Cannot connect to IPsec VPN from iOS 10.2

  • I have been having difficulty with this VPN configuration for quite some time, but I have finally got it to the point of (nearly) working. I am able to connect on OS X, but not iOS (which is the main OS that this VPN will be used for). Some starter info: my WAN interface is labelled WAN and my LAN interface is labelled LAN (easy enough); the LAN subnet is 192.168.1.0/24. DHCP runs from 192.168.1.100 to 192.168.1.254, and pfSense's IP is 192.168.1.1. Ideally the clients will be able to connect to all devices on 192.168.1.0/24, in addition to all traffic being forwarded out WAN. My IPsec configuration is as follows:

    VPN -> IPsec -> Mobile Clients:

    IKE Extensions: Checked
    User Authentication: Local Database
    Group Authentication: none
    Virtual Address Pool: Checked, 192.168.1.50/28
    Virtual IPv6 Address Pool: Unchecked
    Network List: Checked
    Save Xauth Password: Checked
    DNS Default Domain: Unchecked
    Split DNS: Unchecked
    DNS Servers: Checked
    Server #1-3: Local DNS server (on LAN, 192.168.1.122), 8.8.8.8, 8.8.4.4
    WINS Servers: Unchecked
    Phase2 PFS Group: Unchecked
    Login Banner: Unchecked
    

    VPN -> IPsec -> Tunnels -> Phase 1:

    Disabled: Unchecked
    Key Exchange Version: IKEv1
    Internet Protocol: IPv4
    Interface: WAN
    Description: Blank
    Authentication Method: Mutual PSK + Xauth
    Negotiation mode: Aggressive
    My identifier: My IP address
    Peer identifier: vpnusers@domain.tld
    Pre-shared Key: *****************
    Encryption Algorithm: AES 128 bits
    Hash Algorithm: SHA1
    DH Group: 2 (1024 bit)
    Lifetime (Seconds): 86400
    Disable rekey: Unchecked
    Responder only: Unchecked
    NAT Traversal: Force
    Dead Peer Detection: Checked
    Delay: 10
    Max failures: 5
    

    VPN -> IPsec -> Tunnels -> Phase 2:

    Disabled: Unchecked
    Mode: Tunnel IPv4
    Local Network: Network 0.0.0.0/0
    NAT/BINAT translation: None
    Description: blank
    Protocol: ESP
    Encryption Algorithms: AES 128 bits only
    Hash Algorithms: SHA1 only
    PFS key group: off
    Lifetime: 28800 seconds
    Automatically ping host: blank
    

    Firewall -> Rules -> IPsec: IPv4 * * * * * * (allow all on any from any to any)

    Here is the IPsec log when attempting a connection on iOS (on LTE, not the local network):

    Mar 25 18:47:09	charon		12[NET] <13> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
    Mar 25 18:47:09	charon		12[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 25 18:47:09	charon		12[CFG] <13> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
    Mar 25 18:47:09	charon		12[CFG] <13> candidate: %any...%any, prio 24
    Mar 25 18:47:09	charon		12[CFG] <13> candidate: {IPSEC_SERVER}...%any, prio 1052
    Mar 25 18:47:09	charon		12[CFG] <13> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
    Mar 25 18:47:09	charon		12[IKE] <13> received FRAGMENTATION vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received NAT-T (RFC 3947) vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received XAuth vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received Cisco Unity vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> received DPD vendor ID
    Mar 25 18:47:09	charon		12[IKE] <13> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
    Mar 25 18:47:09	charon		12[IKE] <13> IKE_SA (unnamed)[13] state change: CREATED => CONNECTING
    Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <13> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Mar 25 18:47:09	charon		12[CFG] <13> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 18:47:09	charon		12[IKE] <13> no proposal found
    Mar 25 18:47:09	charon		12[IKE] <13> queueing INFORMATIONAL task
    Mar 25 18:47:09	charon		12[IKE] <13> activating new tasks
    Mar 25 18:47:09	charon		12[IKE] <13> activating INFORMATIONAL task
    Mar 25 18:47:09	charon		12[ENC] <13> generating INFORMATIONAL_V1 request 4149312655 [ N(NO_PROP) ]
    Mar 25 18:47:09	charon		12[NET] <13> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (56 bytes)
    Mar 25 18:47:09	charon		12[IKE] <13> IKE_SA (unnamed)[13] state change: CONNECTING => DESTROYING
    Mar 25 18:47:09	charon		12[NET] <14> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
    Mar 25 18:47:09	charon		12[ENC] <14> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 25 18:47:09	charon		12[CFG] <14> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
    Mar 25 18:47:09	charon		12[CFG] <14> candidate: %any...%any, prio 24
    Mar 25 18:47:09	charon		12[CFG] <14> candidate: {IPSEC_SERVER}...%any, prio 1052
    Mar 25 18:47:09	charon		12[CFG] <14> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
    Mar 25 18:47:09	charon		12[IKE] <14> received FRAGMENTATION vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received NAT-T (RFC 3947) vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received XAuth vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received Cisco Unity vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> received DPD vendor ID
    Mar 25 18:47:09	charon		12[IKE] <14> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
    Mar 25 18:47:09	charon		12[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
    Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
    Mar 25 18:47:09	charon		12[CFG] <14> proposal matches
    Mar 25 18:47:09	charon		12[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 25 18:47:09	charon		12[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 18:47:09	charon		12[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 18:47:09	charon		12[CFG] <14> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{IOS_CLIENT}[vpnusers@barker.ddns.net]
    Mar 25 18:47:09	charon		12[CFG] <14> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Mar 25 18:47:09	charon		12[CFG] <14> candidate "con1", match: 1/1/1052 (me/other/ike)
    Mar 25 18:47:09	charon		12[CFG] <14> selected peer config "con1"
    Mar 25 18:47:09	charon		12[IKE] <con1|14> sending XAuth vendor ID
    Mar 25 18:47:09	charon		12[IKE] <con1|14> sending DPD vendor ID
    Mar 25 18:47:09	charon		12[IKE] <con1|14> sending FRAGMENTATION vendor ID
    Mar 25 18:47:09	charon		12[IKE] <con1|14> sending NAT-T (RFC 3947) vendor ID
    Mar 25 18:47:09	charon		12[ENC] <con1|14> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Mar 25 18:47:09	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (412 bytes)
    Mar 25 18:47:09	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 18:47:09	charon		12[IKE] <con1|14> queueing INFORMATIONAL_V1 request as tasks still active
    Mar 25 18:47:09	charon		10[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (100 bytes)
    Mar 25 18:47:09	charon		10[ENC] <con1|14> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
    Mar 25 18:47:09	charon		10[IKE] <con1|14> queueing XAUTH task
    Mar 25 18:47:09	charon		10[IKE] <con1|14> remote host is behind NAT
    Mar 25 18:47:09	charon		10[ENC] <con1|14> parsed INFORMATIONAL_V1 request 3237568392 [ HASH N(INITIAL_CONTACT) ]
    Mar 25 18:47:09	charon		10[IKE] <con1|14> activating new tasks
    Mar 25 18:47:09	charon		10[IKE] <con1|14> activating XAUTH task
    Mar 25 18:47:09	charon		10[ENC] <con1|14> generating TRANSACTION request 3475687874 [ HASH CPRQ(X_USER X_PWD) ]
    Mar 25 18:47:09	charon		10[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
    Mar 25 18:47:09	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 18:47:09	charon		12[ENC] <con1|14> parsed TRANSACTION response 3475687874 [ HASH CPRP(X_USER X_PWD) ]
    Mar 25 18:47:10	charon		user '{USERNAME}' authenticated
    Mar 25 18:47:10	charon		12[IKE] <con1|14> XAuth-SCRIPT succeeded for user '{USERNAME}'.
    Mar 25 18:47:10	charon		12[IKE] <con1|14> XAuth authentication of '{USERNAME}' successful
    Mar 25 18:47:10	charon		12[IKE] <con1|14> reinitiating already active tasks
    Mar 25 18:47:10	charon		12[IKE] <con1|14> XAUTH task
    Mar 25 18:47:10	charon		12[ENC] <con1|14> generating TRANSACTION request 989377680 [ HASH CPS(X_STATUS) ]
    Mar 25 18:47:10	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
    Mar 25 18:47:10	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (76 bytes)
    Mar 25 18:47:10	charon		12[ENC] <con1|14> parsed TRANSACTION response 989377680 [ HASH CPA(X_STATUS) ]
    Mar 25 18:47:10	charon		12[IKE] <con1|14> IKE_SA con1[14] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
    Mar 25 18:47:10	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: CONNECTING => ESTABLISHED
    Mar 25 18:47:10	charon		12[IKE] <con1|14> scheduling reauthentication in 85442s
    Mar 25 18:47:10	charon		12[IKE] <con1|14> maximum IKE_SA lifetime 85982s
    Mar 25 18:47:10	charon		12[IKE] <con1|14> activating new tasks
    Mar 25 18:47:10	charon		12[IKE] <con1|14> nothing to initiate
    Mar 25 18:47:10	charon		09[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (172 bytes)
    Mar 25 18:47:10	charon		09[ENC] <con1|14> unknown attribute type (28683)
    Mar 25 18:47:10	charon		09[ENC] <con1|14> parsed TRANSACTION request 848382079 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_ADDRESS attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_NETMASK attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_DNS attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_NBNS attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_ADDRESS_EXPIRY attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing APPLICATION_VERSION attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_BANNER attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_DEF_DOMAIN attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SPLITDNS_NAME attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SPLIT_INCLUDE attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_LOCAL_LAN attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_PFS attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SAVE_PASSWD attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_FW_TYPE attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_BACKUP_SERVERS attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> processing (28683) attribute
    Mar 25 18:47:10	charon		09[IKE] <con1|14> peer requested virtual IP %any
    Mar 25 18:47:10	charon		09[CFG] <con1|14> reassigning offline lease to '{USERNAME}'
    Mar 25 18:47:10	charon		09[IKE] <con1|14> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
    Mar 25 18:47:10	charon		09[ENC] <con1|14> generating TRANSACTION response 848382079 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
    Mar 25 18:47:10	charon		09[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (124 bytes)
    Mar 25 18:47:20	charon		12[IKE] <con1|14> sending DPD request
    Mar 25 18:47:20	charon		12[IKE] <con1|14> queueing ISAKMP_DPD task
    Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
    Mar 25 18:47:20	charon		12[IKE] <con1|14> activating ISAKMP_DPD task
    Mar 25 18:47:20	charon		12[ENC] <con1|14> generating INFORMATIONAL_V1 request 2909798410 [ HASH N(DPD) ]
    Mar 25 18:47:20	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (92 bytes)
    Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
    Mar 25 18:47:20	charon		12[IKE] <con1|14> nothing to initiate
    Mar 25 18:47:20	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 18:47:20	charon		12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 518142421 [ HASH N(DPD_ACK) ]
    Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
    Mar 25 18:47:20	charon		12[IKE] <con1|14> nothing to initiate
    Mar 25 18:47:26	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 18:47:26	charon		12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 912504045 [ HASH D ]
    Mar 25 18:47:26	charon		12[IKE] <con1|14> received DELETE for IKE_SA con1[14]
    Mar 25 18:47:26	charon		12[IKE] <con1|14> deleting IKE_SA con1[14] between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
    Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: ESTABLISHED => DELETING
    Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DELETING
    Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DESTROYING
    Mar 25 18:47:26	charon		12[CFG] <con1|14> lease 192.168.1.50 by '{USERNAME}' went offline
    

    Initializing a functioning connection from OS X:

    Mar 25 19:25:34	charon		13[CFG] vici client 1 connected
    Mar 25 19:25:34	charon		14[CFG] vici client 1 registered for: list-sa
    Mar 25 19:25:34	charon		14[CFG] vici client 1 requests: list-sas
    Mar 25 19:25:34	charon		14[CFG] vici client 1 disconnected
    Mar 25 19:25:39	charon		14[CFG] vici client 2 connected
    Mar 25 19:25:39	charon		14[CFG] vici client 2 registered for: list-sa
    Mar 25 19:25:39	charon		14[CFG] vici client 2 requests: list-sas
    Mar 25 19:25:39	charon		15[CFG] vici client 2 disconnected
    Mar 25 19:25:44	charon		14[CFG] vici client 3 connected
    Mar 25 19:25:44	charon		14[CFG] vici client 3 registered for: list-sa
    Mar 25 19:25:44	charon		11[CFG] vici client 3 requests: list-sas
    Mar 25 19:25:44	charon		14[CFG] vici client 3 disconnected
    Mar 25 19:26:01	charon		14[NET] <16> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
    Mar 25 19:26:01	charon		14[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 25 19:26:01	charon		14[CFG] <16> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
    Mar 25 19:26:01	charon		14[CFG] <16> candidate: %any...%any, prio 24
    Mar 25 19:26:01	charon		14[CFG] <16> candidate: {IPSEC_SERVER}...%any, prio 1052
    Mar 25 19:26:01	charon		14[CFG] <16> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
    Mar 25 19:26:01	charon		14[IKE] <16> received FRAGMENTATION vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received NAT-T (RFC 3947) vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received XAuth vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received Cisco Unity vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> received DPD vendor ID
    Mar 25 19:26:01	charon		14[IKE] <16> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
    Mar 25 19:26:01	charon		14[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
    Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Mar 25 19:26:01	charon		14[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 19:26:01	charon		14[IKE] <16> no proposal found
    Mar 25 19:26:01	charon		14[IKE] <16> queueing INFORMATIONAL task
    Mar 25 19:26:01	charon		14[IKE] <16> activating new tasks
    Mar 25 19:26:01	charon		14[IKE] <16> activating INFORMATIONAL task
    Mar 25 19:26:01	charon		14[ENC] <16> generating INFORMATIONAL_V1 request 1842137378 [ N(NO_PROP) ]
    Mar 25 19:26:01	charon		14[NET] <16> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (56 bytes)
    Mar 25 19:26:01	charon		14[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
    Mar 25 19:26:01	charon		14[NET] <17> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
    Mar 25 19:26:01	charon		14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 25 19:26:01	charon		14[CFG] <17> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
    Mar 25 19:26:01	charon		14[CFG] <17> candidate: %any...%any, prio 24
    Mar 25 19:26:01	charon		14[CFG] <17> candidate: {IPSEC_SERVER}...%any, prio 1052
    Mar 25 19:26:01	charon		14[CFG] <17> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
    Mar 25 19:26:01	charon		14[IKE] <17> received FRAGMENTATION vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received NAT-T (RFC 3947) vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received XAuth vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received Cisco Unity vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> received DPD vendor ID
    Mar 25 19:26:01	charon		14[IKE] <17> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
    Mar 25 19:26:01	charon		14[IKE] <17> IKE_SA (unnamed)[17] state change: CREATED => CONNECTING
    Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
    Mar 25 19:26:01	charon		14[CFG] <17> proposal matches
    Mar 25 19:26:01	charon		14[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 25 19:26:01	charon		14[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 19:26:01	charon		14[CFG] <17> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 25 19:26:01	charon		14[CFG] <17> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{OSX_CLIENT}[vpnusers@barker.ddns.net]
    Mar 25 19:26:01	charon		14[CFG] <17> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Mar 25 19:26:01	charon		14[CFG] <17> candidate "con1", match: 1/1/1052 (me/other/ike)
    Mar 25 19:26:01	charon		14[CFG] <17> selected peer config "con1"
    Mar 25 19:26:01	charon		14[IKE] <con1|17> sending XAuth vendor ID
    Mar 25 19:26:01	charon		14[IKE] <con1|17> sending DPD vendor ID
    Mar 25 19:26:01	charon		14[IKE] <con1|17> sending FRAGMENTATION vendor ID
    Mar 25 19:26:01	charon		14[IKE] <con1|17> sending NAT-T (RFC 3947) vendor ID
    Mar 25 19:26:01	charon		14[ENC] <con1|17> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Mar 25 19:26:01	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (412 bytes)
    Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (100 bytes)
    Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
    Mar 25 19:26:01	charon		14[IKE] <con1|17> queueing XAUTH task
    Mar 25 19:26:01	charon		14[IKE] <con1|17> faking NAT situation to enforce UDP encapsulation
    Mar 25 19:26:01	charon		14[IKE] <con1|17> activating new tasks
    Mar 25 19:26:01	charon		14[IKE] <con1|17> activating XAUTH task
    Mar 25 19:26:01	charon		14[ENC] <con1|17> generating TRANSACTION request 2079721641 [ HASH CPRQ(X_USER X_PWD) ]
    Mar 25 19:26:01	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
    Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed INFORMATIONAL_V1 request 2511949227 [ HASH N(INITIAL_CONTACT) ]
    Mar 25 19:26:01	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
    Mar 25 19:26:01	charon		04[ENC] <con1|17> parsed TRANSACTION response 2079721641 [ HASH CPRP(X_USER X_PWD) ]
    Mar 25 19:26:01	charon		user '{USERNAME}' authenticated
    Mar 25 19:26:01	charon		04[IKE] <con1|17> XAuth-SCRIPT succeeded for user '{USERNAME}'.
    Mar 25 19:26:01	charon		04[IKE] <con1|17> XAuth authentication of '{USERNAME}' successful
    Mar 25 19:26:01	charon		04[IKE] <con1|17> reinitiating already active tasks
    Mar 25 19:26:01	charon		04[IKE] <con1|17> XAUTH task
    Mar 25 19:26:01	charon		04[ENC] <con1|17> generating TRANSACTION request 1395159188 [ HASH CPS(X_STATUS) ]
    Mar 25 19:26:01	charon		04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
    Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (76 bytes)
    Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed TRANSACTION response 1395159188 [ HASH CPA(X_STATUS) ]
    Mar 25 19:26:01	charon		14[IKE] <con1|17> IKE_SA con1[17] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{OSX_CLIENT}[vpnusers@barker.ddns.net]
    Mar 25 19:26:01	charon		14[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => ESTABLISHED
    Mar 25 19:26:01	charon		14[IKE] <con1|17> scheduling reauthentication in 85777s
    Mar 25 19:26:01	charon		14[IKE] <con1|17> maximum IKE_SA lifetime 86317s
    Mar 25 19:26:01	charon		14[IKE] <con1|17> activating new tasks
    Mar 25 19:26:01	charon		14[IKE] <con1|17> nothing to initiate
    Mar 25 19:26:01	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (172 bytes)
    Mar 25 19:26:01	charon		04[ENC] <con1|17> unknown attribute type (28683)
    Mar 25 19:26:01	charon		04[ENC] <con1|17> parsed TRANSACTION request 3617415040 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_ADDRESS attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_NETMASK attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_DNS attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_NBNS attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_ADDRESS_EXPIRY attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing APPLICATION_VERSION attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_BANNER attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_DEF_DOMAIN attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SPLITDNS_NAME attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SPLIT_INCLUDE attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_LOCAL_LAN attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_PFS attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SAVE_PASSWD attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_FW_TYPE attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_BACKUP_SERVERS attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> processing (28683) attribute
    Mar 25 19:26:01	charon		04[IKE] <con1|17> peer requested virtual IP %any
    Mar 25 19:26:01	charon		04[CFG] <con1|17> reassigning offline lease to '{USERNAME}'
    Mar 25 19:26:01	charon		04[IKE] <con1|17> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
    Mar 25 19:26:01	charon		04[ENC] <con1|17> generating TRANSACTION response 3617415040 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
    Mar 25 19:26:01	charon		04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (124 bytes)
    Mar 25 19:26:05	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (300 bytes)
    Mar 25 19:26:05	charon		14[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH SA No ID ID ]
    Mar 25 19:26:05	charon		14[CFG] <con1|17> looking for a child config for 0.0.0.0/0|/0 === 192.168.1.50/32|/0
    Mar 25 19:26:05	charon		14[CFG] <con1|17> proposing traffic selectors for us:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> 0.0.0.0/0|/0
    Mar 25 19:26:05	charon		14[CFG] <con1|17> proposing traffic selectors for other:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> 192.168.1.50/32|/0
    Mar 25 19:26:05	charon		14[CFG] <con1|17> candidate "con1" with prio 5+5
    Mar 25 19:26:05	charon		14[CFG] <con1|17> found matching child config "con1" with prio 10
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting traffic selectors for other:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> config: 192.168.1.50/32|/0, received: 192.168.1.50/32|/0 => match: 192.168.1.50/32|/0
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting traffic selectors for us:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
    Mar 25 19:26:05	charon		14[CFG] <con1|17> proposal matches
    Mar 25 19:26:05	charon		14[CFG] <con1|17> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
    Mar 25 19:26:05	charon		14[CFG] <con1|17> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Mar 25 19:26:05	charon		14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Mar 25 19:26:05	charon		14[IKE] <con1|17> received 3600s lifetime, configured 28800s
    Mar 25 19:26:05	charon		14[ENC] <con1|17> generating QUICK_MODE response 3434504322 [ HASH SA No ID ID ]
    Mar 25 19:26:05	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (172 bytes)
    Mar 25 19:26:05	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (60 bytes)
    Mar 25 19:26:05	charon		04[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH ]
    Mar 25 19:26:05	charon		04[CHD] <con1|17> using AES_CBC for encryption
    Mar 25 19:26:05	charon		04[CHD] <con1|17> using HMAC_SHA1_96 for integrity
    Mar 25 19:26:05	charon		04[CHD] <con1|17> adding inbound ESP SA
    Mar 25 19:26:05	charon		04[CHD] <con1|17> SPI 0xc7f4c871, src {OSX_CLIENT} dst {IPSEC_SERVER}
    Mar 25 19:26:05	charon		04[CHD] <con1|17> adding outbound ESP SA
    Mar 25 19:26:05	charon		04[CHD] <con1|17> SPI 0x09ad8b82, src {IPSEC_SERVER} dst {OSX_CLIENT}
    Mar 25 19:26:05	charon		04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0
    

    Are there any configuration options I can change to allow iOS clients to connect?

    Edit: Forgot to mention, I'm running the latest pfSense (2.3.3-RELEASE-p1).
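    Since the OS X log above shows the full Quick Mode negotiation (the client's ESP proposals, the server's configured proposal, the selected one and the CHILD_SA), an iOS attempt is easiest to compare against it side by side. The script below is an added example for this thread, not code from pfSense or strongSwan: it parses charon log lines in both the pfSense GUI export format and the syslog format seen later in the thread and summarises each IKE_SA. The sample lines are constructed from the excerpts posted here with placeholder peer names and addresses, and every function name is my own.

```python
"""Summarise strongSwan (charon) IKEv1 mobile-client negotiations from pfSense IPsec logs.

Added example, not pfSense or strongSwan code. SAMPLE_LOG is constructed from the
excerpts in this thread (peer names/addresses replaced); function names are mine.
"""
import re

# Accepts the pfSense GUI export ("Mar 25 19:26:05<tab>charon<tab><tab>14[CFG] <con1|17> ...")
# and the syslog form ("Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> ...").
LINE_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?:\S+\s+)?charon:?\s+"                   # optional hostname, then the daemon name
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"  # worker thread and log group (IKE, CFG, CHD, ...)
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*"       # connection name and IKE_SA unique id
    r"(?P<msg>.*?)\s*$"
)

SAMPLE_LOG = (  # constructed sample modelled on the thread's excerpts
    "Mar 25 19:26:01\tcharon\t\t04[IKE] <con1|17> assigning virtual IP 192.168.1.50 to peer 'alice'\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> selecting proposal:\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> selecting proposal:\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> selecting proposal:\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> proposal matches\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ\n"
    "Mar 25 19:26:05\tcharon\t\t14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ\n"
    "Mar 25 19:26:05\tcharon\t\t14[IKE] <con1|17> received 3600s lifetime, configured 28800s\n"
    "Mar 25 19:26:05\tcharon\t\t04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o "
    "and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0\n"
    "Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: ESTABLISHED => DELETING\n"
    "Apr 19 00:20:37 pfSense charon: 16[CFG] <con1|2> lease 192.168.2.1 by 'iphone' went offline\n"
)


def parse_line(line):
    """Return the parsed fields of one charon log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    return rec


def _proposals(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def summarize(lines):
    """Collect, per (connection, IKE_SA id), what the Quick Mode exchange negotiated."""
    sas = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sas.setdefault((rec["conn"], rec["sa"]), {
            "virtual_ip": None, "received": [], "configured": [], "selected": None,
            "rejected": 0, "child_sa": False, "lifetime": None, "deleted": False,
        })
        msg = rec["msg"]
        if msg.startswith("assigning virtual IP "):
            s["virtual_ip"] = msg.split()[3]
        elif msg.startswith("received proposals: "):
            s["received"] = _proposals(msg[len("received proposals: "):])
        elif msg.startswith("configured proposals: "):
            s["configured"] = _proposals(msg[len("configured proposals: "):])
        elif msg.startswith("selected proposal: "):
            s["selected"] = msg[len("selected proposal: "):]
        elif msg.startswith("no acceptable "):
            # charon walks the client's proposal list; rejections before a
            # "selected proposal" line are normal, only their absence is not.
            s["rejected"] += 1
        elif msg.startswith("CHILD_SA") and " established with SPIs " in msg:
            s["child_sa"] = True
        elif msg.startswith("received ") and "lifetime" in msg:
            m = re.match(r"received (\d+)s lifetime, configured (\d+)s", msg)
            if m:
                s["lifetime"] = (int(m.group(1)), int(m.group(2)))
        elif "state change:" in msg and msg.endswith("=> DELETING"):
            s["deleted"] = True
    return sas


def diagnose(summary):
    """Map each (conn, sa) to a list of findings; the first entry is the verdict."""
    out = {}
    for key, s in summary.items():
        notes = []
        if s["child_sa"]:
            notes.append("CHILD_SA established with %s" % s["selected"])
        elif s["deleted"]:
            notes.append("IKE_SA deleted before any CHILD_SA was established")
        elif s["received"] and not s["selected"]:
            notes.append("no acceptable ESP proposal: client offered %s, server allows %s"
                         % (", ".join(s["received"]), ", ".join(s["configured"])))
        else:
            notes.append("negotiation incomplete in this excerpt")
        if s["lifetime"] and s["lifetime"][0] != s["lifetime"][1]:
            notes.append("client proposed %ds lifetime, server configured %ds" % s["lifetime"])
        if s["virtual_ip"]:
            notes.append("virtual IP %s" % s["virtual_ip"])
        out[key] = notes
    return out


if __name__ == "__main__":
    for key, notes in sorted(diagnose(summarize(SAMPLE_LOG.splitlines())).items()):
        print("%s|%d: %s" % (key[0], key[1], "; ".join(notes)))
```

    Run it against an iOS attempt captured from Status -> System Logs -> IPsec with the same verbosity as the excerpt above; if the iOS SA ends at "IKE_SA deleted before any CHILD_SA was established" with no proposal lines at all, the failure is before Quick Mode (Phase 1 or the configuration-mode exchange), while a "no acceptable ESP proposal" verdict points at the Phase 2 algorithm list.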



  • I'm having the same problem. Android/Windows/Linux works, only iOS doesn't.

    In the logs I see

    Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: ESTABLISHED => DELETING
    Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: DELETING => DELETING
    Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2> IKE_SA con1[2] state change: DELETING => DESTROYING
    Apr 19 00:20:37 pfSense charon: 16[CFG] <con1|2> lease 192.168.2.1 by 'iphone' went offline
    

    before the iPhone gives me an error.



  • Out of interest, why are you not using OpenVPN for iOS?

    OpenVPN and the Client Export package include an option for exporting to iOS devices and Android, and it works like a dream.

    Roofus



  • I managed to make it work without "Provide a list of accessible networks to clients".



  • Hi

    Same problem here; it worked perfectly before the upgrade to 2.3.3-RELEASE-p1.

    May I ask how you solved it, big_bum?

    Thanks in advance.



  • I used this guide to set up the VPN: https://www.thegeekpub.com/5855/pfsense-road-warrior-ipsec-config-works/, but on VPN -> IPsec -> Mobile Clients I didn't uncheck "Provide a list of accessible networks to clients".

    With "Provide a list of accessible networks to clients" checked, the connection failed. Without "Provide a list of accessible networks to clients" enabled, it works.



  • @roofus Actually, it is the best option.