Netgate Discussion Forum

    How to route all internet traffic from Iphone IPSEC connection

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    15 Posts 3 Posters 23.5k Views
    GoldServe

      I've set up my pfSense IPsec and my iPhone can connect, but it only routes LAN traffic through the VPN, as I can see using tcpdump -i enc0.

      I tried to add another network ("facebook") to the tunnel, but there are parse errors:

      Aug 10 22:55:21 racoon: [Testing]: ERROR: /var/etc/racoon.conf:74: "}" duplicated sainfo: loc='192.168.10.0/24', rmt='ANONYMOUS', peer='ANY', id=1 
      Aug 10 22:55:11 racoon: [Testing]: INFO: unsupported PF_KEY message REGISTER 
      Aug 10 22:55:11 racoon: [Testing]: ERROR: config reload failed 
      Aug 10 22:55:11 racoon: [Testing]: ERROR: fatal parse failure (1 errors) 
      Aug 10 22:55:11 racoon: [Testing]: ERROR: /var/etc/racoon.conf:74: "}" duplicated sainfo: loc='192.168.10.0/24', rmt='ANONYMOUS', peer='ANY', id=1 
      
      

      My Config:

      # This file is automatically generated. Do not edit
      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      listen
      {
      	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
      	isakmp 24.23.158.xxx [500];
      	isakmp_natt 24.23.158.xxx [4500];
      }
      
      mode_cfg
      {
      	save_passwd on;
      	auth_source system;
      	group_source system;
      	pool_size 253;
      	network4 192.168.50.2;
      	netmask4 255.255.255.0;
      	split_network include 192.168.10.0/24, 66.220.153.23/24;
      	dns4 192.168.10.1;
      	default_domain "private.local";
      }
      
      remote anonymous
      {
      	ph1id 1;
      	exchange_mode aggressive;
      	my_identifier address 24.23.158.xxx;
      	peers_identifier fqdn "private.local";
      	ike_frag on;
      	generate_policy = unique;
      	initial_contact = off;
      	nat_traversal = on;
      
      	dpd_delay = 10;
      	dpd_maxfail = 5;
      	support_proxy on;
      	proposal_check claim;
      
      	proposal
      	{
      		authentication_method xauth_psk_server;
      		encryption_algorithm aes 256;
      		hash_algorithm sha1;
      		dh_group 2;
      		lifetime time 28800 secs;
      	}
      }
      
      sainfo subnet 192.168.10.0/24 any anonymous
      {
      	remoteid 1;
      	encryption_algorithm aes 256;
      	authentication_algorithm hmac_sha1;
      
      	lifetime time 3600 secs;
      	compression_algorithm deflate;
      }
      
      sainfo subnet 66.220.153.23/24 any anonymous
      {
      	remoteid 1;
      	encryption_algorithm aes 256;
      	authentication_algorithm hmac_sha1;
      
      	lifetime time 3600 secs;
      	compression_algorithm deflate;
      }
      
      
        azzido

        On the VPN -> IPsec -> Tunnels -> Phase 2 page set local network to none; that will force iPhone to route all traffic thru VPN.

          spiritbreaker

          Hi Goldserve,

          I'm confused -.- you really got the IPsec connection to work???

          I remember some ipsec-tools issues with the Cisco client -> http://forum.pfsense.org/index.php/topic,23519.0.html

          I spent some time testing, but there was only traffic from the iPhone to pfSense; the opposite direction never worked. :(

          Did you make any custom settings in the config file?

          Hope you can help :)

          ty
          cya

          Pfsense running at 11 Locations
          -mobile OPENVPN and IPSEC
          -multiwan failover
          -filtering proxy(squidguard) in bridgemode with ntop monitoring

            GoldServe

            So I got the iPhone on IPsec to be able to access my local network (the pfSense web page), but when I took out the local network option I don't see any traffic being passed through the VPN (tcpdump -i enc0).

            Here is my racoon file:

            # This file is automatically generated. Do not edit
            path pre_shared_key "/var/etc/psk.txt";
            
            path certificate  "/var/etc";
            
            listen
            {
            	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            	isakmp 24.23.xxx.xxx [500];
            	isakmp_natt 24.23.xxx.xxx [4500];
            }
            
            mode_cfg
            {
            	save_passwd on;
            	auth_source system;
            	group_source system;
            	pool_size 253;
            	network4 192.168.50.2;
            	netmask4 255.255.255.0;
            	split_network include 0.0.0.0/0;
            	dns4 192.168.10.1;
            	default_domain "private.local";
            }
            
            remote anonymous
            {
            	ph1id 1;
            	exchange_mode aggressive;
            	my_identifier address 24.23.xxx.xxx;
            	peers_identifier fqdn "private.local";
            	ike_frag on;
            	generate_policy = unique;
            	initial_contact = off;
            	nat_traversal = on;
            
            	dpd_delay = 10;
            	dpd_maxfail = 5;
            	support_proxy on;
            	proposal_check claim;
            
            	proposal
            	{
            		authentication_method xauth_psk_server;
            		encryption_algorithm aes 256;
            		hash_algorithm sha1;
            		dh_group 2;
            		lifetime time 28800 secs;
            	}
            }
            
            sainfo   anonymous
            {
            	remoteid 1;
            	encryption_algorithm aes 256;
            	authentication_algorithm hmac_sha1;
            
            	lifetime time 3600 secs;
            	compression_algorithm deflate;
            }
            
            
              azzido

              Uncheck 'Provide a list of accessible networks to clients' on the mobile clients page and try again.

              It will remove the

              split_network include 0.0.0.0/0;

              from the mode_cfg section. That is the only thing I see that is different between your config file and mine.

                GoldServe

                Thanks, now I can see traffic TRYING to pass through IPsec, but it does not succeed. Only traffic to my pfSense box (web interface) is okay.

                TCPDUMP when accessing config page:

                03:23:08.147383 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50036 > lanner_pfsense.home.http: Flags [.], ack 9395, win 32849, options [nop,nop,TS val 840484309 ecr 1910909083], length 0
                

                TCPDUMP when traffic is not passed:

                03:23:37.874327 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50042 > mail.xxxx.com.https: Flags [s], seq 968577356, win 65535, options [mss 1240,nop,wscale 2,nop,nop,TS val 840484605 ecr 0,sackOK,eol], length 0
                03:23:38.076497 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50041 > pz-in-f109.1e100.net.imaps: Flags [s], seq 1033338215, win 65535, options [mss 1240,sackOK,eol], length 0
                03:23:38.077448 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50040 > pz-in-f109.1e100.net.imaps: Flags [s], seq 1372681901, win 65535, options [mss 1240,sackOK,eol], length 0
                
                  azzido

                  Make sure you have a firewall rule that allows IPsec traffic to all networks. I would suggest enabling logging on all IPsec rules so you can see when it's being passed. Then run tcpdump on WAN and check whether traffic from your iPhone leaves with the WAN IP as source or has the IPsec IP instead. I had to manually add a NAT rule for IPsec traffic when I configured mine because traffic was being sent out to WAN with the local IPsec IP as source IP.

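The check azzido describes, as an added example (not pfSense code and not from anyone in this thread): take a tcpdump -n capture from the WAN side and list every packet that still carries an address from the IPsec mode-config pool as its source. Any such packet means no outbound NAT rule covers the pool, so the remote host will answer to a private address that is never routed back. The capture lines, the pool 192.168.50.0/24 (GoldServe's network4/netmask4) and the WAN address 24.23.158.5 are constructed for the example.

```python
"""Spot mobile IPsec traffic leaving the WAN un-NATted, from a tcpdump -n capture.

Added example for this thread, not pfSense or ipsec-tools code. Suggested
captures on the firewall itself (not run here):
  tcpdump -ni enc0                                  # decapsulated tunnel traffic, as in the thread
  tcpdump -ni <wan_if> 'not (udp port 500 or udp port 4500 or ip proto 50)'
The second filter drops IKE and ESP so only the clients' own packets remain.
"""
import ipaddress
import re

# tcpdump -n line shape: "HH:MM:SS.usec IP src[.sport] > dst[.dport]: ..."
# The port suffix is optional so ICMP lines ("IP a.b.c.d > e.f.g.h: ICMP ...") match too.
PKT_RE = re.compile(
    r"\bIP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?[:,]"
)


def unnatted_packets(lines, pool_cidr):
    """Return (src, dst, dport) for every packet whose source is still a pool address.

    dport is None for packets without a port (ICMP). Packets from the WAN
    address itself, and the IKE/ESP exchange, are left alone.
    """
    pool = ipaddress.ip_network(pool_cidr)
    leaks = []
    for line in lines:
        m = PKT_RE.search(line)
        if m is None:
            continue                       # not an IPv4 packet line
        src, _sport, dst, dport = m.groups()
        if ipaddress.ip_address(src) in pool:
            leaks.append((src, dst, dport))
    return leaks


def outbound_nat_ok(lines, pool_cidr):
    """True when nothing sourced from the pool reaches the WAN unchanged."""
    return not unnatted_packets(lines, pool_cidr)


# Constructed WAN capture, modelled on the thread's tcpdump output (assumed values).
WAN_CAPTURE = [
    "03:24:01.000001 IP 198.51.100.7.4500 > 24.23.158.5.4500: UDP-encap: ESP(spi=0x0e4441f7,seq=0x1a), length 132",
    "03:24:01.000002 IP 192.168.50.2.50042 > 203.0.113.10.443: Flags [S], seq 968577356, win 65535, length 0",
    "03:24:01.000003 IP 24.23.158.5.50041 > 203.0.113.10.993: Flags [S], seq 1033338215, win 65535, length 0",
    "03:24:01.000004 IP 192.168.50.2 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for src, dst, dport in unnatted_packets(WAN_CAPTURE, "192.168.50.0/24"):
        print(f"un-NATted: {src} -> {dst} port {dport}")
    print("outbound NAT ok:", outbound_nat_ok(WAN_CAPTURE, "192.168.50.0/24"))
```

In the constructed capture the third line is what a correctly NATted iPhone connection looks like (WAN address as source); the second and fourth show the failure mode azzido hit. Once the NAT rule exists, scope it to the pool network only, so it cannot be matched by anything else that happens to arrive on the IPsec interface.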
                    spiritbreaker

                    Hi all,

                    Seems like they went back to ipsec-tools 7.3 in the new pfSense 2.0 snapshots. It's the first time I see the iPhone VPN working.

                    The Cisco client on the iPhone works, the Cisco VPN Client on a PC doesn't work :(

                    If you try with the IPsec client from a PC you get the same error as the iPhone without the split network option. See below:

                    @Goldserve and azzido

                    Uncheck 'Provide a list of accessible networks to clients' on the mobile clients page and try again.

                    Seems you need to provide networks, otherwise the connection on the iPhone can't be established.

                    Without this option there are some phase 2 errors:

                    Wan 10.128.70.0/24
                    Lan 192.168.56.0/24
                    VPN Pool 192.168.80.0/24
                    IPSEC allow all * *

                    
                    2010-08-12 16:01:53: DEBUG: anonymous configuration selected for 10.128.70.32.
                    2010-08-12 16:01:53: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='192.168.80.1', peer='<key-id>', id=1
                    2010-08-12 16:01:53: DEBUG: getsainfo pass #1
                    2010-08-12 16:01:53: DEBUG: evaluating sainfo: loc='192.168.56.0/24', rmt='ANONYMOUS', peer='ANY', id=1
                    2010-08-12 16:01:53: DEBUG: getsainfo pass #2
                    2010-08-12 16:01:53: DEBUG: evaluating sainfo: loc='192.168.56.0/24', rmt='ANONYMOUS', peer='ANY', id=1
                    2010-08-12 16:01:53: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
                    2010-08-12 16:01:53: DEBUG: cmpid target: '0.0.0.0/0'
                    2010-08-12 16:01:53: DEBUG: cmpid source: '192.168.56.0/24'
                    2010-08-12 16:01:53: ERROR: failed to get sainfo.
                    2010-08-12 16:01:53: ERROR: failed to get sainfo.
                    2010-08-12 16:01:53: ERROR: failed to pre-process packet.
                    2010-08-12 16:01:53: DEBUG: IV freed
                    

                    cya


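A small check of what the debug log above is complaining about, added here as an example (it is neither pfSense nor ipsec-tools code, and not something a poster in this thread wrote). It models the getsainfo lookup in simplified form: a mode-config client asks for one Phase 2 SA per "split_network include" entry, or a single 0.0.0.0/0 SA when no list is pushed, and racoon has to find a sainfo whose local selector matches. "sainfo anonymous" (no selector, as in GoldServe's working config) matches any request; "sainfo subnet X any anonymous" matches only a request for X, which is exactly the 0.0.0.0/0 vs 192.168.56.0/24 mismatch in spiritbreaker's log. The same script also flags a split-network entry with host bits set, like the 66.220.153.23/24 in the first post. Those matching rules are an assumption built from the logs in this thread, not a reading of racoon's source; the three configuration fragments are constructed from the configs posted above.

```python
"""Lint the Phase 2 side of a pfSense-generated racoon.conf for mobile clients.

Added example for this thread, not pfSense or ipsec-tools code. The matching
model (one Phase 2 request per split network, 0.0.0.0/0 without a list,
'sainfo anonymous' matches anything, 'sainfo subnet X any anonymous' matches
only X) is an assumption derived from the getsainfo debug lines in the thread.
"""
import ipaddress
import re

SPLIT_RE = re.compile(r"split_network\s+include\s+([^;]+);")
SAINFO_RE = re.compile(r"^\s*sainfo\s+([^{]*?)\s*\{", re.MULTILINE)


def requested_selectors(conf):
    """Local networks a mode-config client will ask for in Phase 2."""
    m = SPLIT_RE.search(conf)
    if m is None:
        return ["0.0.0.0/0"]          # no list pushed: the client tunnels everything
    return [n.strip() for n in m.group(1).split(",")]


def sainfo_selectors(conf):
    """Local selector of each sainfo block; None stands for 'sainfo anonymous'."""
    selectors = []
    for m in SAINFO_RE.finditer(conf):
        words = m.group(1).split()
        if words and words[0] == "subnet":
            selectors.append(words[1])    # 'sainfo subnet X any anonymous'
        else:
            selectors.append(None)        # catch-all 'sainfo anonymous'
    return selectors


def lint(conf):
    """Return a list of problems; an empty list means every request has a sainfo."""
    problems = []
    selectors = sainfo_selectors(conf)
    for net in requested_selectors(conf):
        wanted = ipaddress.ip_network(net, strict=False)
        if str(wanted) != net:
            problems.append(f"split_network {net} has host bits set; network address is {wanted}")
        if not any(s is None or ipaddress.ip_network(s, strict=False) == wanted for s in selectors):
            problems.append(f"no sainfo matches local selector {net} (racoon logs 'failed to get sainfo')")
    seen = set()
    for s in selectors:
        # racoon refuses duplicated sainfo blocks at parse time; this only catches
        # the obvious case of two blocks carrying the identical selector.
        if s in seen:
            problems.append(f"duplicated sainfo for {s or 'anonymous'}")
        seen.add(s)
    return problems


# Constructed fragments (only the parts the checks look at), modelled on the thread.
CONF_NO_SPLIT_SUBNET_SAINFO = """
mode_cfg
{
    network4 192.168.80.1;
    netmask4 255.255.255.0;
}
sainfo subnet 192.168.56.0/24 any anonymous
{
    remoteid 1;
}
"""

CONF_ANONYMOUS_SAINFO = """
mode_cfg
{
    network4 192.168.50.2;
    netmask4 255.255.255.0;
}
sainfo anonymous
{
    remoteid 1;
}
"""

CONF_SPLIT_HOST_BITS = """
mode_cfg
{
    split_network include 192.168.10.0/24, 66.220.153.23/24;
}
sainfo subnet 192.168.10.0/24 any anonymous
{
    remoteid 1;
}
sainfo subnet 66.220.153.23/24 any anonymous
{
    remoteid 1;
}
"""

if __name__ == "__main__":
    for name, conf in [("no split, subnet sainfo", CONF_NO_SPLIT_SUBNET_SAINFO),
                       ("no split, anonymous sainfo", CONF_ANONYMOUS_SAINFO),
                       ("split with host bits", CONF_SPLIT_HOST_BITS)]:
        print(name, "->", lint(conf) or "ok")
```

The first fragment reproduces the failing combination from the log (everything requested, only the LAN offered); the second is the shape GoldServe ended up with once the network list was removed; the third keeps the selectors consistent but shows why a host address with a /24 mask is worth a second look before it goes into a tunnel definition.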
                      azzido

                      Spirit, post your racoon.conf file. You must have configured something wrong if it cannot find sainfo.

                        GoldServe

                        Thanks for the NAT clue. I had enabled manual outbound NAT because I wanted static ports, so I added a new rule to NAT my IPsec connections and all is working.

                        I now have the issue where the IPSEC tunnel will stop passing traffic after some time (last time I checked, I was connected for 1 hour). I will test again and see when things go south.

                          azzido

                          Yes, the tunnel expires after 3600 seconds and it does not refresh it automatically. I think this is a known issue.

                            GoldServe

                            Is there a bug number for me to track this? I'm just happy I got this much working :)

                            Thanks for ALL your help!

                              spiritbreaker

                              Hi azzido,

                              I got it to work too. Thanks for the hints.

                              I tried the same with the Cisco VPN client on Windows XP and it works if you route all traffic into the tunnel.

                              If you set the Phase 2 local network to LAN and check the option "provide network to Clients", the connection doesn't work on XP (the iPhone still works).

                              racoon.conf

                              
                              # This file is automatically generated. Do not edit
                              path pre_shared_key "/var/etc/psk.txt";
                              
                              path certificate  "/var/etc";
                              
                              listen
                              {
                              	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                              	isakmp 10.128.70.249 [500];
                              	isakmp_natt 10.128.70.249 [4500];
                              }
                              
                              mode_cfg
                              {
                              	auth_source system;
                              	group_source system;
                              	pool_size 253;
                              	network4 192.168.80.1;
                              	netmask4 255.255.255.0;
                              	split_network include 192.168.50.0/24;
                              	default_domain "test.local";
                              	banner "/var/etc/racoon.motd";
                              }
                              
                              remote anonymous
                              {
                              	ph1id 1;
                              	exchange_mode aggressive;
                              	my_identifier address 10.128.70.249;
                              	peers_identifier fqdn "private.local";
                              	ike_frag on;
                              	generate_policy = unique;
                              	initial_contact = off;
                              	nat_traversal = on;
                              
                              	dpd_delay = 10;
                              	dpd_maxfail = 5;
                              	support_proxy on;
                              	proposal_check claim;
                              
                              	proposal
                              	{
                              		authentication_method xauth_psk_server;
                              		encryption_algorithm aes 256;
                              		hash_algorithm sha1;
                              		dh_group 2;
                              		lifetime time 28800 secs;
                              	}
                              }
                              
                              sainfo subnet 192.168.50.0/24 any anonymous
                              {
                              	remoteid 1;
                              	encryption_algorithm aes 256;
                              	authentication_algorithm hmac_sha1;
                              
                              	lifetime time 3600 secs;
                              	compression_algorithm deflate;
                              }
                              

                               Can you help me please?

                              ty

                              cya


                                azzido

                                Spirit, your config file looks fine and if you say that iPhone works fine with this configuration, but Cisco client does not I would think that there is something wrong with Cisco client and/or routing on the xp box.

                                Take a look at item number 4 in the 'Connect with the VPN Client' on this page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml You should see '192.168.50.0/24' displayed on your Cisco client.

                                You can also try Shrew Soft VPN client (http://www.shrew.net) instead of Cisco client to see if that works.

                                  GoldServe

                                  Thanks, the Shrew client works very well! I set up my IPsec VPN all from China and now I'm using the Shrew client on my Win 7 laptop and bypassing all this Great Firewall of China crap. No Twitter to follow sullrich, blah.

                                  Cheers!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.