Netgate Discussion Forum
    Mobile IPSec (Android 4.2.1 => pfSense 2.0.2) with multiple Phase 2 not working
ITJunk

      Hi There!

Today at work I tried to implement a VPN solution using pfSense 2.0.2. First of all, please excuse that I do not have the config dump here right now, but I will provide it if needed later.

      Setup is:
      WAN: public IP
      LAN subnet: 10.10.10.0/24
      One other subnet: 10.20.20.0/24 routed through 10.10.10.89 (route added to pfsense, working fine!)
      IPSec and LAN firewall rules are currently open any to any bidirectional.

I created a mobile IPSec Mutual PSK + XAuth aggressive Phase 1. Added one Phase 2 for 10.10.10.0/24. Traffic is NATed to the LAN interface address to get inside (reason: I do not need to add routes from our infrastructure to get back to the VPN client subnet). Connection from mobile devices works perfectly, tested with an iPad and an Android 4.2.1 Nexus 4 using their bundled VPN settings (no extra VPN clients …). Only the 10.10.10.0/24 route is being pushed to the devices, flowing through tun0; "route -nr" on the devices confirmed it! Yes, this is a split tunnel scenario. No discussion please - it's mandatory ;)

Since we have one more subnet, I added a second Phase 2 for 10.20.20.0/24 (copied the initial Phase 2 and just changed the network). Reconnecting from the iPad shows both routes are being pushed and working - only traffic going to these subnets is being routed into the VPN, NATed perfectly on the LAN interface, and routed to the destination internally perfectly.

Android however is connecting, Phase 1 works, both Phase 2s go green, routes are set on the device - the VPN stays connected. As soon as I start sending traffic to one of the two subnets, I get an error in the racoon debug saying Phase 2 not found matching 0.0.0.0/0 and the complete VPN is dropped.

Currently bothering me: Is this something I can get working by adjusting settings on pfSense, or is it an Android problem of not being able to announce the correct Phase 2 proposals when using multiple ones?

      Thanks
      Tom

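The racoon error quoted above ("Phase 2 not found matching 0.0.0.0/0") is a selector mismatch: the responder only has Phase 2 entries for the two LAN networks, while the client proposes a selector for everything. The following is an added illustration, not code from the thread, pfSense or racoon: a simplified Python model of the Phase 2 selector lookup, assuming the responder accepts a proposal only when it matches a configured network (strict mode) or is contained in one (relaxed mode).

```python
import ipaddress

# Constructed model of the Phase 2 (quick mode) selector check described in
# the post. Not pfSense or racoon code: it only shows why two specific
# Phase 2 networks cannot satisfy a proposal for 0.0.0.0/0.

# Phase 2 local networks as configured in the post.
PHASE2_LOCAL_NETWORKS = ["10.10.10.0/24", "10.20.20.0/24"]


def find_phase2(proposed_dst, configured=PHASE2_LOCAL_NETWORKS, exact=True):
    """Return the configured Phase 2 network matching the client's proposed
    destination selector, or None (the "Phase 2 not found" case).

    exact=True  models strict ID matching (proposal must equal an entry).
    exact=False also accepts a proposal that lies inside an entry.
    """
    proposed = ipaddress.ip_network(proposed_dst, strict=False)
    for cidr in configured:
        net = ipaddress.ip_network(cidr)
        if proposed == net:
            return cidr
        if not exact and proposed.subnet_of(net):
            return cidr
    return None


def explain(proposed_dst, exact=True):
    """Human-readable verdict for a proposed selector."""
    match = find_phase2(proposed_dst, exact=exact)
    if match is None:
        return f"{proposed_dst}: no matching Phase 2, tunnel would be torn down"
    return f"{proposed_dst}: matches Phase 2 for {match}"


if __name__ == "__main__":
    # What the iPad does per the post: one proposal per pushed route.
    for selector in ["10.10.10.0/24", "10.20.20.0/24"]:
        print(explain(selector))
    # What the racoon log reports for the Android client.
    print(explain("0.0.0.0/0"))
    # Even relaxed matching cannot help: 0.0.0.0/0 is a superset, not a subnet.
    print(explain("0.0.0.0/0", exact=False))
```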
mbrossar

Did you ever find a solution to your problem? I have a similar problem. My Mobile Device IPSec settings work great for OS X and iOS. My Android device succeeds on the Phase 1 connection, but as soon as I try to connect to anything Phase 2 fails and the tunnel drops. I have multiple Phase 2s. My current hypothesis is that Android can't handle more than one Phase 2. I'm trying to get my hands on a test pfSense to test this hypothesis. Would love to hear if anyone has a solution.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.