IPhone + IPSec

kingjedi

I have my iphone working well through IPSec minus some minor DNS issues which i havent bothered isolating yet

Setup:

March 20th Snapshot 2.0-Beta1 running on ESX 4.0 Update 1

VPN: IPSec: Edit Phase 1: Mobile Client

Interface: WAN
Negotiation mode: Aggressive
My identifier: My IP Address
Peer identifiier: Distinguished name - private.local
Encryption Algorithm: AES 256bits
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication Method: Mutual PSK + Xauth
Pre-Shared Key: <private key="">NAT Transveral: Enable
Enable DPD: ON 10s Delay, 5 Retry

–-------

VPN: IPsec: Edit Phase 2: Mobile Client

Mode: Tunnel
Local Network: Network 172.18.1.0 / 24

Note this is the subnet that will be added to the remote devices routing table ie 172.18.1.0 / 24 to utun0, the remote device must be able to configure it's routing table to send packets back to your network.

Protocol: ESP
Encryption: AES 256bits
Hash Algorithms: SHA1
PFS Key Group: Off
Lifetime: 3600s

VPN: IPsec: Mobile

IKE Extensions: Enable IPsec Mobile Client Support

User Authentication: system
Group Authentication: system

Virtual Address Pool: ON - Network 172.18.254.0 / 24

Note this network MUST NOT be a network already in use on your local network
Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 253.

Network List: ON
DNS Default Domain: ON - private.local
DNS Servers: ON - <dns server="" ip="" address="">WINS Servers: OFF
Phase2 PFS Group: OFF
Login Banner: OFF

Now that IPsec is setup correctly you must give a firewall rule to pass traffic, goto your firewall rules page, IPsec tab, and add a rule to pass all traffic to test with.

Also be sure to add a new local user to the system so you can login.

Iphone settings:

Server: address of pfsense ipsec server
Account: Your newly created local user
Password: Password of your new local user
Group Name: private.local
Secret: <private key="">--------

Enjoy

Edit:

Just noticed that there appears to be nowhere in the GUI to enable client save password, if you want this nugget you need to edit your vpn.inc file and throw this gem in

$racoonconf .= "\tsave_passwd on;\n";

into the mode_cfg area, the same area you need to apply the fix for pool_size

Edit: Corrected pool_size for network above, should be 253</private></dns></private>

azzido

Thanks a lot for your post kingjedi. My config was very close to yours, but I changed it to be exactly as yours and still the same issue. ESP traffic coming into pfSense box, but nothing is being sent to iPhone. What iPhone OS version are you running? I am on 3.1.2. I also assume you are running full pfSense install and not nanobsd? Thanks again.

kingjedi

It's on 3.1.3 but it's the cisco vpn stack.. this should also apply to any cisco client just the same.

Did you try restarting racoon? Also after restarting it and trying a connection, post your log dump

azzido

Another strange thing is if I select AES 256 bit in phase two then SAs are not created. So in this example I am using 3DES in phase 2.
a.b.c.d - pf box external ip
k.l.m.n - iPhone ip

$ cat /var/log/ipsec.log

Mar 22 20:19:47 pfsense racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Mar 22 20:19:47 pfsense racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Mar 22 20:19:47 pfsense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Mar 22 20:19:47 pfsense racoon: INFO: Resize address pool from 0 to 254
Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[4500] used as isakmp port (fd=8)
Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[500] used as isakmp port (fd=9)
Mar 22 20:19:55 pfsense racoon: INFO: respond new phase 1 negotiation: a.b.c.d[500]<=>k.l.m.n[50940]
Mar 22 20:19:55 pfsense racoon: INFO: begin Aggressive mode.
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: RFC 3947
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: DPD
Mar 22 20:19:55 pfsense racoon: INFO: Selected NAT-T version: RFC 3947
Mar 22 20:19:56 pfsense racoon: INFO: Adding remote and local NAT-D payloads.
Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[50940] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[500] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: Adding xauth VID payload.
Mar 22 20:19:56 pfsense racoon: WARNING: the packet retransmitted in a short time from k.l.m.n[50940]
Mar 22 20:19:56 pfsense racoon: NOTIFY: the packet is retransmitted by k.l.m.n[50940] (1).
Mar 22 20:19:56 pfsense racoon: INFO: NAT-T: ports changed to: k.l.m.n[17531]<->a.b.c.d[4500]
Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[4500] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #0 verified
Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[17531] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #1 doesn't match
Mar 22 20:19:56 pfsense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Mar 22 20:19:56 pfsense racoon: INFO: NAT detected: PEER
Mar 22 20:19:56 pfsense racoon: INFO: Sending Xauth request
Mar 22 20:19:56 pfsense racoon: INFO: ISAKMP-SA established a.b.c.d[4500]-k.l.m.n[17531] spi:438bae0be73b0b53:8485b1bbf6e7f82f
Mar 22 20:20:08 pfsense racoon: INFO: Using port 0
Mar 22 20:20:08 pfsense racoon: INFO: login succeeded for user "username"
Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute 28683
Mar 22 20:20:11 pfsense racoon: INFO: respond new phase 2 negotiation: a.b.c.d[4500]<=>k.l.m.n[17531]
Mar 22 20:20:11 pfsense racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in
Mar 22 20:20:11 pfsense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 22 20:20:11 pfsense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Mar 22 20:20:11 pfsense racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Mar 22 20:20:11 pfsense last message repeated 3 times
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=267341062(0xfef4d06)
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=35705435(0x220d25b)
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in"
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.103.1/32[0] proto=any dir=out"
CLOG��

