IPhone + IPSec

cmb

@kingjedi:

• Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 254.

How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

kingjedi

@cmb:

@kingjedi:

• Also of note there is a bug in this particular snapshot in that racoon's conf file is not generated correctly. The php generation code will insert an erroneous value into pool_size, this can be corrected so the gui works with a workaround of editing vpn.inc and manually setting the pool_size to your correct network value. ie in this case 254.

How is it erroneous? It looks accurate to me, it's the subnet size minus one, which is what the ipsec-tools docs show (i.e. 253 for a /24). I'm not sure of the exact intent as I didn't write that part, but the guy who did is an ipsec-tools committer so he definitely knows his stuff.

Looked like it was coming from upstream of it, i'll admit i didnt look that hard.. just saw the -4xxxxxxxxx number in it's place so i weed wacked it, i can try again with a fresh install

Also I did trace the dns issue, the split_dns option was missing which is needed for cisco clients so threw that line in and it's working good, like the new interface as well

Edit:

Fresh install done and again it threw up a bogus value.. however i'll say this before digging to deep, dnsmasq failed to install again and nowhere to be found.. i do a manual pkg_add -r dnsmasq and it takes off like normal.. failed install on esx maybe? or is it not part of the base install?

Anyway the value it inserts into the racoon.conf is -4294967043 for pool_size

Edit: After looking further the ip2long function is returning bogus values ???, also your right about the pool_size, i forgot the sign flip when doing it by hand so it is 253

Edit: Just dawned on me what the root cause almost has to be… a 64bit issue with integer types, sorry should have mentioned earlier this is a 64bit install.

azzido

AES 256 bit started working for phase 2 after I disabled glxsb on my Alix board.

I created 2 virtual machines one i386 and one amd64 and they both have same issue - no traffic is sent back to iPhone until i flush SPDs and re-create them.

I can confirm that there is a bug with amd64 builds. The pool size it generates for /24 net is: pool_size -4294967043;  and it looks fine in i386 builds pool_size 253;

I am really running out of ideas. kingjedi - do you have any unusual settings on your machine as far as interface setup or routing goes?

kingjedi

@azzido:

AES 256 bit started working for phase 2 after I disabled glxsb on my Alix board.

I created 2 virtual machines one i386 and one amd64 and they both have same issue - no traffic is sent back to iPhone until i flush SPDs and re-create them.

I can confirm that there is a bug with amd64 builds. The pool size it generates for /24 net is: pool_size -4294967043;  and it looks fine in i386 builds pool_size 253;

I am really running out of ideas. kingjedi - do you have any unusual settings on your machine as far as interface setup or routing goes?

If you can get it working once after a flush then try this… sounds like some kinda phase2 tear down bug maybe? dunno

It's quick and dirty but should work for one user

Add these lines to your racoon.conf and then save the below shell script into the appropriate dir

This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";
path certificate  "/var/etc";
path script "/var/etc/racoon/scripts";

and then in your remote section

remote anonymous
{
        ph1id 1;
….
        script "phase2flush" phase1_down;
}

Shell script: phase2flush

#!/bin/sh

/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP

---

Edit: Your right... mine is also hit with that same issue.. i was just avoiding it by not dropping the link so fast and returning sometime later each time, the spds on mine are set to time out in an hour so didnt really notice it until forcing a drop and trying to drive packets.

azzido

Well, no I cannot pass traffic right after I connect. And I only flush and recreate SPDs, not SAs.

There are several other bugs in ipsec-tools so the bottom line is until someone fixes ipsec-tools roadwarrior setup is a no-go.

horsedragon

It seem the bug of ipsec-tools 0.8 ?

azzido

Does look like it. Though I have not tried 0.7.x branch of ipsec-tools so I am not 100% sure

horsedragon

I  know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?

cmb

@horsedragon:

I  know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?

