IPsec & IPhone again
-
Hi folks,
I searched the forum and Google, but it's hopeless. I set up pfSense 2.0.1 and an iPhone 4S with iOS 5.0.1 and I can't get it working. The connection can be established and I'm authenticated, but I can't reach any target, neither on the LAN nor outside on the internet.
xx.xx.xx.xx is my WAN IP.
yy.yy.yy.yy is my iPhone's 3G IP.
10.99.99.0/24 is my virtual address pool for mobile clients.
192.168.111.0/24 is the LAN network.
I've also declared an any-any rule on the firewall.
########################################################################
$ cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp xx.xx.xx.xx [500];
    isakmp_natt xx.xx.xx.xx [4500];
}

mode_cfg
{
    auth_source system;
    group_source system;
    pool_size 253;
    network4 10.99.99.1;
    netmask4 255.255.255.0;
    dns4 8.8.8.8;
    save_passwd on;
}

remote anonymous
{
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address xx.xx.xx.xx;
    peers_identifier fqdn "vpnusers";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = force;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;
    passive on;

    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 86400 secs;
    }
}

sainfo anonymous
{
    remoteid 1;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    lifetime time 28800 secs;
    compression_algorithm deflate;
}
########################################################################
$ setkey -D
xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
    esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
    E: aes-cbc e22b34a7 9c3f1cb6 98d31f86 b6fea37c db3f4f09 a785ae13 a1c80be1 13418357
    A: hmac-sha1 70056e85 c0cbdeff 50e4da2c bd3a9b91 d55d99bb
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 5 19:38:17 2012  current: Jan 5 19:39:43 2012
    diff: 86(s)  hard: 3600(s)  soft: 2880(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=1 pid=58908 refcnt=1
yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
    esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
    E: aes-cbc ddbfd649 4f78a641 38359365 25ba1e7c 544c4372 969366a2 5b8166e1 d14c89b7
    A: hmac-sha1 93e94b10 318cbdd9 6b82be0b a1cdd507 a194048b
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 5 19:38:17 2012  current: Jan 5 19:39:43 2012
    diff: 86(s)  hard: 3600(s)  soft: 2880(s)
    last:  hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=0 pid=58908 refcnt=1
########################################################################
$ setkey -DP
192.168.111.0/24[any] 192.168.111.1[any] 255
    in none
    spid=10 seq=3 pid=60451
    refcnt=1
10.99.99.1[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique:1
    created: Jan 5 19:38:17 2012  lastused: Jan 5 19:38:17 2012
    lifetime: 3600(s) validtime: 0(s)
    spid=11 seq=2 pid=60451
    refcnt=1
192.168.111.1[any] 192.168.111.0/24[any] 255
    out none
    spid=9 seq=1 pid=60451
    refcnt=1
0.0.0.0/0[any] 10.99.99.1[any] 255
    out ipsec
    esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique:1
    created: Jan 5 19:38:17 2012  lastused: Jan 5 19:38:17 2012
    lifetime: 3600(s) validtime: 0(s)
    spid=12 seq=0 pid=60451
    refcnt=1
########################################################################
Any idea what's wrong here?
-
Ah… and here is the corresponding logfile (in reverse order):
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
Jan 5 19:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 5 19:58:27 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jan 5 19:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>yy.yy.yy.yy[34899]
Jan 5 19:58:27 racoon: WARNING: Ignored attribute 28683
Jan 5 19:58:27 racoon: ERROR: Cannot open "/etc/motd"
Jan 5 19:58:27 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Jan 5 19:58:27 racoon: INFO: login succeeded for user "sd"
Jan 5 19:58:27 racoon: INFO: Using port 0
Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
Jan 5 19:58:27 racoon: INFO: Sending Xauth request
Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
Jan 5 19:58:27 racoon: [yy.yy.yy.yy] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jan 5 19:58:27 racoon: INFO: NAT-D payload #1 doesn't match
Jan 5 19:58:27 racoon: INFO: NAT-D payload #0 doesn't match
Jan 5 19:58:27 racoon: [Self]: INFO: NAT-T: ports changed to: yy.yy.yy.yy[34899]<->xx.xx.xx.xx[4500]
Jan 5 19:58:26 racoon: INFO: Adding xauth VID payload.
Jan 5 19:58:26 racoon: [Self]: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[500] with algo #2 (NAT-T forced)
Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Hashing yy.yy.yy.yy[500] with algo #2 (NAT-T forced)
Jan 5 19:58:26 racoon: INFO: Adding remote and local NAT-D payloads.
Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Selected NAT-T version: RFC 3947
Jan 5 19:58:26 racoon: INFO: received Vendor ID: DPD
Jan 5 19:58:26 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Jan 5 19:58:26 racoon: INFO: received Vendor ID: RFC 3947
Jan 5 19:58:26 racoon: INFO: begin Aggressive mode.
Jan 5 19:58:26 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
-
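As an added diagnostic example (not part of the original thread, and not pfSense or racoon code), the script below parses a `setkey -D` dump and racoon log lines of the kind posted above and reports the two things worth checking before touching firewall rules: whether each ESP SA has actually protected any bytes, and whether IKE detected NAT and moved to UDP 4500 but phase 2 was then set up as plain Tunnel on port 500 (the "Adjusting my encmode UDP-Tunnel->Tunnel" and "IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500]" lines), i.e. raw ESP without UDP encapsulation. The two sample inputs are constructed from the posted output (key material dropped, same placeholder addresses; note the dump and the log come from different connection attempts on the page, and the script treats them as separate inputs). The `local_addr` parameter, the finding codes and all function names are mine.

```python
"""Sanity checks over a `setkey -D` dump and racoon log lines for a NAT-T
mobile IPsec client that authenticates but passes no traffic."""
import re
from dataclasses import dataclass

# Constructed sample: trimmed copy of the setkey -D dump posted in the thread.
SETKEY_DUMP = """\
xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
    esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 5 19:38:17 2012  current: Jan 5 19:39:43 2012
    diff: 86(s)  hard: 3600(s)  soft: 2880(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
    esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 5 19:38:17 2012  current: Jan 5 19:39:43 2012
    diff: 86(s)  hard: 3600(s)  soft: 2880(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
"""

# Constructed sample: the relevant racoon lines from the posted log, newest
# first as posted (the parser does not depend on the order).
RACOON_LOG = """\
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
Jan 5 19:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
Jan 5 19:58:27 racoon: [Self]: INFO: NAT-T: ports changed to: yy.yy.yy.yy[34899]<->xx.xx.xx.xx[4500]
"""


@dataclass
class SecurityAssociation:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = ""         # "esp" (raw, IP proto 50) or "esp-udp" (NAT-T encapsulated)
    mode: str = ""          # "tunnel", "transport" or "any"
    spi: int = 0
    bytes_current: int = 0  # bytes this SA has protected so far


# An SA block starts with an unindented "src[port] dst[port]" line.
SA_HEADER = re.compile(r"^([^\s\[]+)\[(\d+)\]\s+([^\s\[]+)\[(\d+)\]\s*$")
SA_PROTO = re.compile(r"^\s*(esp-udp|esp|ah)\s+mode=(\w+)\s+spi=(\d+)")
SA_BYTES = re.compile(r"^\s*current:\s+(\d+)\(bytes\)")


def parse_setkey_dump(text):
    """Return one SecurityAssociation per SA block in `setkey -D` output."""
    sas = []
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            sas.append(SecurityAssociation(m[1], int(m[2]), m[3], int(m[4])))
        elif not sas:
            continue  # ignore anything before the first SA header
        elif m := SA_PROTO.match(line):
            sas[-1].proto, sas[-1].mode, sas[-1].spi = m[1], m[2], int(m[3])
        elif m := SA_BYTES.match(line):
            sas[-1].bytes_current = int(m[1])
    return sas


LOG_NAT = re.compile(r"NAT detected: (.+?)\s*$")
LOG_ISAKMP = re.compile(r"ISAKMP-SA established [^\s\[]+\[(\d+)\]-[^\s\[]+\[(\d+)\]")
LOG_ESP = re.compile(r"IPsec-SA established: ESP [^\s\[]+\[(\d+)\]->[^\s\[]+\[(\d+)\]")
LOG_ENCMODE = re.compile(r"Adjusting my encmode (\S+)->(\S+)")


def parse_racoon_log(text):
    """Pull the NAT-T facts needed by diagnose() out of racoon log lines."""
    log = {"nat_detected": None, "isakmp_ports": None, "esp_ports": [], "encmode": []}
    for line in text.splitlines():
        if m := LOG_NAT.search(line):
            log["nat_detected"] = m[1]
        elif m := LOG_ISAKMP.search(line):
            log["isakmp_ports"] = (int(m[1]), int(m[2]))
        elif m := LOG_ESP.search(line):
            log["esp_ports"].append((int(m[1]), int(m[2])))
        elif m := LOG_ENCMODE.search(line):
            log["encmode"].append((m[1], m[2]))
    return log


def diagnose(sas, log, local_addr):
    """Return (code, message) findings; local_addr is the firewall's WAN address."""
    findings = []
    for sa in sas:
        direction = "inbound" if sa.dst == local_addr else "outbound"
        if sa.bytes_current == 0:
            findings.append(("zero-bytes",
                f"{direction} SA spi={sa.spi:#010x} ({sa.proto}, mode={sa.mode}) "
                f"{sa.src}->{sa.dst} has protected 0 bytes"))
    for old, new in log["encmode"]:
        if old.startswith("UDP-") and not new.startswith("UDP-"):
            findings.append(("encmode-downgrade",
                f"phase 2 encapsulation changed {old}->{new}: ESP will not be UDP-encapsulated"))
    if log["nat_detected"] and any(500 in ports for ports in log["esp_ports"]):
        findings.append(("esp-not-encapsulated",
            f"NAT detected ({log['nat_detected']}), IKE on UDP {log['isakmp_ports']}, but the "
            "ESP SAs were established on port 500 (raw ESP); a NAT in the path will usually drop it"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(parse_setkey_dump(SETKEY_DUMP),
                              parse_racoon_log(RACOON_LOG), "xx.xx.xx.xx"):
        print(f"[{code}] {msg}")
```

The byte counters matter because rules on the IPsec tab only see packets after decryption: an inbound SA that has protected 0 bytes after 86 seconds means no ESP from the phone was ever decrypted, so the block is earlier in the path (encapsulation, NAT, or carrier filtering) rather than in the firewall rules.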
Check your firewall rules.
-
On the IPsec interface:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
- - - - - - - none all - all - - - -
Is there anything else to do?
I've also tried a floating rule… same result.
-
-
Can you tell me what app you're using on the iPhone? I also have the iPhone but haven't tried it. Maybe I could try to mirror your problem and give you an update?
-
Maybe your 3G provider is blocking IPsec traffic? Most 3G providers use some kind of proxy for web traffic, and the ports for VPN are blocked most of the time. You can also try to connect over your Wi-Fi connection (if you have one) to see if your config is OK.