$ setkey -D
a.b.c.d[4500] k.l.m.n[17531]
esp-udp mode=any spi=35705435(0x0220d25b) reqid=1(0x00000001)
E: 3des-cbc 8e9ec11a 3bb59911 dd07fe15 4c92d410 eef3e449 4470d6c6
A: hmac-sha1 8929b853 29c35dfe 91db6c6e 0508c951 f2593c1a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 22 20:20:12 2010 current: Mar 22 20:20:21 2010
diff: 9(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=51497 refcnt=1
k.l.m.n[17531] a.b.c.d[4500]
esp-udp mode=tunnel spi=267341062(0x0fef4d06) reqid=1(0x00000001)
E: 3des-cbc de063f0f c0f82961 86eae7ff 0f6326a8 6c718478 519873ef
A: hmac-sha1 b529c065 e5141885 a92b3d59 4dd79e9c 77b95276
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 22 20:20:12 2010 current: Mar 22 20:20:21 2010
diff: 9(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=51497 refcnt=1

$setkey -DP
192.168.103.1[any] 192.168.100.0/24[any] any
in ipsec
esp/tunnel/k.l.m.n-a.b.c.d/unique:1
created: Mar 22 20:20:12 2010 lastused: Mar 22 20:20:12 2010
lifetime: 3600(s) validtime: 0(s)
spid=67 seq=1 pid=51688
refcnt=1
192.168.100.0/24[any] 192.168.103.1[any] any
out ipsec
esp/tunnel/a.b.c.d-k.l.m.n/unique:1
created: Mar 22 20:20:12 2010 lastused: Mar 22 20:20:12 2010
lifetime: 3600(s) validtime: 0(s)
spid=68 seq=0 pid=51688
refcnt=1

$ cat /var/etc/racoon.conf

This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";

path certificate "/var/etc";

listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp a.b.c.d [500];
isakmp_natt a.b.c.d [4500];
}

mode_cfg
{
auth_source system;
group_source system;
pool_size 254;
network4 192.168.103.1;
netmask4 255.255.255.0;
split_network include 192.168.100.0/24;
dns4 208.67.222.222;
default_domain "local.lan";
}

remote anonymous
{
ph1id 2;
exchange_mode aggressive;
my_identifier address a.b.c.d;
peers_identifier fqdn "local.lan";
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;

dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;

proposal
{
authentication_method xauth_psk_server;
encryption_algorithm aes 256;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}

sainfo subnet 192.168.100.0/24 any anonymous
{
remoteid 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;

lifetime time 3600 secs;
compression_algorithm deflate;
}

horsedragon

azzido, I do the same as you, but not traffic in VPN tunnel!

cmb

@kingjedi:

Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 254.

How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

kingjedi

@cmb:

@kingjedi:

Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 254.

How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

Looked like it was coming from upstream of it, i'll admit i didnt look that hard.. just saw the -4xxxxxxxxx number in it's place so i weed wacked it, i can try again with a fresh install

Also I did trace the dns issue, the split_dns option was missing which is needed for cisco clients so threw that line in and it's working good, like the new interface as well

Edit:

Fresh install done and again it threw up a bogus value.. however i'll say this before digging to deep, dnsmasq failed to install again and nowhere to be found.. i do a manual pkg_add -r dnsmasq and it takes off like normal.. failed install on esx maybe? or is it not part of the base install?

