IOS roadwarrior configuration using IPsec?



  • I would like to form an IPsec tunnel between my iOS v4.3 devices and my home firewall and route all traffic during this VPN-session via my home firewall both to the internal network and the internet.

    I'm able to get a partial IPsec tunnel up by following the howto here "http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558" and "http://www.huijgen.com/tunnel/", but I don't get any traffic moving anywhere except directly to the internet over 3G from my iPad, bypassing the whole tunnel. It looks like the tunnel goes up on my pfSense box and comes straight down in a few seconds, whereas my iOS devices happily think they have a tunnel active indefinitely.

    Below, 10.100.100.0/24 is the VPN client care-of IP address and 192.168.1.0/24 is the internal home network.

    
    Mar 23 23:00:44	racoon: INFO: purged IPsec-SA proto_id=ESP spi=245982240.
    Mar 23 23:00:44	racoon: INFO: deleting a generated policy.
    Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=181848391(0xad6c947)
    Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=5924082(0x5a64f2)
    Mar 23 23:00:41	racoon: [Self]: INFO: initiate new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=245982240(0xea96420)
    Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=46648778(0x2c7cdca)
    Mar 23 23:00:40	racoon: INFO: no policy found, try to generate the policy : 10.100.100.1/32[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 23 23:00:40	racoon: [Self]: INFO: respond new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    Mar 23 23:00:40	racoon: WARNING: Ignored attribute 28683
    Mar 23 23:00:40	racoon: ERROR: Cannot open "/etc/motd"
    Mar 23 23:00:40	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Mar 23 23:00:40	racoon: INFO: login succeeded for user "vpnuser"
    Mar 23 23:00:40	racoon: INFO: Using port 0
    Mar 23 23:00:39	racoon: [Self]: INFO: ISAKMP-SA established xxx.aaa.112.226[500]-yyy.bbb.112.226[500] spi:7fad2359ca74df42:122af39befaa12bd
    Mar 23 23:00:39	racoon: INFO: Sending Xauth request
    Mar 23 23:00:39	racoon: INFO: NAT not detected
    Mar 23 23:00:39	racoon: [yyy.bbb.112.226] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Mar 23 23:00:39	racoon: INFO: NAT-D payload #1 verified
    Mar 23 23:00:39	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
    Mar 23 23:00:39	racoon: INFO: NAT-D payload #0 verified
    Mar 23 23:00:39	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: INFO: Adding xauth VID payload.
    Mar 23 23:00:38	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Selected NAT-T version: RFC 3947
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: DPD
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: RFC 3947
    Mar 23 23:00:38	racoon: INFO: begin Aggressive mode.
    Mar 23 23:00:38	racoon: [Self]: INFO: respond new phase 1 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    
    

    Is anyone writing a howto on configuring something like this for iOS devices?

    I've searched the forums, Google and Bing extensively and came out fairly empty-handed: only the article above and comments along the lines of "search for roadwarrior and iphone", which comes back more or less empty, by the way.

    Any ideas what could be wrong?



  • There are a lot of these questions on the forums here. This thread http://forum.pfsense.org/index.php/topic,32319.msg181260.html#msg181260 seems the most promising one. One user claims to be working on a manual with screenshots, let's hope he will have it done soon :-)



  • I used the following guide to get me through the initial setup:
    http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    I got it working and I can connect to the pfSense internal IP address (SSH & HTTPS), but nothing else.

    I have set the firewall rules to allow 500 & 4500 on WAN
    I have set the firewall rules to allow * on ipsec

    here is my racoon.conf

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 173.56.67.22 [500];
            isakmp_natt 173.56.67.22 [4500];
    }
    
    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size 253;
            network4 192.168.10.1;
            netmask4 255.255.255.0;
            dns4 4.4.4.4;
            dns4 8.8.8.8;
            wins4 192.168.1.230;
            default_domain "silkcrafts.local";
            split_dns "silkcrafts.local";
            save_passwd on;
    }
    
    remote anonymous
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address 173.56.67.22;
            peers_identifier fqdn "iOStunnel";
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method xauth_psk_server;
                    encryption_algorithm aes 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    
    sainfo   anonymous
    {
            remoteid 1;
            encryption_algorithm aes 256, 3des;
            authentication_algorithm hmac_sha1;
    
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }
    
    

    Here is my ipsec.log

    Apr  6 23:24:29 pfSense racoon: INFO: respond new phase 1 negotiation: 173.56.67.22[500]<=>71.167.40.48[500]
    Apr  6 23:24:29 pfSense racoon: INFO: begin Aggressive mode.
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: RFC 3947
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: DPD
    Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Selected NAT-T version: RFC 3947
    Apr  6 23:24:29 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
    Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[500] with algo #2
    Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[500] with algo #2
    Apr  6 23:24:29 pfSense racoon: INFO: Adding xauth VID payload.
    Apr  6 23:24:29 pfSense racoon: INFO: NAT-T: ports changed to: 71.167.40.48[4500]<->173.56.67.22[4500]
    Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[4500] with algo #2
    Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #0 verified
    Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[4500] with algo #2
    Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #1 doesn't match
    Apr  6 23:24:29 pfSense racoon: [71.167.40.48] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Apr  6 23:24:29 pfSense racoon: INFO: NAT detected: PEER
    Apr  6 23:24:29 pfSense racoon: INFO: Sending Xauth request
    Apr  6 23:24:29 pfSense racoon: INFO: ISAKMP-SA established 173.56.67.22[4500]-71.167.40.48[4500] spi:69ee848a8b67814d:038f56bf8a1989a8
    Apr  6 23:24:29 pfSense racoon: INFO: Using port 0
    Apr  6 23:24:29 pfSense racoon: INFO: login succeeded for user "rshah"
    Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Apr  6 23:24:30 pfSense racoon: ERROR: Cannot open "/etc/motd"
    Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute 28683
    Apr  6 23:24:30 pfSense racoon: INFO: respond new phase 2 negotiation: 173.56.67.22[4500]<=>71.167.40.48[4500]
    Apr  6 23:24:30 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr  6 23:24:30 pfSense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Apr  6 23:24:30 pfSense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=10475519(0x9fd7ff)
    Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=170260883(0xa25f993)
    Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
    Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.10.1/32[0] proto=any dir=out"
    
    

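The two racoon logs posted in this thread (the first poster's, where the child SA is purged a few seconds after it is established, and the one directly above, where a 0.0.0.0/0 policy is generated and then "such policy does not already exist" is logged) can be triaged mechanically. The following Python script is an added example, not code from the thread and not a pfSense or ipsec-tools utility: it parses racoon syslog lines in both formats seen here, records whether phase 1, XAuth and phase 2 completed, which traffic selectors racoon generated for the client, whether any selector covers the whole Internet (a full-tunnel setup), and how long each ESP SA lived before being purged. The embedded sample log is constructed and abridged from the first post; the syslog timestamps carry no year, so only deltas within one day are meaningful.

```python
"""Triage helper for racoon (ipsec-tools) IKEv1 mobile-client logs.

Added example, not from the thread or the ipsec-tools project.  Reads
syslog lines like the ones pasted above and reports what the tunnel
negotiation actually produced.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample, abridged from the first poster's log (tab after the
# timestamp replaced by a space; either is accepted by LINE_RE).
SAMPLE_LOG = """\
Mar 23 23:00:38 racoon: [Self]: INFO: respond new phase 1 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
Mar 23 23:00:38 racoon: INFO: begin Aggressive mode.
Mar 23 23:00:39 racoon: INFO: NAT not detected
Mar 23 23:00:39 racoon: [Self]: INFO: ISAKMP-SA established xxx.aaa.112.226[500]-yyy.bbb.112.226[500] spi:7fad2359ca74df42:122af39befaa12bd
Mar 23 23:00:40 racoon: INFO: login succeeded for user "vpnuser"
Mar 23 23:00:40 racoon: INFO: no policy found, try to generate the policy : 10.100.100.1/32[0] 192.168.1.0/24[0] proto=any dir=in
Mar 23 23:00:40 racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=245982240(0xea96420)
Mar 23 23:00:44 racoon: INFO: purged IPsec-SA proto_id=ESP spi=245982240.
"""

# "Mon DD HH:MM:SS [host] racoon: [tags...] LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?racoon:\s*"
    r"(?:\[[^\]]*\]:?\s*)*"  # drop "[Self]:" / "[1.2.3.4]" peer tags
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY):\s*(?P<msg>.*)$"
)
POLICY_RE = re.compile(
    r"try to generate the policy : (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] "
    r"proto=\S+ dir=(?P<dir>in|out)"
)
SA_UP_RE = re.compile(r"IPsec-SA established: ESP .* spi=(?P<spi>\d+)\(")
SA_PURGED_RE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(?P<spi>\d+)")
XAUTH_RE = re.compile(r'login succeeded for user "(?P<user>[^"]+)"')


def parse_line(line):
    """Return (timestamp, level, message) or None for a non-racoon line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["level"], m["msg"]


def analyze(text):
    """Walk the log once and collect the facts that matter for a mobile client."""
    report = {
        "phase1_established": False, "xauth_user": None, "nat": None,
        "initial_contact_error": False, "policies": [], "policy_errors": 0,
        "sa_up": {}, "sa_lifetime_secs": {}, "full_tunnel_selector": False,
    }
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if msg.startswith("ISAKMP-SA established"):
            report["phase1_established"] = True
        elif msg.startswith("NAT detected"):
            report["nat"] = msg.split(": ", 1)[1]  # e.g. "PEER"
        elif msg == "NAT not detected":
            report["nat"] = "none"
        elif "INITIAL-CONTACT received in aggressive exchange" in msg:
            report["initial_contact_error"] = True
        elif (m := XAUTH_RE.search(msg)):
            report["xauth_user"] = m["user"]
        elif (m := POLICY_RE.search(msg)):
            # dir=in: src is the client's virtual address, dst the remote network
            client, remote = (m["src"], m["dst"]) if m["dir"] == "in" else (m["dst"], m["src"])
            report["policies"].append((client, remote))
            if ipaddress.ip_network(remote, strict=False).prefixlen == 0:
                report["full_tunnel_selector"] = True
        elif "such policy does not already exist" in msg:
            report["policy_errors"] += 1
        elif (m := SA_UP_RE.search(msg)):
            report["sa_up"][m["spi"]] = ts
        elif (m := SA_PURGED_RE.search(msg)):
            up = report["sa_up"].get(m["spi"])
            if up is not None:
                report["sa_lifetime_secs"][m["spi"]] = (ts - up).total_seconds()
    return report


def diagnose(report):
    """Turn the collected facts into the findings a practitioner would check next."""
    findings = []
    if not report["phase1_established"]:
        findings.append("phase 1 never completed: check PSK, identifiers and the aggressive-mode proposal")
    elif report["xauth_user"] is None:
        findings.append("ISAKMP-SA is up but no XAuth login succeeded: check the user/password source")
    if report["phase1_established"] and not report["policies"]:
        findings.append("no phase 2 policy was generated: check the mobile phase 2 settings")
    if report["policies"] and not report["full_tunnel_selector"]:
        nets = sorted({remote for _, remote in report["policies"]})
        findings.append("selectors cover only %s; Internet-bound traffic will bypass the tunnel" % ", ".join(nets))
    if report["policy_errors"]:
        findings.append("generated policy could not be installed (%d errors)" % report["policy_errors"])
    short = [spi for spi, secs in report["sa_lifetime_secs"].items() if secs < 60]
    if short:
        findings.append("child SA(s) %s purged within a minute of coming up" % ", ".join(short))
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG)):
        print("-", finding)
```

Run it against the first poster's log and it reports both symptoms described in that post: the only selector installed is client to 192.168.1.0/24, so nothing bound for the Internet is ever offered to the tunnel, and the ESP SA with SPI 245982240 is purged four seconds after it is established. Fed the log directly above, it flags the 0.0.0.0/0 selector as a full-tunnel policy and counts the two "such policy does not already exist" errors, which is the phase 2 policy problem a later reply in this thread points at.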

  • Hey mate,

    Any luck getting this up and running with full tunnelling capabilities?
    If I wish to attempt this, do I need to upgrade to version 2? Currently running 1.2-RELEASE.

    Cheers!



  • If I wish to attempt this, do I need to upgrade to version 2?

    2.x is a must, as 1.2 does not support mobile IPsec with NAT-T and all that (as far as I understand).


  • You might try the config that works for Android phones (search the doc wiki for android vpn)



  • Thanks for the suggestions - result still nil  :'(

    I tried to adapt the Android wiki entries for the iPhone with no different results. I seem to be connected on the phone; there are SADs and SPDs, though the IPsec connection does not show an IP address for the Destination in incoming (or it shows 0.0.0.0/0), and the same for Source in outgoing.

    I don't get traffic going anywhere, and the iPhone seems to route traffic locally past the VPN tunnel too, since Google is accessible even though the tunnel reports 0 bytes of data.

    I'm giving up on this until someone comes up with a coherent howto on how to achieve a sane, complete road warrior IPsec configuration with routes both to the internal LAN as well as the Internet via the IPsec tunnel server from my mobile.



  • iUser,

    It took me a lot of trying this and that, but I finally got it working with iPads and iPhones. If you are connecting but not passing traffic, then it is more than likely a phase 2 policy problem. Check out my phase 2 settings for mobile users (see attached screenshot). The Local Network part is where I found the problem to be. It helps to verify with a PC client (I use Shrew). Also be sure that all settings match up!




  • After a few days of testing I can say I have it running reliably now, too. I can connect with my iPad, iPhone and with the built-in Cisco IPsec client in OS X with the setup found in the previously mentioned post (http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558).

    As my effort to contribute to this becoming a wiki entry, here are the two screenshots of the firewall rules I needed to get traffic flowing after I succeeded in connecting via IPsec:

    The first screenshot is a floating rule, passing all traffic from the ipsec interface to my LAN interface (which happens to be a bridge of two interfaces, so it is called LANBRIDGE, but you might want to just use your default "LAN" interface).

    The second screenshot is the firewall rule in the ipsec tab of the firewall. I think it gets created by default, but if not, then set it up as I did; it works :)

    ![Bildschirmfoto 2011-08-05 um 11.40.11.png](/public/imported_attachments/1/Bildschirmfoto 2011-08-05 um 11.40.11.png)

