Why can't my iPhone connect using IPsec? (re: "User authentication failed.")
-
Tried this:
Shell access granted on pfSense: Full access with iphone to my lan with IPsec.
Shell access disabled on pfSense: Same. Full access to my lan. So shell access is not necessary. Snap is i386) built on Fri Jan 21 06:52:27 EST 2011
-
Was that user a member of any groups?
-
I only created a user. Didn't assign any group nor effective rights. At my first tests I enabled shell-access to that user, but then disabled the granted rights.
entry of /etc/passwd:
funzkerl:*:2001:65534:na wer wohl?:/home/funzkerl:/sbin/nologin
edit:
no, after reboot of iphone no more connect to the IPsec. So I think the iphone caches in some way that userinfo. Holy crap!
So my report was not at all the right thing. (Is it a windows-box??? ;)
Conclusion: Shell-access has to be granted for connection via IPsec.
-
sofakng,
Can you provide a quick re-cap of the settings you used to successfully get your iPhone to connect? I've followed some of the tutorials I've found here in the forums and elsewhere … although I haven't found one specific to iDevices. I've mostly been able to get it to work, except for that pesky "User authentication failed" at the very end. And, the user I'm testing with is in the admin group with shell access. So close, yet so far away ...
Any details and clues would be greatly appreciated.
Thanks in advance.
-
+1 here for a comprehensive short but thorough guide on how to get iOS devices to work with IPSEC. Have been trying the scattered how-to's on the forum, but no luck so far. Maybe a decent, "official" faq article would be in order, with screenshots and everything? Thanks! :-)
-
Here is a really good entry: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
-
I'd be happy to write up a tutorial if someone were to give me an iPad/iPad 2. Sadly, I can't document something I don't have access to… :-)
-
jimp,
I can't provide an iPad, but I'd be happy to contribute to a "bounty." Alternatively, I would consider contributing an iPod Touch. I know that's not as fun as an iPad, but for all intents and purposes when it comes to iDevice testing and documentation, it should work just fine.
-
A guide might not be all it takes. I might be wrong, hopefully I am, but it might be worth looking into this before handing out ipods.
http://forum.pfsense.org/index.php/topic,34135.0.html
It all depends where the other thread takes us. If it's only me having that problem I will put some more time into figuring it out (settings seem to work, it "just" randomly fails). If it turns out to be a configuration issue and if a guide is all it takes I'd be happy to write it (without the donation) when I get it to work.
-
I got it working … finally. I made some mods based on igor's link. I'll write it all up and post it. Maybe it can be added to the wiki.
fredriks: I don't think it's as simple a matter as "handing out iPods." I know jimp and a bunch of other contributors are spending a lot of time working on pfSense -- free for everyone -- and if an iPod = creating good documentation of an issue I (and others) couldn't solve myself, then I think an iPod is a small amount to contribute. As it is, I've solved it and will contribute the documentation myself in a few days instead of an iDevice. Again, for free to the pfSense community. :)
-
I was half kidding about the donation bit. :-)
Chris has an iPhone, as do some other devs, and I think one of them may at least have access to an iPad, but it's one thing to have it and another thing to document it.
I currently don't have any iOS devices, but that may change in time. Perhaps we'll hold the 2.0 release hostage until we all get iPad 2's. ;-)
/kidding
//I think
///2 for 2!
-
hey, any updates on this ?
I'd love for an ipsec HOWTO. (I'm a bit lost here)
tomorrow I am buying an ipad2 ;D
-
I was wondering, why there are no privileges that can be assigned for IPSec dialin in the user-manager…
would make things easier in this case, right ?
-
yes, we need to make a permission for IPsec VPN yet. It doesn't exist now, but it will before 2.0 is released.
-
bump.
-
bump ???
-
ericab:
https://portal.pfsense.org/index.php/support-subscription
or wait until they have time to implement this feature.
Roy…
-
I followed the detailed tutorial linked by -igor- on the previous page. I nearly got it to work, but it fails with this error (in pfSense logs):
racoon: ERROR: phase1 negotiation failed due to time up [some long hash here]
I'm going to try with same setup but OS X 10.6.6 as the VPN client. I've been waiting for quite some time to get reliable secure VPN from OS X back to pfSense. I've gotten PPTP to work some times, but not reliably and I've heard the security is weak.
-
For what it's worth, I've had good luck with OpenVPN and 10.6.6, using Viscosity as the client. Not sure if OpenVPN is considered secure enough for you, but it's been reliable and effective for me.
–Rook
-
I need to try it more, but I think it will work fine, this setup, with OS X even if not iPhone. I tested it today and it brought up the connection but immediately Snort blocked the IP I was on. I'll report back once I adjust the Snort rule tuning and can test it again. I've never tried Viscosity, only Tunnelblick which I wasn't crazy about.