IPSEC & SIP registering through VPN on iPhone
-
After successfully creating and configuring my IPSEC VPN and being able to connect to my local LAN, I'm having some issues with the IPSEC VPN on iPhone, as it sometimes works and other times it doesn't.
When I first connect I get the following:
Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
Sep 5 09:39:42 racoon: INFO: received Vendor ID: RFC 3947
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 5 09:39:42 racoon: INFO: received Vendor ID: CISCO-UNITY
Sep 5 09:39:42 racoon: INFO: received Vendor ID: DPD
Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Selected NAT-T version: RFC 3947
Sep 5 09:39:42 racoon: INFO: Adding remote and local NAT-D payloads.
Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Hashing 188.58.2.94[15639] with algo #2 (NAT-T forced)
Sep 5 09:39:42 racoon: [Self]: [92.x.95.x] INFO: Hashing 92.x.95.x[500] with algo #2 (NAT-T forced)
Sep 5 09:39:42 racoon: INFO: Adding xauth VID payload.
Sep 5 09:39:43 racoon: [Self]: INFO: NAT-T: ports changed to: 188.58.2.94[15604]<->92.x.95.x[4500]
Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
Sep 5 09:39:43 racoon: INFO: Sending Xauth request
Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
Sep 5 09:39:43 racoon: INFO: Using port 0
Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
Sep 5 09:39:44 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Sep 5 09:39:44 racoon: ERROR: Cannot open "/etc/motd"
Sep 5 09:39:44 racoon: WARNING: Ignored attribute 28683
Sep 5 09:39:46 racoon: [Self]: INFO: respond new phase 2 negotiation: 92.x.95.x[4500]<=>188.58.2.94[15604]
Sep 5 09:39:46 racoon: INFO: no policy found, try to generate the policy : 172.16.254.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Sep 5 09:39:46 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 5 09:39:46 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)
Then it takes around 2 minutes until it tries to connect (using Bria on the iPhone for SIP Register) and it starts connecting.
Later on, if I leave my iPhone for a while (5 mins) and get back to the Bria app, the phone can't register and the same issue happens, but this time it won't work at all until I restart the racoon service on pfSense.
Is there any way to find out what's causing this issue?
Here's my Phase 1 configuration.
Authentication method Mutual PSK + Xauth
Negotiation mode Aggressive
My identifier My IP address
Peer identifier Distinguished Name : Name
Pre-Shared Key
Policy Generation default
Proposal Checking default
Encryption algorithm AES 128bits
Hash algorithm SHA1
DH key group = 2
Lifetime 28800 seconds
Advanced Options
NAT Traversal Force
Dead Peer Detection Enabled
10 seconds: delay between requesting peer acknowledgement.
5 retries: number of consecutive failures allowed before disconnect.
Here's my Phase 2 configuration.
Mode tunnel
Local Network Type:= Network
Address 192.168.1.0/24
Phase 2 proposal (SA/Key Exchange)
Protocol ESP
ESP is encryption, AH is authentication only
Encryption algorithms AES 128bits
Hash algorithms SHA1
PFS key group = off
Lifetime 3600 seconds
-
My Mobile Clients configuration.
Extended Authentication (Xauth)
User Authentication Source: System
Group Authentication Source: System
Client Configuration (mode-cfg)
Virtual Address Pool
Provide a virtual IP address to clients
Network: 172.16.254.0/24
Network List Unticked
Save Xauth Password Ticked
DNS Default Domain 192.168.1.5 (my internal DNS)
DNS Servers
Provide a DNS server list to clients
Server #1: external DNS
Nothing else selected below
-
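Reading a racoon log by hand every time the tunnel drops gets old, so here is a small parser that pulls the IKE milestones (phase 1 start, NAT-D results, ISAKMP-SA, Xauth login, phase 2, IPsec-SA) out of lines in the format shown above and reports how long each step took and what looks off. This is an added example, not code from the post, from pfSense or from racoon; it assumes the syslog layout seen in the excerpt, and the sample lines are a constructed subset adapted from the post's log (with the public IP masked as the poster masked it).

```python
import re
from datetime import datetime

# Constructed sample input: lines adapted from the racoon log excerpt in the
# post above (the public IP is masked as 92.x.95.x exactly as the poster did).
SAMPLE_LOG = """\
Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
Sep 5 09:39:46 racoon: [Self]: INFO: respond new phase 2 negotiation: 92.x.95.x[4500]<=>188.58.2.94[15604]
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)
"""

# One racoon syslog line: timestamp, "racoon:", zero or more "[context]" tags
# ("[Self]:" carries a colon, "[1.2.3.4]" does not), a level, and the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+racoon:\s+"
    r"(?P<ctx>(?:\[[^\]]*\]:?\s+)*)"
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY|DEBUG):\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a racoon line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the default 1900 is fine for computing deltas
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "level": m.group("level"), "msg": m.group("msg")}


def summarize(log_text):
    """Walk one connection attempt and record which IKE milestones it reached."""
    s = {"phase1_started": None, "aggressive_mode": False, "nat_detected": [],
         "natd_mismatches": 0, "isakmp_sa": None, "xauth_user": None,
         "phase2_started": None, "ipsec_sa": [], "errors": [], "warnings": []}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, msg = ev["ts"], ev["msg"]
        if ev["level"] == "ERROR":
            s["errors"].append(msg)
        elif ev["level"] == "WARNING":
            s["warnings"].append(msg)
        if "respond new phase 1 negotiation" in msg and s["phase1_started"] is None:
            s["phase1_started"] = ts
        elif msg.startswith("begin Aggressive mode"):
            s["aggressive_mode"] = True
        elif msg.startswith("NAT-D payload") and "doesn't match" in msg:
            s["natd_mismatches"] += 1  # a mismatched NAT-D hash means that address was translated
        elif msg.startswith("NAT detected:"):
            s["nat_detected"] = msg.split(":", 1)[1].split()  # e.g. ['ME', 'PEER']
        elif msg.startswith("ISAKMP-SA established"):
            m = re.search(r"spi:([0-9a-f]+:[0-9a-f]+)", msg)
            s["isakmp_sa"] = {"ts": ts, "spi": m.group(1) if m else None}
        elif msg.startswith("login succeeded for user"):
            m = re.search(r'user "([^"]+)"', msg)
            s["xauth_user"] = m.group(1) if m else None
        elif "respond new phase 2 negotiation" in msg and s["phase2_started"] is None:
            s["phase2_started"] = ts
        elif msg.startswith("IPsec-SA established"):
            m = re.search(r"spi=(\d+)\(0x([0-9a-f]+)\)", msg)
            if m:
                s["ipsec_sa"].append({"ts": ts, "spi": int(m.group(1))})
    return s


def phase1_seconds(s):
    """Seconds from the first phase 1 request to the ISAKMP-SA, or None."""
    if s["phase1_started"] is None or s["isakmp_sa"] is None:
        return None
    return (s["isakmp_sa"]["ts"] - s["phase1_started"]).total_seconds()


def tunnel_up_seconds(s):
    """Seconds from the first phase 1 request to the last IPsec-SA, or None."""
    if s["phase1_started"] is None or not s["ipsec_sa"]:
        return None
    return (s["ipsec_sa"][-1]["ts"] - s["phase1_started"]).total_seconds()


def findings(s):
    """Plain-language observations worth a second look after one attempt."""
    out = []
    if s["aggressive_mode"]:
        out.append("phase 1 ran in Aggressive mode (IKEv1 identities are exchanged before the channel is encrypted)")
    if s["nat_detected"]:
        out.append(f"NAT detected for {' and '.join(s['nat_detected'])} "
                   f"({s['natd_mismatches']} NAT-D mismatches): IKE and ESP are carried in UDP 4500")
    if s["phase2_started"] is not None and not s["ipsec_sa"]:
        out.append("phase 2 started but no IPsec-SA was established")
    if s["isakmp_sa"] is not None and s["phase2_started"] is None:
        out.append("ISAKMP-SA established but phase 2 never started")
    out.extend(f"error: {e}" for e in s["errors"])
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"phase 1 took {phase1_seconds(summary):.0f}s, tunnel up after {tunnel_up_seconds(summary):.0f}s")
    for line in findings(summary):
        print(" -", line)
```

Feed it the racoon lines from a reconnect that failed and compare the milestones with a successful one; a run where the ISAKMP-SA appears but phase 2 never starts, or where phase 2 starts and no IPsec-SA follows, points at a different layer than a run where phase 1 itself never completes.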
I got it solved ;D ;D ;D In Phase 1, under Advanced Options, I switched NAT Traversal from Force to Enabled,
then disabled Dead Peer Detection. I have also used 3DES for the encryption algorithm. Now my mobile is connected to the VPN 24/7 and does not DC at all.