Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VPN IPSec iOS 13 VPN on Demand from App

    Scheduled Pinned Locked Moved IPsec
    3 Posts 2 Posters 389 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? Offline
      A Former User
      last edited by

      Hi,
      i switched to a new SG-3100 and all Site 2 Site Connections are working fine.

      The last thing doesn´t work is the VPN on Demand IPSec Tunnel from my iPhone ( iOS13) pocketControl App.

      On the iPhone i can´t see what settings are necessary to connect to the pfsense.

      The only thing i can enter in the App are:

      Server
      Account
      Passwort
      Groupname
      and Shared Secret

      the App creates its own VPN Connection under Settings -> VPN -> Personal VPN.

      Mar 1 22:53:11	charon		11[CFG] vici client 178 disconnected
Mar 1 22:53:11	charon		10[CFG] vici client 178 requests: list-sas
Mar 1 22:53:11	charon		10[CFG] vici client 178 registered for: list-sa
Mar 1 22:53:11	charon		16[CFG] vici client 178 connected
Mar 1 22:53:06	charon		07[IKE] <52> IKE_SA (unnamed)[52] state change: CONNECTING => DESTROYING
Mar 1 22:53:06	charon		07[NET] <52> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
Mar 1 22:53:06	charon		07[ENC] <52> generating INFORMATIONAL_V1 request 3435498570 [ N(NO_PROP) ]
Mar 1 22:53:06	charon		07[IKE] <52> activating INFORMATIONAL task
Mar 1 22:53:06	charon		07[IKE] <52> activating new tasks
Mar 1 22:53:06	charon		07[IKE] <52> queueing INFORMATIONAL task
Mar 1 22:53:06	charon		07[IKE] <52> no proposal found
Mar 1 22:53:06	charon		07[CFG] <52> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:53:06	charon		07[CFG] <52> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable INTEGRITY_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[CFG] <52> no acceptable INTEGRITY_ALGORITHM found
Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
Mar 1 22:53:06	charon		07[IKE] <52> IKE_SA (unnamed)[52] state change: CREATED => CONNECTING
Mar 1 22:53:06	charon		07[IKE] <52> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
Mar 1 22:53:06	charon		07[IKE] <52> received DPD vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received Cisco Unity vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received XAuth vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received NAT-T (RFC 3947) vendor ID
Mar 1 22:53:06	charon		07[IKE] <52> received FRAGMENTATION vendor ID
Mar 1 22:53:06	charon		07[CFG] <52> found matching ike config: 178.251.xx.xx...%any with prio 1052
Mar 1 22:53:06	charon		07[CFG] <52> candidate: 178.251.xx.xx...%any, prio 1052
Mar 1 22:53:06	charon		07[CFG] <52> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
Mar 1 22:53:06	charon		07[ENC] <52> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 1 22:53:06	charon		07[NET] <52> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
Mar 1 22:53:06	charon		07[IKE] <51> IKE_SA (unnamed)[51] state change: CONNECTING => DESTROYING
Mar 1 22:53:06	charon		07[NET] <51> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
Mar 1 22:53:06	charon		07[ENC] <51> generating INFORMATIONAL_V1 request 2473055166 [ N(AUTH_FAILED) ]
Mar 1 22:53:06	charon		07[IKE] <51> activating INFORMATIONAL task
Mar 1 22:53:06	charon		07[IKE] <51> activating new tasks
Mar 1 22:53:06	charon		07[IKE] <51> queueing INFORMATIONAL task
Mar 1 22:53:06	charon		07[IKE] <51> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
Mar 1 22:53:06	charon		07[CFG] <51> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Mar 1 22:53:06	charon		07[CFG] <51> looking for XAuthInitPSK peer configs matching 178.251.xx.xx...92.248.xx.xxx[maximilian]
Mar 1 22:53:06	charon		07[CFG] <51> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:53:06	charon		07[CFG] <51> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:53:06	charon		07[CFG] <51> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Mar 1 22:53:06	charon		07[CFG] <51> proposal matches
Mar 1 22:53:06	charon		07[CFG] <51> selecting proposal:
Mar 1 22:53:06	charon		07[IKE] <51> IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
Mar 1 22:53:06	charon		07[IKE] <51> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
Mar 1 22:53:06	charon		07[IKE] <51> received DPD vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received Cisco Unity vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received XAuth vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received NAT-T (RFC 3947) vendor ID
Mar 1 22:53:06	charon		07[IKE] <51> received FRAGMENTATION vendor ID
Mar 1 22:53:06	charon		07[CFG] <51> found matching ike config: 178.251.xx.xx...%any with prio 1052
Mar 1 22:53:06	charon		07[CFG] <51> candidate: 178.251.xx.xx...%any, prio 1052
Mar 1 22:53:06	charon		07[CFG] <51> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
Mar 1 22:53:06	charon		07[ENC] <51> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 1 22:53:06	charon		07[NET] <51> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
Mar 1 22:53:05	charon		09[CFG] vici client 177 disconnected
