iPhone to pfSense 2.3 not working
-
Hi everyone,
sorry, I am a complete newbie at pfSense and am unable to establish an IPsec VPN from my iPhone on 9.3.1 to my new pfSense installation (2.3.r.20160409.2309_1) on an APU2c4.
I followed the instructions from here: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To , but some of the settings mentioned there are no longer available in 2.3 and, sadly, following these instructions as closely as possible just wasn't working.
Has anyone had success with the latest iOS? (I note that Diffie-Hellman group 14 is now supported in iOS and perhaps some other stuff was dropped???) It could be the new 2.3 version of pfSense too of course, or most likely it is just me.
Any help / instructions would be appreciated.
I enclose my log entries below. I replaced my pfSense machine's IP address with 'MYIP' below. The remote access was using the data services from my phone.
Thanks
Apr 10 16:04:47 charon 05[IKE] <2> IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Apr 10 16:04:47 charon 05[NET] <2> sending packet: from MYIP [500] to 85.255.233.207[50694] (56 bytes)
Apr 10 16:04:47 charon 05[ENC] <2> generating INFORMATIONAL_V1 request 1932288567 [ N(AUTH_FAILED) ]
Apr 10 16:04:47 charon 05[IKE] <2> activating INFORMATIONAL task
Apr 10 16:04:47 charon 05[IKE] <2> activating new tasks
Apr 10 16:04:47 charon 05[IKE] <2> queueing INFORMATIONAL task
Apr 10 16:04:47 charon 05[IKE] <2> Aggressive Mode PSK disabled for security reasons
Apr 10 16:04:47 charon 05[CFG] <2> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <2> proposal matches
Apr 10 16:04:47 charon 05[CFG] <2> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <2> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <2> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <2> selecting proposal:
Apr 10 16:04:47 charon 05[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Apr 10 16:04:47 charon 05[IKE] <2> 85.255.233.207 is initiating a Aggressive Mode IKE_SA
Apr 10 16:04:47 charon 05[IKE] <2> received DPD vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received Cisco Unity vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received XAuth vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received NAT-T (RFC 3947) vendor ID
Apr 10 16:04:47 charon 05[IKE] <2> received FRAGMENTATION vendor ID
Apr 10 16:04:47 charon 05[CFG] <2> found matching ike config: MYIP…%any with prio 1048
Apr 10 16:04:47 charon 05[CFG] <2> candidate: MYIP…%any, prio 1048
Apr 10 16:04:47 charon 05[CFG] <2> looking for an ike config for MYIP…85.255.233.207
Apr 10 16:04:47 charon 05[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Apr 10 16:04:47 charon 05[NET] <2> received packet: from 85.255.233.207[50694] to MYIP[500] (786 bytes)
Apr 10 16:04:47 charon 05[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Apr 10 16:04:47 charon 05[NET] <1> sending packet: from MYIP [500] to 85.255.233.207[50694] (56 bytes)
Apr 10 16:04:47 charon 05[ENC] <1> generating INFORMATIONAL_V1 request 4190151276 [ N(NO_PROP) ]
Apr 10 16:04:47 charon 05[IKE] <1> activating INFORMATIONAL task
Apr 10 16:04:47 charon 05[IKE] <1> activating new tasks
Apr 10 16:04:47 charon 05[IKE] <1> queueing INFORMATIONAL task
Apr 10 16:04:47 charon 05[IKE] <1> no proposal found
Apr 10 16:04:47 charon 05[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Apr 10 16:04:47 charon 05[IKE] <1> 85.255.233.207 is initiating a Aggressive Mode IKE_SA
Apr 10 16:04:47 charon 05[IKE] <1> received DPD vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received Cisco Unity vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received XAuth vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received NAT-T (RFC 3947) vendor ID
Apr 10 16:04:47 charon 05[IKE] <1> received FRAGMENTATION vendor ID
Apr 10 16:04:47 charon 05[CFG] <1> found matching ike config: MYIP…%any with prio 1048
Apr 10 16:04:47 charon 05[CFG] <1> candidate: MYIP…%any, prio 1048
Apr 10 16:04:47 charon 05[CFG] <1> looking for an ike config for MYIP…85.255.233.207
Apr 10 16:04:47 charon 05[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Apr 10 16:04:47 charon 05[NET] <1> received packet: from 85.255.233.207[50694] to MYIP [500] (786 bytes)
-
I would suggest deploying with 2.2.6. 2.3 is RC and, if this is your first go at it, try that first. Also post screenshots, masking private info of course.
-
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Apr 10 16:04:47 charon 05[CFG] <1> selecting proposal:
Apr 10 16:04:47 charon 05[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Apr 10 16:04:47 charon 05[IKE] <1> 85.255.233.207 is initiating a Aggressive Mode IKE_SA
This is your problem, possibly a phase 2 issue? See here for further information: https://doc.pfsense.org/index.php/IPsec_Troubleshooting
-
For 2.3 I would use this:
I have this working on 2.2.6 in many environments and it works perfectly!
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
-
Thanks to both of you, I'll go back to 2.2.6 and start from there. I was hoping I could avoid the certificate route, but if it works - that would be great!
-
I like the cert route as it adds another layer of security. It means that without the cert you cannot connect via VPN. Unless the person is highly technical, they are not going to know how to export a copy of the cert to provide someone else with access from another device.
-
I'll go back to 2.2.6 and start from there.
No point; your config doesn't match and isn't going to match on any other version. That works fine in 2.3.
Check the "received proposals" and "configured proposals" log lines: you have nothing in common between the client and server. The client wants AES 256, and you only have AES 128 configured. Switch it to AES 256.
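A small checker, added here as an example and not code from the thread or from pfSense, that does the comparison the reply above describes: it parses charon's "configured proposals" and "received proposals" lines per IKE_SA, lists the proposals both sides accept, and for each transform field (encryption, integrity, PRF, DH group) with no overlap shows what the client offered against what the server is configured for. The sample lines are taken from the log posted above, trimmed to the proposals that matter.

```python
import re
from collections import defaultdict

# Constructed sample: the "configured"/"received proposals" lines from the charon
# log posted above, trimmed to the proposals that matter for the comparison.
SAMPLE_LOG = """\
Apr 10 16:04:47 charon 05[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 10 16:04:47 charon 05[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 10 16:04:47 charon 05[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

LINE_RE = re.compile(r"<(?P<sa>\d+)> (?P<kind>configured|received) proposals: (?P<props>.+)$")
FIELDS = ("encryption", "integrity", "prf", "dh_group")  # order inside an IKE proposal


def parse_proposals(text):
    """Map IKE_SA id -> {"configured": [...], "received": [...]} of proposal strings."""
    by_sa = defaultdict(lambda: {"configured": [], "received": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            props = [p.strip() for p in m.group("props").split(",")]
            by_sa[m.group("sa")][m.group("kind")].extend(props)
    return dict(by_sa)


def transforms(proposal):
    """'IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> per-field dict."""
    return dict(zip(FIELDS, proposal.partition(":")[2].split("/")))


def analyze(text):
    """Per SA: proposals both sides accept, and for every field with no overlap the
    (offered by client, configured on server) values, so the gap is readable."""
    report = {}
    for sa, sides in parse_proposals(text).items():
        common = sorted(set(sides["configured"]) & set(sides["received"]))
        offered = {f: {transforms(p)[f] for p in sides["received"]} for f in FIELDS}
        configured = {f: {transforms(p)[f] for p in sides["configured"]} for f in FIELDS}
        gaps = {f: (sorted(offered[f]), sorted(configured[f]))
                for f in FIELDS if not offered[f] & configured[f]}
        report[sa] = {"common": common, "gaps": gaps}
    return report


if __name__ == "__main__":
    for sa, r in analyze(SAMPLE_LOG).items():
        print(f"IKE_SA <{sa}>: common={r['common'] or 'NONE'} gaps={r['gaps']}")
```

On these lines it reports no overlap for IKE_SA <1> (AES 256 and MODP 2048 offered against AES 128 and MODP 1024 configured) and a matching proposal for IKE_SA <2>; for an SA that does match, the reason it still fails is in the later lines, as with the "Aggressive Mode PSK disabled for security reasons" line in the log above.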
-
Follow the instructions provided by kavara for IKEv2 with EAP-MSCHAPv2. IKEv2 is not only more secure than IKEv1 but also much quicker in establishing a connection. Just send the certificate you downloaded from pfSense via e-mail to your iPhone and click on it in the e-mail to install; that's all.