IPSec established, no Traffic passing.
-
Hi everyone, I'm pretty new to pfSense and IPsec in particular.
I have an OS X 10.6 machine (integrated Cisco IPsec client) with an established IPsec connection to pfSense-2.0-BETA1-20100430-1645.
Tunnel: AES256/SHA1/ESP/XAuth & PSK
As mentioned, the connection itself establishes, but neither the client nor pfSense can send/receive traffic or ping each other.
Rules for LAN, WAN and IPsec are set; I even tried disabling filtering altogether, without success.
Setup: WAN -> 192.168.1.32/24
LAN -> 192.168.2.1/24
IPsec: Client Pool -> 192.168.3.0/24 or 192.168.2.0/24 -- tried both, without success.
Local Subnet: LAN Subnet or Network: 192.168.2.0/24 -- tried both, without luck.
Provide Domain & DNS & available Network list
I searched the forum (2.0 section & Virtualization), the bug tracker, etc. without success.
There's one post (http://forum.pfsense.org/index.php/topic,12403.0.html) with the same issue and a hint from Scott Ullrich about changing a few sysctls (net.enc.OUT/IN.ipsec_BPF/FILTER_mask=0x0000001/2), but it had no effect on my install.
What did I forget or get wrong?!?
If someone needs more information, please ask..
Thanks in advance..
Sydney.
-
It seems that the client doesn't receive an IP from pfSense: the connection shows up under Status/Overview and SAD & SPD are set, but the remote IP field stays empty.
The client, however, says it received an IP from the given pool. I've tried different clients (OS X Cisco IPsec, Shrew Soft VPN, IPSecuritas, etc.).
I did try some hints from related topics, changing sysctls, changing the MTU, ... Is this a misconfiguration on my part or a bug in the beta?
??? ::) ???
Thankful for any advice..
Sydney
-
Mobile IPsec doesn't work at the moment.
-
OK, thanks cmb..
Is it a routing or filtering problem then?
Nothing I can do about it?
-
Most likely it's an ipsec-tools issue. See this thread for more details: http://forum.pfsense.org/index.php/topic,23519.0.html
-
Has anyone tried the newer snapshot version? Does the newer version work fine? Thank you!
-
I tried the May 14th snapshot and was able to successfully establish a pure IPsec VPN connection between an iPhone and pfSense and access the internal network. Thanks for fixing it, guys.
-
Hey azzido, with which settings?!?
-
If you set up a site-to-site type tunnel, IPsec works. If you set up a mobile-style tunnel, it does not work. I confirmed this again last week, but I was on the May 12th snapshot. I should update and try it again today.
I'm not sure what azzido did, but I'd also be interested in knowing what method was used.
I know how to make it work by hand after the connection is established, but it is completely impractical and only useful for verifying tests. (See my post on the ipsec-tools-devel list here: http://sourceforge.net/mailarchive/message.php?msg_name=4BEDB60C.2080501%40pingle.org )
-
I just tried a mobile tunnel again on today's snapshot and I still can't pass traffic when it connects.
-
After all, what was/is the problem with road warrior support?
Wrong security policies (SPDs)?!?
I would love to know how azzido got it working, with or without little snitches..
-
When the mobile client connects, it makes SPDs but doesn't properly tie them to the tunnel somehow.
Flushing the SPDs and adding them back by hand makes it work - though the output of setkey before and after appears identical.
-
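Added example, not code from anyone in this thread: a small POSIX sh checker for the symptom jimp describes above. On the pfSense box it would be fed the output of `setkey -DP` and reports whether both the inbound and the outbound policy for a given client's virtual address are present in the kernel SPD. The `setkey -DP` text embedded below is constructed for the example, using a client virtual IP of 192.168.103.1, an assumed client public address of 203.0.113.10, and the WAN (192.168.1.32) and LAN (192.168.2.0/24) addresses from the first post.

```sh
#!/bin/sh
# Verify that a connected mobile IPsec client has both security policies
# (inbound from its virtual IP and outbound to it) in the kernel SPD.
# On pfSense, run as:  mobile_spd_ok "$(setkey -DP)" 192.168.103.1
# Everything here is an added example; the sample output is constructed.

# Print the policy directions ("in", "out") whose selector involves the
# given client address, sorted and space-separated, e.g. "in out".
spd_dirs_for_client() {
    spd="$1"; client="$2"
    printf '%s\n' "$spd" | awk -v c="$client" '
        # Selector line (no leading whitespace): "<src>[port] <dst>[port] <proto>"
        /^[^[:space:]]/ {
            src = $1; dst = $2
            sub(/\[.*/, "", src); sub(/\[.*/, "", dst)    # drop "[port]"
            sub(/\/32$/, "", src); sub(/\/32$/, "", dst)  # host/32 == host
            next
        }
        # Direction line ("<tab>in ipsec" / "<tab>out ipsec") belongs to the
        # selector printed just before it.
        /^[[:space:]]+(in|out)[[:space:]]/ {
            if (src == c || dst == c) print $1
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only when both directions exist. Tunnel up but a policy missing in
# one direction gives exactly the "established, no traffic" symptom.
mobile_spd_ok() {
    [ "$(spd_dirs_for_client "$1" "$2")" = "in out" ]
}

# Constructed sample of `setkey -DP` for one client: virtual IP 192.168.103.1,
# assumed public address 203.0.113.10, pfSense WAN 192.168.1.32, LAN 192.168.2.0/24.
SAMPLE_SPD='192.168.103.1[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.10-192.168.1.32/unique#16385
	spid=2 seq=1 pid=1234
	refcnt=1
192.168.2.0/24[any] 192.168.103.1[any] any
	out ipsec
	esp/tunnel/192.168.1.32-203.0.113.10/unique#16385
	spid=1 seq=0 pid=1234
	refcnt=1'

# Constructed broken state: only the inbound policy made it into the SPD.
SAMPLE_SPD_HALF='192.168.103.1[any] 192.168.2.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.10-192.168.1.32/unique#16385
	spid=2 seq=1 pid=1234
	refcnt=1'

if mobile_spd_ok "$SAMPLE_SPD" 192.168.103.1; then
    echo "sample: both policies present"
fi
if ! mobile_spd_ok "$SAMPLE_SPD_HALF" 192.168.103.1; then
    echo "half: policy missing, found only: $(spd_dirs_for_client "$SAMPLE_SPD_HALF" 192.168.103.1)"
fi
```

If the check fails right after a client connects, the flush-and-re-add that jimp mentions is the manual workaround (`setkey -FP` clears every policy, not just the client's, so only do that while testing). If it passes and traffic still does not flow, the SPD is not the culprit and the firewall rules and the SAD (`setkey -D`) are the next things to look at.
-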
I will post my setup once I get back home. It's basically the same setup that I posted in my previous thread that was not working before. Typing this while on the bus connected via VPN :)
-
No way, man. Congrats on the first benefits of your first-class tunnel...
But you didn't have to flush & re-add the policies by hand? (I guess not, on a bus...)
I tried with the same config you posted in another thread, iPhone & IPsec I guess, on a 14 May/22:45 i386 LiveCD snapshot, but without luck.. It would be great if you could help..
-
No, I didn't have to do anything fancy this time. It just works. And SPDs are auto-generated. The only problem is that if the iPhone disconnects from 3G it does not automatically re-establish the VPN tunnel, so you have to connect manually. I think there is a way to force the iPhone to automatically establish the tunnel when you try to access certain sites.
-
I don't get it. How could this be possible.. You're sure that traffic is passing through the tunnel?
jimp couldn't get it to work either, at least without flushing SPDs..
-
Yep, works like a charm actually. I just need an Internet connection with a faster uplink now.
-
Did you separate the IPsec net from the LAN net this time (IP range)?
i386 or amd64?
NanoBSD or LiveCD?
Tell us, make us wise, my friend.. What about your network settings, did you add a new gateway?
-
This is the IPsec setup on pfSense:

VPN -> IPsec -> Mobile clients
  IKE Extensions
    Enable IPsec Mobile Client Support: yes
  Extended Authentication (Xauth)
    User Authentication: system
    Group Authentication: system
  Client Configuration (mode-cfg)
    Virtual Address Pool
      Provide a virtual IP address to clients: yes
      Network: 192.168.103.0 / 24  !!! use a subnet that is not currently used
    Network List
      Provide a list of accessible networks to clients: no
    DNS Default Domain
      Provide a default domain name to clients: yes
      Domain: domain.lan  !!! can be the same as the pfSense domain
    DNS Servers
      Provide a DNS server list to clients: yes
      DNS Servers: 208.67.222.222  !!! OpenDNS
    WINS Servers
      Provide a WINS server list to clients: no
    Phase2 PFS Group
      Provide the Phase2 PFS group to clients: no
    Login Banner
      Provide a login banner to clients: no

VPN -> IPsec -> Tunnels
  Enable IPsec: yes

VPN -> IPsec -> Tunnels -> Phase 1
  General information
    Interface: WAN
    Description: iPhone
  Phase 1 proposal (Authentication)
    Authentication method: Mutual PSK + Xauth
    Negotiation mode: aggressive  !!! as per iPhone documentation
    My identifier: My IP address
    Peer identifier: Distinguished name  !!! enter the name of the group
    Pre-Shared Key: *  !!! 63 random alphanumeric characters (a-z, A-Z, 0-9) from https://www.grc.com/passwords.htm
    Encryption algorithm: AES / 256 bits  !!! that's the first thing the iPhone proposes, so that's what we use
    Hash algorithm: SHA1  !!! that's the first thing the iPhone proposes, so that's what we use
    DH key group: 2  !!! as per iPhone documentation
    Lifetime: 28800  !!! leave default
  Advanced Options
    NAT Traversal: Enable
    Dead Peer Detection
      Enable DPD: yes
      Delay between requesting peer acknowledgement: 10
      Number of consecutive failures allowed before disconnect: 5

VPN -> IPsec -> Tunnels -> Phase 2
  Mode: Tunnel
  Local Network
    Type: none
    Address: leave blank
  Phase 2 proposal (SA/Key Exchange)
    Protocol: ESP
    Encryption algorithms: AES / 256 bits
    Hash algorithms: SHA1
    PFS key group: off
    Lifetime: 3600
  Advanced Options
    Automatically ping host

And here is the iPhone setup:

Settings -> General -> Network -> VPN -> Add VPN Configuration -> IPSec
  Description: descriptive name
  Server: domain name or IP address of the pfSense WAN interface
  Account: user name (on the pfSense box)
  Password: user password
  Use Certificate: off
  Group Name: Peer identifier from the pfSense setup
  Secret: Pre-Shared Key from the pfSense setup
-
The user that you specify on the iPhone needs to be created on pfSense under System -> User Manager
-
If you use an ALIX board, disable glxsb under System -> Advanced -> Miscellaneous
-
The firewall needs to allow incoming UDP connections from WAN on ports 500 and 4500
-
The firewall needs to allow IPsec traffic; create an allow-all rule with logging while testing
Try this and post your /var/etc/racoon.conf in case it does not work.
Good luck
-
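For cross-checking the generated file the post above asks for: the GUI settings listed there correspond to ipsec-tools directives roughly as in the following racoon.conf. This is an added illustration written for this thread, not the poster's file and not pfSense's actual generated output (which differs in details); the group name `iphones`, the WAN address 192.168.1.32 (taken from the first post), the pool size and the PSK file layout are assumptions.

```conf
# Added illustration, not a file from this thread: a racoon.conf (ipsec-tools)
# in the shape pfSense 2.0 would generate for the mobile-client settings above.
# Assumed: WAN address 192.168.1.32, group name "iphones", and the PSK stored in
# /var/etc/psk.txt as a line of the form:  iphones <pre-shared key>
path pre_shared_key "/var/etc/psk.txt";

listen {
	isakmp 192.168.1.32 [500];
	isakmp_natt 192.168.1.32 [4500];   # NAT Traversal: Enable
}

# Client Configuration (mode-cfg): virtual pool, DNS and domain pushed to clients
mode_cfg {
	auth_source system;                # User Authentication: system
	group_source system;               # Group Authentication: system
	pool_size 253;                     # assumed; covers 192.168.103.1-.253
	network4 192.168.103.1;            # Network: 192.168.103.0/24
	netmask4 255.255.255.0;
	dns4 208.67.222.222;               # DNS Servers
	default_domain "domain.lan";       # DNS Default Domain
}

# Phase 1 for any mobile peer: Mutual PSK + Xauth, aggressive mode
remote anonymous {
	exchange_mode aggressive;          # Negotiation mode: aggressive
	my_identifier address 192.168.1.32; # My identifier: My IP address
	peers_identifier fqdn "iphones";   # Peer identifier: Distinguished name = group name
	verify_identifier on;
	passive on;                        # pfSense only answers road warriors
	generate_policy unique;            # racoon installs the per-client SPDs itself
	mode_cfg on;
	nat_traversal on;
	ike_frag on;
	dpd_delay 10;                      # Dead Peer Detection: delay 10
	dpd_maxfail 5;                     # ... 5 consecutive failures
	proposal_check obey;
	proposal {
		encryption_algorithm aes 256;  # AES / 256 bits
		hash_algorithm sha1;           # SHA1
		authentication_method xauth_psk_server;
		dh_group 2;                    # DH key group 2
		lifetime time 28800 sec;       # Lifetime 28800
	}
}

# Phase 2: ESP AES-256 / SHA1, no PFS, 3600 s lifetime
sainfo anonymous {
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	lifetime time 3600 sec;
}
```

When a mobile client connects but passes no traffic, the `remote` block's `generate_policy` line and the policies that `setkey -DP` shows for the client's virtual address are the things to compare against the GUI, which is why the post asks for racoon.conf rather than screenshots.
-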
Awesome, thanks..
I'll give it a try right now..