Cannot connect to IPsec VPN from iOS 10.2
-
I have been having difficulty with this VPN configuration for quite some time, but I have finally got it to the point of (nearly) working. I am able to connect on OS X, but not iOS (which is the main OS that this VPN will be used for). Some starter info: my WAN interface is labelled WAN and LAN is labelled LAN (easy enough); the LAN subnet is 192.168.1.0/24. DHCP runs from 192.168.1.100 to 192.168.1.254, and pfSense's IP is 192.168.1.1. Ideally the clients will be able to connect to all devices on 192.168.1.0/24, in addition to all traffic being forwarded out WAN. My IPsec configuration is as follows:
VPN -> IPsec -> Mobile Clients:
IKE Extensions: Checked
User Authentication: Local Database
Group Authentication: none
Virtual Address Pool: Checked, 192.168.1.50/28
Virtual IPv6 Address Pool: Unchecked
Network List: Checked
Save Xauth Password: Checked
DNS Default Domain: Unchecked
Split DNS: Unchecked
DNS Servers: Checked
Server #1-3: Local DNS server (on LAN, 192.168.1.122), 8.8.8.8, 8.8.4.4
WINS Servers: Unchecked
Phase2 PFS Group: Unchecked
Login Banner: Unchecked
VPN -> IPsec -> Tunnels -> Phase 1:
Disabled: Unchecked
Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN
Description: Blank
Authentication Method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: My IP address
Peer identifier: vpnusers@domain.tld
Pre-shared Key: *****************
Encryption Algorithm: AES 128 bits
Hash Algorithm: SHA1
DH Group: 2 (1024 bit)
Lifetime (Seconds): 86400
Disable rekey: Unchecked
Responder only: Unchecked
NAT Traversal: Force
Dead Peer Detection: Checked
Delay: 10
Max failures: 5
VPN -> IPsec -> Tunnels -> Phase 2:
Disabled: Unchecked
Mode: Tunnel IPv4
Local Network: Network 0.0.0.0/0
NAT/BINAT translation: None
Description: blank
Protocol: ESP
Encryption Algorithms: AES 128 bits only
Hash Algorithms: SHA1 only
PFS key group: off
Lifetime: 28800 seconds
Automatically ping host: blank
Firewall -> Rules -> IPsec: IPv4 * * * * * * (allow all on any from any to any)
Here is the IPsec log when attempting a connection on iOS (on LTE, not the local network):
Mar 25 18:47:09 charon 12[NET] <13> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
Mar 25 18:47:09 charon 12[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 25 18:47:09 charon 12[CFG] <13> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
Mar 25 18:47:09 charon 12[CFG] <13> candidate: %any...%any, prio 24
Mar 25 18:47:09 charon 12[CFG] <13> candidate: {IPSEC_SERVER}...%any, prio 1052
Mar 25 18:47:09 charon 12[CFG] <13> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
Mar 25 18:47:09 charon 12[IKE] <13> received FRAGMENTATION vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received NAT-T (RFC 3947) vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received XAuth vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received Cisco Unity vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> received DPD vendor ID
Mar 25 18:47:09 charon 12[IKE] <13> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 18:47:09 charon 12[IKE] <13> IKE_SA (unnamed)[13] state change: CREATED => CONNECTING
Mar 25 18:47:09 charon 12[CFG] <13> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <13> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <13> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <13> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <13> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Mar 25 18:47:09 charon 12[CFG] <13> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:09 charon 12[IKE] <13> no proposal found
Mar 25 18:47:09 charon 12[IKE] <13> queueing INFORMATIONAL task
Mar 25 18:47:09 charon 12[IKE] <13> activating new tasks
Mar 25 18:47:09 charon 12[IKE] <13> activating INFORMATIONAL task
Mar 25 18:47:09 charon 12[ENC] <13> generating INFORMATIONAL_V1 request 4149312655 [ N(NO_PROP) ]
Mar 25 18:47:09 charon 12[NET] <13> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (56 bytes)
Mar 25 18:47:09 charon 12[IKE] <13> IKE_SA (unnamed)[13] state change: CONNECTING => DESTROYING
Mar 25 18:47:09 charon 12[NET] <14> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
Mar 25 18:47:09 charon 12[ENC] <14> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 25 18:47:09 charon 12[CFG] <14> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
Mar 25 18:47:09 charon 12[CFG] <14> candidate: %any...%any, prio 24
Mar 25 18:47:09 charon 12[CFG] <14> candidate: {IPSEC_SERVER}...%any, prio 1052
Mar 25 18:47:09 charon 12[CFG] <14> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
Mar 25 18:47:09 charon 12[IKE] <14> received FRAGMENTATION vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received NAT-T (RFC 3947) vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received XAuth vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received Cisco Unity vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> received DPD vendor ID
Mar 25 18:47:09 charon 12[IKE] <14> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 18:47:09 charon 12[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
Mar 25 18:47:09 charon 12[CFG] <14> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <14> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 18:47:09 charon 12[CFG] <14> selecting proposal:
Mar 25 18:47:09 charon 12[CFG] <14> proposal matches
Mar 25 18:47:09 charon 12[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 25 18:47:09 charon 12[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:09 charon 12[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:09 charon 12[CFG] <14> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{IOS_CLIENT}[vpnusers@barker.ddns.net]
Mar 25 18:47:09 charon 12[CFG] <14> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 25 18:47:09 charon 12[CFG] <14> candidate "con1", match: 1/1/1052 (me/other/ike)
Mar 25 18:47:09 charon 12[CFG] <14> selected peer config "con1"
Mar 25 18:47:09 charon 12[IKE] <con1|14> sending XAuth vendor ID
Mar 25 18:47:09 charon 12[IKE] <con1|14> sending DPD vendor ID
Mar 25 18:47:09 charon 12[IKE] <con1|14> sending FRAGMENTATION vendor ID
Mar 25 18:47:09 charon 12[IKE] <con1|14> sending NAT-T (RFC 3947) vendor ID
Mar 25 18:47:09 charon 12[ENC] <con1|14> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Mar 25 18:47:09 charon 12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (412 bytes)
Mar 25 18:47:09 charon 12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 18:47:09 charon 12[IKE] <con1|14> queueing INFORMATIONAL_V1 request as tasks still active
Mar 25 18:47:09 charon 10[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (100 bytes)
Mar 25 18:47:09 charon 10[ENC] <con1|14> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mar 25 18:47:09 charon 10[IKE] <con1|14> queueing XAUTH task
Mar 25 18:47:09 charon 10[IKE] <con1|14> remote host is behind NAT
Mar 25 18:47:09 charon 10[ENC] <con1|14> parsed INFORMATIONAL_V1 request 3237568392 [ HASH N(INITIAL_CONTACT) ]
Mar 25 18:47:09 charon 10[IKE] <con1|14> activating new tasks
Mar 25 18:47:09 charon 10[IKE] <con1|14> activating XAUTH task
Mar 25 18:47:09 charon 10[ENC] <con1|14> generating TRANSACTION request 3475687874 [ HASH CPRQ(X_USER X_PWD) ]
Mar 25 18:47:09 charon 10[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
Mar 25 18:47:09 charon 12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 18:47:09 charon 12[ENC] <con1|14> parsed TRANSACTION response 3475687874 [ HASH CPRP(X_USER X_PWD) ]
Mar 25 18:47:10 charon user '{USERNAME}' authenticated
Mar 25 18:47:10 charon 12[IKE] <con1|14> XAuth-SCRIPT succeeded for user '{USERNAME}'.
Mar 25 18:47:10 charon 12[IKE] <con1|14> XAuth authentication of '{USERNAME}' successful
Mar 25 18:47:10 charon 12[IKE] <con1|14> reinitiating already active tasks
Mar 25 18:47:10 charon 12[IKE] <con1|14> XAUTH task
Mar 25 18:47:10 charon 12[ENC] <con1|14> generating TRANSACTION request 989377680 [ HASH CPS(X_STATUS) ]
Mar 25 18:47:10 charon 12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
Mar 25 18:47:10 charon 12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (76 bytes)
Mar 25 18:47:10 charon 12[ENC] <con1|14> parsed TRANSACTION response 989377680 [ HASH CPA(X_STATUS) ]
Mar 25 18:47:10 charon 12[IKE] <con1|14> IKE_SA con1[14] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
Mar 25 18:47:10 charon 12[IKE] <con1|14> IKE_SA con1[14] state change: CONNECTING => ESTABLISHED
Mar 25 18:47:10 charon 12[IKE] <con1|14> scheduling reauthentication in 85442s
Mar 25 18:47:10 charon 12[IKE] <con1|14> maximum IKE_SA lifetime 85982s
Mar 25 18:47:10 charon 12[IKE] <con1|14> activating new tasks
Mar 25 18:47:10 charon 12[IKE] <con1|14> nothing to initiate
Mar 25 18:47:10 charon 09[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (172 bytes)
Mar 25 18:47:10 charon 09[ENC] <con1|14> unknown attribute type (28683)
Mar 25 18:47:10 charon 09[ENC] <con1|14> parsed TRANSACTION request 848382079 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing INTERNAL_IP4_ADDRESS attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing INTERNAL_IP4_NETMASK attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing INTERNAL_IP4_DNS attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing INTERNAL_IP4_NBNS attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing INTERNAL_ADDRESS_EXPIRY attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing APPLICATION_VERSION attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_BANNER attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_DEF_DOMAIN attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_SPLITDNS_NAME attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_SPLIT_INCLUDE attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_LOCAL_LAN attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_PFS attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_SAVE_PASSWD attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_FW_TYPE attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing UNITY_BACKUP_SERVERS attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> processing (28683) attribute
Mar 25 18:47:10 charon 09[IKE] <con1|14> peer requested virtual IP %any
Mar 25 18:47:10 charon 09[CFG] <con1|14> reassigning offline lease to '{USERNAME}'
Mar 25 18:47:10 charon 09[IKE] <con1|14> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
Mar 25 18:47:10 charon 09[ENC] <con1|14> generating TRANSACTION response 848382079 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
Mar 25 18:47:10 charon 09[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (124 bytes)
Mar 25 18:47:20 charon 12[IKE] <con1|14> sending DPD request
Mar 25 18:47:20 charon 12[IKE] <con1|14> queueing ISAKMP_DPD task
Mar 25 18:47:20 charon 12[IKE] <con1|14> activating new tasks
Mar 25 18:47:20 charon 12[IKE] <con1|14> activating ISAKMP_DPD task
Mar 25 18:47:20 charon 12[ENC] <con1|14> generating INFORMATIONAL_V1 request 2909798410 [ HASH N(DPD) ]
Mar 25 18:47:20 charon 12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (92 bytes)
Mar 25 18:47:20 charon 12[IKE] <con1|14> activating new tasks
Mar 25 18:47:20 charon 12[IKE] <con1|14> nothing to initiate
Mar 25 18:47:20 charon 12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 18:47:20 charon 12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 518142421 [ HASH N(DPD_ACK) ]
Mar 25 18:47:20 charon 12[IKE] <con1|14> activating new tasks
Mar 25 18:47:20 charon 12[IKE] <con1|14> nothing to initiate
Mar 25 18:47:26 charon 12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 18:47:26 charon 12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 912504045 [ HASH D ]
Mar 25 18:47:26 charon 12[IKE] <con1|14> received DELETE for IKE_SA con1[14]
Mar 25 18:47:26 charon 12[IKE] <con1|14> deleting IKE_SA con1[14] between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
Mar 25 18:47:26 charon 12[IKE] <con1|14> IKE_SA con1[14] state change: ESTABLISHED => DELETING
Mar 25 18:47:26 charon 12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DELETING
Mar 25 18:47:26 charon 12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DESTROYING
Mar 25 18:47:26 charon 12[CFG] <con1|14> lease 192.168.1.50 by '{USERNAME}' went offline
Initializing a functioning connection from OS X:
Mar 25 19:25:34 charon 13[CFG] vici client 1 connected
Mar 25 19:25:34 charon 14[CFG] vici client 1 registered for: list-sa
Mar 25 19:25:34 charon 14[CFG] vici client 1 requests: list-sas
Mar 25 19:25:34 charon 14[CFG] vici client 1 disconnected
Mar 25 19:25:39 charon 14[CFG] vici client 2 connected
Mar 25 19:25:39 charon 14[CFG] vici client 2 registered for: list-sa
Mar 25 19:25:39 charon 14[CFG] vici client 2 requests: list-sas
Mar 25 19:25:39 charon 15[CFG] vici client 2 disconnected
Mar 25 19:25:44 charon 14[CFG] vici client 3 connected
Mar 25 19:25:44 charon 14[CFG] vici client 3 registered for: list-sa
Mar 25 19:25:44 charon 11[CFG] vici client 3 requests: list-sas
Mar 25 19:25:44 charon 14[CFG] vici client 3 disconnected
Mar 25 19:26:01 charon 14[NET] <16> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
Mar 25 19:26:01 charon 14[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 25 19:26:01 charon 14[CFG] <16> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
Mar 25 19:26:01 charon 14[CFG] <16> candidate: %any...%any, prio 24
Mar 25 19:26:01 charon 14[CFG] <16> candidate: {IPSEC_SERVER}...%any, prio 1052
Mar 25 19:26:01 charon 14[CFG] <16> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
Mar 25 19:26:01 charon 14[IKE] <16> received FRAGMENTATION vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received NAT-T (RFC 3947) vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received XAuth vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received Cisco Unity vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> received DPD vendor ID
Mar 25 19:26:01 charon 14[IKE] <16> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 19:26:01 charon 14[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
Mar 25 19:26:01 charon 14[CFG] <16> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <16> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <16> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <16> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Mar 25 19:26:01 charon 14[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 19:26:01 charon 14[IKE] <16> no proposal found
Mar 25 19:26:01 charon 14[IKE] <16> queueing INFORMATIONAL task
Mar 25 19:26:01 charon 14[IKE] <16> activating new tasks
Mar 25 19:26:01 charon 14[IKE] <16> activating INFORMATIONAL task
Mar 25 19:26:01 charon 14[ENC] <16> generating INFORMATIONAL_V1 request 1842137378 [ N(NO_PROP) ]
Mar 25 19:26:01 charon 14[NET] <16> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (56 bytes)
Mar 25 19:26:01 charon 14[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Mar 25 19:26:01 charon 14[NET] <17> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
Mar 25 19:26:01 charon 14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Mar 25 19:26:01 charon 14[CFG] <17> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
Mar 25 19:26:01 charon 14[CFG] <17> candidate: %any...%any, prio 24
Mar 25 19:26:01 charon 14[CFG] <17> candidate: {IPSEC_SERVER}...%any, prio 1052
Mar 25 19:26:01 charon 14[CFG] <17> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
Mar 25 19:26:01 charon 14[IKE] <17> received FRAGMENTATION vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received NAT-T (RFC 3947) vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received XAuth vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received Cisco Unity vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> received DPD vendor ID
Mar 25 19:26:01 charon 14[IKE] <17> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 19:26:01 charon 14[IKE] <17> IKE_SA (unnamed)[17] state change: CREATED => CONNECTING
Mar 25 19:26:01 charon 14[CFG] <17> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <17> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:01 charon 14[CFG] <17> selecting proposal:
Mar 25 19:26:01 charon 14[CFG] <17> proposal matches
Mar 25 19:26:01 charon 14[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 25 19:26:01 charon 14[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 19:26:01 charon 14[CFG] <17> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 19:26:01 charon 14[CFG] <17> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{OSX_CLIENT}[vpnusers@barker.ddns.net]
Mar 25 19:26:01 charon 14[CFG] <17> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 25 19:26:01 charon 14[CFG] <17> candidate "con1", match: 1/1/1052 (me/other/ike)
Mar 25 19:26:01 charon 14[CFG] <17> selected peer config "con1"
Mar 25 19:26:01 charon 14[IKE] <con1|17> sending XAuth vendor ID
Mar 25 19:26:01 charon 14[IKE] <con1|17> sending DPD vendor ID
Mar 25 19:26:01 charon 14[IKE] <con1|17> sending FRAGMENTATION vendor ID
Mar 25 19:26:01 charon 14[IKE] <con1|17> sending NAT-T (RFC 3947) vendor ID
Mar 25 19:26:01 charon 14[ENC] <con1|17> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Mar 25 19:26:01 charon 14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (412 bytes)
Mar 25 19:26:01 charon 14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (100 bytes)
Mar 25 19:26:01 charon 14[ENC] <con1|17> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mar 25 19:26:01 charon 14[IKE] <con1|17> queueing XAUTH task
Mar 25 19:26:01 charon 14[IKE] <con1|17> faking NAT situation to enforce UDP encapsulation
Mar 25 19:26:01 charon 14[IKE] <con1|17> activating new tasks
Mar 25 19:26:01 charon 14[IKE] <con1|17> activating XAUTH task
Mar 25 19:26:01 charon 14[ENC] <con1|17> generating TRANSACTION request 2079721641 [ HASH CPRQ(X_USER X_PWD) ]
Mar 25 19:26:01 charon 14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
Mar 25 19:26:01 charon 14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 19:26:01 charon 14[ENC] <con1|17> parsed INFORMATIONAL_V1 request 2511949227 [ HASH N(INITIAL_CONTACT) ]
Mar 25 19:26:01 charon 04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
Mar 25 19:26:01 charon 04[ENC] <con1|17> parsed TRANSACTION response 2079721641 [ HASH CPRP(X_USER X_PWD) ]
Mar 25 19:26:01 charon user '{USERNAME}' authenticated
Mar 25 19:26:01 charon 04[IKE] <con1|17> XAuth-SCRIPT succeeded for user '{USERNAME}'.
Mar 25 19:26:01 charon 04[IKE] <con1|17> XAuth authentication of '{USERNAME}' successful
Mar 25 19:26:01 charon 04[IKE] <con1|17> reinitiating already active tasks
Mar 25 19:26:01 charon 04[IKE] <con1|17> XAUTH task
Mar 25 19:26:01 charon 04[ENC] <con1|17> generating TRANSACTION request 1395159188 [ HASH CPS(X_STATUS) ]
Mar 25 19:26:01 charon 04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
Mar 25 19:26:01 charon 14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (76 bytes)
Mar 25 19:26:01 charon 14[ENC] <con1|17> parsed TRANSACTION response 1395159188 [ HASH CPA(X_STATUS) ]
Mar 25 19:26:01 charon 14[IKE] <con1|17> IKE_SA con1[17] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{OSX_CLIENT}[vpnusers@barker.ddns.net]
Mar 25 19:26:01 charon 14[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => ESTABLISHED
Mar 25 19:26:01 charon 14[IKE] <con1|17> scheduling reauthentication in 85777s
Mar 25 19:26:01 charon 14[IKE] <con1|17> maximum IKE_SA lifetime 86317s
Mar 25 19:26:01 charon 14[IKE] <con1|17> activating new tasks
Mar 25 19:26:01 charon 14[IKE] <con1|17> nothing to initiate
Mar 25 19:26:01 charon 04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (172 bytes)
Mar 25 19:26:01 charon 04[ENC] <con1|17> unknown attribute type (28683)
Mar 25 19:26:01 charon 04[ENC] <con1|17> parsed TRANSACTION request 3617415040 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing INTERNAL_IP4_ADDRESS attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing INTERNAL_IP4_NETMASK attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing INTERNAL_IP4_DNS attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing INTERNAL_IP4_NBNS attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing INTERNAL_ADDRESS_EXPIRY attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing APPLICATION_VERSION attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_BANNER attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_DEF_DOMAIN attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_SPLITDNS_NAME attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_SPLIT_INCLUDE attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_LOCAL_LAN attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_PFS attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_SAVE_PASSWD attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_FW_TYPE attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing UNITY_BACKUP_SERVERS attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> processing (28683) attribute
Mar 25 19:26:01 charon 04[IKE] <con1|17> peer requested virtual IP %any
Mar 25 19:26:01 charon 04[CFG] <con1|17> reassigning offline lease to '{USERNAME}'
Mar 25 19:26:01 charon 04[IKE] <con1|17> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
Mar 25 19:26:01 charon 04[ENC] <con1|17> generating TRANSACTION response 3617415040 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
Mar 25 19:26:01 charon 04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (124 bytes)
Mar 25 19:26:05 charon 14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (300 bytes)
Mar 25 19:26:05 charon 14[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH SA No ID ID ]
Mar 25 19:26:05 charon 14[CFG] <con1|17> looking for a child config for 0.0.0.0/0|/0 === 192.168.1.50/32|/0
Mar 25 19:26:05 charon 14[CFG] <con1|17> proposing traffic selectors for us:
Mar 25 19:26:05 charon 14[CFG] <con1|17> 0.0.0.0/0|/0
Mar 25 19:26:05 charon 14[CFG] <con1|17> proposing traffic selectors for other:
Mar 25 19:26:05 charon 14[CFG] <con1|17> 192.168.1.50/32|/0
Mar 25 19:26:05 charon 14[CFG] <con1|17> candidate "con1" with prio 5+5
Mar 25 19:26:05 charon 14[CFG] <con1|17> found matching child config "con1" with prio 10
Mar 25 19:26:05 charon 14[CFG] <con1|17> selecting traffic selectors for other:
Mar 25 19:26:05 charon 14[CFG] <con1|17> config: 192.168.1.50/32|/0, received: 192.168.1.50/32|/0 => match: 192.168.1.50/32|/0
Mar 25 19:26:05 charon 14[CFG] <con1|17> selecting traffic selectors for us:
Mar 25 19:26:05 charon 14[CFG] <con1|17> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Mar 25 19:26:05 charon 14[CFG] <con1|17> selecting proposal:
Mar 25 19:26:05 charon 14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:05 charon 14[CFG] <con1|17> selecting proposal:
Mar 25 19:26:05 charon 14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
Mar 25 19:26:05 charon 14[CFG] <con1|17> selecting proposal:
Mar 25 19:26:05 charon 14[CFG] <con1|17> proposal matches
Mar 25 19:26:05 charon 14[CFG] <con1|17> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Mar 25 19:26:05 charon 14[CFG] <con1|17> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 25 19:26:05 charon 14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 25 19:26:05 charon 14[IKE] <con1|17> received 3600s lifetime, configured 28800s
Mar 25 19:26:05 charon 14[ENC] <con1|17> generating QUICK_MODE response 3434504322 [ HASH SA No ID ID ]
Mar 25 19:26:05 charon 14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (172 bytes)
Mar 25 19:26:05 charon 04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (60 bytes)
Mar 25 19:26:05 charon 04[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH ]
Mar 25 19:26:05 charon 04[CHD] <con1|17> using AES_CBC for encryption
Mar 25 19:26:05 charon 04[CHD] <con1|17> using HMAC_SHA1_96 for integrity
Mar 25 19:26:05 charon 04[CHD] <con1|17> adding inbound ESP SA
Mar 25 19:26:05 charon 04[CHD] <con1|17> SPI 0xc7f4c871, src {OSX_CLIENT} dst {IPSEC_SERVER}
Mar 25 19:26:05 charon 04[CHD] <con1|17> adding outbound ESP SA
Mar 25 19:26:05 charon 04[CHD] <con1|17> SPI 0x09ad8b82, src {IPSEC_SERVER} dst {OSX_CLIENT}
Mar 25 19:26:05 charon 04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0
Are there any configuration options I can change to allow iOS clients to connect?
Edit: Forgot to mention, I'm running the latest pfSense (2.3.3-RELEASE-p1).
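Comparing the two logs above by eye is tedious, so here is an added example (it is not code from the post, from pfSense or from strongSwan) that does the comparison mechanically. It parses charon lines of the shape quoted in this thread, reconstructs each IKE_SA's proposal negotiation and final outcome, re-derives the responder's proposal choice with a simplified version of charon's selection logic, and flags the weak algorithms the Phase 1/Phase 2 settings above negotiate. The sample log is a constructed, shortened excerpt that mirrors the quoted lines; the placeholders {IOS_CLIENT}, {USERNAME} and so on are kept verbatim as they appear in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt shaped like the charon lines in the post (not the real log):
# SA 13 is the iPhone's first attempt (proposal mismatch), SA 14 its retry (IKE_SA
# established, then deleted by the phone before Quick Mode), SA 17 the OS X session.
SAMPLE_LOG = """\
Mar 25 18:47:09 charon 12[IKE] <13> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 18:47:09 charon 12[CFG] <13> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 25 18:47:09 charon 12[CFG] <13> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:09 charon 12[IKE] <13> no proposal found
Mar 25 18:47:09 charon 12[IKE] <14> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
Mar 25 18:47:09 charon 12[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 25 18:47:09 charon 12[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:09 charon 12[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 18:47:10 charon user '{USERNAME}' authenticated
Mar 25 18:47:10 charon 12[IKE] <con1|14> IKE_SA con1[14] state change: CONNECTING => ESTABLISHED
Mar 25 18:47:10 charon 09[IKE] <con1|14> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
Mar 25 18:47:26 charon 12[IKE] <con1|14> received DELETE for IKE_SA con1[14]
Mar 25 19:26:01 charon 14[CFG] <17> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 25 19:26:01 charon 14[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => ESTABLISHED
Mar 25 19:26:05 charon 14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 25 19:26:05 charon 04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0
"""

# "<13>" before a peer config is chosen, "<con1|14>" afterwards; pfSense 2.4 writes
# "charon:" with a colon, so the colon is optional.
LINE_RE = re.compile(r"charon:? \d+\[\w+\] <(?:[\w-]+\|)?(\d+)> (.*)$")

# Algorithms a new deployment should not negotiate. The post's Phase 1 (AES-128/SHA1/DH 2)
# and Phase 2 (AES-128/SHA1) settings hit MODP_1024 and the SHA-1 entries.
WEAK = {"MODP_1024": "1024-bit DH group 2", "HMAC_SHA1_96": "SHA-1 integrity",
        "PRF_HMAC_SHA1": "SHA-1 PRF", "HMAC_MD5_96": "MD5 integrity",
        "DES_CBC": "single DES", "3DES_CBC": "3DES"}


@dataclass
class IkeSa:
    sa_id: str
    aggressive: bool = False
    received: Dict[str, List[str]] = field(default_factory=dict)   # "IKE"/"ESP" -> peer proposals
    configured: Dict[str, List[str]] = field(default_factory=dict)
    selected: Dict[str, str] = field(default_factory=dict)
    no_proposal: bool = False
    ike_established: bool = False
    child_established: bool = False
    peer_deleted: bool = False

    def outcome(self) -> str:
        if self.no_proposal:
            return "rejected: no matching IKE proposal"
        if self.child_established:
            return "tunnel up: CHILD_SA established"
        if self.ike_established and self.peer_deleted:
            return "IKE_SA established, peer deleted it before Quick Mode"
        if self.ike_established:
            return "IKE_SA established, no CHILD_SA"
        return "incomplete"

    def findings(self) -> List[str]:
        out = []
        if self.aggressive:
            out.append("IKEv1 aggressive mode: with a PSK, a hash keyed by the PSK travels "
                       "in the clear, so the PSK can be attacked offline")
        for kind, prop in self.selected.items():
            for alg in prop.split(":", 1)[1].split("/"):
                if alg in WEAK:
                    out.append(f"{kind} uses {WEAK[alg]} ({alg})")
        return out


def _proposals(text: str) -> List[str]:
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_charon_log(text: str) -> Dict[str, IkeSa]:
    sas: Dict[str, IkeSa] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # e.g. "charon user '...' authenticated" carries no SA id
        sa_id, msg = m.groups()
        sa = sas.setdefault(sa_id, IkeSa(sa_id))
        if msg.endswith("is initiating a Aggressive Mode IKE_SA"):
            sa.aggressive = True
        elif msg.startswith("received proposals: "):
            props = _proposals(msg[len("received proposals: "):])
            sa.received[props[0].split(":")[0]] = props
        elif msg.startswith("configured proposals: "):
            props = _proposals(msg[len("configured proposals: "):])
            sa.configured[props[0].split(":")[0]] = props
        elif msg.startswith("selected proposal: "):
            prop = msg[len("selected proposal: "):]
            sa.selected[prop.split(":")[0]] = prop
        elif msg == "no proposal found":
            sa.no_proposal = True
        elif msg.startswith("IKE_SA ") and msg.endswith("=> ESTABLISHED"):
            sa.ike_established = True
        elif msg.startswith("CHILD_SA ") and " established " in msg:
            sa.child_established = True
        elif msg.startswith("received DELETE for IKE_SA"):
            sa.peer_deleted = True
    return sas


def select_proposal(configured: List[str], received: List[str]) -> Optional[str]:
    """Simplified responder selection: walk our configured list and, for each entry, the
    peer's proposals in the order sent; the first equal pair wins (the repeated
    "selecting proposal:" lines in the log are those attempts). charon compares
    algorithm sets per transform, but with single-algorithm proposals, as in the post,
    exact string equality is the same test. None corresponds to "no proposal found"."""
    for ours in configured:
        for theirs in received:
            if theirs == ours:
                return theirs
    return None


def report(sas: Dict[str, IkeSa]) -> List[str]:
    lines = []
    for sa_id, sa in sorted(sas.items(), key=lambda kv: int(kv[0])):
        logged = sa.selected.get("IKE", "none")
        computed = select_proposal(sa.configured.get("IKE", []), sa.received.get("IKE", []))
        lines.append(f"SA {sa_id}: {sa.outcome()}; IKE proposal {logged}"
                     + ("" if computed in (None, logged) else f" (expected {computed})"))
        lines.extend(f"  - {f}" for f in sa.findings())
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_charon_log(SAMPLE_LOG))))
```

Run over the sample it reports SA 13 rejected (the phone's first attempt offers only MODP_2048 with AES-256, which the AES-128/DH 2 Phase 1 cannot match), SA 14 established through XAuth and the mode-config reply and then torn down by the phone with a DELETE before any Quick Mode exchange, and SA 17 reaching a CHILD_SA. That places the iOS failure after the server's mode-config response, the message that carries U_SPLITINC, which is consistent with the later posts finding that the "Provide a list of accessible networks to clients" option makes the difference. The findings list is the same for every SA here: aggressive mode with a PSK plus DH group 2 and SHA-1, all of which were negotiated only because the client's stronger first offer was refused.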
-
I'm having the same problem. Android/Windows/Linux works, only iOS doesn't.
In the logs I see
Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: ESTABLISHED => DELETING
Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: DELETING => DELETING
Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: DELETING => DESTROYING
Apr 19 00:20:37 pfSense charon: 16[CFG] <con1|2> lease 192.168.2.1 by 'iphone' went offline
before the iPhone gives me an error.
-
Out of interest, why are you not using OpenVPN for iOS?
OpenVPN and the Client Export package include an option for exporting to iOS and Android devices, and it works like a dream.
Roofus
-
I managed to make it work without "Provide a list of accessible networks to clients".
-
Hi
Same problem here; it worked perfectly before the upgrade to 2.3.3-RELEASE-p1.
May I ask how you solved it big_bum?
Thanks in advance.
-
I used this guide to set up the VPN: https://www.thegeekpub.com/5855/pfsense-road-warrior-ipsec-config-works/, but on VPN -> IPsec -> Mobile Clients I didn't uncheck "Provide a list of accessible networks to clients".
With "Provide a list of accessible networks to clients" checked, the connection failed. Without "Provide a list of accessible networks to clients" enabled, it works.
-
@roofus Actually, it is the best option.