IPhone + IPSec
-
Well, no I cannot pass traffic right after I connect. And I only flush and recreate SPDs, not SAs.
There are several other bugs in ipsec-tools so the bottom line is until someone fixes ipsec-tools roadwarrior setup is a no-go.
-
It seem the bug of ipsec-tools 0.8 ?
-
Does look like it. Though I have not tried 0.7.x branch of ipsec-tools so I am not 100% sure
-
I know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?
-
I know the ipsec-tools 0.8 is a version, but why the pf2.0 choose this version! if the 0.8 have great update than the last release version?
As I said earlier in this thread - that's the only version that will work properly with the FreeBSD version we use. 0.7.x has its own issues with the things we've added in 2.0, so even if it could be made to work, you're just trading some problems for other problems.
-
Anyone had success with iPhone > 3.1.2 and IPSec yet? I'd really like to use this over PPTP.
-
Anyone had success with iPhone > 3.1.2 and IPSec yet? I'd really like to use this over PPTP.
Pure IPSec is still not working. As far as i know PPTP should work fine though I have not tried it myself.
-
It does. As the only reasonable VPN-Solution for the iPhone right now.
L2TP is at the moment plain Layer 2 tunneled Traffic without IPSec, just Authentication so far..
OpenVPN on jailbroken iPhone is a hell of itself.
So if you aren´t firm with configuring the IPSec-Part manually, i think have to wait..
But still, 2.0 Beta?!? I mean, wonderful, brilliant..
-
Hi Volks,
VPN-ing is really a mess with a Mobile device. Even if you setup successful a working PPTP-Tunnel over WiFi, it must not work over 3G (UMTS): here in Germany Vodafone uses a proxy somehow to minifize Images, and the User can not turn it off in any way. The Vodafone Mac-Tam is working on the VPN-Problem since the iPad is rolled out, but still with no success (after 4 Month).
IPSec on Apples Mobile devices is made from Cisco.
If we would have CISCO-Routers, we wont read in this pfSense Forum :-/
After no Success with our pfSense we tried some alternates, and found a solution wich we had to compile into our Gentoo.
Strongswan allows in its compileable Version to set a Cisco-Parameter, and we where able to set a IPSec-Tunnel wich is working over 3G and EDGE too. Just by following the instructions.Even if it is a bit off-topic (because the solution is not in pfsense), this Info could probably help to enhance the 2.x pfsense to be able to do this job too. (what I would prefer)
-
Have you tried a recent 2.0 beta?
Lots of things have changed in there since the last post in this thread. -
Yeah iOS devices and mobile IPsec work great now. One last fix for DNS specific to Cisco clients went in several days ago, though it worked at least a couple weeks prior to that aside from DNS.
-
i keep getting a login failure even though i've followed the instructions on this post.
any idea why? i take it you just add a user (with no privelidges) and enter a preshared key under that user?Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: unknown Informational exchange received.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[58036], but we have no ISAKMP-SA.
Dec 30 16:51:31 racoon: [Mobile Clients]: ERROR: Attempt to release an unallocated address (port 0)
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: login failed for user "vpnuser"
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Released port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Using port 0
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[58036] spi:92cbc9035936dcda:6839598826f513a5
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Sending Xauth request
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT detected: PEER
Dec 30 16:51:31 racoon: [Mobile Clients]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #1 doesn't match
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58036] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-D payload #0 verified
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[4500] with algo #2
Dec 30 16:51:31 racoon: [Mobile Clients]: INFO: NAT-T: ports changed to: XXX.XXX.XXX.XXX[58036]<->XXX.XXX.XXX.XXX[4500]
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding xauth VID payload.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[500] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Hashing XXX.XXX.XXX.XXX[58034] with algo #2
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Adding remote and local NAT-D payloads.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: Selected NAT-T version: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: WARNING: No ID match.
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: DPD
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: CISCO-UNITY
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: received Vendor ID: RFC 3947
Dec 30 16:51:30 racoon: [Mobile Clients]: INFO: begin Aggressive mode. -
The constant login failed is the EXACT same problem I'm having…
Can anybody help? :(
-
See this thread http://forum.pfsense.org/index.php/topic,32319.0.html
-
I had this working in a dev environment but the configuration got lost during a rebuild for a different test. Following the various posts in here I am able to login and get an IP assigned from the local mobile pool but I can't get traffic in either direction.
Internal Network: 10.0.0.0/16
Mobile IP Network 10.0.35.5/29Can provide any additional information as needed. Using pfsense 2.0 Beta5 Feb 7 21:37 snapshot.
Thank!
-
I can't get traffic in either direction.
Internal Network: 10.0.0.0/16
Mobile IP Network 10.0.35.5/29Your mobile IP network lies within your internal network, thus traffic never gets routed out because there's no need to.
Address: 10.0.0.0
Netmask: 255.255.0.0 = 16
=>
Network: 10.0.0.0/16
Broadcast: 10.0.255.255
HostMin: 10.0.0.1
HostMax: 10.0.255.254
Hosts/Net: 65534 (Private Internet) -
Thanks. I honestly thought that I had tried 10.1.35.0/24 before I did a post but maybe it was before I resolved a FW rule and didn't go back to it. Things seem to be working now. Thanks for making me look at it again!
