IPsecVPN iPhone no DNS?
-
Hello everyone,
I've set up an IPsec VPN connection via iPhone. I can browse our LAN but can't establish any connections outside of our LAN like www.google.com. I've set up the VPN like in this thread: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
Maybe a firewall rule is missing?
IPsec Log:
Apr 11 13:21:27 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 13:21:19 racoon: INFO: Released port 0
Apr 11 13:21:19 racoon: [Self]: INFO: ISAKMP-SA deleted 87.139.282.198[4500]-85.159.250.65[7810] spi:ec9da39e19489101:b0f0a48ba2cdd55b
Apr 11 13:21:19 racoon: INFO: purged ISAKMP-SA spi=ec9da39e19489101:b0f0a48ba2cdd55b:0000940e.
Apr 11 13:21:19 racoon: INFO: purged IPsec-SA spi=157112552.
Apr 11 13:21:19 racoon: INFO: purging ISAKMP-SA spi=ec9da39e19489101:b0f0a48ba2cdd55b:0000940e.
Apr 11 13:21:19 racoon: INFO: purged IPsec-SA proto_id=ESP spi=162785590.
Apr 11 13:21:19 racoon: INFO: deleting a generated policy.
Apr 11 13:20:11 racoon: [Self]: INFO: IPsec-SA established: ESP 87.139.282.198[500]->85.159.250.65[500] spi=162785590(0x9b3e936)
Apr 11 13:20:11 racoon: [Self]: INFO: IPsec-SA established: ESP 87.139.282.198[500]->85.159.250.65[500] spi=157112552(0x95d58e8)
Apr 11 13:20:11 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 11 13:20:11 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 11 13:20:11 racoon: INFO: no policy found, try to generate the policy : 192.168.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 11 13:20:11 racoon: [Self]: INFO: respond new phase 2 negotiation: 87.139.282.198[4500]<=>85.159.250.65[7810]
Apr 11 13:20:10 racoon: WARNING: Ignored attribute 28683
Apr 11 13:20:10 racoon: ERROR: Cannot open "/etc/motd"
Apr 11 13:20:10 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 11 13:20:09 racoon: INFO: login succeeded for user "petre"
Apr 11 13:20:09 racoon: INFO: Using port 0
Apr 11 13:20:02 racoon: [Self]: INFO: ISAKMP-SA established 87.139.282.198[4500]-85.159.250.65[7810] spi:ec9da39e19489101:b0f0a48ba2cdd55b
Apr 11 13:20:02 racoon: INFO: Sending Xauth request
Apr 11 13:20:02 racoon: INFO: NAT detected: PEER
Apr 11 13:20:02 racoon: [85.159.250.65] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Apr 11 13:20:02 racoon: INFO: NAT-D payload #1 doesn't match
Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Hashing 85.159.250.65[7810] with algo #2
Apr 11 13:20:02 racoon: INFO: NAT-D payload #0 verified
Apr 11 13:20:02 racoon: [Self]: [87.139.282.198] INFO: Hashing 87.139.282.198[4500] with algo #2
Apr 11 13:20:02 racoon: [Self]: INFO: NAT-T: ports changed to: 85.159.250.65[7810]<->87.139.282.198[4500]
Apr 11 13:20:02 racoon: INFO: Adding xauth VID payload.
Apr 11 13:20:02 racoon: [Self]: [87.139.282.198] INFO: Hashing 87.139.282.198[500] with algo #2
Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Hashing 85.159.250.65[8863] with algo #2
Apr 11 13:20:02 racoon: INFO: Adding remote and local NAT-D payloads.
Apr 11 13:20:02 racoon: [85.159.250.65] INFO: Selected NAT-T version: RFC 3947
Apr 11 13:20:02 racoon: INFO: received Vendor ID: DPD
Apr 11 13:20:02 racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 11 13:20:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 11 13:20:02 racoon: INFO: received Vendor ID: RFC 3947
Apr 11 13:20:02 racoon: INFO: begin Aggressive mode.
Apr 11 13:20:02 racoon: [Self]: INFO: respond new phase 1 negotiation: 87.139.282.198[500]<=>85.159.250.65[8863]
Hope someone can give me a hint.
Cheers,
David
-
Change your IPSEC rule to any, not only TCP. DNS runs via UDP.
Do you have enabled "Provide a list of accessible networks to clients" and given a DNS-server at your "Mobile clients" section?
-
@szop please be aware that by enabling "Provide a list of accessible networks to clients" you do lose your default route through your tunnel and all of your traffic apart from the traffic eventually defined in the phase 2 local subnet will NOT be sent through your tunnel.
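The two replies above point at the same two things a defender checks when a mobile IPsec client can reach the LAN but not the Internet: whether the client's negotiated traffic selector actually covers 0.0.0.0/0 (the "generate the policy" line in the racoon log), and whether the IPsec interface rules pass UDP, not only TCP, so DNS can get through. The script below is an added example, not code from the thread or from pfSense: it parses a constructed excerpt of the log quoted above and checks it against a hypothetical dictionary form of the IPsec firewall rules (the TCP-only rule from the question beside a corrected any-protocol rule).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the racoon log quoted in the question (sample input, not live data).
RACOON_LOG = """\
Apr 11 13:20:11 racoon: INFO: no policy found, try to generate the policy : 192.168.1.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 11 13:20:11 racoon: [Self]: INFO: IPsec-SA established: ESP 87.139.282.198[500]->85.159.250.65[500] spi=157112552(0x95d58e8)
Apr 11 13:20:02 racoon: [Self]: INFO: ISAKMP-SA established 87.139.282.198[4500]-85.159.250.65[7810] spi:ec9da39e19489101:b0f0a48ba2cdd55b
"""

# Hypothetical representation of the pass rules on the IPsec interface (assumed format):
# the "TCP only" rule from the question beside the corrected "any protocol" rule.
TCP_ONLY_RULES = [{"action": "pass", "proto": "tcp", "src": "192.168.1.0/24", "dst": "any"}]
FIXED_RULES = [{"action": "pass", "proto": "any", "src": "192.168.1.0/24", "dst": "any"}]

POLICY_RE = re.compile(r"generate the policy : (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(\w+)")

def generated_policy(log):
    """Extract (src, dst, proto, dir) from racoon's 'generate the policy' line, or None."""
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if m:
            return m.groups()
    return None

def tunnel_established(log):
    """Phase 1 (ISAKMP-SA) and phase 2 (IPsec-SA) must both be logged as established."""
    return "ISAKMP-SA established" in log and "IPsec-SA established" in log

def rule_passes(rule, proto, client_ip):
    """A pass rule matches if its protocol covers `proto` and its source covers the client."""
    proto_ok = rule["action"] == "pass" and rule["proto"] in ("any", proto)
    src_ok = rule["src"] == "any" or ip_address(client_ip) in ip_network(rule["src"])
    return proto_ok and src_ok

def diagnose(log, rules):
    """Return findings explaining why the mobile client may have no working DNS/Internet."""
    if not tunnel_established(log):
        return ["tunnel not established; check phase 1/phase 2 before looking at rules"]
    policy = generated_policy(log)
    if policy is None:
        return ["no generated policy for the client found in the log"]
    src, dst, _, _ = policy
    client_ip = str(ip_network(src).network_address)
    findings = []
    if ip_network(dst).prefixlen != 0:  # only 0.0.0.0/0 sends Internet traffic into the tunnel
        findings.append(f"client policy only covers {dst}; Internet traffic stays outside the tunnel")
    if not any(rule_passes(r, "udp", client_ip) for r in rules):
        findings.append("no IPsec rule passes UDP from the client, so DNS (UDP/53) is blocked")
    return findings
```

For the log in the question the policy is a full tunnel (0.0.0.0/0), so the only finding with the TCP-only rule is the blocked UDP, which disappears once the rule allows any protocol.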