IPhone + IPSec
-
Thanks a lot for your post kingjedi. My config was very close to yours, but I changed it to be exactly as yours and still the same issue. ESP traffic coming into pfSense box, but nothing is being sent to iPhone. What iPhone OS version are you running? I am on 3.1.2. I also assume you are running full pfSense install and not nanobsd? Thanks again.
-
It's on 3.1.3 but it's the cisco vpn stack.. this should also apply to any cisco client just the same.
Did you try restarting racoon? Also after restarting it and trying a connection, post your log dump
-
Another strange thing is if I select AES 256 bit in phase two then SAs are not created. So in this example I am using 3DES in phase 2.
a.b.c.d - pf box external ip
k.l.m.n - iPhone ip
$ cat /var/log/ipsec.log
Mar 22 20:19:47 pfsense racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Mar 22 20:19:47 pfsense racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Mar 22 20:19:47 pfsense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Mar 22 20:19:47 pfsense racoon: INFO: Resize address pool from 0 to 254
Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[4500] used as isakmp port (fd=8)
Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
Mar 22 20:19:47 pfsense racoon: INFO: a.b.c.d[500] used as isakmp port (fd=9)
Mar 22 20:19:55 pfsense racoon: INFO: respond new phase 1 negotiation: a.b.c.d[500]<=>k.l.m.n[50940]
Mar 22 20:19:55 pfsense racoon: INFO: begin Aggressive mode.
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: RFC 3947
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 22 20:19:55 pfsense racoon: INFO: received Vendor ID: DPD
Mar 22 20:19:55 pfsense racoon: INFO: Selected NAT-T version: RFC 3947
Mar 22 20:19:56 pfsense racoon: INFO: Adding remote and local NAT-D payloads.
Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[50940] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[500] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: Adding xauth VID payload.
Mar 22 20:19:56 pfsense racoon: WARNING: the packet retransmitted in a short time from k.l.m.n[50940]
Mar 22 20:19:56 pfsense racoon: NOTIFY: the packet is retransmitted by k.l.m.n[50940] (1).
Mar 22 20:19:56 pfsense racoon: INFO: NAT-T: ports changed to: k.l.m.n[17531]<->a.b.c.d[4500]
Mar 22 20:19:56 pfsense racoon: INFO: Hashing a.b.c.d[4500] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #0 verified
Mar 22 20:19:56 pfsense racoon: INFO: Hashing k.l.m.n[17531] with algo #2
Mar 22 20:19:56 pfsense racoon: INFO: NAT-D payload #1 doesn't match
Mar 22 20:19:56 pfsense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Mar 22 20:19:56 pfsense racoon: INFO: NAT detected: PEER
Mar 22 20:19:56 pfsense racoon: INFO: Sending Xauth request
Mar 22 20:19:56 pfsense racoon: INFO: ISAKMP-SA established a.b.c.d[4500]-k.l.m.n[17531] spi:438bae0be73b0b53:8485b1bbf6e7f82f
Mar 22 20:20:08 pfsense racoon: INFO: Using port 0
Mar 22 20:20:08 pfsense racoon: INFO: login succeeded for user "username"
Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Mar 22 20:20:10 pfsense racoon: WARNING: Ignored attribute 28683
Mar 22 20:20:11 pfsense racoon: INFO: respond new phase 2 negotiation: a.b.c.d[4500]<=>k.l.m.n[17531]
Mar 22 20:20:11 pfsense racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in
Mar 22 20:20:11 pfsense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 22 20:20:11 pfsense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Mar 22 20:20:11 pfsense racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Mar 22 20:20:11 pfsense last message repeated 3 times
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=267341062(0xfef4d06)
Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=35705435(0x220d25b)
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in"
Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.103.1/32[0] proto=any dir=out"
$ setkey -D
a.b.c.d[4500] k.l.m.n[17531]
esp-udp mode=any spi=35705435(0x0220d25b) reqid=1(0x00000001)
E: 3des-cbc 8e9ec11a 3bb59911 dd07fe15 4c92d410 eef3e449 4470d6c6
A: hmac-sha1 8929b853 29c35dfe 91db6c6e 0508c951 f2593c1a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 22 20:20:12 2010 current: Mar 22 20:20:21 2010
diff: 9(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=51497 refcnt=1
k.l.m.n[17531] a.b.c.d[4500]
esp-udp mode=tunnel spi=267341062(0x0fef4d06) reqid=1(0x00000001)
E: 3des-cbc de063f0f c0f82961 86eae7ff 0f6326a8 6c718478 519873ef
A: hmac-sha1 b529c065 e5141885 a92b3d59 4dd79e9c 77b95276
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 22 20:20:12 2010 current: Mar 22 20:20:21 2010
diff: 9(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=51497 refcnt=1
$ setkey -DP
192.168.103.1[any] 192.168.100.0/24[any] any
in ipsec
esp/tunnel/k.l.m.n-a.b.c.d/unique:1
created: Mar 22 20:20:12 2010 lastused: Mar 22 20:20:12 2010
lifetime: 3600(s) validtime: 0(s)
spid=67 seq=1 pid=51688
refcnt=1
192.168.100.0/24[any] 192.168.103.1[any] any
out ipsec
esp/tunnel/a.b.c.d-k.l.m.n/unique:1
created: Mar 22 20:20:12 2010 lastused: Mar 22 20:20:12 2010
lifetime: 3600(s) validtime: 0(s)
spid=68 seq=0 pid=51688
refcnt=1
$ cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp a.b.c.d [500];
    isakmp_natt a.b.c.d [4500];
}
mode_cfg
{
    auth_source system;
    group_source system;
    pool_size 254;
    network4 192.168.103.1;
    netmask4 255.255.255.0;
    split_network include 192.168.100.0/24;
    dns4 208.67.222.222;
    default_domain "local.lan";
}
remote anonymous
{
    ph1id 2;
    exchange_mode aggressive;
    my_identifier address a.b.c.d;
    peers_identifier fqdn "local.lan";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}
sainfo subnet 192.168.100.0/24 any anonymous
{
    remoteid 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
-
azzido, I do the same as you, but no traffic in the VPN tunnel!
-
- Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The PHP generation code will insert an erroneous value into pool_size; this can be corrected so the GUI works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value, i.e. in this case 254.
How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.
-
@cmb:
Looked like it was coming from upstream of it, I'll admit I didn't look that hard.. just saw the -4xxxxxxxxx number in its place so I weed-whacked it, I can try again with a fresh install
Also I did trace the DNS issue: the split_dns option was missing, which is needed for Cisco clients, so I threw that line in and it's working well; I like the new interface as well
Edit:
Fresh install done and again it threw up a bogus value.. however I'll say this before digging too deep, dnsmasq failed to install again and is nowhere to be found.. I do a manual pkg_add -r dnsmasq and it takes off like normal.. failed install on ESX maybe? or is it not part of the base install?
Anyway the value it inserts into the racoon.conf is -4294967043 for pool_size
Edit: After looking further the ip2long function is returning bogus values ???, also you're right about the pool_size, I forgot the sign flip when doing it by hand so it is 253
Edit: Just dawned on me what the root cause almost has to be… a 64-bit issue with integer types, sorry should have mentioned earlier this is a 64-bit install.
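The -4294967043 quoted above is exactly 253 - 2^32, which is what a bitwise NOT of a 64-bit ip2long() result produces: on 32-bit PHP, ip2long("255.255.255.0") is the signed value -256 and ~(-256) is 255, whereas on 64-bit PHP it is 4294967040 and ~4294967040 is -4294967041. The Python below is an added example, not pfSense's vpn.inc (whose code this thread does not show); it emulates PHP's ip2long() at both integer widths, shows that a "NOT netmask minus 2" calculation (my hypothetical guess at the shape of the original) reproduces both figures reported in this thread, and shows the fix of truncating the NOT to 32 bits so the result is the same on either platform.

```python
import struct


def to_signed(value: int, bits: int) -> int:
    """Reinterpret an unsigned integer as a two's-complement signed value of width `bits`."""
    if value >= 1 << (bits - 1):
        value -= 1 << bits
    return value


def ip2long(ip: str, bits: int = 64) -> int:
    """Emulate PHP's ip2long() on a platform whose native int is `bits` wide (32 or 64).

    On 32-bit PHP the result is a signed 32-bit int, so any address or netmask with
    its top bit set (everything >= 128.0.0.0) comes back negative; on 64-bit PHP the
    same address is always returned as a positive number.
    """
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    unsigned = struct.unpack("!I", struct.pack("!4B", *octets))[0]
    return to_signed(unsigned, bits)


def pool_size_suspected(netmask: str, bits: int) -> int:
    """Hypothetical shape of the failing calculation (not quoted from vpn.inc).

    ~netmask is meant to give the host part with all bits set (255 for a /24);
    subtracting 2 leaves 253. That only holds when ~ acts on a 32-bit value.
    """
    return ~ip2long(netmask, bits) - 2


def pool_size_fixed(netmask: str, bits: int) -> int:
    """Same arithmetic, with the NOT truncated to 32 bits so it is width-independent."""
    return (~ip2long(netmask, bits) & 0xFFFFFFFF) - 2


if __name__ == "__main__":
    for bits in (32, 64):
        print(
            f"{bits}-bit: ip2long(255.255.255.0)={ip2long('255.255.255.0', bits)} "
            f"suspected={pool_size_suspected('255.255.255.0', bits)} "
            f"fixed={pool_size_fixed('255.255.255.0', bits)}"
        )
```

Running it prints 253 for both the suspected and fixed forms at 32 bits, and -4294967043 versus 253 at 64 bits, matching the i386 and amd64 values reported in this thread.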
-
AES 256 bit started working for phase 2 after I disabled glxsb on my Alix board.
I created 2 virtual machines, one i386 and one amd64, and they both have the same issue - no traffic is sent back to the iPhone until I flush SPDs and re-create them.
I can confirm that there is a bug with amd64 builds. The pool size it generates for a /24 net is: pool_size -4294967043; and it looks fine in i386 builds: pool_size 253;
I am really running out of ideas. kingjedi - do you have any unusual settings on your machine as far as interface setup or routing goes?
-
If you can get it working once after a flush then try this… sounds like some kind of phase 2 tear-down bug maybe? dunno
It's quick and dirty but should work for one user
Add these lines to your racoon.conf and then save the below shell script into the appropriate dir
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
path script "/var/etc/racoon/scripts";
and then in your remote section
remote anonymous
{
    ph1id 1;
    ….
    script "phase2flush" phase1_down;
}
Shell script: phase2flush
#!/bin/sh
/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP
Edit: You're right... mine is also hit with that same issue.. I was just avoiding it by not dropping the link so fast and returning some time later each time; the SPDs on mine are set to time out in an hour so I didn't really notice it until forcing a drop and trying to drive packets.
-
Well, no I cannot pass traffic right after I connect. And I only flush and recreate SPDs, not SAs.
There are several other bugs in ipsec-tools so the bottom line is until someone fixes ipsec-tools roadwarrior setup is a no-go.
-
It seems to be a bug of ipsec-tools 0.8?
-
Does look like it. Though I have not tried the 0.7.x branch of ipsec-tools so I am not 100% sure.
-
I know ipsec-tools 0.8 is a version, but why did pf 2.0 choose this version? Does 0.8 have a greater update than the last release version?
-
As I said earlier in this thread - that's the only version that will work properly with the FreeBSD version we use. 0.7.x has its own issues with the things we've added in 2.0, so even if it could be made to work, you're just trading some problems for other problems.
-
Anyone had success with iPhone > 3.1.2 and IPSec yet? I'd really like to use this over PPTP.
-
Pure IPSec is still not working. As far as I know PPTP should work fine, though I have not tried it myself.
-
It does. It's the only reasonable VPN solution for the iPhone right now.
L2TP is at the moment plain Layer 2 tunneled traffic without IPSec, just authentication so far..
OpenVPN on a jailbroken iPhone is a hell of itself.
So if you aren't firm with configuring the IPSec part manually, I think you have to wait..
But still, 2.0 Beta?!? I mean, wonderful, brilliant..
-
Hi folks,
VPN-ing is really a mess with a mobile device. Even if you successfully set up a working PPTP tunnel over WiFi, it need not work over 3G (UMTS): here in Germany Vodafone somehow uses a proxy to minify images, and the user cannot turn it off in any way. The Vodafone Mac team has been working on the VPN problem since the iPad was rolled out, but still with no success (after 4 months).
IPSec on Apple's mobile devices is made by Cisco.
If we had Cisco routers, we wouldn't be reading this pfSense forum :-/
After no success with our pfSense we tried some alternatives, and found a solution which we had to compile into our Gentoo.
Strongswan allows, in its compilable version, setting a Cisco parameter, and we were able to set up an IPSec tunnel which is working over 3G and EDGE too, just by following the instructions.
Even if it is a bit off-topic (because the solution is not in pfSense), this info could probably help to enhance the 2.x pfSense to be able to do this job too (which I would prefer).
-
Have you tried a recent 2.0 beta?
Lots of things have changed in there since the last post in this thread.
-
Yeah iOS devices and mobile IPsec work great now. One last fix for DNS specific to Cisco clients went in several days ago, though it worked at least a couple weeks prior to that aside from DNS.
-
I keep getting a login failure even though I've followed the instructions in this post.
Any idea why? I take it you just add a user (with no privileges) and enter a preshared key under that user?
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: unknown Informational exchange received.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[58036], but we have no ISAKMP-SA.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: Attempt to release an unallocated address (port 0)
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: login failed for user "vpnuser"
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Released port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Using port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[58036] spi:92cbc9035936dcda:6839598826f513a5
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Sending Xauth request
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT detected: PEER
Dec 30 16:51:31 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #1 doesn't match
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58036] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[4500] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-T: ports changed to: XXX.XXX.XXX.XXX[58036]<->XXX.XXX.XXX.XXX[4500]
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[500] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58034] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: WARNING: No ID match.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: begin Aggressive mode.
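A small log-triage script, added here as an example and not part of pfSense or ipsec-tools, that parses racoon lines in both formats seen in this thread (the "pfsense racoon:" form of the first dump and the "racoon: [Mobile Clients]:" form of the last one), tags the events that decide whether a mobile-client handshake got through phase 1, XAuth, phase 2 and policy installation, and gives a one-line verdict. The rule labels and verdict wording are mine; the sample lines are copied from the two dumps above, with the second set kept in the newest-first order the pfSense log viewer shows.

```python
import re
from collections import Counter

# One racoon syslog line. Host ("pfsense") and the "[Mobile Clients]" tag are
# both optional so the same regex covers the two log formats in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )?racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?"
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$"
)

# (pattern on the message text, label). First match wins; the labels are my own.
RULES = [
    (re.compile(r"^ISAKMP-SA established (\S+)-(\S+)"), "phase1-up"),
    (re.compile(r"^IPsec-SA established: ESP (\S+)->(\S+) spi=(\d+)"), "phase2-up"),
    (re.compile(r'^login succeeded for user "([^"]+)"'), "xauth-ok"),
    (re.compile(r'^login failed for user "([^"]+)"'), "xauth-fail"),
    (re.compile(r"^trns_id mismatched: my:(\S+) peer:(\S+)"), "phase2-transform-mismatch"),
    (re.compile(r"^no policy found, try to generate the policy : (.+)"), "policy-generated"),
    (re.compile(r'^such policy does not already exist: "(.+)"'), "policy-install-error"),
    (re.compile(r"^NAT detected: (\S+)"), "nat-t"),
    (re.compile(r"^No ID match\."), "phase1-id-mismatch"),
    (re.compile(r"^mode config \d+ from (\S+), but we have no ISAKMP-SA"), "modecfg-without-sa"),
    (re.compile(r"^setsockopt\((\w+)\): UDP_ENCAP Protocol not available"), "no-kernel-udp-encap"),
]


def parse_line(line: str):
    """Split one racoon line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg: str):
    """Return (label, captured groups) for the first matching rule, or None."""
    for rx, label in RULES:
        m = rx.search(msg)
        if m:
            return label, m.groups()
    return None


def triage(lines) -> dict:
    """Count labelled events and collect (timestamp, tag, level, label, details) findings."""
    counts, findings, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # e.g. "last message repeated 3 times"
            continue
        hit = classify(rec["msg"])
        if hit is None:
            continue
        label, groups = hit
        counts[label] += 1
        findings.append((rec["ts"], rec["tag"] or "-", rec["level"], label, groups))
    return {"counts": dict(counts), "findings": findings, "unparsed": unparsed}


def verdict(result: dict) -> str:
    """One-line diagnosis, checked in the order a mobile-client handshake fails."""
    c = result["counts"]
    if c.get("xauth-fail"):
        return "XAuth login failed: phase 1 came up but the user credentials were rejected"
    if c.get("policy-install-error"):
        return "IPsec SAs established but racoon could not install the generated policy; inspect the SPD with setkey -DP"
    if c.get("phase2-up"):
        return "phase 1 and phase 2 established"
    if c.get("phase1-up"):
        return "phase 1 established but no IPsec-SA negotiated"
    return "no ISAKMP-SA established"


# Sample input: lines copied from the two dumps in this thread.
SAMPLE_MAR = [
    "Mar 22 20:19:47 pfsense racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available",
    "Mar 22 20:19:56 pfsense racoon: INFO: NAT detected: PEER",
    "Mar 22 20:19:56 pfsense racoon: INFO: ISAKMP-SA established a.b.c.d[4500]-k.l.m.n[17531] spi:438bae0be73b0b53:8485b1bbf6e7f82f",
    'Mar 22 20:20:08 pfsense racoon: INFO: login succeeded for user "username"',
    "Mar 22 20:20:11 pfsense racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in",
    "Mar 22 20:20:11 pfsense racoon: WARNING: trns_id mismatched: my:3DES peer:AES",
    "Mar 22 20:20:11 pfsense last message repeated 3 times",
    "Mar 22 20:20:12 pfsense racoon: INFO: IPsec-SA established: ESP a.b.c.d[500]->k.l.m.n[500] spi=267341062(0xfef4d06)",
    'Mar 22 20:20:12 pfsense racoon: ERROR: such policy does not already exist: "192.168.103.1/32[0] 192.168.100.0/24[0] proto=any dir=in"',
]
SAMPLE_DEC = [  # newest first, as the pfSense log viewer prints it
    "Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[58036], but we have no ISAKMP-SA.",
    'Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: login failed for user "vpnuser"',
    "Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[58036] spi:92cbc9035936dcda:6839598826f513a5",
    "Dec 30 16:51:30 racoon: [Mobile Clients]: WARNING: No ID match.",
]

if __name__ == "__main__":
    for name, sample in (("Mar 22 dump", SAMPLE_MAR), ("Dec 30 dump", SAMPLE_DEC)):
        result = triage(sample)
        print(name, result["counts"], "->", verdict(result))
```

The rules deliberately key on the exact message text racoon emits, so a line that does not match any rule is simply skipped rather than guessed at; extend RULES with further messages from your own logs as needed.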