Anyway the value it inserts into the racoon.conf is -4294967043 for pool_size

Edit: After looking further the ip2long function is returning bogus values ???, also your right about the pool_size, i forgot the sign flip when doing it by hand so it is 253

Edit: Just dawned on me what the root cause almost has to be… a 64bit issue with integer types, sorry should have mentioned earlier this is a 64bit install.

azzido

AES 256 bit started working for phase 2 after I disabled glxsb on my Alix board.

I created 2 virtual machines one i386 and one amd64 and they both have same issue - no traffic is sent back to iPhone until i flush SPDs and re-create them.

I can confirm that there is a bug with amd64 builds. The pool size it generates for /24 net is: pool_size -4294967043; and it looks fine in i386 builds pool_size 253;

I am really running out of ideas. kingjedi - do you have any unusual settings on your machine as far as interface setup or routing goes?

kingjedi

@azzido:

AES 256 bit started working for phase 2 after I disabled glxsb on my Alix board.

I created 2 virtual machines one i386 and one amd64 and they both have same issue - no traffic is sent back to iPhone until i flush SPDs and re-create them.

I can confirm that there is a bug with amd64 builds. The pool size it generates for /24 net is: pool_size -4294967043; and it looks fine in i386 builds pool_size 253;

I am really running out of ideas. kingjedi - do you have any unusual settings on your machine as far as interface setup or routing goes?

If you can get it working once after a flush then try this… sounds like some kinda phase2 tear down bug maybe? dunno

It's quick and dirty but should work for one user

Add these lines to your racoon.conf and then save the below shell script into the appropriate dir

This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
path script "/var/etc/racoon/scripts";

and then in your remote section

remote anonymous
{
ph1id 1;
….
script "phase2flush" phase1_down;
}

Shell script: phase2flush

#!/bin/sh

/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP

Edit: Your right... mine is also hit with that same issue.. i was just avoiding it by not dropping the link so fast and returning sometime later each time, the spds on mine are set to time out in an hour so didnt really notice it until forcing a drop and trying to drive packets.

azzido

Well, no I cannot pass traffic right after I connect. And I only flush and recreate SPDs, not SAs.

There are several other bugs in ipsec-tools so the bottom line is until someone fixes ipsec-tools roadwarrior setup is a no-go.

horsedragon

It seem the bug of ipsec-tools 0.8 ?

azzido

Does look like it. Though I have not tried 0.7.x branch of ipsec-tools so I am not 100% sure

horsedragon

I know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?

cmb

@horsedragon:

I know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?

As I said earlier in this thread - that's the only version that will work properly with the FreeBSD version we use. 0.7.x has its own issues with the things we've added in 2.0, so even if it could be made to work, you're just trading some problems for other problems.

pashdown

Anyone had success with iPhone > 3.1.2 and IPSec yet? I'd really like to use this over PPTP.

azzido

@pashdown:

Anyone had success with iPhone > 3.1.2 and IPSec yet? I'd really like to use this over PPTP.

Pure IPSec is still not working. As far as i know PPTP should work fine though I have not tried it myself.

eazydor

It does. As the only reasonable VPN-Solution for the iPhone right now.

L2TP is at the moment plain Layer 2 tunneled Traffic without IPSec, just Authentication so far..

OpenVPN on jailbroken iPhone is a hell of itself.

So if you aren´t firm with configuring the IPSec-Part manually, i think have to wait..

But still, 2.0 Beta?!? I mean, wonderful, brilliant..

crnet

Hi Volks,

VPN-ing is really a mess with a Mobile device. Even if you setup successful a working PPTP-Tunnel over WiFi, it must not work over 3G (UMTS): here in Germany Vodafone uses a proxy somehow to minifize Images, and the User can not turn it off in any way. The Vodafone Mac-Tam is working on the VPN-Problem since the iPad is rolled out, but still with no success (after 4 Month).

IPSec on Apples Mobile devices is made from Cisco.
If we would have CISCO-Routers, we wont read in this pfSense Forum :-/
After no Success with our pfSense we tried some alternates, and found a solution wich we had to compile into our Gentoo.
Strongswan allows in its compileable Version to set a Cisco-Parameter, and we where able to set a IPSec-Tunnel wich is working over 3G and EDGE too. Just by following the instructions.

Even if it is a bit off-topic (because the solution is not in pfsense), this Info could probably help to enhance the 2.x pfsense to be able to do this job too. (what I would prefer)

jahonix

Have you tried a recent 2.0 beta?
Lots of things have changed in there since the last post in this thread.

cmb

Yeah iOS devices and mobile IPsec work great now. One last fix for DNS specific to Cisco clients went in several days ago, though it worked at least a couple weeks prior to that aside from DNS.