IPsec VPN between iPhone and PfSense
-
Hello guys,
I'm trying to make an IPsec connection between an iphone and my Pfsense.
I've already done a PPTP VPN and it works, but I don't know how to configure the IPsec. I have the following settings on my iPhone and I don't understand what to write there:
- Description (ok, I got that!)
- Server (I've entered the WAN IP address of the PfSense box)
- Account (here I don't know what to enter)
- Password (the same as above)
- Use Certificate (is set on NO)
- Group Name (I don't know what to enter)
- Secret (I've entered the pre-shared key)
I really don't understand much about VPNs, and it would be wonderful if someone here could tell me what to enter on my iPhone and how to correctly set my PfSense box.
Thank you all.
Aleph
-
Hi hi,
seems we're the only ones willing to connect an iPhone to pfSense.
I've found your other posting at http://discussions.apple.com/thread.jspa?messageID=8398194 too, but even at the Apple board there isn't an answer!!!
Hopefully one of the VPN-experienced readers at the board is willing to give us a hand so we can try to find a solution.
Greetz
Mircsicz
-
You can add me to the list of people that are interested in doing this. I will play with it some more, see what I come up with, and report back. However, if I were you I would just try, try, try and look at your IPsec logs to see what errors you are getting; that's how I figured out a lot of the things I have done with pfSense.
Dec 2 09:30:59 racoon: ERROR: not acceptable Identity Protection mode
Dec 2 09:30:56 racoon: ERROR: not acceptable Identity Protection mode
is what I am getting as of right now when I try the following:
- Description (name)
- Server (server url)
- Account (tried the VPN: IPsec: Edit pre-shared key "identifier" as well as the mobile client identifier) neither worked.
- Password (tried the pre shared key and nothing) neither worked
- Use Certificate (is set on NO)
- Group Name (I don't know what to enter) me either
- Secret (I've entered the pre-shared key and nothing) neither worked
-
Working on this one as well..
I've been playing with settings and am making some progress. I seem to be getting stuck on phase 1 - authentication. Below is my log:
Dec 3 18:55:42 racoon: ERROR: failed to get valid proposal.
Dec 3 18:55:42 racoon: ERROR: no suitable proposal found.
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
Dec 3 18:55:42 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
Dec 3 18:55:42 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = MD5:SHA
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
Dec 3 18:55:42 racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:XAuth pskey client
Dec 3 18:55:42 racoon: INFO: received Vendor ID: DPD
Dec 3 18:55:42 racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 3 18:55:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 3 18:55:42 racoon: INFO: received Vendor ID: RFC 3947
Dec 3 18:55:42 racoon: INFO: begin Identity Protection mode.
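The log above is racoon comparing its one configured phase 1 transform ("DB") against each of the eight transforms the iPhone offered, logging every attribute that differs. As an added example that is not part of this thread, the Python script below parses those rejection lines (copied from the post, syslog timestamps dropped) and reports which attribute is rejected against every offer. Here that is the authentication method: the phone proposes XAuth with a pre-shared key while the responder is set up for plain pre-shared key, so changing only the cipher or hash cannot help. The mapping to racoon.conf keywords follows racoon.conf(5) from ipsec-tools; the function names and the output format are the example's own.

```python
"""Diagnose a racoon IKE phase 1 proposal mismatch from its log lines.

Added example, not code from the thread or from pfSense. It parses the
"rejected <attribute>" lines racoon (ipsec-tools) emits while comparing its
configured transform ("DB") with each transform the peer offered, then reports
which attribute blocks every offer and which values the peer wants instead.
"""
import re
from collections import defaultdict

# Log lines copied from the post above, syslog timestamps dropped.
SAMPLE_LOG = """\
racoon: ERROR: failed to get valid proposal.
racoon: ERROR: no suitable proposal found.
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = MD5:SHA
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = pre-shared key:XAuth pskey client
racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = pre-shared key:XAuth pskey client
racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
"""

# racoon: ERROR: rejected <attr>: DB(prop#A:trns#B):Peer(prop#C:trns#D) = <ours>:<theirs>
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): DB\(prop#\d+:trns#\d+\):"
    r"Peer\(prop#\d+:trns#(?P<peer_trns>\d+)\) = (?P<ours>[^:]+):(?P<theirs>.+)$"
)


def parse_rejections(log_text):
    """Map each peer transform number to {attribute: (our value, peer value)}."""
    rejections = defaultdict(dict)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejections[int(m["peer_trns"])][m["attr"]] = (m["ours"], m["theirs"])
    return dict(rejections)


def diagnose(rejections):
    """Summarise the mismatch.

    blocking:    attributes rejected in every peer transform; nothing else
                 matters until these are fixed.
    peer_values: every value the peer offered per mismatching attribute.
    closest:     peer transforms with the fewest mismatches (racoon only logs
                 the attributes that differ, so these need the fewest changes).
    """
    if not rejections:
        return {"blocking": set(), "peer_values": {}, "closest": []}
    blocking = set.intersection(*(set(m) for m in rejections.values()))
    peer_values = defaultdict(set)
    for mismatches in rejections.values():
        for attr, (_ours, theirs) in mismatches.items():
            peer_values[attr].add(theirs)
    fewest = min(len(m) for m in rejections.values())
    closest = sorted(t for t, m in rejections.items() if len(m) == fewest)
    return {"blocking": blocking, "peer_values": dict(peer_values), "closest": closest}


# Names as racoon logs them -> racoon.conf(5) keyword and value on the responder.
# A peer authenticating as an XAuth PSK client needs an xauth_psk_server peer.
RACOON_KEYWORDS = {
    "authmethod": ("authentication_method", {"XAuth pskey client": "xauth_psk_server",
                                             "pre-shared key": "pre_shared_key"}),
    "enctype": ("encryption_algorithm", {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}),
    "hashtype": ("hash_algorithm", {"SHA": "sha1", "MD5": "md5"}),
}


def required_settings(diag):
    """racoon.conf values the responder would need for the blocking attributes."""
    out = {}
    for attr in sorted(diag["blocking"]):
        keyword, names = RACOON_KEYWORDS[attr]
        out[attr] = (keyword, sorted(names.get(v, v) for v in diag["peer_values"][attr]))
    return out


if __name__ == "__main__":
    diag = diagnose(parse_rejections(SAMPLE_LOG))
    print("blocking attributes:", diag["blocking"])
    print("peer offered:", diag["peer_values"])
    print("closest peer transforms:", diag["closest"])
    print("responder would need:", required_settings(diag))
```

Run against the posted log it reports authmethod as the only blocking attribute, peer transforms 3 and 4 as the closest (they differ from the DB in nothing but the authentication method), and xauth_psk_server as the racoon.conf value the responder would need. Note that racoon does not log DH group or AES key length in these lines, so a transform with no logged mismatch beyond authmethod may still differ in those; the pfSense 1.x GUI does not expose XAuth, which is why CMB's answer below stands.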
-
The iPhone's IPsec client isn't compatible with pfSense 1.x. It will be with 2.0. PPTP with the iPhone works fine.
-
Thanks CMB
The fortunate thing about challenges like this is that it gives me a chance to learn, although sometimes painfully, about topics that I would otherwise never delve into. In this case I came to the same conclusion that you already knew. I have verified that PPTP does work with the iPhone and pfSense. I suppose it is up to each admin to determine how they feel about the security of PPTP and their network. For me, it was not worth the risk, so I am still searching for other solutions.
In my case it's complicated by having only one WAN IP and an existing IPsec tunnel… otherwise I'd forward the ports to Leopard Server and use L2TP.