    IOS (iphone/ipad) & 2.0-RC1 IPsec.. It almost works.

    Category: IPsec
    34 Posts, 7 Posters, 16.0k Views
    ericab

      yeah i think i'm going to opt in for that approach too;

      did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

      TheLost

        @ericab:

        yeah i think i'm going to opt in for that approach too;

        did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

        Here is a quick little write up i did for a friend.. PM me if you need any help.
        http://www.lostbyte.com/projects/l2tpipsec-vpn-for-ios/

        Ladtkow

          @TheLost:

          After spending a few days on this I've given up  :-[ (for now)..
          I ended up building a VM using Debian & Openswan to create a L2TP/IPsec vpn server i can use with my iPhone/iPad. I may try again once 2.0 goes final or somebody actually posts a working solution…  but for now i have a working VPN.

          did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

          eazydor

            @szop try to make a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface.

            pfsenseuser3

              also working for me with this guide -> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

              iphone 4
              iOS: 4.3.2
              LAN SUBNET: 192.168.1.0/24

              i can hit everything at the LAN side. Only the internet (www.google.at as an example) is not working, but i think this is a feature for security.. So nobody could go through your internet connection in your vpn.

              eazydor

                @pfsenseuser3 do you have a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface? Without this rule, your IPSec clients will try to connect outbound (i.e. internet) with their local ipsec-pool addresses and don't get translated to the wan interface's address. This means almost every outbound request you send will be dropped by servers configured not to accept traffic from local networks. By adding this rule, every outbound packet will be translated to your wan interface's address; this should solve your problem accessing i.e. the internet.

                pfsenseuser3

                  @eazydor: thx for your tip ;)

                  here is a screen from the rule which i have enabled.. i think there is something wrong  ???

                  (screenshot of the outbound NAT rule, originally hosted on ImageShack, not preserved)

                  @ALL: read this post from me -> http://forum.pfsense.org/index.php/topic,35783.msg186413.html#msg186413 (maybe a solution for VPN and iOS devices ;) )

                  _igor_

                    I've tested your hint with outbound NAT, which resulted in a complete inaccessibility of LAN and WAN. So i think that's wrong. I can see in the firewall log only connections to my pfsense, but nothing goes out anymore. So i reviewed my settings regarding IPSEC and found out that at "IPSEC: Mobile clients", disabling the entry "Provide a list of accessible networks to clients" i get connected with LAN accessibility but no WAN.

                    Reenabling "Provide a list of accessible networks to clients" resulted in full WAN-access via the IPSEC-tunnel.

                    So no outbound-NAT is necessary. Only the "IPSEC any to any" rule and at WAN-side i have an "ESP to any" rule.

                    Hope that helps getting a fully working Mobile IPSEC connection.

                    edit: I have allowed ports 4500 and 500 UDP incoming from WAN, which i forgot to mention. sorry.

                      eazydor

                      @_igor_ are you still able to connect to your lan subnet?

                      @pfsenseuser3 you should set your outbound nat mode to manual.

                        eazydor

                        @igor when i set "provide accessible networks" i do lose my default route over the tunnel and the clients talk directly to the wan since their default route is set to the lan gateway. this means no traffic to wan at all is routed through your tunnel. that your client has established a connection and can talk outbound doesn't mean directly that the traffic is passing your tunnel interface. apart from that i don't believe that there's right and wrong, rather suitable or not. would you please take a look at your routing table when connected?

                          ericab

                          still waiting on a full HOWTO so it can be stickied…..

                            eazydor

                            @ericab can i help you with something? i believe that there's no tutorial because mobile ipsec has worked perfectly for months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that's right..

                              ericab

                              @eazydor:

                              @ericab can i help you with something? i believe that there's no tutorial because mobile ipsec has worked perfectly for months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that's right..

                              Apr 27 13:52:30 	racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
                              Apr 27 13:51:49 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
                              Apr 27 13:51:46 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
                              Apr 27 13:51:43 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
                              Apr 27 13:51:40 	racoon: INFO: Adding xauth VID payload.
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: DPD
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: CISCO-UNITY
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
                              Apr 27 13:51:40 	racoon: INFO: received Vendor ID: RFC 3947
                              Apr 27 13:51:40 	racoon: INFO: begin Aggressive mode.
                              

                              this is the holdup now.

                                eazydor

                                please provide more information. can't help you like that.

                                  ericab

                                  not sure where to start; what info would you need ?

                                  i bet the problem is with "Proposal Checking"
                                  mine's set at default. is that what it should be ?

                                    eazydor

                                    depends on the client you're using. since the topic is about ios, yes, proposal checking for ios devices can be set to default. if you want you can describe your setup, configs, etc. and i will take a look, but otherwise i can't help you.

                                      ericab

                                      hi eazydor

                                      here is how I've got my IPSec server setup:

                                      Overview:

                                      Mobile Clients:

                                      http://dl.dropbox.com/u/66962/IPSec-pfSense/mobile-clients.jpg

                                      Phase 1:

                                      Phase 2:

                                      now;
                                      when i switch the listening interface for the ipsec server to my WIFI interface;
                                      i can connect just fine, but no traffic passes. my wifi network is 192.168.3.0
                                      it assigns me 192.168.4.1, which is right.

                                      when i switch the interface to WAN;
                                      (I've got the firewall rules setup properly to allow UDP 500/4500 on WAN)
                                      (also have * * * * *; pass all on the IPSec firewall tab.)
                                      the syslog shows the log from my previous post;
                                      so not only does it not pass traffic, it won't even connect when listening on the WAN interface.

                                      not sure if it matters, or if this may be the problem, but my wan interface is actually connected to another upstream router. (don't ask)
                                      the pfsense box's WAN IP is on the DMZ of the upstream router, and the upstream router IS set to port forward ports 500, and 4500 UDP to pfsense WAN address; aka 192.168.1.142

                                      Internet -------> Cable Modem -------> Router (its local LAN is 192.168.1.1/24) -------> pfSense (wan address is 192.168.1.142) -------> my local LAN (192.168.2.0/24)

                                        eazydor

                                        @ericab try this:

                                        disable provide network list
                                        enable nat traversal

                                        under firewall - nat - outbound

                                        set to manual
                                        create new rule
                                        if wan
                                        proto any
                                        src network 192.168.3.0/24 (assuming your wifi is your local network)
                                        src port blank
                                        dst not enable inverse option
                                        dst type any
                                        dst port blank
                                        trans addr: interface address
                                        save & apply

                                          ericab
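The outbound NAT behaviour eazydor describes earlier (pool traffic leaving WAN with its untranslated private address) and the manual rule in the step list above can be modelled in a few lines. The following is an added example written for this thread, not pfSense code and not something any participant posted: a toy first-match outbound NAT over the thread's own addresses (WAN 192.168.1.142, LAN 192.168.2.0/24, WIFI 192.168.3.0/24, upstream router LAN 192.168.1.0/24). The pool network 192.168.4.0/24 and the internet host 203.0.113.10 are assumptions, and the rule is the one from the steps (interface WAN, proto any, source network, destination any, translate to interface address) applied to each local network and to the pool.

```python
"""Toy model of first-match outbound NAT on the pfSense WAN (added example for
this thread, not pfSense code). Addresses are the thread's where stated; the
mobile IPsec pool network and the internet host are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

WAN_ADDRESS = IPv4Address("192.168.1.142")      # pfSense WAN address, per ericab
UPSTREAM_LAN = IPv4Network("192.168.1.0/24")    # the upstream router's LAN, per ericab
LOCAL_NETS = {                                  # interface -> directly connected network
    "lan": IPv4Network("192.168.2.0/24"),
    "wifi": IPv4Network("192.168.3.0/24"),
}
IPSEC_POOL = IPv4Network("192.168.4.0/24")      # assumed; the thread only shows a client at 192.168.4.1
ANY = IPv4Network("0.0.0.0/0")
INTERNET_HOST = IPv4Address("203.0.113.10")     # constructed destination (TEST-NET-3)
POOL_CLIENT = IPv4Address("192.168.4.1")        # the pool address ericab's iPhone received
LAN_HOST = IPv4Address("192.168.2.10")          # constructed host on the LAN
WIFI_CLIENT = IPv4Address("192.168.3.5")        # constructed host on the WIFI network


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str              # egress interface the rule is bound to
    source: IPv4Network         # source network to match
    destination: IPv4Network    # destination to match; ANY means no restriction
    translate_to: IPv4Address   # address the source is rewritten to


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def rule_for(net: IPv4Network) -> OutboundNatRule:
    """The rule from the thread: interface WAN, proto any, src <net>, dst any,
    translate to the interface address."""
    return OutboundNatRule("wan", net, ANY, WAN_ADDRESS)


# Manual mode: every network that should reach the internet needs its own rule.
MANUAL_RULES = [rule_for(LOCAL_NETS["lan"]), rule_for(LOCAL_NETS["wifi"]), rule_for(IPSEC_POOL)]
RULES_WITHOUT_POOL = MANUAL_RULES[:2]   # same set, but nobody added the pool rule


def egress_interface(dst: IPv4Address) -> str:
    """Directly connected networks go out their own interface; everything else out WAN."""
    for name, net in LOCAL_NETS.items():
        if dst in net:
            return name
    return "wan"


def apply_outbound_nat(pkt: Packet, rules: List[OutboundNatRule]) -> Tuple[str, IPv4Address]:
    """Return (egress interface, source address as the packet leaves).
    First matching rule wins, as in pf; with no match the source is left alone."""
    ifname = egress_interface(pkt.dst)
    for rule in rules:
        if rule.interface == ifname and pkt.src in rule.source and pkt.dst in rule.destination:
            return ifname, rule.translate_to
    return ifname, pkt.src


def check(pkt: Packet, rules: List[OutboundNatRule]) -> str:
    """Explain what happens to one packet. On WAN the source must be an address the
    upstream router can route a reply back to, i.e. one inside its own 192.168.1.0/24."""
    ifname, src = apply_outbound_nat(pkt, rules)
    if ifname != "wan":
        return f"{ifname}: no translation, src stays {src}"
    if src in UPSTREAM_LAN:
        return f"wan: translated to {src}"
    return f"wan: UNTRANSLATED src {src}, not routable back from {UPSTREAM_LAN}"


if __name__ == "__main__":
    for rules, label in ((RULES_WITHOUT_POOL, "without pool rule"), (MANUAL_RULES, "with pool rule")):
        print(label)
        print("  pool client to internet:", check(Packet(POOL_CLIENT, INTERNET_HOST), rules))
        print("  pool client to LAN host:", check(Packet(POOL_CLIENT, LAN_HOST), rules))
```

Two things the model makes visible: a rule bound to WAN never touches pool-to-LAN traffic, so LAN reachability does not depend on it; and in ericab's double-NAT layout the address leaving pfSense has to be one the upstream router's 192.168.1.0/24 side can route back to, which a pool address is not. Once outbound NAT is set to manual, each network that should reach the internet needs its own rule, the pool included.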

                                          eazydor;

                                          well something has changed, I'm not sure if it's progress… here is the new log after applying your settings:

                                          Apr 27 19:49:19 	racoon: ERROR: phase1 negotiation failed due to time up. feabee14d99e6364:991e2e9cbef177e2
                                          Apr 27 19:49:09 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:59 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:49 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:39 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:38 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:38 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
                                          Apr 27 19:48:35 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:35 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
                                          Apr 27 19:48:32 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:32 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
                                          Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
                                          Apr 27 19:48:29 	racoon: INFO: Adding xauth VID payload.
                                          Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
                                          Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
                                          Apr 27 19:48:29 	racoon: INFO: Adding remote and local NAT-D payloads.
                                          Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Selected NAT-T version: RFC 3947
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: DPD
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: CISCO-UNITY
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
                                          Apr 27 19:48:29 	racoon: INFO: received Vendor ID: RFC 3947
                                          Apr 27 19:48:29 	racoon: INFO: begin Aggressive mode.
                                          Apr 27 19:48:29 	racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.1.142[500]<=>192.168.1.142[500]
                                          

                                          192.168.1.142 is my WAN address.

                                          but whats this :  ERROR: ignore the packet, received unexpecting payload type 1.

                                            eazydor
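To read the two racoon excerpts ericab posted (the retransmit-then-timeout one earlier in the thread and the "unexpecting payload type 1" one just above) in a systematic way, here is an added example that is not from the thread's participants or from the racoon project: a small parser that extracts the phase 1 mode, the NAT-T selection, retransmissions, errors and peer addresses from lines in racoon's log format, and reports what each pattern is consistent with. The two embedded logs are constructed subsets of the lines in the two posts; the payload-type names come from RFC 2408.

```python
"""Analyser for racoon phase 1 log excerpts (added example for this thread; not
from the participants or the racoon project). The embedded logs are constructed
subsets of the two excerpts ericab posted."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

LOG_TIMEOUT = """\
Apr 27 13:52:30 racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
Apr 27 13:51:49 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:43 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:40 racoon: INFO: received Vendor ID: RFC 3947
Apr 27 13:51:40 racoon: INFO: begin Aggressive mode.
"""

LOG_SELF = """\
Apr 27 19:49:19 racoon: ERROR: phase1 negotiation failed due to time up. feabee14d99e6364:991e2e9cbef177e2
Apr 27 19:49:09 racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:38 racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:38 racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
Apr 27 19:48:29 racoon: [Self]: [192.168.1.142] INFO: Selected NAT-T version: RFC 3947
Apr 27 19:48:29 racoon: INFO: begin Aggressive mode.
Apr 27 19:48:29 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.1.142[500]<=>192.168.1.142[500]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+racoon:\s+(?P<msg>.*)$")
RETRANS_RE = re.compile(r"retransmitted by (?P<peer>\S+)\[\d+\]")
PAYLOAD_RE = re.compile(r"unexpecting payload type (?P<type>\d+)")
NEGOT_RE = re.compile(r"phase 1 negotiation: (?P<local>\S+)\[\d+\]<=>(?P<remote>\S+)\[\d+\]")
NATT_RE = re.compile(r"Selected NAT-T version: (?P<ver>.+)$")
ISAKMP_PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}  # RFC 2408 section 3.1


@dataclass
class Phase1Report:
    mode: Optional[str] = None          # "aggressive" or "main"
    nat_t: Optional[str] = None         # NAT-T version racoon selected, if any
    retransmits: int = 0                # count of "packet is retransmitted" notices
    peers: Set[str] = field(default_factory=set)
    errors: List[str] = field(default_factory=list)
    unexpected_payloads: Set[int] = field(default_factory=set)
    timed_out: bool = False             # "phase1 negotiation failed due to time up"
    self_negotiation: bool = False      # local and remote address identical


def parse_racoon(log: str) -> Phase1Report:
    """Extract the phase 1 facts from racoon log lines; unknown lines are skipped."""
    rep = Phase1Report()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if "begin Aggressive mode" in msg:
            rep.mode = "aggressive"
        elif "begin Identity Protection mode" in msg:   # racoon's name for main mode
            rep.mode = "main"
        natt = NATT_RE.search(msg)
        if natt:
            rep.nat_t = natt.group("ver")
        rt = RETRANS_RE.search(msg)
        if rt:
            rep.retransmits += 1
            rep.peers.add(rt.group("peer"))
        if "ERROR:" in msg:
            rep.errors.append(msg)
        pl = PAYLOAD_RE.search(msg)
        if pl:
            rep.unexpected_payloads.add(int(pl.group("type")))
        if "phase1 negotiation failed due to time up" in msg:
            rep.timed_out = True
        ng = NEGOT_RE.search(msg)
        if ng and ng.group("local") == ng.group("remote"):
            rep.self_negotiation = True
    return rep


def diagnose(rep: Phase1Report) -> List[str]:
    """Turn the extracted facts into what each pattern is consistent with."""
    notes = []
    if rep.timed_out and rep.retransmits:
        notes.append(f"timeout after {rep.retransmits} retransmission(s) from {', '.join(sorted(rep.peers))}: "
                     "the peer keeps resending, so the responder's replies are not getting back to it "
                     "(check that UDP 500/4500 reach the listening interface and what any upstream NAT does to them)")
    if rep.self_negotiation:
        notes.append("local and remote address are identical: the request arrives with the responder's own "
                     "address as source, so the reply is addressed to the box itself; this points at NAT on "
                     "the path rewriting the source")
    for t in sorted(rep.unexpected_payloads):
        notes.append(f"unexpected ISAKMP payload type {t} ({ISAKMP_PAYLOAD.get(t, '?')}): a first message "
                     "arrived while an exchange with that peer was already under way, consistent with the "
                     "peer never seeing the reply")
    if rep.mode == "aggressive":
        notes.append("aggressive mode: the identity and the PSK-based hash go out before encryption is "
                     "established, so the pre-shared key needs to be long and random")
    return notes


if __name__ == "__main__":
    for name, log in (("timeout excerpt", LOG_TIMEOUT), ("self-address excerpt", LOG_SELF)):
        print(name)
        for note in diagnose(parse_racoon(log)):
            print("  -", note)
```

On the second excerpt the parser's main finding is that 192.168.1.142 appears on both sides of the negotiation: racoon is answering its own WAN address, so no reply can ever reach the iPhone and the retransmits and eventual timeout follow from that. That is a path and NAT question (the upstream router's port forward and the new outbound rule both sit on that path), not a proposal or PSK mismatch, which would show up as a different racoon error.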

                                            i have tested your setup with my recommendations and it works flawlessly, at least for me and for many people in this forum who have reported the same about this config. furthermore i can't see theoretically why it shouldn't work. so i think i can't help you further than that..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.