Netgate Discussion Forum

IPSec VPN and iPhone

2.0-RC Snapshot Feedback and Problems - RETIRED
27 Posts 8 Posters 16.2k Views
      jimp Rebel Alliance Developer Netgate

      Committed, thanks!
      https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/4178a1ddf67da87a1a86c5df9c3367aea6d3ae07

      Note that I did change the wording slightly and added your caveat about iPhone client deployment.

        azzido

        Thanks Jim, I tested it with the new snap and it's working fine.

          fredriksimon

          I will also try the latest snapshot one day…

          /Fredrik

            somm15

            I don't know if it's the correct place to write this.

            Based on racoon.conf from a MacOSX server, I managed to configure an IPSec VPN with an iPad (and Macbook):
            Mobile Clients
            Nothing special

            Phase 1
            Auth Method: Mutual PSK + XAuth
            Negotiation method: aggressive
            My identifier: my_dyndns_address
            Peer identifier: my_e_mail_address
            Pre-shared key: put something
            Proposal checking: claim
            Encryption alg: AES 256
            Hash alg: SHA1
            DH Key group: 2
            The rest is default

            Phase 2
            Mode: Tunnel
            Local Network: LAN Subnet
            Protocol: ESP
            Encryption alg: everything but DES
            Hash alg: both
            PFS key group: off

            2.0-BETA5 (i386)
            built on Wed Jan 5 05:23:35 EST 2011

            Add an accept all, any protocol, any… in the IPSec tab of the Firewall.

            So far I'm connected, I just can't ping anything (neither the pfSense nor the other hosts).
            But I'll find out...

              spiritbreaker
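For readers who want to see what the GUI recipe above turns into on the racoon side, here is the same Phase 1 / Phase 2 choice set expressed as racoon.conf directives. This is an added illustration, not the poster's file and not what pfSense writes verbatim: pfSense 2.0 generates its racoon (ipsec-tools) configuration from these GUI fields, but the directive names here come from the ipsec-tools manual, and the hostname, e-mail identifier, PSK file path and client pool are placeholders.

```conf
# Added illustration: GUI settings from the post above as racoon(8) directives.
# Placeholders: vpn.example.dyndns.org, user@example.org, 10.15.16.0/24, psk.txt path.

# "Pre-shared key": racoon reads it from a file keyed by the peer identifier,
# one line per peer, e.g.   user@example.org   <long random secret>
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (IKE): Mutual PSK + XAuth, aggressive mode, AES-256 / SHA1 / DH group 2
remote anonymous {
        exchange_mode aggressive;                          # "Negotiation method: aggressive"
        my_identifier fqdn "vpn.example.dyndns.org";       # "My identifier: my_dyndns_address"
        peers_identifier user_fqdn "user@example.org";     # "Peer identifier: my_e_mail_address"
        proposal_check claim;                              # "Proposal checking: claim"
        generate_policy on;                                # install SPD entries for the roaming client
        nat_traversal on;                                  # phones are almost always behind NAT
        proposal {
                encryption_algorithm aes 256;              # "Encryption alg: AES 256"
                hash_algorithm sha1;                       # "Hash alg: SHA1"
                authentication_method xauth_psk_server;    # PSK plus XAuth, server side
                dh_group 2;                                # "DH Key group: 2"
        }
}

# "Mobile Clients": mode-config hands each client an address from a pool and
# XAuth logins are checked against the system password database. That is why
# the XAuth user needs a system account on the box (assumption: the pfSense
# "Shell account access" privilege mentioned later in this thread is what
# creates that system account).
mode_cfg {
        auth_source system;
        conf_source local;
        network4 10.15.16.1;           # first address of the client pool (placeholder)
        netmask4 255.255.255.0;
        pool_size 253;
}

# Phase 2 (IPsec SA): ESP, everything except DES, both hashes, no PFS
sainfo anonymous {
        encryption_algorithm aes, blowfish, 3des, cast128;   # "everything but DES"
        authentication_algorithm hmac_sha1, hmac_md5;        # "Hash alg: both"
        compression_algorithm deflate;
        # no pfs_group line: "PFS key group: off"
}
```

The "accept all" rule on the IPsec firewall tab is separate from racoon: it only decides what the decrypted client traffic may reach, so a tunnel that establishes but cannot ping anything is usually a rule or subnet question rather than a Phase 1/2 mismatch.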

              Hi,

              u need to provide more information like ipsec logs and Mac logs.

              plz post u racoon.conf.

              cya

              Pfsense running at 11 Locations
              -mobile OPENVPN and IPSEC
              -multiwan failover
              -filtering proxy(squidguard) in bridgemode with ntop monitoring

                somm15

                Ok, no problem, I'll send everything tomorrow.
                If you tell me where I can write it, I can write a "How to create a mobile client IPSec VPN for iPad/iPhone/iPodTouch" because… it's perfectly working...

                My only issue is that the VPN subnet cannot overlap at all with the local subnet.

                My local subnet was "10.15.0.0/16" and I used "10.15.25.0/24" for the VPN clients… This is not working, apparently the VPN subnet cannot be included in the LAN one.

                So now I used "10.15.16.0/24" for IPSec clients and... it's perfect.

                Hum, not really, it's pre-shared keys, Xauth based, no radius, no certificate... not state of the art security level.
                However, I think that's what most users will configure. Easy to set up, no CA needed, no radius needed, ready in 10 minutes and still secure with a long pre-shared secret and complex user passwords.

                  somm15
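The subnet rule the post above ran into (a mobile-client pool nested inside a local subnet) is easy to check before committing a pool, and the same check covers VLAN subnets on the router. This is an added example using Python's standard ipaddress module; it is not code from the thread or from pfSense. The inputs are the two networks quoted in the post plus constructed alternatives; run it with the ranges you actually have (a later post in this thread gives the local network as 10.15.1.1 to 10.15.5.255, which is narrower than the /16).

```python
"""Check an IPsec mobile-client pool against the firewall's local subnets.

Added example; the networks used in __main__ are the ones quoted in the
forum post (10.15.0.0/16 LAN, 10.15.25.0/24 client pool) plus constructed
alternatives. Requires Python 3.7+ for IPv4Network.subnet_of().
"""
from ipaddress import ip_network
from typing import Iterable, List, Tuple


def check_client_pool(pool: str, local_subnets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local_subnet, relation) for every local subnet that collides with the pool.

    Two CIDR blocks either nest or are disjoint, so the relation is one of:
      "inside"   - the pool lies entirely within the local subnet (the case in
                   the post: client routes would shadow part of the LAN), or
                   is identical to it;
      "contains" - the pool swallows the local subnet.
    An empty list means the pool is safe with respect to these subnets.
    """
    pool_net = ip_network(pool, strict=True)
    conflicts: List[Tuple[str, str]] = []
    for s in local_subnets:
        local = ip_network(s, strict=True)
        # overlaps() is False across IPv4/IPv6, so subnet_of() below never
        # sees a version mismatch.
        if not pool_net.overlaps(local):
            continue
        relation = "inside" if pool_net.subnet_of(local) else "contains"
        conflicts.append((str(local), relation))
    return conflicts


def describe(pool: str, local_subnets: Iterable[str]) -> str:
    """Human-readable verdict, for use from a shell."""
    conflicts = check_client_pool(pool, local_subnets)
    if not conflicts:
        return f"{pool}: OK, no overlap with local subnets"
    parts = ", ".join(f"{rel} {sub}" for sub, rel in conflicts)
    return f"{pool}: CONFLICT ({parts})"


if __name__ == "__main__":
    # LAN plus a constructed VLAN subnet, as on a router with lan/vlan interfaces
    locals_ = ["10.15.0.0/16", "192.168.50.0/24"]
    for candidate in ["10.15.25.0/24", "10.15.16.0/24", "10.16.100.0/24"]:
        print(describe(candidate, locals_))
```

Pick a pool from a range that no interface on the firewall already uses; the check above is deliberately strict and treats a pool equal to a local subnet as a conflict too.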

                  Another VERY IMPORTANT parameter!

                  The user has to have the "User - System - Shell account access" effective privilege.
                  I just realized that if I create a user without this parameter, there is no way to connect it to the VPN.

                    louis-m

                    aha….. for the first time i have a connection thanks to that last bit of info.
                    i can't ping anything though. where is the subnet set? i see 2 places ie under mobile clients & phase 2
                    do they both have to match, be different and which one needs to be different to what subnets are on the router for lan/vlan?
                    i've tried a few combinations but to no avail.

                      CeKMTL

                      First of all, let me greet everyone here, and I hope I can get some help from you on the same subject that you all had success, and that I sadly, can't seem to get it right… :( :'(

                      The usual suspects: iPhone 4.2.1 wants to connect via ipsec (cisco) to pfsense 2.0Beta5 (latest I could get this month).
                      First I did my tests from outside side WAN, then tried internal LAN, just to rule out any kind of weird problems with the DSL router.

                      My question is if there's some kind of guide, step by step (coz iPhone is very picky with the exact settings), on how to accomplish this feat? And then once PSK works, I would like to move to the "big leagues" of the certs and have the iPhone automagically connect and all that unspeakable black magic ;)

                      I've searched the forum, google and the usual suspects, but the info is lacking, or isn't exactly what I am searching for, that this topic seems to cover spot on.
                      Thank you for reading this, and I hope someone can help out this poor soul make his way (I've already pulled a lot of hair on this one...).

                      Carlos.

                        somm15

                        I'll post screenshots when I'm back home. Too hard to do on iPad.

                          CeKMTL

                          Wow, that was an unbelievably fast reply, thank you!  :o

                          In the mean time I will be trying again with the info in http://forum.pfsense.org/index.php/topic,23519.0.html … if I manage I will post here asap the results.

                          --- EDIT ---

                          Managed finally to get the PSK part working somehow, still have to test from outside to inside WAN->LAN and see if everything is working as it should, and then, I will slap myself a couple of times, and move on to your info about CERT, and make iphone open vpn automatically, etc...
                          THANKS!

                          --- EDIT2 ---

                          Slapped myself once, as it is working lovely from WAN side (actually nasty 3G), but I can only ping pfsense from the iphone, and for some odd reason, the traffic in the iphone is not going through the VPN tunnel... have to investigate more...

                            somm15

                            Here are some screenshots.

                            To provide you with complete information:

                            • my local network is using 10.15.1.1 –> 10.15.5.255
                            • you have to do the ssh thing as I already mentioned

                            What I still have to fix:

                            • local network names are not resolved within the VPN

                            Hope it'll help
                            (rename the attachment to .zip)

                            pfSense.txt

                              CeKMTL

                              Thank you very much for your help and time!!

                              The problem is that I can't manage to open the txt -> zip file in winrar… decompression errors... I can see there are 4 PDF files but can't extract them.
                              Also, do you know how to do the CERT part, where U issue a certificate to the iPhone, so it connects automatically?

                                somm15

                                The archive was created on a mac. Just send me a private message with your e-mail and I'll send you the pdf's.

                                For the cert part, I have no idea for the moment.
                                I haven't yet found a cert mgmt tool good for me (home usage only, very simple, with a GUI if possible).
                                So for the moment I didn't try. But I'm sure I will.

                                  _igor_

                                  could you post your screens as gif or jpeg here? Would be easier than sending them one by one to all people asking…

                                    somm15

                                    I'll do it tomorrow but size limits are rather strict on the forum…

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.