As I said earlier in this thread - that's the only version that will work properly with the FreeBSD version we use. 0.7.x has its own issues with the things we've added in 2.0, so even if it could be made to work, you're just trading some problems for other problems.

pashdown

Anyone had success with iPhone > 3.1.2 and IPSec yet?  I'd really like to use this over PPTP.

azzido

@pashdown:

Anyone had success with iPhone > 3.1.2 and IPSec yet?  I'd really like to use this over PPTP.

Pure IPSec is still not working. As far as i know PPTP should work fine though I have not tried it myself.

eazydor

It does. As the only reasonable VPN-Solution for the iPhone right now.

L2TP is at the moment plain Layer 2 tunneled Traffic without IPSec, just Authentication so far..

OpenVPN on jailbroken iPhone is a hell of itself.

So if you aren´t firm with configuring the IPSec-Part manually, i think have to wait..

But still, 2.0 Beta?!? I mean, wonderful, brilliant..

crnet

Hi Volks,

VPN-ing is really a mess with a Mobile device. Even if you setup successful a working PPTP-Tunnel over WiFi, it must not work over 3G (UMTS): here in Germany Vodafone uses a proxy somehow to minifize Images, and the User can not turn it off in any way. The Vodafone Mac-Tam is working on the VPN-Problem since the iPad is rolled out, but still with no success (after 4 Month).

IPSec on Apples Mobile devices is made from Cisco.
If we would have CISCO-Routers, we wont read in this pfSense Forum :-/
After no Success with our pfSense we tried some alternates, and found a solution wich we had to compile into our Gentoo.
Strongswan allows in its compileable Version to set a Cisco-Parameter, and we where able to set a IPSec-Tunnel wich is working over 3G and EDGE too. Just by following the instructions.

Even if it is a bit off-topic (because the solution is not in pfsense), this Info could probably help to enhance the 2.x pfsense to be able to do this job too. (what I would prefer)

jahonix

Have you tried a recent 2.0 beta?
Lots of things have changed in there since the last post in this thread.

cmb

Yeah iOS devices and mobile IPsec work great now. One last fix for DNS specific to Cisco clients went in several days ago, though it worked at least a couple weeks prior to that aside from DNS.

louis-m

i keep getting a login failure even though i've followed the instructions on this post.
any idea why? i take it you just add a user (with no privelidges) and enter a preshared key under that user?

Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: unknown Informational exchange received.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[58036], but we have no ISAKMP-SA.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: Attempt to release an unallocated address (port 0)
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: login failed for user "vpnuser"
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Released port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Using port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[58036] spi:92cbc9035936dcda:6839598826f513a5
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Sending Xauth request
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT detected: PEER
Dec 30 16:51:31 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #1 doesn't match
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58036] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[4500] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-T: ports changed to: XXX.XXX.XXX.XXX[58036]<->XXX.XXX.XXX.XXX[4500]
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[500] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58034] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: WARNING: No ID match.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: begin Aggressive mode.

sofakng

The constant login failed is the EXACT same problem I'm having…

Can anybody help?  :(

azzido

See this thread http://forum.pfsense.org/index.php/topic,32319.0.html

oggsct

I had this working in a dev environment but the configuration got lost during a rebuild for a different test. Following the various posts in here I am able to login and get an IP assigned from the local mobile pool but I can't get traffic in either direction.

Internal Network: 10.0.0.0/16
Mobile IP Network 10.0.35.5/29

Can provide any additional information as needed. Using pfsense 2.0 Beta5 Feb 7 21:37 snapshot.

Thank!

jahonix

@oggsct:

I can't get traffic in either direction.
Internal Network: 10.0.0.0/16
Mobile IP Network 10.0.35.5/29

Your mobile IP network lies within your internal network, thus traffic never gets routed out because there's no need to.

Address:    10.0.0.0
Netmask:  255.255.0.0 = 16
=>
Network:    10.0.0.0/16
Broadcast: 10.0.255.255
HostMin:    10.0.0.1
HostMax:  10.0.255.254
Hosts/Net: 65534            (Private Internet)