IPsec mobile clients - iPhone
Hello,
I use pfSense version 2.2.5. I have successfully set up site-to-site IPsec VPNs. I can't for the life of me get my iPhone to connect using IPsec mobile clients. I've googled the heck out of it for months and can't figure it out. Has anyone been able to make this work? I get "User authentication failed" on the iPhone and in the IPsec log I see this:
Dec 21 22:45:41 charon: 16[IKE] <con20|504>destroying IKE_SA after failed XAuth authentication
Dec 21 22:45:41 charon: 16[ENC] <con20|504>parsed TRANSACTION response 421160361 [ HASH CPA(X_STATUS) ]
Dec 21 22:45:41 charon: 16[NET] <con20|504>received packet: from 70.194.10.235[10131] to XXX.XXX.XXX.XXX[4500] (76 bytes)
Dec 21 22:45:41 charon: 16[NET] <con19000|501>sending packet: from XXX.XXX.XXX.XXX[500] to 50.33.83.26[500] (365 bytes)
Dec 21 22:45:41 charon: 16[IKE] <con19000|501>sending retransmit 1 of response message ID 0, seq 1
Dec 21 22:45:41 charon: 11[NET] <con20|504>sending packet: from XXX.XXX.XXX.XXX[4500] to 70.194.10.235[10131] (76 bytes)
Dec 21 22:45:41 charon: 11[ENC] <con20|504>generating TRANSACTION request 421160361 [ HASH CPS(X_STATUS) ]
Dec 21 22:45:41 charon: 11[IKE] <con20|504>XAuth authentication of 'myuser' failed
Dec 21 22:45:41 charon: 11[IKE] <con20|504>Could not authenticate with XAuth secrets for '66.188.51.46' - 'myuser'
Dec 21 22:45:41 charon: 11[IKE] <con20|504>XAuth-SCRIPT failed for user 'myuser' with return status: -1.
Dec 21 22:45:41 charon: user 'myuser' could not authenticate.
Dec 21 22:45:41 charon: user 'myuser' cannot authenticate through IPsec since the required privileges are missing.
Dec 21 22:45:40 charon: 11[ENC] <con20|504>parsed TRANSACTION response 493555002 [ HASH CPRP(X_USER X_PWD) ]
Dec 21 22:45:40 charon: 11[NET] <con20|504>received packet: from 70.194.10.235[10131] to XXX.XXX.XXX.XXX[4500] (92 bytes)
Dec 21 22:45:40 charon: 11[NET] <con20|504>sending packet: from XXX.XXX.XXX.XXX[4500] to 70.194.10.235[10131] (76 bytes)
Dec 21 22:45:40 charon: 11[ENC] <con20|504>generating TRANSACTION request 493555002 [ HASH CPRQ(X_USER X_PWD) ]
Dec 21 22:45:40 charon: 11[IKE] <con20|504>remote host is behind NAT
Dec 21 22:45:40 charon: 11[ENC] <con20|504>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D N(INITIAL_CONTACT) ]
Dec 21 22:45:40 charon: 11[NET] <con20|504>received packet: from 70.194.10.235[10131] to XXX.XXX.XXX.XXX[4500] (140 bytes)
Dec 21 22:45:40 charon: 11[IKE] <con18000|503>INFORMATIONAL_V1 request with message ID 4112890446 processing failed
Dec 21 22:45:40 charon: 11[IKE] <con18000|503>ignore malformed INFORMATIONAL request
Dec 21 22:45:40 charon: 11[IKE] <con18000|503>message parsing failed
Dec 21 22:45:40 charon: 11[ENC] <con18000|503>could not decrypt payloads
Dec 21 22:45:40 charon: 11[ENC] <con18000|503>invalid HASH_V1 payload length, decryption failed?
Dec 21 22:45:40 charon: 11[NET] <con18000|503>received packet: from 75.12.81.114[500] to XXX.XXX.XXX.XXX[500] (68 bytes)
Dec 21 22:45:40 charon: 11[NET] <con20|504>sending packet: from XXX.XXX.XXX.XXX[500] to 70.194.10.235[10135] (440 bytes)
Dec 21 22:45:40 charon: 11[ENC] <con20|504>generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Dec 21 22:45:40 charon: 11[CFG] <504> selected peer config "con20"
Dec 21 22:45:40 charon: 11[CFG] <504> looking for XAuthInitPSK peer configs matching XXX.XXX.XXX.XXX…70.194.10.235[mydomain.com]
Dec 21 22:45:40 charon: 11[IKE] <504> 70.194.10.235 is initiating a Aggressive Mode IKE_SA

Any tips would be great. Thanks,
emkowale
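The failing exchange in the log above, read by a small parser added here as an example (not from the original post, nor from pfSense or strongSwan): it groups charon lines by IKE_SA id and, for the SA that ends in "destroying IKE_SA after failed XAuth authentication", lists the messages that explain the failure in chronological order. The sample log is a constructed subset of the one in the post with a documentation-range address, and the plain-language cause descriptions are an assumed reading of those messages.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the post's charon log (newest line first,
# as pfSense shows it); 192.0.2.10 is a documentation-range placeholder.
SAMPLE_LOG = """\
Dec 21 22:45:41 charon: 16[IKE] <con20|504>destroying IKE_SA after failed XAuth authentication
Dec 21 22:45:41 charon: 11[IKE] <con20|504>XAuth authentication of 'myuser' failed
Dec 21 22:45:41 charon: 11[IKE] <con20|504>XAuth-SCRIPT failed for user 'myuser' with return status: -1.
Dec 21 22:45:41 charon: user 'myuser' could not authenticate.
Dec 21 22:45:41 charon: user 'myuser' cannot authenticate through IPsec since the required privileges are missing.
Dec 21 22:45:40 charon: 11[ENC] <con18000|503>invalid HASH_V1 payload length, decryption failed?
Dec 21 22:45:40 charon: 11[CFG] <504> selected peer config "con20"
Dec 21 22:45:40 charon: 11[IKE] <504> 192.0.2.10 is initiating a Aggressive Mode IKE_SA
"""
# timestamp, optional "thread[SUBSYS]", optional "<conn|sa>" or "<sa>", message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: "
                     r"(?:(?P<thread>\d+)\[(?P<subsys>\w+)\] )?"
                     r"(?:<(?:(?P<conn>\w+)\|)?(?P<sa>\d+)> ?)?(?P<msg>.*)$")
# Assumed mapping from charon/pfSense messages to a plain-language cause.
XAUTH_CAUSES = [
    ("privileges are missing", "pfSense user lacks the IPsec XAuth dial-in privilege"),
    ("XAuth-SCRIPT failed", "pfSense XAuth helper script rejected the login"),
    ("XAuth authentication of", "XAuth credentials rejected by strongSwan"),
]

def parse_line(line):
    """Fields of one charon log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose_xauth(log_text):
    """Map each IKE_SA id whose XAuth failed to its causes, oldest first. pfSense's
    'user ...' lines carry no SA id; they are attached when exactly one SA failed."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.reverse()  # back to chronological order
    failed = {e["sa"] for e in entries if e["sa"] and "failed XAuth" in e["msg"]}
    result = defaultdict(list)
    for e in entries:
        sa = e["sa"] or (next(iter(failed)) if len(failed) == 1 else None)
        if sa not in failed:
            continue
        for needle, cause in XAUTH_CAUSES:
            if needle in e["msg"] and cause not in result[sa]:
                result[sa].append(cause)
    return dict(result)

if __name__ == "__main__":
    for sa, causes in diagnose_xauth(SAMPLE_LOG).items():
        print(f"IKE_SA {sa} failed XAuth:", *causes, sep="\n  ")
```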