
    Cannot connect to IPsec VPN from iOS 10.2

      jmbarker

      I have been having difficulty with this VPN configuration for quite some time, but I have finally got it to the point of (nearly) working. I am able to connect on OS X, but not on iOS (which is the main OS that this VPN will be used for). Some starter info: my WAN interface is labelled WAN and LAN is labelled LAN (easy enough), and the LAN subnet is 192.168.1.0/24. DHCP runs from 192.168.1.100 to 192.168.1.254, and pfSense's IP is 192.168.1.1. Ideally the clients will be able to connect to all devices on 192.168.1.0/24, in addition to all traffic being forwarded out WAN. My IPsec configuration is as follows:

      VPN -> IPsec -> Mobile Clients:

      IKE Extensions: Checked
      User Authentication: Local Database
      Group Authentication: none
      Virtual Address Pool: Checked, 192.168.1.50/28
      Virtual IPv6 Address Pool: Unchecked
      Network List: Checked
      Save Xauth Password: Checked
      DNS Default Domain: Unchecked
      Split DNS: Unchecked
      DNS Servers: Checked
      Server #1-3: Local DNS server (on LAN, 192.168.1.122), 8.8.8.8, 8.8.4.4
      WINS Servers: Unchecked
      Phase2 PFS Group: Unchecked
      Login Banner: Unchecked
      

      VPN -> IPsec -> Tunnels -> Phase 1:

      Disabled: Unchecked
      Key Exchange Version: IKEv1
      Internet Protocol: IPv4
      Interface: WAN
      Description: Blank
      Authentication Method: Mutual PSK + Xauth
      Negotiation mode: Aggressive
      My identifier: My IP address
      Peer identifier: vpnusers@domain.tld
      Pre-shared Key: *****************
      Encryption Algorithm: AES 128 bits
      Hash Algorithm: SHA1
      DH Group: 2 (1024 bit)
      Lifetime (Seconds): 86400
      Disable rekey: Unchecked
      Responder only: Unchecked
      NAT Traversal: Force
      Dead Peer Detection: Checked
      Delay: 10
      Max failures: 5
      

      VPN -> IPsec -> Tunnels -> Phase 2:

      Disabled: Unchecked
      Mode: Tunnel IPv4
      Local Network: Network 0.0.0.0/0
      NAT/BINAT translation: None
      Description: blank
      Protocol: ESP
      Encryption Algorithms: AES 128 bits only
      Hash Algorithms: SHA1 only
      PFS key group: off
      Lifetime: 28800 seconds
      Automatically ping host: blank
      

      Firewall -> Rules -> IPsec: IPv4 * * * * * * (allow all on any from any to any)

      Here is the IPsec log when attempting a connection on iOS (on LTE, not the local network):

      Mar 25 18:47:09	charon		12[NET] <13> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
      Mar 25 18:47:09	charon		12[ENC] <13> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Mar 25 18:47:09	charon		12[CFG] <13> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
      Mar 25 18:47:09	charon		12[CFG] <13> candidate: %any...%any, prio 24
      Mar 25 18:47:09	charon		12[CFG] <13> candidate: {IPSEC_SERVER}...%any, prio 1052
      Mar 25 18:47:09	charon		12[CFG] <13> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
      Mar 25 18:47:09	charon		12[IKE] <13> received FRAGMENTATION vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received NAT-T (RFC 3947) vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received XAuth vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received Cisco Unity vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> received DPD vendor ID
      Mar 25 18:47:09	charon		12[IKE] <13> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
      Mar 25 18:47:09	charon		12[IKE] <13> IKE_SA (unnamed)[13] state change: CREATED => CONNECTING
      Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <13> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <13> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Mar 25 18:47:09	charon		12[CFG] <13> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 18:47:09	charon		12[IKE] <13> no proposal found
      Mar 25 18:47:09	charon		12[IKE] <13> queueing INFORMATIONAL task
      Mar 25 18:47:09	charon		12[IKE] <13> activating new tasks
      Mar 25 18:47:09	charon		12[IKE] <13> activating INFORMATIONAL task
      Mar 25 18:47:09	charon		12[ENC] <13> generating INFORMATIONAL_V1 request 4149312655 [ N(NO_PROP) ]
      Mar 25 18:47:09	charon		12[NET] <13> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (56 bytes)
      Mar 25 18:47:09	charon		12[IKE] <13> IKE_SA (unnamed)[13] state change: CONNECTING => DESTROYING
      Mar 25 18:47:09	charon		12[NET] <14> received packet: from {IOS_CLIENT}[11052] to {IPSEC_SERVER}[500] (780 bytes)
      Mar 25 18:47:09	charon		12[ENC] <14> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Mar 25 18:47:09	charon		12[CFG] <14> looking for an ike config for {IPSEC_SERVER}...{IOS_CLIENT}
      Mar 25 18:47:09	charon		12[CFG] <14> candidate: %any...%any, prio 24
      Mar 25 18:47:09	charon		12[CFG] <14> candidate: {IPSEC_SERVER}...%any, prio 1052
      Mar 25 18:47:09	charon		12[CFG] <14> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
      Mar 25 18:47:09	charon		12[IKE] <14> received FRAGMENTATION vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received NAT-T (RFC 3947) vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received XAuth vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received Cisco Unity vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> received DPD vendor ID
      Mar 25 18:47:09	charon		12[IKE] <14> {IOS_CLIENT} is initiating a Aggressive Mode IKE_SA
      Mar 25 18:47:09	charon		12[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
      Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <14> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 18:47:09	charon		12[CFG] <14> selecting proposal:
      Mar 25 18:47:09	charon		12[CFG] <14> proposal matches
      Mar 25 18:47:09	charon		12[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Mar 25 18:47:09	charon		12[CFG] <14> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 18:47:09	charon		12[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 18:47:09	charon		12[CFG] <14> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{IOS_CLIENT}[vpnusers@barker.ddns.net]
      Mar 25 18:47:09	charon		12[CFG] <14> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Mar 25 18:47:09	charon		12[CFG] <14> candidate "con1", match: 1/1/1052 (me/other/ike)
      Mar 25 18:47:09	charon		12[CFG] <14> selected peer config "con1"
      Mar 25 18:47:09	charon		12[IKE] <con1|14> sending XAuth vendor ID
      Mar 25 18:47:09	charon		12[IKE] <con1|14> sending DPD vendor ID
      Mar 25 18:47:09	charon		12[IKE] <con1|14> sending FRAGMENTATION vendor ID
      Mar 25 18:47:09	charon		12[IKE] <con1|14> sending NAT-T (RFC 3947) vendor ID
      Mar 25 18:47:09	charon		12[ENC] <con1|14> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Mar 25 18:47:09	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[500] to {IOS_CLIENT}[11052] (412 bytes)
      Mar 25 18:47:09	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 18:47:09	charon		12[IKE] <con1|14> queueing INFORMATIONAL_V1 request as tasks still active
      Mar 25 18:47:09	charon		10[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (100 bytes)
      Mar 25 18:47:09	charon		10[ENC] <con1|14> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
      Mar 25 18:47:09	charon		10[IKE] <con1|14> queueing XAUTH task
      Mar 25 18:47:09	charon		10[IKE] <con1|14> remote host is behind NAT
      Mar 25 18:47:09	charon		10[ENC] <con1|14> parsed INFORMATIONAL_V1 request 3237568392 [ HASH N(INITIAL_CONTACT) ]
      Mar 25 18:47:09	charon		10[IKE] <con1|14> activating new tasks
      Mar 25 18:47:09	charon		10[IKE] <con1|14> activating XAUTH task
      Mar 25 18:47:09	charon		10[ENC] <con1|14> generating TRANSACTION request 3475687874 [ HASH CPRQ(X_USER X_PWD) ]
      Mar 25 18:47:09	charon		10[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
      Mar 25 18:47:09	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 18:47:09	charon		12[ENC] <con1|14> parsed TRANSACTION response 3475687874 [ HASH CPRP(X_USER X_PWD) ]
      Mar 25 18:47:10	charon		user '{USERNAME}' authenticated
      Mar 25 18:47:10	charon		12[IKE] <con1|14> XAuth-SCRIPT succeeded for user '{USERNAME}'.
      Mar 25 18:47:10	charon		12[IKE] <con1|14> XAuth authentication of '{USERNAME}' successful
      Mar 25 18:47:10	charon		12[IKE] <con1|14> reinitiating already active tasks
      Mar 25 18:47:10	charon		12[IKE] <con1|14> XAUTH task
      Mar 25 18:47:10	charon		12[ENC] <con1|14> generating TRANSACTION request 989377680 [ HASH CPS(X_STATUS) ]
      Mar 25 18:47:10	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (76 bytes)
      Mar 25 18:47:10	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (76 bytes)
      Mar 25 18:47:10	charon		12[ENC] <con1|14> parsed TRANSACTION response 989377680 [ HASH CPA(X_STATUS) ]
      Mar 25 18:47:10	charon		12[IKE] <con1|14> IKE_SA con1[14] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
      Mar 25 18:47:10	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: CONNECTING => ESTABLISHED
      Mar 25 18:47:10	charon		12[IKE] <con1|14> scheduling reauthentication in 85442s
      Mar 25 18:47:10	charon		12[IKE] <con1|14> maximum IKE_SA lifetime 85982s
      Mar 25 18:47:10	charon		12[IKE] <con1|14> activating new tasks
      Mar 25 18:47:10	charon		12[IKE] <con1|14> nothing to initiate
      Mar 25 18:47:10	charon		09[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (172 bytes)
      Mar 25 18:47:10	charon		09[ENC] <con1|14> unknown attribute type (28683)
      Mar 25 18:47:10	charon		09[ENC] <con1|14> parsed TRANSACTION request 848382079 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_ADDRESS attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_NETMASK attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_DNS attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_IP4_NBNS attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing INTERNAL_ADDRESS_EXPIRY attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing APPLICATION_VERSION attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_BANNER attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_DEF_DOMAIN attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SPLITDNS_NAME attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SPLIT_INCLUDE attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_LOCAL_LAN attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_PFS attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_SAVE_PASSWD attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_FW_TYPE attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing UNITY_BACKUP_SERVERS attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> processing (28683) attribute
      Mar 25 18:47:10	charon		09[IKE] <con1|14> peer requested virtual IP %any
      Mar 25 18:47:10	charon		09[CFG] <con1|14> reassigning offline lease to '{USERNAME}'
      Mar 25 18:47:10	charon		09[IKE] <con1|14> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
      Mar 25 18:47:10	charon		09[ENC] <con1|14> generating TRANSACTION response 848382079 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
      Mar 25 18:47:10	charon		09[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (124 bytes)
      Mar 25 18:47:20	charon		12[IKE] <con1|14> sending DPD request
      Mar 25 18:47:20	charon		12[IKE] <con1|14> queueing ISAKMP_DPD task
      Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
      Mar 25 18:47:20	charon		12[IKE] <con1|14> activating ISAKMP_DPD task
      Mar 25 18:47:20	charon		12[ENC] <con1|14> generating INFORMATIONAL_V1 request 2909798410 [ HASH N(DPD) ]
      Mar 25 18:47:20	charon		12[NET] <con1|14> sending packet: from {IPSEC_SERVER}[4500] to {IOS_CLIENT}[29543] (92 bytes)
      Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
      Mar 25 18:47:20	charon		12[IKE] <con1|14> nothing to initiate
      Mar 25 18:47:20	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 18:47:20	charon		12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 518142421 [ HASH N(DPD_ACK) ]
      Mar 25 18:47:20	charon		12[IKE] <con1|14> activating new tasks
      Mar 25 18:47:20	charon		12[IKE] <con1|14> nothing to initiate
      Mar 25 18:47:26	charon		12[NET] <con1|14> received packet: from {IOS_CLIENT}[29543] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 18:47:26	charon		12[ENC] <con1|14> parsed INFORMATIONAL_V1 request 912504045 [ HASH D ]
      Mar 25 18:47:26	charon		12[IKE] <con1|14> received DELETE for IKE_SA con1[14]
      Mar 25 18:47:26	charon		12[IKE] <con1|14> deleting IKE_SA con1[14] between {IPSEC_SERVER}[{IPSEC_SERVER}]...{IOS_CLIENT}[vpnusers@barker.ddns.net]
      Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: ESTABLISHED => DELETING
      Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DELETING
      Mar 25 18:47:26	charon		12[IKE] <con1|14> IKE_SA con1[14] state change: DELETING => DESTROYING
      Mar 25 18:47:26	charon		12[CFG] <con1|14> lease 192.168.1.50 by '{USERNAME}' went offline
      

      Initializing a functioning connection from OS X:

      Mar 25 19:25:34	charon		13[CFG] vici client 1 connected
      Mar 25 19:25:34	charon		14[CFG] vici client 1 registered for: list-sa
      Mar 25 19:25:34	charon		14[CFG] vici client 1 requests: list-sas
      Mar 25 19:25:34	charon		14[CFG] vici client 1 disconnected
      Mar 25 19:25:39	charon		14[CFG] vici client 2 connected
      Mar 25 19:25:39	charon		14[CFG] vici client 2 registered for: list-sa
      Mar 25 19:25:39	charon		14[CFG] vici client 2 requests: list-sas
      Mar 25 19:25:39	charon		15[CFG] vici client 2 disconnected
      Mar 25 19:25:44	charon		14[CFG] vici client 3 connected
      Mar 25 19:25:44	charon		14[CFG] vici client 3 registered for: list-sa
      Mar 25 19:25:44	charon		11[CFG] vici client 3 requests: list-sas
      Mar 25 19:25:44	charon		14[CFG] vici client 3 disconnected
      Mar 25 19:26:01	charon		14[NET] <16> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
      Mar 25 19:26:01	charon		14[ENC] <16> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Mar 25 19:26:01	charon		14[CFG] <16> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
      Mar 25 19:26:01	charon		14[CFG] <16> candidate: %any...%any, prio 24
      Mar 25 19:26:01	charon		14[CFG] <16> candidate: {IPSEC_SERVER}...%any, prio 1052
      Mar 25 19:26:01	charon		14[CFG] <16> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
      Mar 25 19:26:01	charon		14[IKE] <16> received FRAGMENTATION vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received NAT-T (RFC 3947) vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received XAuth vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received Cisco Unity vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> received DPD vendor ID
      Mar 25 19:26:01	charon		14[IKE] <16> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
      Mar 25 19:26:01	charon		14[IKE] <16> IKE_SA (unnamed)[16] state change: CREATED => CONNECTING
      Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <16> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <16> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <16> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Mar 25 19:26:01	charon		14[CFG] <16> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 19:26:01	charon		14[IKE] <16> no proposal found
      Mar 25 19:26:01	charon		14[IKE] <16> queueing INFORMATIONAL task
      Mar 25 19:26:01	charon		14[IKE] <16> activating new tasks
      Mar 25 19:26:01	charon		14[IKE] <16> activating INFORMATIONAL task
      Mar 25 19:26:01	charon		14[ENC] <16> generating INFORMATIONAL_V1 request 1842137378 [ N(NO_PROP) ]
      Mar 25 19:26:01	charon		14[NET] <16> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (56 bytes)
      Mar 25 19:26:01	charon		14[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
      Mar 25 19:26:01	charon		14[NET] <17> received packet: from {OSX_CLIENT}[500] to {IPSEC_SERVER}[500] (780 bytes)
      Mar 25 19:26:01	charon		14[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Mar 25 19:26:01	charon		14[CFG] <17> looking for an ike config for {IPSEC_SERVER}...{OSX_CLIENT}
      Mar 25 19:26:01	charon		14[CFG] <17> candidate: %any...%any, prio 24
      Mar 25 19:26:01	charon		14[CFG] <17> candidate: {IPSEC_SERVER}...%any, prio 1052
      Mar 25 19:26:01	charon		14[CFG] <17> found matching ike config: {IPSEC_SERVER}...%any with prio 1052
      Mar 25 19:26:01	charon		14[IKE] <17> received FRAGMENTATION vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received NAT-T (RFC 3947) vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received XAuth vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received Cisco Unity vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> received DPD vendor ID
      Mar 25 19:26:01	charon		14[IKE] <17> {OSX_CLIENT} is initiating a Aggressive Mode IKE_SA
      Mar 25 19:26:01	charon		14[IKE] <17> IKE_SA (unnamed)[17] state change: CREATED => CONNECTING
      Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <17> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:01	charon		14[CFG] <17> selecting proposal:
      Mar 25 19:26:01	charon		14[CFG] <17> proposal matches
      Mar 25 19:26:01	charon		14[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      Mar 25 19:26:01	charon		14[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 19:26:01	charon		14[CFG] <17> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 25 19:26:01	charon		14[CFG] <17> looking for XAuthInitPSK peer configs matching {IPSEC_SERVER}...{OSX_CLIENT}[vpnusers@barker.ddns.net]
      Mar 25 19:26:01	charon		14[CFG] <17> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Mar 25 19:26:01	charon		14[CFG] <17> candidate "con1", match: 1/1/1052 (me/other/ike)
      Mar 25 19:26:01	charon		14[CFG] <17> selected peer config "con1"
      Mar 25 19:26:01	charon		14[IKE] <con1|17> sending XAuth vendor ID
      Mar 25 19:26:01	charon		14[IKE] <con1|17> sending DPD vendor ID
      Mar 25 19:26:01	charon		14[IKE] <con1|17> sending FRAGMENTATION vendor ID
      Mar 25 19:26:01	charon		14[IKE] <con1|17> sending NAT-T (RFC 3947) vendor ID
      Mar 25 19:26:01	charon		14[ENC] <con1|17> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Mar 25 19:26:01	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[500] to {OSX_CLIENT}[500] (412 bytes)
      Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (100 bytes)
      Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
      Mar 25 19:26:01	charon		14[IKE] <con1|17> queueing XAUTH task
      Mar 25 19:26:01	charon		14[IKE] <con1|17> faking NAT situation to enforce UDP encapsulation
      Mar 25 19:26:01	charon		14[IKE] <con1|17> activating new tasks
      Mar 25 19:26:01	charon		14[IKE] <con1|17> activating XAUTH task
      Mar 25 19:26:01	charon		14[ENC] <con1|17> generating TRANSACTION request 2079721641 [ HASH CPRQ(X_USER X_PWD) ]
      Mar 25 19:26:01	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
      Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed INFORMATIONAL_V1 request 2511949227 [ HASH N(INITIAL_CONTACT) ]
      Mar 25 19:26:01	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (92 bytes)
      Mar 25 19:26:01	charon		04[ENC] <con1|17> parsed TRANSACTION response 2079721641 [ HASH CPRP(X_USER X_PWD) ]
      Mar 25 19:26:01	charon		user '{USERNAME}' authenticated
      Mar 25 19:26:01	charon		04[IKE] <con1|17> XAuth-SCRIPT succeeded for user '{USERNAME}'.
      Mar 25 19:26:01	charon		04[IKE] <con1|17> XAuth authentication of '{USERNAME}' successful
      Mar 25 19:26:01	charon		04[IKE] <con1|17> reinitiating already active tasks
      Mar 25 19:26:01	charon		04[IKE] <con1|17> XAUTH task
      Mar 25 19:26:01	charon		04[ENC] <con1|17> generating TRANSACTION request 1395159188 [ HASH CPS(X_STATUS) ]
      Mar 25 19:26:01	charon		04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (76 bytes)
      Mar 25 19:26:01	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (76 bytes)
      Mar 25 19:26:01	charon		14[ENC] <con1|17> parsed TRANSACTION response 1395159188 [ HASH CPA(X_STATUS) ]
      Mar 25 19:26:01	charon		14[IKE] <con1|17> IKE_SA con1[17] established between {IPSEC_SERVER}[{IPSEC_SERVER}]...{OSX_CLIENT}[vpnusers@barker.ddns.net]
      Mar 25 19:26:01	charon		14[IKE] <con1|17> IKE_SA con1[17] state change: CONNECTING => ESTABLISHED
      Mar 25 19:26:01	charon		14[IKE] <con1|17> scheduling reauthentication in 85777s
      Mar 25 19:26:01	charon		14[IKE] <con1|17> maximum IKE_SA lifetime 86317s
      Mar 25 19:26:01	charon		14[IKE] <con1|17> activating new tasks
      Mar 25 19:26:01	charon		14[IKE] <con1|17> nothing to initiate
      Mar 25 19:26:01	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (172 bytes)
      Mar 25 19:26:01	charon		04[ENC] <con1|17> unknown attribute type (28683)
      Mar 25 19:26:01	charon		04[ENC] <con1|17> parsed TRANSACTION request 3617415040 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_ADDRESS attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_NETMASK attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_DNS attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_IP4_NBNS attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing INTERNAL_ADDRESS_EXPIRY attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing APPLICATION_VERSION attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_BANNER attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_DEF_DOMAIN attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SPLITDNS_NAME attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SPLIT_INCLUDE attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_LOCAL_LAN attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_PFS attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_SAVE_PASSWD attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_FW_TYPE attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing UNITY_BACKUP_SERVERS attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> processing (28683) attribute
      Mar 25 19:26:01	charon		04[IKE] <con1|17> peer requested virtual IP %any
      Mar 25 19:26:01	charon		04[CFG] <con1|17> reassigning offline lease to '{USERNAME}'
      Mar 25 19:26:01	charon		04[IKE] <con1|17> assigning virtual IP 192.168.1.50 to peer '{USERNAME}'
      Mar 25 19:26:01	charon		04[ENC] <con1|17> generating TRANSACTION response 3617415040 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
      Mar 25 19:26:01	charon		04[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (124 bytes)
      Mar 25 19:26:05	charon		14[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (300 bytes)
      Mar 25 19:26:05	charon		14[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH SA No ID ID ]
      Mar 25 19:26:05	charon		14[CFG] <con1|17> looking for a child config for 0.0.0.0/0|/0 === 192.168.1.50/32|/0
      Mar 25 19:26:05	charon		14[CFG] <con1|17> proposing traffic selectors for us:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> 0.0.0.0/0|/0
      Mar 25 19:26:05	charon		14[CFG] <con1|17> proposing traffic selectors for other:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> 192.168.1.50/32|/0
      Mar 25 19:26:05	charon		14[CFG] <con1|17> candidate "con1" with prio 5+5
      Mar 25 19:26:05	charon		14[CFG] <con1|17> found matching child config "con1" with prio 10
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting traffic selectors for other:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> config: 192.168.1.50/32|/0, received: 192.168.1.50/32|/0 => match: 192.168.1.50/32|/0
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting traffic selectors for us:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> no acceptable ENCRYPTION_ALGORITHM found
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selecting proposal:
      Mar 25 19:26:05	charon		14[CFG] <con1|17> proposal matches
      Mar 25 19:26:05	charon		14[CFG] <con1|17> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
      Mar 25 19:26:05	charon		14[CFG] <con1|17> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Mar 25 19:26:05	charon		14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Mar 25 19:26:05	charon		14[IKE] <con1|17> received 3600s lifetime, configured 28800s
      Mar 25 19:26:05	charon		14[ENC] <con1|17> generating QUICK_MODE response 3434504322 [ HASH SA No ID ID ]
      Mar 25 19:26:05	charon		14[NET] <con1|17> sending packet: from {IPSEC_SERVER}[4500] to {OSX_CLIENT}[4500] (172 bytes)
      Mar 25 19:26:05	charon		04[NET] <con1|17> received packet: from {OSX_CLIENT}[4500] to {IPSEC_SERVER}[4500] (60 bytes)
      Mar 25 19:26:05	charon		04[ENC] <con1|17> parsed QUICK_MODE request 3434504322 [ HASH ]
      Mar 25 19:26:05	charon		04[CHD] <con1|17> using AES_CBC for encryption
      Mar 25 19:26:05	charon		04[CHD] <con1|17> using HMAC_SHA1_96 for integrity
      Mar 25 19:26:05	charon		04[CHD] <con1|17> adding inbound ESP SA
      Mar 25 19:26:05	charon		04[CHD] <con1|17> SPI 0xc7f4c871, src {OSX_CLIENT} dst {IPSEC_SERVER}
      Mar 25 19:26:05	charon		04[CHD] <con1|17> adding outbound ESP SA
      Mar 25 19:26:05	charon		04[CHD] <con1|17> SPI 0x09ad8b82, src {IPSEC_SERVER} dst {OSX_CLIENT}
      Mar 25 19:26:05	charon		04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0
      

      Are there any configuration options I can change to allow iOS clients to connect?

      Edit: Forgot to mention, I'm running the latest pfSense (2.3.3-RELEASE-p1).

      • B
        big_bum
        last edited by

        I'm having the same problem. Android/Windows/Linux works, only iOS doesn't.

        In the logs I see

        Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2>IKE_SA con1[2] state change: ESTABLISHED => DELETING
        Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2>IKE_SA con1[2] state change: DELETING => DELETING
        Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2>IKE_SA con1[2] state change: DELETING => DESTROYING
        Apr 19 00:20:37 pfSense charon: 16[CFG] <con1|2>lease 192.168.2.1 by 'iphone' went offline
        

        before the iPhone gives me an error.

        • R
          Roofus
          last edited by

          Out of interest.  Why are you not using OpenVPN for the iOS?

          OpenVPN and Export Client includes an option for exporting to iOS devices and Android, and works like a dream.

          Roofus

          • B
            big_bum
            last edited by

            I managed to make it work without "Provide a list of accessible networks to clients".

            • B
              Beach
              last edited by

              Hi

              Same problem here; it worked perfectly before the upgrade to 2.3.3-RELEASE-p1.

              May I ask how you solved it big_bum?

              Thanks in advance.

              • B
                big_bum
                last edited by

                I used this guide to set up the VPN: https://www.thegeekpub.com/5855/pfsense-road-warrior-ipsec-config-works/, but on VPN -> IPsec -> Mobile Clients I didn't uncheck "Provide a list of accessible networks to clients".

                With "Provide a list of accessible networks to clients" checked, the connection failed. Without "Provide a list of accessible networks to clients" enabled, it works.

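A triage helper for the charon log lines quoted in this thread, added here as an example and not part of any post: it groups lines by IKE_SA, records which mode-config attributes were pushed in the CPRP reply (U_SPLITINC appears in the OS X log above, where Network List was checked), and reports whether the CHILD_SA came up. The sample lines are constructed from the two log formats above; the `<con1|2>` TRANSACTION line is an assumption, since that post did not include it, and the teardown verdict is a correlation, not proof of cause.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two log formats quoted in this thread.
SAMPLE_LOG = """\
Mar 25 19:26:01 charon 04[ENC] <con1|17> generating TRANSACTION response 3617415040 [ HASH CPRP(ADDR DNS DNS DNS SUBNET U_SPLITINC U_SAVEPWD) ]
Mar 25 19:26:05 charon 14[CFG] <con1|17> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 25 19:26:05 charon 04[IKE] <con1|17> CHILD_SA con1{3} established with SPIs c7f4c871_i 09ad8b82_o and TS 0.0.0.0/0|/0 === 192.168.1.50/32|/0
Apr 19 00:20:36 pfSense charon: 16[ENC] <con1|2> generating TRANSACTION response 1234567890 [ HASH CPRP(ADDR DNS SUBNET U_SPLITINC) ]
Apr 19 00:20:37 pfSense charon: 16[IKE] <con1|2>IKE_SA con1[2] state change: ESTABLISHED => DELETING
Apr 19 00:20:37 pfSense charon: 16[CFG] <con1|2>lease 192.168.2.1 by 'iphone' went offline
"""

# Matches both "charon<tabs>04[IKE] <con1|17> msg" and "charon: 16[IKE] <con1|2>msg".
LINE = re.compile(r"charon:?\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
                  r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>\s*(?P<msg>.*)")
CPRP = re.compile(r"CPRP\(([^)]*)\)")  # mode-config reply payload

def summarize(text):
    """Return {(conn, ike_sa_id): state} built from charon log text."""
    sas = defaultdict(lambda: {"pushed": [], "proposal": None,
                               "child_sa": False, "torn_down": False})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = sas[(m["conn"], int(m["id"]))], m["msg"]
        cp = CPRP.search(msg)
        if cp:
            sa["pushed"] = cp.group(1).split()
        elif msg.startswith("selected proposal:"):
            sa["proposal"] = msg.split(": ", 1)[1]
        elif msg.startswith("CHILD_SA") and " established " in msg:
            sa["child_sa"] = True
        elif "=> DELETING" in msg or "went offline" in msg:
            sa["torn_down"] = True
    return dict(sas)

def verdict(sa):
    """One-line status for an IKE_SA summary."""
    if sa["child_sa"]:
        return "tunnel up"
    if sa["torn_down"] and "U_SPLITINC" in sa["pushed"]:
        return "torn down after split-include push"
    return "torn down" if sa["torn_down"] else "incomplete"

if __name__ == "__main__":
    for key, sa in summarize(SAMPLE_LOG).items():
        print(key, verdict(sa), sa["pushed"], sa["proposal"])
```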
                • haykuH
                  hayku @Roofus
                  last edited by

                  @roofus Actually, it is the best option

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.