Netgate Discussion Forum

    IPSec established, no Traffic passing.

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    40 Posts 6 Posters 48.7k Views
    azzido

      No, didn't have to do anything fancy this time. It just works, and the SPDs are auto-generated. The only problem is that if the iPhone disconnects from 3G it does not automatically re-establish the VPN tunnel, so you have to connect manually. I think there is a way to force the iPhone to automatically establish the tunnel when you try to access certain sites.

      eazydor

        I don't get it. How could this be possible? You're sure that traffic is passing through the tunnel?
        jimp couldn't get it to work either, at least not without flushing the SPDs.

        azzido

          Yep, works like a charm actually. I just need an Internet connection with a faster uplink now.

          eazydor

            You've separated the IPsec net from the LAN net this time (IP range)?
            i386 or amd64?
            nano or live?
            Tell us, make us wise, my friend.

            What about your network settings, did you add a new gateway?

            azzido

              This is IPsec setup on pfSense:

              VPN -> IPsec -> Mobile clients

              IKE Extensions
                      Enable IPsec Mobile Client Support                      yes
                  Extended Authentication (Xauth)
                      User Authentication                                      system
                      Group Authentication                                    system
                  Client Configuration (mode-cfg)
                      Virtual Address Pool
                          Provide a virtual IP address to clients             yes
                          Network                                              192.168.103.0 / 24              !!! use subnet that is not currently used
                      Network List
                          Provide a list of accessible networks to clients    no
                      DNS Default Domain
                          Provide a default domain name to clients            yes
                          Domain                                              domain.lan                      !!! can be same as pfSense domain
                      DNS Servers
                          Provide a DNS server list to clients                yes
                          DNS Servers                                          208.67.222.222                  !!! openDNS
                      WINS Servers
                          Provide a WINS server list to clients                no
                      Phase2 PFS Group
                          Provide the Phase2 PFS group to clients              no
                      Login Banner
                          Provide a login banner to clients                    no

              VPN -> IPsec -> Tunnels

              Enable IPsec                                                yes

              VPN -> IPsec -> Tunnels -> Phase 1

              General information
                      Interface                                                WAN
                      Description                                              iPhone
                  Phase 1 proposal (Authentication)
                      Authentication method                                    Mutual PSK + Xauth
                      Negotiation mode                                        aggressive                      !!! as per iPhone documentation
                      My identifier                                            My IP address
                      Peer identifier                                          Distinguished name              !!! enter name of the group
                      Pre-Shared Key                                          *                                !!! 63 random alpha-numeric characters (a-z, A-Z, 0-9) from https://www.grc.com/passwords.htm
                      Encryption algorithm                                    AES / 256 bits                   !!! that's the first thing iPhone proposes so that's what we use
                      Hash algorithm                                          SHA1                            !!! that's the first thing iPhone proposes so that's what we use
                      DH key group                                            2                                !!! as per iPhone documentation
                      Lifetime                                                28800                            !!! leave default
                  Advanced Options
                      NAT Traversal                                            Enable
                      Dead Peer Detection
                          Enable DPD                                          yes
                          Delay between requesting peer acknowledgement.      10
                          No of consecutive failures allowed before disconnect 5

              VPN -> IPsec -> Tunnels -> Phase 2

              Mode                                                        Tunnel
                  Local Network
                      Type                                                    none
                      Address                                                  leave blank
                  Phase 2 proposal (SA/Key Exchange)
                      Protocol                                                ESP
                      Encryption algorithms                                    AES / 256 bits
                      Hash algorithms                                          SHA1
                      PFS key group                                            off
                      Lifetime                                                3600
                  Advanced Options
                      Automatically ping host                                  -

              and here is iPhone setup:

              Settings -> General -> Network -> VPN -> Add VPN Configuration -> IPSec

              Description                              descriptive name
              Server                                    domain name or IP address of pfSense WAN interface
              Account                                  user name (on pfSense box)
              Password                                  user password
              Use Certificate                          off
              Group Name                                Peer identifier from pfSense setup
              Secret                                    Pre-Shared Key from pfSense setup

              • The user you specify on the iPhone needs to be created on pfSense under System -> User Manager

              • If you use an Alix board, disable glxsb under System -> Advanced -> Miscellaneous

              • The firewall needs to allow incoming UDP connections from WAN on ports 500 and 4500

              • The firewall needs to allow IPsec traffic; create an allow-all rule with logging while testing

              Try this and post your /var/etc/racoon.conf in case it does not work.

              Good luck
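
              The settings listed above are what pfSense turns into /var/etc/racoon.conf. As an added example, not code from the thread or from pfSense, here is a small Python checker that parses a racoon.conf in that generated layout and flags the things the post warns about: a virtual address pool that collides with the LAN, NAT-T or DPD left off, generate_policy unset (so no SPD is created for roaming clients), and one caveat the post does not spell out: IKEv1 aggressive mode with a pre-shared key sends the responder's hash unencrypted, so the PSK can be attacked offline, which is exactly why the long random PSK recommended above matters. The sample config, the WAN address 203.0.113.10 and the LAN subnet passed to audit() are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample in the layout pfSense 2.0 writes to /var/etc/racoon.conf for
# mobile clients (Xauth + mode-cfg). Options mirror the thread's settings; the WAN
# address 203.0.113.10 and the pool 192.168.103.0/24 are made up for this example.
SAMPLE_CONF = """\
mode_cfg
{
auth_source system;
group_source system;
network4 192.168.103.1;
netmask4 255.255.255.0;
dns4 208.67.222.222;
default_domain "domain.lan";
}

remote anonymous
{
exchange_mode aggressive;
my_identifier address 203.0.113.10;
peers_identifier fqdn "iphone";
generate_policy = unique;
initial_contact = off;
nat_traversal = on;
dpd_delay = 10;
dpd_maxfail = 5;
proposal
{
authentication_method xauth_psk_server;
encryption_algorithm aes 256;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}
"""


def parse_racoon(text):
    """Parse racoon.conf syntax ('key value;' statements, 'name { ... }' blocks) into
    nested dicts, e.g. conf["remote anonymous"]["proposal"]["dh_group"] == "2"."""
    root, stack, pending = {}, [], None
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # racoon.conf uses '#' comments
        if not line:
            continue
        if line == "{":                           # opens the block named on the previous line
            block = {}
            stack[-1][pending] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):                  # statement: 'key = value' or 'key value ...'
            stmt = line[:-1]
            if "=" in stmt:
                key, value = stmt.split("=", 1)
            else:
                key, _, value = stmt.partition(" ")
            stack[-1][key.strip()] = value.strip().strip('"')
        else:
            pending = line                        # block name; a '{' line follows
    if len(stack) != 1:
        raise ValueError("unbalanced braces in racoon.conf")
    return root


def audit(conf, lan_net):
    """Return findings for a mobile-client racoon.conf; lan_net is the pfSense LAN
    subnet the virtual pool must not collide with (an assumption for the example)."""
    findings = []
    mc = conf.get("mode_cfg", {})
    remote = conf.get("remote anonymous", {})
    proposal = remote.get("proposal", {})

    if "network4" in mc and "netmask4" in mc:
        pool = ipaddress.ip_network(f"{mc['network4']}/{mc['netmask4']}", strict=False)
        if pool.overlaps(ipaddress.ip_network(lan_net)):
            findings.append(f"virtual pool {pool} overlaps LAN {lan_net}; use an unused subnet")
    else:
        findings.append("mode_cfg pushes no virtual address pool (network4/netmask4)")

    psk_methods = ("pre_shared_key", "xauth_psk_server")
    if remote.get("exchange_mode") == "aggressive" and proposal.get("authentication_method") in psk_methods:
        findings.append("aggressive mode with PSK: the responder hash travels unencrypted, so the PSK "
                        "is exposed to offline dictionary attacks; use a long random PSK")

    if remote.get("nat_traversal") != "on":
        findings.append("nat_traversal is not 'on'; phones behind carrier or Wi-Fi NAT will fail")

    if remote.get("generate_policy") not in ("on", "unique"):
        findings.append("generate_policy is off; racoon will not create SPDs for roaming clients")

    if "dpd_delay" not in remote or "dpd_maxfail" not in remote:
        findings.append("no DPD; SAs for a phone that dropped off 3G linger until the lifetime expires")

    if "dns4" not in mc:
        findings.append("no dns4 pushed; clients keep resolving through their carrier's DNS")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_racoon(SAMPLE_CONF), "192.168.1.0/24"):   # assumed LAN
        print("-", finding)
```

              Run it against the real file with parse_racoon(open("/var/etc/racoon.conf").read()) and your own LAN subnet; the parser only understands the flat 'key value;' and 'name { }' shapes pfSense emits, which is all a generated file contains.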

              eazydor

                Awesome, thanks.
                I'll give it a try right now.

                jimp (Rebel Alliance Developer, Netgate)

                  Are you using that script mentioned in the other thread that flushes the keys? If so, it's just doing what I did by hand, automatically. And it's not a long-term solution for anyone using IPsec for other uses as well as mobile clients.


                  azzido

                    No, I am not doing anything this time. It's all configured through the web interface. The SPDs are automatically created by racoon and they work just fine.

                    pfSense is running on an Alix board; the iPhone OS is v3.1.3.

                    Version  2.0-BETA1 built on Fri May 14 23:44:07 EDT 2010 FreeBSD 8.0-STABLE
                    Platform  nanobsd

                    eazydor

                      Tried the latest snapshot (i386 live) and still no traffic.
                      Same config as azzido.

                      azzido

                        Post your /var/etc/racoon.conf file and I will compare it with mine.

                        Execute this:

                        # stop racoon, flush the kernel SPD (policies) and SAD (SAs), start a fresh
                        # circular ipsec.log, then run racoon at debug level 2 on the generated config
                        /usr/bin/killall racoon && /usr/local/sbin/setkey -FP && /usr/local/sbin/setkey -F && \
                        rm /var/log/ipsec.log && touch /var/log/ipsec.log && \
                        /usr/sbin/clog -i -s 511488 /var/log/ipsec.log && /etc/rc.d/syslogd restart && \
                        /usr/local/sbin/racoon -dd -f /var/etc/racoon.conf


                        and try to establish tunnel. Then post /var/log/ipsec.log maybe we can find something in the log.

                        azzido

                          Also, are you trying to reach host on the internal network or internet? I had to configure outbound NAT for 192.168.103.0/24 before I could reach internet from iPhone.

                          eazydor

                            I was trying to reach pfSense's internal LAN IP.

                            racoon.conf:

                            # This file is automatically generated. Do not edit

                            path pre_shared_key "/var/etc/psk.txt";
                            path certificate "/var/etc";

                            listen
                            {
                                adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                                isakmp 192.168.1.17 [500];
                                isakmp_natt 192.168.1.17 [4500];
                            }

                            mode_cfg
                            {
                                auth_source system;
                                group_source system;
                                pool_size 253;
                                network4 192.168.3.1;
                                netmask4 255.255.255.0;
                                dns4 192.168.2.1;
                                default_domain "workgroup";
                            }

                            remote anonymous
                            {
                                ph1id 1;
                                exchange_mode aggressive;
                                my_identifier address 192.168.1.17;
                                peers_identifier fqdn "iphone";
                                ike_frag on;
                                generate_policy = unique;
                                initial_contact = off;
                                nat_traversal = on;

                                dpd_delay = 10;
                                dpd_maxfail = 5;
                                support_proxy on;
                                proposal_check claim;

                                proposal
                                {
                                    authentication_method xauth_psk_server;
                                    encryption_algorithm aes 256;
                                    hash_algorithm sha1;
                                    dh_group 2;
                                    lifetime time 28800 secs;
                                }
                            }

                            sainfo anonymous
                            {
                                remoteid 1;
                                encryption_algorithm aes 256;
                                authentication_algorithm hmac_sha1;

                                lifetime time 3600 secs;
                                compression_algorithm deflate;
                            }

                            ipsec.log:
                            May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                            May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: RFC 3947
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
                            May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: DPD
                            May 18 00:56:09 pfSense racoon: INFO: Selected NAT-T version: RFC 3947
                            May 18 00:56:09 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
                            May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
                            May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
                            May 18 00:56:09 pfSense racoon: INFO: Adding xauth VID payload.
                            May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
                            May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #0 verified
                            May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
                            May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #1 verified
                            May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
                            May 18 00:56:09 pfSense racoon: INFO: NAT not detected
                            May 18 00:56:09 pfSense racoon: INFO: Sending Xauth request
                            May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
                            May 18 00:56:13 pfSense racoon: INFO: Using port 0
                            May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
                            May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
                            May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute 28683
                            May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                            May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
                            May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
                            May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
                            May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
                            May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
                            May 18 00:56:14 pfSense racoon: INFO: initiate new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
                            May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=193249986(0xb84c2c2)
                            May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=108727917(0x67b0e6d)
                            May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
                            May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.

                            azzido

                              eazydor, start racoon in debug mode with the command I posted earlier and post the log with more info. In your case racoon deletes the policies right after they are created, so there is something else going on there.
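
                              The reading above ("racoon deletes policies right after they are created") is the pattern to look for in the log eazydor posted: phase 1 completes, Xauth succeeds and the IPsec-SAs are established, yet the generated SPD entries are reported as not existing and then deleted, so the kernel holds SAs but no policy that steers packets into them. As an added example, not part of the thread, here is a Python triage script that runs those checks over racoon's log lines and separates that failure from a healthy negotiation and from a phase 1 or Xauth failure. The sample input is copied from the ipsec.log above; the "healthy" variant is derived from it by dropping the error lines, purely for contrast. One caveat for anyone following the debug-mode command earlier in the thread: at -dd racoon also logs per-message IVs and the phase 1 encryption key (the "with key:" lines in the debug log further down), so treat such output as secret, redact it before posting, and rekey afterwards.

```python
import re

# Log lines copied from the racoon INFO/ERROR log posted in this thread.
FAILING_LOG = """\
May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 18 00:56:09 pfSense racoon: INFO: NAT not detected
May 18 00:56:09 pfSense racoon: INFO: Sending Xauth request
May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=193249986(0xb84c2c2)
May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=108727917(0x67b0e6d)
May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.
"""

# Constructed contrast case: the same exchange with the error/teardown lines removed.
HEALTHY_LOG = "\n".join(
    l for l in FAILING_LOG.splitlines()
    if "ERROR" not in l and "deleting it" not in l and "purged" not in l)

PATTERNS = {
    "phase1":  re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\]"),
    "xauth":   re.compile(r'login succeeded for user "([^"]+)"'),
    "sa":      re.compile(r"IPsec-SA established: ESP .*spi=(\d+)"),
    "gen":     re.compile(r"no policy found, try to generate the policy : (.+)"),
    "missing": re.compile(r'such policy does not already exist: "([^"]+)"'),
    "deleted": re.compile(r"generated policy, deleting it"),
    "purged":  re.compile(r"purged IPsec-SA proto_id=ESP spi=(\d+)"),
    "initial": re.compile(r"INITIAL-CONTACT received in aggressive exchange"),
}


def analyze(log_text):
    """Walk racoon log lines and decide whether the negotiated tunnel can carry traffic."""
    r = {"phase1": None, "xauth_user": None, "sa_spis": [], "policies_generated": [],
         "policies_missing": [], "policy_deleted": False, "purged_spis": [], "notes": []}
    for line in log_text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name == "phase1":
                r["phase1"] = (m.group(1), m.group(2))
            elif name == "xauth":
                r["xauth_user"] = m.group(1)
            elif name == "sa":
                r["sa_spis"].append(int(m.group(1)))
            elif name == "gen":
                r["policies_generated"].append(m.group(1))
            elif name == "missing":
                r["policies_missing"].append(m.group(1))
            elif name == "deleted":
                r["policy_deleted"] = True
            elif name == "purged":
                r["purged_spis"].append(int(m.group(1)))
            elif name == "initial":
                r["notes"].append("INITIAL-CONTACT is logged as ERROR but is harmless with initial_contact = off")
    # SAs still in the kernel SAD: everything established minus what racoon purged
    r["live_spis"] = [s for s in r["sa_spis"] if s not in r["purged_spis"]]

    if r["phase1"] is None:
        r["verdict"] = "phase 1 never completed: check PSK, group name and the UDP 500/4500 rules"
    elif not r["sa_spis"]:
        r["verdict"] = "phase 1 up but no IPsec-SA: check the Xauth credentials and phase 2 proposal"
    elif r["policy_deleted"] or r["policies_missing"]:
        r["verdict"] = ("IPsec-SAs negotiated but the generated SPD was not kept; packets will be "
                        "dropped for lack of a matching policy. Check generate_policy and flush stale "
                        "entries (setkey -FP) before retrying")
    else:
        r["verdict"] = "tunnel up with SAs and an installed SPD"
    return r


if __name__ == "__main__":
    for label, log in (("posted log", FAILING_LOG), ("healthy variant", HEALTHY_LOG)):
        res = analyze(log)
        print(f"{label}: user={res['xauth_user']} live SPIs={res['live_spis']} -> {res['verdict']}")
```

                              Feed it the output of clog /var/log/ipsec.log; the patterns are the exact INFO/ERROR strings racoon prints, so a log with SAs but "such policy does not already exist" / "generated policy, deleting it" lines is classified as the no-traffic case rather than a key-exchange failure.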

                              eazydor

                                Yes, it seems like it. The log says it is generating the policy and deleting it; the web interface says bidirectional SPDs are created.
                                Anyhow, I'm not a pro when it comes to IPsec.
                                BTW: thanks for your help.
                                Here's the debug log from before, which I forgot to post. The log ends where the log in my other post began.

                                May 18 00:53:44 pfSense racoon: DEBUG: ===
                                May 18 00:53:44 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
                                May 18 00:53:44 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8687228d 0000005c f7bbc7d9 1b8ac1c5 ef95e2e7 7088ffe8 24ff2767 e4c1d632 316840cf 5289f3bb b7054faa b9ba4dee e0094fb0 d0c76b9d c7b6cbdd d2873584 28a9f94f 7c2a53f0
                                May 18 00:53:44 pfSense racoon: DEBUG: receive Information.
                                May 18 00:53:44 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:53:44 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:53:44 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 8687228d
                                May 18 00:53:44 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:44 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:53:44 pfSense racoon: DEBUG:  ebb44c15 995f764a fb86e417 e73722ac
                                May 18 00:53:44 pfSense racoon: DEBUG: begin decryption.
                                May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:44 pfSense racoon: DEBUG: IV was saved for next processing:
                                May 18 00:53:44 pfSense racoon: DEBUG:  c7b6cbdd d2873584 28a9f94f 7c2a53f0
                                May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:44 pfSense racoon: DEBUG: with key:
                                May 18 00:53:44 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:53:44 pfSense racoon: DEBUG: decrypted payload by IV:
                                May 18 00:53:44 pfSense racoon: DEBUG:  ebb44c15 995f764a fb86e417 e73722ac
                                May 18 00:53:44 pfSense racoon: DEBUG: decrypted payload, but not trimed.
                                May 18 00:53:44 pfSense racoon: DEBUG:  0b000018 0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa 00000000 00000008
                                May 18 00:53:44 pfSense racoon: DEBUG: padding len=9
                                May 18 00:53:44 pfSense racoon: DEBUG: skip to trim padding.
                                May 18 00:53:44 pfSense racoon: DEBUG: decrypted.
                                May 18 00:53:44 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8687228d 0000005c 0b000018 0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa 00000000 00000008
                                May 18 00:53:44 pfSense racoon: DEBUG: IV freed
                                May 18 00:53:44 pfSense racoon: DEBUG: HASH with:
                                May 18 00:53:44 pfSense racoon: DEBUG:  8687228d 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa
                                May 18 00:53:44 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:53:44 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:53:44 pfSense racoon: DEBUG:  0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77
                                May 18 00:53:44 pfSense racoon: DEBUG: hash validated.
                                May 18 00:53:44 pfSense racoon: DEBUG: begin.
                                May 18 00:53:44 pfSense racoon: DEBUG: seen nptype=8(hash)
                                May 18 00:53:44 pfSense racoon: DEBUG: seen nptype=11(notify)
                                May 18 00:53:44 pfSense racoon: DEBUG: succeed.
                                May 18 00:53:44 pfSense racoon: DEBUG: DPD R-U-There-Ack received
                                May 18 00:53:44 pfSense racoon: DEBUG: received an R-U-THERE-ACK
                                May 18 00:53:54 pfSense racoon: DEBUG: DPD monitoring….
                                May 18 00:53:54 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:53:54 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:53:54 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 d4f0852d
                                May 18 00:53:54 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:54 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:53:54 pfSense racoon: DEBUG:  8275876d d53aec3a 20f20372 a86b0ad9
                                May 18 00:53:54 pfSense racoon: DEBUG: HASH with:
                                May 18 00:53:54 pfSense racoon: DEBUG:  d4f0852d 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb
                                May 18 00:53:54 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:53:54 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:53:54 pfSense racoon: DEBUG:  06ecf3cb d1ba85c9 e33ef9a6 6a33169c 101b95d3
                                May 18 00:53:54 pfSense racoon: DEBUG: begin encryption.
                                May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:54 pfSense racoon: DEBUG: pad length = 8
                                May 18 00:53:54 pfSense racoon: DEBUG:  0b000018 06ecf3cb d1ba85c9 e33ef9a6 6a33169c 101b95d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 809cf693 aeb8fe07
                                May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:54 pfSense racoon: DEBUG: with key:
                                May 18 00:53:54 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:53:54 pfSense racoon: DEBUG: encrypted payload by IV:
                                May 18 00:53:54 pfSense racoon: DEBUG:  8275876d d53aec3a 20f20372 a86b0ad9
                                May 18 00:53:54 pfSense racoon: DEBUG: save IV for next:
                                May 18 00:53:54 pfSense racoon: DEBUG:  33907334 562172df 5ef9df74 52ea5936
                                May 18 00:53:54 pfSense racoon: DEBUG: encrypted.
                                May 18 00:53:54 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
                                May 18 00:53:54 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
                                May 18 00:53:54 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
                                May 18 00:53:54 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
                                May 18 00:53:54 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
                                May 18 00:53:54 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 d4f0852d 0000005c b60b7b2a a0045fe7 68612a04 eb0b46ba 7b47d633 63be9cd8 9d88bcd1 5eed3243 693f0866 6595fc38 1f57a013 fb3da34f 33907334 562172df 5ef9df74 52ea5936
                                May 18 00:53:54 pfSense racoon: DEBUG: sendto Information notify.
                                May 18 00:53:54 pfSense racoon: DEBUG: IV freed
                                May 18 00:53:54 pfSense racoon: DEBUG: DPD R-U-There sent (0)
                                May 18 00:53:54 pfSense racoon: DEBUG: rescheduling send_r_u (5).
                                May 18 00:53:55 pfSense racoon: DEBUG: ===
                                May 18 00:53:55 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
                                May 18 00:53:55 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8a92b90d 0000005c f0c46d19 5cb6c703 81c1b21f df953996 209e50b2 7f760ab9 544b924e b46339c4 16685840 4b164e74 5c968790 89847014 0c9a6b97 9af19916 5ebc4d94 2a00fe3d
                                May 18 00:53:55 pfSense racoon: DEBUG: receive Information.
                                May 18 00:53:55 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:53:55 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:53:55 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 8a92b90d
                                May 18 00:53:55 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:55 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:53:55 pfSense racoon: DEBUG:  49138853 ee0d92e8 ca7f9bd7 c7f8a69d
                                May 18 00:53:55 pfSense racoon: DEBUG: begin decryption.
                                May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:55 pfSense racoon: DEBUG: IV was saved for next processing:
                                May 18 00:53:55 pfSense racoon: DEBUG:  0c9a6b97 9af19916 5ebc4d94 2a00fe3d
                                May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:55 pfSense racoon: DEBUG: with key:
                                May 18 00:53:55 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:53:55 pfSense racoon: DEBUG: decrypted payload by IV:
                                May 18 00:53:55 pfSense racoon: DEBUG:  49138853 ee0d92e8 ca7f9bd7 c7f8a69d
                                May 18 00:53:55 pfSense racoon: DEBUG: decrypted payload, but not trimed.
                                May 18 00:53:55 pfSense racoon: DEBUG:  0b000018 ab5e2b9b 8d954f99 45ca9503 55050216 652192cb 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 00000000 00000008
                                May 18 00:53:55 pfSense racoon: DEBUG: padding len=9
                                May 18 00:53:55 pfSense racoon: DEBUG: skip to trim padding.
                                May 18 00:53:55 pfSense racoon: DEBUG: decrypted.
                                May 18 00:53:55 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8a92b90d 0000005c 0b000018 ab5e2b9b 8d954f99 45ca9503 55050216 652192cb 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 00000000 00000008
                                May 18 00:53:55 pfSense racoon: DEBUG: IV freed
                                May 18 00:53:55 pfSense racoon: DEBUG: HASH with:
                                May 18 00:53:55 pfSense racoon: DEBUG:  8a92b90d 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb
                                May 18 00:53:55 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:53:55 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:53:55 pfSense racoon: DEBUG:  ab5e2b9b 8d954f99 45ca9503 55050216 652192cb
                                May 18 00:53:55 pfSense racoon: DEBUG: hash validated.
                                May 18 00:53:55 pfSense racoon: DEBUG: begin.
                                May 18 00:53:55 pfSense racoon: DEBUG: seen nptype=8(hash)
                                May 18 00:53:55 pfSense racoon: DEBUG: seen nptype=11(notify)
                                May 18 00:53:55 pfSense racoon: DEBUG: succeed.
                                May 18 00:53:55 pfSense racoon: DEBUG: DPD R-U-There-Ack received
                                May 18 00:53:55 pfSense racoon: DEBUG: received an R-U-THERE-ACK
                                May 18 00:53:58 pfSense racoon: DEBUG: ===
                                May 18 00:53:58 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
                                May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f8f5ad12 0000005c 0c4a69d5 3456047f f697c87b b5fe2433 c0ab868c a0eb3671 fd56381f d57759a3 11bcb4b3 dd19935a 6e2472c9 64050207 5899857c 6e2f1278 0b15e6dc 2e49fe18
                                May 18 00:53:58 pfSense racoon: DEBUG: receive Information.
                                May 18 00:53:58 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:53:58 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:53:58 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 f8f5ad12
                                May 18 00:53:58 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:53:58 pfSense racoon: DEBUG:  3d2b1859 6e879b36 6f4c3d51 5e8423f0
                                May 18 00:53:58 pfSense racoon: DEBUG: begin decryption.
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: IV was saved for next processing:
                                May 18 00:53:58 pfSense racoon: DEBUG:  5899857c 6e2f1278 0b15e6dc 2e49fe18
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: with key:
                                May 18 00:53:58 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:53:58 pfSense racoon: DEBUG: decrypted payload by IV:
                                May 18 00:53:58 pfSense racoon: DEBUG:  3d2b1859 6e879b36 6f4c3d51 5e8423f0
                                May 18 00:53:58 pfSense racoon: DEBUG: decrypted payload, but not trimed.
                                May 18 00:53:58 pfSense racoon: DEBUG:  0b000018 773820b3 b096d012 25d26b6d d8f140e4 3de296d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 00000000 00000008
                                May 18 00:53:58 pfSense racoon: DEBUG: padding len=9
                                May 18 00:53:58 pfSense racoon: DEBUG: skip to trim padding.
                                May 18 00:53:58 pfSense racoon: DEBUG: decrypted.
                                May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f8f5ad12 0000005c 0b000018 773820b3 b096d012 25d26b6d d8f140e4 3de296d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 00000000 00000008
                                May 18 00:53:58 pfSense racoon: DEBUG: IV freed
                                May 18 00:53:58 pfSense racoon: DEBUG: HASH with:
                                May 18 00:53:58 pfSense racoon: DEBUG:  f8f5ad12 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70
                                May 18 00:53:58 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:53:58 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:53:58 pfSense racoon: DEBUG:  773820b3 b096d012 25d26b6d d8f140e4 3de296d3
                                May 18 00:53:58 pfSense racoon: DEBUG: hash validated.
                                May 18 00:53:58 pfSense racoon: DEBUG: begin.
                                May 18 00:53:58 pfSense racoon: DEBUG: seen nptype=8(hash)
                                May 18 00:53:58 pfSense racoon: DEBUG: seen nptype=11(notify)
                                May 18 00:53:58 pfSense racoon: DEBUG: succeed.
                                May 18 00:53:58 pfSense racoon: DEBUG: DPD R-U-There received
                                May 18 00:53:58 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:53:58 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:53:58 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 806b0404
                                May 18 00:53:58 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:53:58 pfSense racoon: DEBUG:  5a253a10 cb6ea9df 6c7b522c 50d0beca
                                May 18 00:53:58 pfSense racoon: DEBUG: HASH with:
                                May 18 00:53:58 pfSense racoon: DEBUG:  806b0404 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70
                                May 18 00:53:58 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:53:58 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:53:58 pfSense racoon: DEBUG:  ec630f5f cd50249e 6bf469d8 eac01234 3d9c50b7
                                May 18 00:53:58 pfSense racoon: DEBUG: begin encryption.
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: pad length = 8
                                May 18 00:53:58 pfSense racoon: DEBUG:  0b000018 ec630f5f cd50249e 6bf469d8 eac01234 3d9c50b7 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 98ff92b3 8ec19b07
                                May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:53:58 pfSense racoon: DEBUG: with key:
                                May 18 00:53:58 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:53:58 pfSense racoon: DEBUG: encrypted payload by IV:
                                May 18 00:53:58 pfSense racoon: DEBUG:  5a253a10 cb6ea9df 6c7b522c 50d0beca
                                May 18 00:53:58 pfSense racoon: DEBUG: save IV for next:
                                May 18 00:53:58 pfSense racoon: DEBUG:  e72dc322 c3f7acb9 e7dbd3bc 52f8557b
                                May 18 00:53:58 pfSense racoon: DEBUG: encrypted.
                                May 18 00:53:58 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
                                May 18 00:53:58 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
                                May 18 00:53:58 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
                                May 18 00:53:58 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
                                May 18 00:53:58 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
                                May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 806b0404 0000005c 6ba8cc84 74b1b7dc 40fd50f5 ad0b7147 4d9d5c82 d06ced8b dd38b5f7 8b3d04fe d52d5505 35f7f2bb 18ce3982 75c46c2e e72dc322 c3f7acb9 e7dbd3bc 52f8557b
                                May 18 00:53:58 pfSense racoon: DEBUG: sendto Information notify.
                                May 18 00:53:58 pfSense racoon: DEBUG: IV freed
                                May 18 00:53:58 pfSense racoon: DEBUG: received a valid R-U-THERE, ACK sent
                                May 18 00:54:05 pfSense racoon: DEBUG: DPD monitoring….
                                May 18 00:54:05 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:54:05 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:54:05 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 9239ec5f
                                May 18 00:54:05 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:05 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:54:05 pfSense racoon: DEBUG:  e98c7c0c 819eb286 42aecd96 56ec3226
                                May 18 00:54:05 pfSense racoon: DEBUG: HASH with:
                                May 18 00:54:05 pfSense racoon: DEBUG:  9239ec5f 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc
                                May 18 00:54:05 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:54:05 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:54:05 pfSense racoon: DEBUG:  01b5957d ad75245c 47bfcb19 8c29fdb8 df455b04
                                May 18 00:54:05 pfSense racoon: DEBUG: begin encryption.
                                May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:05 pfSense racoon: DEBUG: pad length = 8
                                May 18 00:54:05 pfSense racoon: DEBUG:  0b000018 01b5957d ad75245c 47bfcb19 8c29fdb8 df455b04 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc f5b1a39c 859dc607
                                May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:05 pfSense racoon: DEBUG: with key:
                                May 18 00:54:05 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:54:05 pfSense racoon: DEBUG: encrypted payload by IV:
                                May 18 00:54:05 pfSense racoon: DEBUG:  e98c7c0c 819eb286 42aecd96 56ec3226
                                May 18 00:54:05 pfSense racoon: DEBUG: save IV for next:
                                May 18 00:54:05 pfSense racoon: DEBUG:  0e60760b ff98e10a 2b0cadba 5f0f82ad
                                May 18 00:54:05 pfSense racoon: DEBUG: encrypted.
                                May 18 00:54:05 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
                                May 18 00:54:05 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
                                May 18 00:54:05 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
                                May 18 00:54:05 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
                                May 18 00:54:05 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
                                May 18 00:54:05 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 9239ec5f 0000005c 96fae9c6 33acdc4f aee486cb b2adc42c 9c1133f5 27db3bb6 a7899e8b 66c19dc0 38b2e53c b0f060b7 dd921690 68d2271b 0e60760b ff98e10a 2b0cadba 5f0f82ad
                                May 18 00:54:05 pfSense racoon: DEBUG: sendto Information notify.
                                May 18 00:54:05 pfSense racoon: DEBUG: IV freed
                                May 18 00:54:05 pfSense racoon: DEBUG: DPD R-U-There sent (0)
                                May 18 00:54:05 pfSense racoon: DEBUG: rescheduling send_r_u (5).
                                May 18 00:54:06 pfSense racoon: DEBUG: ===
                                May 18 00:54:06 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
                                May 18 00:54:06 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f778304f 0000005c 06ac5e88 bc38acf5 27eaab3c 7751ff04 08f7e2f4 c216c470 13ab5255 a0586764 ebfda43d 4a460ace 73df710b 084a9d19 2970b257 14190e96 94b0b513 7b6f5878
                                May 18 00:54:06 pfSense racoon: DEBUG: receive Information.
                                May 18 00:54:06 pfSense racoon: DEBUG: compute IV for phase2
                                May 18 00:54:06 pfSense racoon: DEBUG: phase1 last IV:
                                May 18 00:54:06 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 f778304f
                                May 18 00:54:06 pfSense racoon: DEBUG: hash(sha1)
                                May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:06 pfSense racoon: DEBUG: phase2 IV computed:
                                May 18 00:54:06 pfSense racoon: DEBUG:  35ba9547 45d4ac75 5a61f5e2 c865503d
                                May 18 00:54:06 pfSense racoon: DEBUG: begin decryption.
                                May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:06 pfSense racoon: DEBUG: IV was saved for next processing:
                                May 18 00:54:06 pfSense racoon: DEBUG:  2970b257 14190e96 94b0b513 7b6f5878
                                May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
                                May 18 00:54:06 pfSense racoon: DEBUG: with key:
                                May 18 00:54:06 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
                                May 18 00:54:06 pfSense racoon: DEBUG: decrypted payload by IV:
                                May 18 00:54:06 pfSense racoon: DEBUG:  35ba9547 45d4ac75 5a61f5e2 c865503d
                                May 18 00:54:06 pfSense racoon: DEBUG: decrypted payload, but not trimed.
                                May 18 00:54:06 pfSense racoon: DEBUG:  0b000018 6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc 00000000 00000008
                                May 18 00:54:06 pfSense racoon: DEBUG: padding len=9
                                May 18 00:54:06 pfSense racoon: DEBUG: skip to trim padding.
                                May 18 00:54:06 pfSense racoon: DEBUG: decrypted.
                                May 18 00:54:06 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f778304f 0000005c 0b000018 6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc 00000000 00000008
                                May 18 00:54:06 pfSense racoon: DEBUG: IV freed
                                May 18 00:54:06 pfSense racoon: DEBUG: HASH with:
                                May 18 00:54:06 pfSense racoon: DEBUG:  f778304f 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc
                                May 18 00:54:06 pfSense racoon: DEBUG: hmac(hmac_sha1)
                                May 18 00:54:06 pfSense racoon: DEBUG: HASH computed:
                                May 18 00:54:06 pfSense racoon: DEBUG:  6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa
                                May 18 00:54:06 pfSense racoon: DEBUG: hash validated.
                                May 18 00:54:06 pfSense racoon: DEBUG: begin.
                                May 18 00:54:06 pfSense racoon: DEBUG: seen nptype=8(hash)
                                May 18 00:54:06 pfSense racoon: DEBUG: seen nptype=11(notify)
                                May 18 00:54:06 pfSense racoon: DEBUG: succeed.
                                May 18 00:54:06 pfSense racoon: DEBUG: DPD R-U-There-Ack received
                                May 18 00:54:06 pfSense racoon: DEBUG: received an R-U-THERE-ACK
                                May 18 00:54:16 pfSense racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
                                May 18 00:54:16 pfSense racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
                                May 18 00:54:16 pfSense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                                May 18 00:54:16 pfSense racoon: INFO: Resize address pool from 0 to 253
                                May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[4500] used for NAT-T
                                May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[4500] used as isakmp port (fd=14)
                                May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[500] used for NAT-T
                                May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[500] used as isakmp port (fd=15)
                                May 18 00:54:16 pfSense racoon: INFO: unsupported PF_KEY message REGISTER
                                May 18 00:54:18 pfSense racoon: ERROR: unknown Informational exchange received.
                                May 18 00:54:38 pfSense last message repeated 4 times
                                May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]

                                single very interesting lines of log: view attachment

sorry for the ridiculously long posts…

                                debug.txt

• azzido

Don't really see anything in those logs that would stand out right away. Try to connect from the iPhone several times in a row after it fails; it happened a few times to me that I was able to log in only on the third or fourth attempt.

I set up a 32-bit virtual machine with a full pfSense install (20100517-1144) and was able to successfully establish a tunnel to the VM from the iPhone via 3G and access hosts on the internal network, so I think this must be working now.

• eazydor

Install, set up LAN & WAN interfaces, configure firewall rules, set up IPsec like yours, add a user and go..

i386 live on a virtual machine, tunnel established, no traffic..

Did I forget something?

• FisherKing

I was also able to get mobile IPsec working, no tweaking necessary. I attached a Windows 7 machine via the Shrew Soft IPsec client and was able to access both the firewall and machines on the LAN.

                                      Used the 20100514-2225 iso on an old Pentium III.

• azzido

eazydor, are you trying to connect to pfSense from the same machine that is hosting the VM? If that is the case you might need a static route for road warrior traffic to be sent back to the VM and not to your default gateway. What interfaces do you have on the VM and how are they attached to your net? When you say that the tunnel is established, how do you know that? From the log that you posted earlier it seems that the tunnel is deleted right after it is established.

• eazydor

Yes and no.
I tried to connect from the VM host & iPhone.
The VM host's SPDs are getting deleted, but the ones from the iPhone stay and seem to be correct..
So, I tried to access pfSense's LAN IP from the iPhone connected to the same network as the VM host, which has 2 bridged interfaces on 1 physical interface. Since bridging is happening on layer 2, I don't see the interference..
But still, the routing tip is correct; I didn't mention that on a Mac you have to prioritise connections in order to have automated routing (the interface with higher priority gets the lower weight in the routing table).
After all, you are right about the VM host routing problem, because my Mac keeps trying to connect via LAN and not IPsec.
But still, I don't get why my phone can't pass traffic..
I believe the client is connected, because the client's and pfSense's logs say that the iPhone established the connection, received an IP and SPDs were created..
Btw, thanks for your patience..

• azzido

It seems to me that your setup is quite complex and it's very likely that you have missed something somewhere. I would suggest you set up a somewhat simpler environment to eliminate some of the complexity.

This is how I test with a VM: the VM is running on my desktop and has 2 interfaces. The first interface shares the host's LAN access (the VM has its own IP on the physical network, so you can say it's attached to my physical pfSense box's LAN). The second interface is host-only, so traffic is passed only between my desktop and the VM. I then forward ports 500 and 4500 from WAN on my physical pfSense box (gateway) to the virtual machine and try to connect to the VPN from the iPhone using 3G. Once the tunnel is up and running I can access the VM and my desktop PC from the iPhone. The only thing I need to do is set up a static route on my desktop to pass all traffic coming from the iPhone back to the VM via the host-only network.

                                            You can try to troubleshoot this by running tcpdump on various machines/interfaces and see where traffic is being blocked. You should see ESP traffic coming into VM and TCP traffic leaving VM, then TCP traffic coming and leaving your mac and finally TCP traffic from mac coming into VM and leaving as ESP traffic to your iPhone.
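As an added example, not from the thread or from pfSense/racoon, a small Python triage script for racoon's syslog output in the format quoted above: it skips the DEBUG hex dumps, expands syslog's "last message repeated N times", and flags the two things azzido points at, an ISAKMP-SA deleted shortly after it was established and a phase 1 that completes without any IPsec-SA. The sample lines are constructed, and the "ISAKMP-SA established/deleted" and "IPsec-SA established" wording is assumed to match racoon's.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the syslog/racoon format quoted in this thread (the DEBUG
# hex dumps are left out; the parser skips DEBUG lines anyway). The SA established
# and deleted lines are constructed to model the "deleted right after it is
# established" symptom; their wording is assumed to match racoon's.
SAMPLE_LOG = """\
May 18 00:54:16 pfSense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
May 18 00:54:18 pfSense racoon: ERROR: unknown Informational exchange received.
May 18 00:54:38 pfSense last message repeated 4 times
May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:10 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:d02d7505994c3a77:17abc41b30d5f9cb
May 18 00:56:11 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:11 pfSense racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.7[500]->192.168.1.17[500] spi=123456(0x1e240)
May 18 00:56:12 pfSense racoon: INFO: ISAKMP-SA deleted 192.168.1.17[500]-192.168.1.7[500] spi:d02d7505994c3a77:17abc41b30d5f9cb
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?:racoon: (?P<level>[A-Z]+): (?P<msg>.*)|last message repeated (?P<n>\d+) times)$"
)
# Address pair in the separator styles racoon uses: "<=>", "->" and "-".
PAIR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[\d+\](?:<=>|->|-)(\d+\.\d+\.\d+\.\d+)\[\d+\]")


def parse_line(line):
    """Return (timestamp, level, message, repeat_count); None if not a racoon/syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year irrelevant, deltas only
    if m.group("n"):
        return ts, None, None, int(m.group("n"))
    return ts, m.group("level"), m.group("msg"), 1


def triage(log_text, teardown_window=30):
    """Summarise errors and per-peer phase 1/2 milestones; list findings worth checking."""
    errors, peers, findings, last = Counter(), {}, [], None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg, repeat = parsed
        if level is None:                       # syslog "last message repeated N times"
            if last and last[0] == "ERROR":
                errors[last[1]] += repeat
            continue
        last = (level, msg)
        if level == "ERROR":
            errors[msg] += 1
            continue
        pair_m = PAIR_RE.search(msg) if level == "INFO" else None
        if not pair_m:
            continue
        pair = tuple(sorted(pair_m.groups()))   # order-independent peer key
        rec = peers.setdefault(pair, {"phase1_up": [], "phase1_down": [], "phase2_up": 0})
        if msg.startswith("ISAKMP-SA established"):
            rec["phase1_up"].append(ts)
        elif msg.startswith("ISAKMP-SA deleted"):
            rec["phase1_down"].append(ts)
            if rec["phase1_up"]:
                delta = (ts - rec["phase1_up"][-1]).total_seconds()
                if delta <= teardown_window:
                    findings.append(f"{pair[0]}<->{pair[1]}: ISAKMP-SA deleted {delta:.0f}s after it was established")
        elif msg.startswith("IPsec-SA established"):
            rec["phase2_up"] += 1
    for pair, rec in peers.items():
        if rec["phase1_up"] and not rec["phase2_up"]:
            findings.append(f"{pair[0]}<->{pair[1]}: phase 1 completed but no IPsec-SA was established")
    for msg, n in errors.items():
        findings.append(f"{n}x ERROR: {msg}")
    return {"errors": dict(errors), "peers": peers, "findings": findings}
```

Feed it the racoon log via `triage(open("debug.txt").read())["findings"]`; a phase 1 that is established and then deleted within seconds, with the ESP SA never used, points at the same routing or return-path problem discussed above rather than at IKE itself.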

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.