We've encountered a lot of issues with VPN on iOS devices.
A core point is Apple's DNS privacy: when connected to a Wi-Fi network, Apple by default ignores the assigned DNS servers (and therefore any DNS assigned by the tunnel) and instead uses Apple's cloud DNS, "to protect your privacy" (at least that's the reason they claim).
You can set the DNS server for a particular Wi-Fi network to manual to resolve this. It just becomes very unhandy if you have hundreds of clients dealing with that "feature".
Your observation about the IPv6/IPv4 difference might be the problem:
Your iPhone's provider is using IPv6, and your IPv4 connection is then only an IPv4-over-IPv6 tunnel (in our country referred to as "Dual-Stack Lite / DS-Lite").
Here you'll have limits on the usable ports, depending on the provider. They might have decided that a common user needs to use ports 80 and 443, and therefore created the proper rules for that, but everything else will not be forwarded.
(Your phone would be the router here, IPv4 only over NATed IPv6.)
Your best option here would be to make your VPN server IPv6 capable, OR (that's what we did): use port 143, that's IMAPS; nobody is using IMAP nowadays, but that port is most likely served by your ISP.
Your shebang is for bash. Did you install bash on your firewall? (pfSense does not come with bash.)
You could use pkill -F /var/run/charon.pid, which is more concise and doesn't need the cat.
Wouldn't you need to tail -n10 etc. to be sure you weren't just reading the same "trap not found" message over and over in a loop?
You don't need the extra if-test and pipe to wc; you can test the result code from grep directly.
Maybe something like this would work? (I have not tested this.)
if tail -n10 /var/log/ipsec.log | /usr/bin/grep -q "trap not found, unable to acquire reqid"; then
    # -F reads the PID from the pidfile, so no cat is needed
    pkill -9 -F /var/run/charon.pid
    echo "Executed Charon kill script, IPsec seems locked up"
fi
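A fuller version of that watchdog, as an added example and not code from the thread: it remembers how far into /var/log/ipsec.log it has already read, so a stale "trap not found" line is not matched again on every cron run (the loop concern raised above), and it starts over if the log was rotated. The state file path and the "run" argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Run from cron on pfSense, e.g. every minute.
# Only *new* "trap not found" lines since the previous run trigger a restart,
# so the same old message cannot re-kill charon on every pass.
LOG=${IPSEC_LOG:-/var/log/ipsec.log}
STATE=${IPSEC_STATE:-/var/run/ipsec-watchdog.lastline}   # assumed path
PATTERN="trap not found, unable to acquire reqid"

# count_new_matches LOG STATE
# Prints the number of PATTERN hits in the lines appended since the line count
# saved in STATE, then stores the current line count in STATE.
count_new_matches() {
    log=$1; state=$2
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    # log rotated or truncated: fewer lines than last time, so start from the top
    [ "$total" -lt "$last" ] && last=0
    # "|| true" keeps grep's exit status 1 on zero matches from tripping set -e
    hits=$(tail -n +"$((last + 1))" "$log" | grep -c "$PATTERN" || true)
    echo "$total" > "$state"
    echo "$hits"
}

# Kill charon via its pidfile; pkill -F reads the PID itself, no cat needed.
restart_charon() {
    pkill -9 -F /var/run/charon.pid &&
        logger -t ipsec-watchdog "killed charon, IPsec seems locked up"
}

main() {
    hits=$(count_new_matches "$LOG" "$STATE")
    if [ "$hits" -gt 0 ]; then
        restart_charon
    fi
}

# Invoke as "sh ipsec-watchdog.sh run"; sourcing the file without it does nothing.
if [ "${1:-}" = "run" ]; then
    main
fi
```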
Failback on the LAN CARP IP happened to node1.
node2 still has the IPsec established.
I can continue using the tunnel if I manually change my gateway from the LAN CARP IP to the second node's IP address.
So, overall, the master node does not re-establish a connection because the connection is healthy, but it is just no longer accessible for LAN clients.
However, the roles themselves claimed that failBACK also happened for the WAN CARP IP, so it might be an issue on the WAN side, where packets of the tunnel communication are still sent to the backup node even if it no longer owns the WAN CARP IP. This leads to the cluster's assumption that the tunnel is healthy and no reconnect is required.
But beyond that observation I could only start to guess, because I'm not familiar with how the whole CARP thing works. If it uses MAC spoofing, there shouldn't be any misrouted packets. If both nodes use their own MAC address with the WAN CARP IP, it might be the router's MAC address table/cache that keeps sending packets to the MAC of the backup role, keeping that tunnel alive and "healthy", which finally suppresses the reconnect of the master role, which would be the one that is accessible via the LAN CARP IP.
I've had a play with this again over the Easter break. What are the rules around both sides trying to connect to each other at the same time? (Under 2.5 it just worked; either side brought up the link. In fact, it generally never dropped.)
There are multiple entries about: "ignoring acquire, connection attempt pending".
On this side, there is an incoming SA (unnamed): #8084 as a responder.
There is also an initiator outbound SA (neither connects successfully). After a while they both seem to give up, then one side manages to connect first and the link comes up. (This can take a few minutes as they battle to connect.)
I still have this setup up and running if anyone has time for a look; it doesn't take long for one of the tunnels to drop and then not reconnect for a while.
All IPsec configs must be OK, firewall etc. all OK, as they eventually connect and work as expected; they are just dropping really often and then not reconnecting as they did under 2.5.
@timboau-0 Thank you. I tried 2.5.2, and the same result just showed "connecting" on the same two connections that I was initially having issues with. I will mess with this more after hours and try rebuilding the P1 and P2 from scratch to see if that helps, unless someone has any other suggestions.
I have the same problem.
LDAP works. An LDAP user can log in to the web interface.
Diagnostics / Authentication also works.
When a local user (EAP keys) logs in to the IPsec VPN, everything works.
I have the same errors when logging in as an LDAP user:
16 [IKE] <con-mobile | 60> no EAP key found for hosts '000.000.000.000' - 'ldap_user'
16 [IKE] <con-mobile | 60> EAP-MS-CHAPv2 verification failed, retry (2)
@nocling I tried IPsec using IPv6 and had pretty weird errors (this was with a Starlink service, so it does drop more than you would like). Essentially it wasn't stable as an IPsec tunnel (this was using 2.5). I switched over to WireGuard and it's been working really well; there just doesn't seem to be 100% support from Netgate yet, so I'm reluctant to replace all IPsec with WireGuard.
I've been informed, "If you have XMLRPC sync the VIPs that would work as the IDs would match on both. VIPs have to be tracked by ID, not IP address. Thus you have an unsupported configuration if you are managing the VIPs by hand but expecting other areas of the configuration to sync via XMLRPC."
It's been years since it was set up, but if I go back I do see "Virtual IPs" is unchecked in the HA sync settings. I had to dig into deep areas of my brain, but looking at the config, I think it's because we have one IP alias that isn't on the WAN or LAN CARP ranges and that needed to be different on the two, so the VIPs couldn't be synced. I didn't play with that, though.
What I did was edit the <uniqid>xxxx</uniqid> values in the backup router to match those on the primary router, and restore. That seems to have resolved this error message.
I installed iperf3 and ran a test from the local PC to the local pfSense: 940ish in both directions.
If you are able to set up iperf on PC 1 behind pfSense 1 and PC 2 behind pfSense 2 and do an iperf test again, it would be more realistic, and given the money you spent, it might be nice to hear what comes out.
I'm sure that with a hardware setup like yours you may often connect two branches or companies to gain the entire throughput for workloads and/or file transfers like syncing and/or DB data exchange.
Recently one of my VPNs that had been running at 250-300 Mbps dropped to 20 Mbps.
By the way, from where should it be breaking in? Perhaps it's based on the other VPN end and not on your site?
It works right now if the client sends the correct identifier in P1, but the problem is that Windows doesn't. Other clients like those on Linux or the strongSwan app send the correct ID and can use per-user addresses right now.
There is a patch in the Redmine issue linked above that has shown promise with Windows clients but isn't a complete solution.
Jimp, if you could get that patch to work, and thereby enable Windows native clients to use PSK-defined pool addresses, it would be REALLY nice!!
Any chance you could spend a little time getting the IPsec daemon to accept a virtual address pool returned from RADIUS in an EAP-RADIUS setup? That would be the ultimate solution to get pfSense IPsec VPN to go enterprise. Right now it's useless because it doesn't scale and you can't separate user rights with firewall rules.