Mar 1 22:53:05	charon		13[CFG] vici client 177 requests: list-sas
Mar 1 22:53:05	charon		13[CFG] vici client 177 registered for: list-sa
Mar 1 22:53:05	charon		09[CFG] vici client 177 connected
Mar 1 22:52:59	charon		08[CFG] vici client 176 disconnected
Mar 1 22:52:59	charon		05[CFG] vici client 176 requests: list-sas
Mar 1 22:52:59	charon		08[CFG] vici client 176 registered for: list-sa
Mar 1 22:52:59	charon		05[CFG] vici client 176 connected
Mar 1 22:52:56	charon		05[IKE] <50> IKE_SA (unnamed)[50] state change: CONNECTING => DESTROYING
Mar 1 22:52:56	charon		05[NET] <50> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
Mar 1 22:52:56	charon		05[ENC] <50> generating INFORMATIONAL_V1 request 1405839326 [ N(NO_PROP) ]
Mar 1 22:52:56	charon		05[IKE] <50> activating INFORMATIONAL task
Mar 1 22:52:56	charon		05[IKE] <50> activating new tasks
Mar 1 22:52:56	charon		05[IKE] <50> queueing INFORMATIONAL task
Mar 1 22:52:56	charon		05[IKE] <50> no proposal found
Mar 1 22:52:56	charon		05[CFG] <50> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:52:56	charon		05[CFG] <50> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable INTEGRITY_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[CFG] <50> no acceptable INTEGRITY_ALGORITHM found
Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
Mar 1 22:52:56	charon		05[IKE] <50> IKE_SA (unnamed)[50] state change: CREATED => CONNECTING
Mar 1 22:52:56	charon		05[IKE] <50> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
Mar 1 22:52:56	charon		05[IKE] <50> received DPD vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received Cisco Unity vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received XAuth vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received NAT-T (RFC 3947) vendor ID
Mar 1 22:52:56	charon		05[IKE] <50> received FRAGMENTATION vendor ID
Mar 1 22:52:56	charon		05[CFG] <50> found matching ike config: 178.251.xx.xx...%any with prio 1052
Mar 1 22:52:56	charon		05[CFG] <50> candidate: 178.251.xx.xx...%any, prio 1052
Mar 1 22:52:56	charon		05[CFG] <50> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
Mar 1 22:52:56	charon		05[ENC] <50> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 1 22:52:56	charon		05[NET] <50> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
Mar 1 22:52:56	charon		05[IKE] <49> IKE_SA (unnamed)[49] state change: CONNECTING => DESTROYING
Mar 1 22:52:56	charon		05[NET] <49> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
Mar 1 22:52:56	charon		05[ENC] <49> generating INFORMATIONAL_V1 request 683185568 [ N(AUTH_FAILED) ]
Mar 1 22:52:56	charon		05[IKE] <49> activating INFORMATIONAL task
Mar 1 22:52:56	charon		05[IKE] <49> activating new tasks
Mar 1 22:52:56	charon		05[IKE] <49> queueing INFORMATIONAL task
Mar 1 22:52:56	charon		05[IKE] <49> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
Mar 1 22:52:56	charon		05[CFG] <49> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Mar 1 22:52:56	charon		05[CFG] <49> looking for XAuthInitPSK peer configs matching 178.251.xx.xx...92.248.xx.xxx[maximilian]
Mar 1 22:52:56	charon		05[CFG] <49> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:52:56	charon		05[CFG] <49> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 1 22:52:56	charon		05[CFG] <49> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Mar 1 22:52:56	charon		05[CFG] <49> proposal matches
Mar 1 22:52:56	charon		05[CFG] <49> selecting proposal:
Mar 1 22:52:56	charon		05[IKE] <49> IKE_SA (unnamed)[49] state change: CREATED => CONNECTING
Mar 1 22:52:56	charon		05[IKE] <49> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
Mar 1 22:52:56	charon		05[IKE] <49> received DPD vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received Cisco Unity vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received XAuth vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received NAT-T (RFC 3947) vendor ID
Mar 1 22:52:56	charon		05[IKE] <49> received FRAGMENTATION vendor ID
Mar 1 22:52:56	charon		05[CFG] <49> found matching ike config: 178.251.xx.xx...%any with prio 1052
Mar 1 22:52:56	charon		05[CFG] <49> candidate: 178.251.xx.xx...%any, prio 1052
Mar 1 22:52:56	charon		05[CFG] <49> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
Mar 1 22:52:56	charon		05[ENC] <49> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 1 22:52:56	charon		05[NET] <49> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)

      Can you help me and tell me what i have to reconfig?

      IMG_0750 - Kopie.PNG IMG_0751 - Kopie.PNG

      pfsense 3 - Kopie.JPG pfsense 2 - Kopie.JPG pfsense 1 - Kopie.JPG

      1 Reply Last reply Reply Quote 0
      • ? Offline
        A Former User
        last edited by

        Tutorial: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev1-xauth.html

        but i had to change some options:

        ios13.JPG ios132.JPG

        1 Reply Last reply Reply Quote 0
        • johnsmith3321J Offline
          johnsmith3321
          last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.