Netgate Discussion Forum
    IPsec and iPhone, log ok, status not

    pfsenseuser3

      Hi everyone, I have a problem.

      Here is the IPsec log:

      Apr 15 12:03:01 	racoon: [Self]: INFO: respond new phase 1 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
      Apr 15 12:03:01 	racoon: INFO: begin Aggressive mode.
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: RFC 3947
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: CISCO-UNITY
      Apr 15 12:03:01 	racoon: INFO: received Vendor ID: DPD
      Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
      Apr 15 12:03:01 	racoon: INFO: Adding remote and local NAT-D payloads.
      Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Hashing 90.152.xxx.xxx[500] with algo #2
      Apr 15 12:03:01 	racoon: [Self]: [93.111.xxx.xxx] INFO: Hashing 93.111.xxx.xxx[500] with algo #2
      Apr 15 12:03:01 	racoon: INFO: Adding xauth VID payload.
      Apr 15 12:03:01 	racoon: [Self]: [93.111.xxx.xxx] INFO: Hashing 93.111.xxx.xxx[500] with algo #2
      Apr 15 12:03:01 	racoon: INFO: NAT-D payload #0 verified
      Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Hashing 90.152.xxx.xxx[500] with algo #2
      Apr 15 12:03:01 	racoon: INFO: NAT-D payload #1 verified
      Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Apr 15 12:03:01 	racoon: INFO: NAT not detected
      Apr 15 12:03:01 	racoon: INFO: Sending Xauth request
      Apr 15 12:03:01 	racoon: [Self]: INFO: ISAKMP-SA established 93.111.xxx.xxx[500]-90.152.xxx.xxx[500] spi:e25f606eb0f84cea:b3df85f0e64d0817
      Apr 15 12:03:01 	racoon: INFO: Using port 0
      Apr 15 12:03:01 	racoon: INFO: login succeeded for user "iphone"
      Apr 15 12:03:02 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Apr 15 12:03:02 	racoon: WARNING: Ignored attribute 28683
      Apr 15 12:03:02 	racoon: [Self]: INFO: respond new phase 2 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
      Apr 15 12:03:02 	racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      Apr 15 12:03:02 	racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=74895336(0x476cfe8)
      Apr 15 12:03:02 	racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=48561409(0x2e4fd01)
      

      The only error I can see is "Apr 15 12:03:01 racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange." The VPN connection on the iPhone is also working. I am able to connect to the pfSense web GUI with the phone. Everything is working, only the symbol is not green. Maybe a bug?

      pfSense version is the current 2.0 release.

      Thanks for any help!

        pfsenseuser3
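The racoon log quoted above, read by a small parser: an added example (not pfSense's code and not the poster's) that extracts the phase 1 and phase 2 state, the XAUTH login, the NAT detection result and any ERROR lines, and flags the situation the thread later runs into, where IKE completed on UDP/500 with "NAT not detected", so ESP travels as raw IP protocol 50, which an upstream network may drop even though the log looks healthy. The line format and the constructed sample are taken from the log above; the state names are my own.

```python
import re

# Constructed sample: a subset of the racoon lines quoted above, same masked addresses.
SAMPLE_LOG = """\
Apr 15 12:03:01 racoon: [Self]: INFO: respond new phase 1 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
Apr 15 12:03:01 racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Apr 15 12:03:01 racoon: INFO: NAT not detected
Apr 15 12:03:01 racoon: [Self]: INFO: ISAKMP-SA established 93.111.xxx.xxx[500]-90.152.xxx.xxx[500] spi:e25f606eb0f84cea:b3df85f0e64d0817
Apr 15 12:03:01 racoon: INFO: login succeeded for user "iphone"
Apr 15 12:03:02 racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=74895336(0x476cfe8)
Apr 15 12:03:02 racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=48561409(0x2e4fd01)
"""

RE_P1 = re.compile(r"ISAKMP-SA established (\S+)\[(\d+)\]-(\S+)\[(\d+)\] spi:(\S+)")
RE_P2 = re.compile(r"IPsec-SA established: ESP (\S+)\[(\d+)\]->(\S+)\[(\d+)\] spi=(\d+)")
RE_XAUTH = re.compile(r'login succeeded for user "([^"]+)"')
RE_NAT = re.compile(r"NAT (not detected|detected)")
RE_ERR = re.compile(r"ERROR: (.*)$")

def summarize_racoon(log_text):
    """Reduce a racoon log to the facts a status page would need."""
    s = {"phase1": None, "xauth_user": None, "esp_spis": [], "nat_detected": None,
         "errors": [], "ports": set()}
    for line in log_text.splitlines():
        if m := RE_P1.search(line):
            s["phase1"] = {"local": m[1], "remote": m[3], "cookie": m[5]}
            s["ports"].update({int(m[2]), int(m[4])})
        elif m := RE_P2.search(line):
            s["esp_spis"].append(int(m[5]))
            s["ports"].update({int(m[2]), int(m[4])})
        elif m := RE_XAUTH.search(line):
            s["xauth_user"] = m[1]
        elif m := RE_NAT.search(line):
            s["nat_detected"] = (m[1] == "detected")
        elif m := RE_ERR.search(line):
            s["errors"].append(m[1])
    return s

def tunnel_state(s):
    """Interpret the summary: 'up' needs phase 1 plus one ESP SA in each direction."""
    if s["phase1"] is None:
        return "phase1-missing"
    if len(s["esp_spis"]) < 2:
        return "phase2-incomplete"
    # No NAT detected and only port 500 seen: ESP is sent as raw IP proto 50, not in UDP.
    if s["nat_detected"] is False and 4500 not in s["ports"]:
        return "up-raw-esp"
    return "up-udp-encapsulated"
```

The sample summarizes to "up-raw-esp": both SAs exist and XAUTH succeeded, which matches the poster's observation that the tunnel works, while the raw-ESP path is the one a carrier can silently drop.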

        No answer? ???

          p0ddie

          @pfsenseuser3:

          no answer? ???

          STF ;-)

          http://forum.pfsense.org/index.php/topic,35621.0.html (links to other relevant threads in this one)

          Many, many threads about iOS IPsec not working; we're all trying to figure out how to get it to work. Wanna jump in and help with the effort?

            pfsenseuser3

            But for me it's working. As I wrote in my last post, I can connect to the pfSense web GUI and also ping the pfSense device. The only thing which is not working is the status symbol on the "IPsec status page". It should be green if the VPN connection is open. It's not critical, but it would be nice if this would work.

              ericab

              You're already a ways ahead of most of us.

                pfsenseuser3

                @ericab: with one device it's also not working for me… and I found out that it has something to do with my provider. The iPhones where it is working are using T-Mobile Austria Business as provider. The other device is using A1 (Austrian provider, private contract). A few minutes ago I sent a support question to A1 asking if they are blocking the ESP-UDP protocol.. so let's see what they answer.

                  eazydor

                  There is no such thing as an ESP/UDP protocol. Either your ISP is blocking ESP traffic (most likely), or some UDP ports. That's why mankind invented NAT traversal, which, i.e. for IPsec, encapsulates the Encapsulating Security Payload in UDP "datagrams", so that we can avoid this problem.

                    pfsenseuser3
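The encapsulation eazydor describes, as an added example (not from the thread and not pfSense's code): the RFC 3948 framing on UDP/4500, where the UDP payload is the ESP packet itself, IKE sharing the same port is prefixed with a four-zero-byte non-ESP marker, and a one-byte 0xFF datagram keeps the NAT mapping alive. The port and marker values come from the RFC, which the thread does not name; the SPI is the first one from the log above and the ciphertext is a constructed placeholder.

```python
import struct

# RFC 3948 framing on UDP/4500 (values from the RFC, not from the thread).
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks an IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive

def build_esp(spi, seq, ciphertext):
    """Minimal ESP header (SPI, sequence number) in front of an opaque body.
    Real ESP also carries IV, padding, next-header and ICV; omitted here."""
    if spi == 0:
        # SPI 0 is reserved; a zero first word would look like the non-ESP marker.
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + ciphertext

def udp_encapsulate_esp(esp_packet):
    """UDP-encapsulated ESP: the UDP payload is the ESP packet itself, no marker.
    This is what lets ESP cross a network that drops IP protocol 50 but passes UDP."""
    return esp_packet

def udp_encapsulate_ike(ike_message):
    """IKE moved to UDP/4500 is prefixed with the non-ESP marker."""
    return NON_ESP_MARKER + ike_message

def classify_udp4500(payload):
    """Demultiplex a UDP/4500 payload the way a NAT-T peer does on receive."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", {"spi": spi, "seq": seq, "body": payload[8:]})
    return ("invalid", None)

# Constructed demo using the first ESP SPI from the log above (0x476cfe8).
DEMO_ESP = udp_encapsulate_esp(build_esp(0x476cfe8, 1, b"constructed-ciphertext"))
```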

                    OK, but pfSense shows me "ESP-UDP" in the protocol section.. NAT traversal is enabled.

                    edit: ah, NAT-T forced is the right solution for me ;)

                      eazydor

                      Like I said, many providers and home routers are blocking ESP traffic, therefore NAT traversal could be a solution. Since many networks like hotels, etc. don't allow any traffic apart from HTTP(S) via a proxy, even NAT-T would fail. I know of a company which does IPsec over HTTPS, like you could do OpenVPN over HTTPS, encapsulating the payload in an SSL header to avoid these problems, but how this works exactly, I have no idea..
                      Glad that's running for you..

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.