IOS (iphone/ipad) & 2.0-RC1 IPsec.. It almost works.

_igor_

I've tested your hint with outbound NAT which resulted in a complete inaccessibility of LAN and WAN. So i think thats wrong. I can see in the firewall-log only connections to my pfsense, but nothing goes out anymore. So i reviewed my settings regard to IPSEC and found out that at "IPSEC:Mobile clients" disabling the entry "Provide a list of accessible networks to clients" i get connected with LAN accessibility but no WAN.

Reenabling "Provide a list of accessible networks to clients" resulted in full WAN-access via the IPSEC-tunnel.

So no outbound-NAT is necessary. Only the "IPSEC any to any" rule and at WAN-side i have an "ESP to any" rule.

Hope that helps getting a fully working Mobile IPSEC connection.

edit: I have allowed ports 4500 and 500 UDP incoming from WAN, which i forgot to mention. sorry.

eazydor

@_igor_ are you still able to connect to your lan subnet?

@pfsenseuser3 you should set your outbound nat mode to manual.

eazydor

@igor when i set "provide accesible networks" i do lose my default route over the tunnel and the client talk directly to the wan since their default route is set to the lan-gateway. this means no traffic to wan at all is routed trough your tunnel. that your client has established a connection and can talk to outbound doesnt mean directly that the traffic is passing your tunnel interface. apart from that i dont believe that theres right and wrong, rather than suitable or not. would you please take a look a you routing table when connected?

ericab

still waiting on a full HOWTO so it can be stickied…..

eazydor

@ericab can i help you with somewhat? i believe that theres no tutorial because mobile ipsec works perfectly since months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that´s right..

ericab

@eazydor:

@ericab can i help you with somewhat? i believe that theres no tutorial because mobile ipsec works perfectly since months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that´s right..

Apr 27 13:52:30 	racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
Apr 27 13:51:49 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:46 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:43 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:40 	racoon: INFO: Adding xauth VID payload.
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: DPD
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 27 13:51:40 	racoon: INFO: received Vendor ID: RFC 3947
Apr 27 13:51:40 	racoon: INFO: begin Aggressive mode.

this is the holdup now.

eazydor

please provide more information. can't help you like that.

ericab

not sure where to start; what info would you need ?

i bet the problem is with "Proposal Checking"
mines set at default. is that what it should be ?

eazydor

depends on the client you´re using. since the topic is about ios, yes proposal checking for ios-devices can be set to default. if you want you can describe your setup, configs, etc and i will take a look, but otherwise i cant help you.

ericab

hi eazydor

here is how ive got my IPSec server setup:

Overview:

Mobile Clients:

http://dl.dropbox.com/u/66962/IPSec-pfSense/mobile-clients.jpg

Phase 1:

Phase 2:

now;
when i switch the listening interface for the ipsec server to my WIFI interface;
i can connect just fine, but no traffic passes. my wifi network is 192.168.3.0
it assigns me 192.168.4.1, which is right.

when i switch the interface to WAN;
(ive got the firewall rules setup properly to allow UDP 500/4500 on WAN)
(also have * * * * *; pass all on the IPSec firewall tab.)
the syslog shows the log from my previous post;
so not only does it not pass traffic, it wont even connect when listening on the WAN interface.

not sure if it matters, or if this may be the problem, but my wan interface is actually connected to another upstream router. (dont ask)
the pfsense box's WAN IP is on the DMZ of the upstream router, and the upstream router IS set to port forward ports 500, and 4500 UDP to pfsense WAN address; aka 192.168.1.142

Internet –-----> Cable Modem -------> Router (its local LAN is 192.168.1.1/24)--------> (wan address is 192.168.1.142) pfSense --------> my local LAN (192.168.2.0/24)

eazydor

@ericab try this:

disable provide network list
enable nat traversal

under firewall - nat - outbound

set to manual
create new rule
if wan
proto any
src network 192.168.3.0/24 (assuming your wifi is your local network)
src port blank
dst not enable inverse option
dst type any
dst port blank
trans addr if adress
save & apply

ericab

eazydor;

well something has changed, im not sure if its progress… here is the new log after applying your settings:

Apr 27 19:49:19 	racoon: ERROR: phase1 negotiation failed due to time up. feabee14d99e6364:991e2e9cbef177e2
Apr 27 19:49:09 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:59 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:49 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:39 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:38 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:38 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
Apr 27 19:48:35 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:35 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
Apr 27 19:48:32 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:32 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
Apr 27 19:48:29 	racoon: INFO: Adding xauth VID payload.
Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
Apr 27 19:48:29 	racoon: INFO: Adding remote and local NAT-D payloads.
Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Selected NAT-T version: RFC 3947
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: DPD
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 27 19:48:29 	racoon: INFO: received Vendor ID: RFC 3947
Apr 27 19:48:29 	racoon: INFO: begin Aggressive mode.
Apr 27 19:48:29 	racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.1.142[500]<=>192.168.1.142[500]

192.168.1.142 is my WAN address.

but whats this :  ERROR: ignore the packet, received unexpecting payload type 1.

eazydor

i have tested your setup with my recommendations and it works flawlessly, at least for me and many people in this forum who have reported the same about this config. furthermore can't i see theoretically why it shouldn't work. so i think i can't help you further than that..

eazydor

eventually you could try to force nat traversal.. see if that helps.. what ios version are you on?

ericab

eazydor;

ill try forcing nat-t

ios v 4.3.0;  ipad2.

possibly i should just give up and hope for a jailbreak so i can get openvpn on it. argg

eazydor

i know. ipsec can be hurt so bad. while openvpn is flying so light.. but these money making morons at cupertino will never let us run this natively.

_igor_

eazydor: your right, with network list enable it routes dircty to wan. shit. No traffic to wan via the tunnel. Outbound nat doesn't work here too. I loose all connect, including the lan access is dead.
without the outbound nat entry:
What i see is that all traffic ends at the pfsense-lan. DNS is seen at the firewall-log, but no answer is getting back to the phone. hmmm
A traceroute from phone via the tunnel ends without any answer.
ping is the same. i can ping all lan-clients, but wan is inaccessible.

eazydor

the problem, why i added this nat rule, was that ipsec-clients where talking to wan with their local ipsec-pool addresses. the servers obviously dropped the request since the origin was a private ip. this meant that every outbound traffic wasn't translated to the wan address and the server you´re connecting to doesnt know where to send the packet back. try doing a tcpdump on your wan interface/address and you should see clients doing request with their local ipsec-ip's and not getting replys. after you set the rule correctly you should see the same but clients doing request with the address of your wan interface and getting replys. if you can see the replys, the address translation is working and everything should be fine.

_igor_

clearly no. When i set up the nat forwarding, i instantly loose completely all access to the pfsense. I don't know why but tested that 3 times with same end. I'll try to setup the whole pfsense newly and try again.