> certificate -> Trusted client certificate.
 - I created a new authentication server as a certificate server.
 - I created a new Realm using this server for authentication and selecting a role based on userAgent (IKEv2) or the username.
 - I checked IKEv2 in the role used for these users.
 - I chose the newly created realm in configuration -> IKEv2.

But if anyone has succeeded in authenticating the user with username/password, I'm interested...

Juniper Employee
Posts: 3
Registered: ‎08-20-2008
0 Kudos

Re: ikev2, anyone got it working?

Hi,

User/PW Auth will be supported with 7.1. Can you please share the strongSwan config? I have the same SA config, but it does not work!

Regards

JS

Contributor
Posts: 32
Registered: ‎08-04-2008
0 Kudos

Re: ikev2, anyone got it working?

Hi there,

I have the same problem as yours. So this made me open a case this morning...

- The strongSwan IKEv2 client is working fine on Linux (for both EAP-MSCHAPv2 and certificate authentication).

- But I am unable to connect with Windows 7: I get a 13868 error on Windows 7. The SSL VPN user logs show that the credentials are accepted, followed by an IKEv2 protocol error (IKEV2_NO_PROPOSAL_CHOSEN).

For info, on Linux, my ipsec.conf contains the following:

 

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn sslvpn
    leftauth=eap-mschapv2
    leftid=<your username>
    right=<your SSL VPN IP Address used for IKEv2>
    rightid=%any
    rightauth=rsasig
    rightsubnet=<the subnet you want to have access>
    auto=add
    leftsourceip=%config

You should add the corresponding password to the ipsec.secrets file:

<your username> : EAP "<your password>"

You should add the corresponding root CA used for the SSL VPN certificate to the /etc/ipsec.d/cacerts folder.

On the SSL VPN, I use a local backend, with clear text password. Do not forget that only local auth (with the clear text password option) and the Active Directory backend are supported to do MSCHAPv2.

I hope that the RADIUS backend will be supported soon (all the EAP stuff is already on my RADIUS server...).

Regards,

Vincent

Contributor
Posts: 32
Registered: ‎08-04-2008
0 Kudos

Re: ikev2, anyone got it working?

Finally, I am able to connect with IKEv2 on a Windows 7 client.

I had to change something on my "Resource profile":

I had to set the "Network Connect" transport mode to "ESP AES128/SHA1" (as shown on the screenshot); "ESP AES128/MD5" is not working.

Now IKEv2 tunnels work on Windows 7 and Linux clients.
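
Added example (not part of the original posts, and not Juniper or strongSwan code): a sketch of responder-side proposal selection as RFC 7296 describes it, showing how a gateway fixed to AES128/MD5 ends in NO_PROPOSAL_CHOSEN while AES128/SHA1 matches. The client offer and both gateway policies are constructed for illustration, not captured from Windows 7 or the appliance, and all names are hypothetical.

```python
# Added example: responder-side IKEv2 proposal selection (RFC 7296, section 3.3).
# Every proposal and policy below is constructed for illustration.
ENCR, INTEG, ESN = "ENCR", "INTEG", "ESN"

# Constructed client offer: several ESP proposals, none with MD5 integrity.
CLIENT_OFFER = [
    {ENCR: ["AES_CBC_256"], INTEG: ["HMAC_SHA1_96"], ESN: ["NO_ESN"]},
    {ENCR: ["AES_CBC_128"], INTEG: ["HMAC_SHA1_96"], ESN: ["NO_ESN"]},
    {ENCR: ["3DES"], INTEG: ["HMAC_SHA1_96"], ESN: ["NO_ESN"]},
]
# Hypothetical gateway policies standing in for the two transport-mode settings.
GATEWAY_AES128_MD5 = {ENCR: {"AES_CBC_128"}, INTEG: {"HMAC_MD5_96"}, ESN: {"NO_ESN"}}
GATEWAY_AES128_SHA1 = {ENCR: {"AES_CBC_128"}, INTEG: {"HMAC_SHA1_96"}, ESN: {"NO_ESN"}}


def select_proposal(offered, policy):
    """Return (proposal_number, chosen_transforms) for the first offered proposal
    in which every transform type has a value the policy accepts, or None,
    which a responder reports to the peer as NO_PROPOSAL_CHOSEN."""
    for number, proposal in enumerate(offered, start=1):
        # Simplification: both sides must use the same set of transform types.
        if set(proposal) != set(policy):
            continue
        chosen = {}
        for ttype, values in proposal.items():
            accepted = [v for v in values if v in policy[ttype]]
            if not accepted:
                break  # one transform type without overlap rejects the proposal
            chosen[ttype] = accepted[0]
        else:
            return number, chosen
    return None


def mismatches(offered, policy):
    """Per offered proposal, the transform types with no acceptable value.
    Useful when reading a NO_PROPOSAL_CHOSEN failure against a known policy."""
    return [
        sorted(t for t in policy if not set(p.get(t, ())) & policy[t])
        for p in offered
    ]


if __name__ == "__main__":
    for name, policy in (("AES128/MD5", GATEWAY_AES128_MD5),
                         ("AES128/SHA1", GATEWAY_AES128_SHA1)):
        result = select_proposal(CLIENT_OFFER, policy)
        print(name, "->", result or "NO_PROPOSAL_CHOSEN",
              mismatches(CLIENT_OFFER, policy))
```

With the MD5 policy, every proposal fails on at least the integrity transform, which is why changing only the hash on the gateway side is enough to make the second proposal acceptable.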

oge
Visitor
Posts: 1
Registered: ‎03-19-2009
0 Kudos

Re: ikev2, anyone got it working?

Are certs still needed to do EAP user auth with IVE 7.1? The Admin Guide has little on this and seems to merge EAP and cert auth. I didn't do anything with certs and I'm getting the following error from the Windows 7 client: "Error 13801: IKE auth credentials are unacceptable".

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: ikev2, anyone got it working?

No, certificate authentication is no longer needed (starting with 7.1).

Have you verified the steps/instructions outlined here: KB21321?