Netgate Discussion Forum

    IPsec VPN Not Passing Traffic for iPhones/Macs

    ddeacon22
    last edited by ddeacon22

      I have recently installed pfSense on a 6-port mini PC and have been working through setting it up, but I have been struggling to get the VPN working properly. The end devices I’m trying to connect are iPhones and MacBooks. The system is set up with port 1 as WAN (PPPoE) and ports 2-6 bridged together as a LAN (192.168.22.0/24). Everything has been working fine until I started trying to get the VPN going.

      I am able to make the VPN connection, but when I’m connecting in through LTE on the phones, I cannot ping or reach anything on the LAN side or vice versa (10.10.0.2 <==/==> 192.168.22.xx). The IPsec logs don’t tell me anything is wrong. I’ve been able to connect with several IPsec configurations with the same result, but am just using Mutual PSK for now until I work this out.

      This is my IPsec configuration. I was hoping for some tips to help troubleshoot, as I’ve been at it on and off for the last week without resolution, having exhausted all the articles and YouTube videos on setting up IPsec on pfSense.

      Mobile Client Config

      Provide a virtual IP: Checked 10.10.0.0/24

      Phase 1

      Key Exchange: IKEv2
      Protocol: IPv4
      Interface: WAN
      Auth Method: Mutual PSK
      My ID: Distinguished name
      Encryption Algorithms:
      AES 256 / SHA1 / DH2 (1024)
      AES 256 / SHA256 / DH14 (2048)
      DPD Enabled / 10 / 5

      Phase 2

      Mode: Tunnel IPv4
      Local Network: Network 0.0.0.0/0
      NAT/BINAT: None
      Protocol: ESP
      Encryption Algorithms: AES / Auto
      Hash Algorithms: SHA1 / SHA256
      PFS Key Group: Off

      IPSec Firewall Rule

      Action: Pass
      Interface: IPsec
      Address Family: IPv4
      Protocol: Any
      Source: Any
      Destination: Any

      Here is the log of a connection through LTE:

      Jun 23 14:40:12 charon 06[NET] <con1|11> sending packet: from XX.XX.XX.166[4500] to XX.XX.XX.80[42324] (320 bytes)
      Jun 23 14:40:12 charon 06[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS U_DEFDOM U_SPLITDNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
      Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: INSTALLING => INSTALLED
      Jun 23 14:40:12 charon 06[IKE] <con1|11> CHILD_SA con1{8} established with SPIs ce2dcb54_i 02105f9e_o and TS 0.0.0.0/0|/0 === 10.10.0.2/32|/0
      Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0x02105f9e, src XX.XX.XX.166 dst XX.XX.XX.80
      Jun 23 14:40:12 charon 06[CHD] <con1|11> adding outbound ESP SA
      Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0xce2dcb54, src XX.XX.XX.80 dst XX.XX.XX.166
      Jun 23 14:40:12 charon 06[CHD] <con1|11> adding inbound ESP SA
      Jun 23 14:40:12 charon 06[CHD] <con1|11> using HMAC_SHA2_256_128 for integrity
      Jun 23 14:40:12 charon 06[CHD] <con1|11> using AES_CBC for encryption
      Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: CREATED => INSTALLING
      Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: ::/0|/0 => no match
      Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: 0.0.0.0/0|/0 => match: 10.10.0.2/32|/0
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for other:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
      Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for us:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
      Jun 23 14:40:12 charon 06[CFG] <con1|11> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Jun 23 14:40:12 charon 06[CFG] <con1|11> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
      Jun 23 14:40:12 charon 06[CFG] <con1|11> proposal matches
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> found matching child config "con1" with prio 12
      Jun 23 14:40:12 charon 06[CFG] <con1|11> candidate "con1" with prio 10+2
      Jun 23 14:40:12 charon 06[CFG] <con1|11> 10.10.0.2/32|/0
      Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for other:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> 0.0.0.0/0|/0
      Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for us:
      Jun 23 14:40:12 charon 06[CFG] <con1|11> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0
      Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_SPLITDNS_NAME attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_DEF_DOMAIN attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> building INTERNAL_IP4_DNS attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> no virtual IP found for %any6 requested by XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
      Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any6
      Jun 23 14:40:12 charon 06[IKE] <con1|11> assigning virtual IP 10.10.0.2 to peer XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
      Jun 23 14:40:12 charon 06[CFG] <con1|11> reassigning offline lease to XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
      Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any
      Jun 23 14:40:12 charon 06[IKE] <con1|11> maximum IKE_SA lifetime 28631s
      Jun 23 14:40:12 charon 06[IKE] <con1|11> scheduling reauthentication in 28091s
      Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] state change: CONNECTING => ESTABLISHED
      Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] established between XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
      Jun 23 14:40:12 charon 06[IKE] <con1|11> successfully created shared key MAC
      Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of 'DISTINGUISHED_NAME' (myself) with pre-shared key
      Jun 23 14:40:12 charon 06[IKE] <con1|11> peer supports MOBIKE
      Jun 23 14:40:12 charon 06[IKE] <con1|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing (25) attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DNS attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DHCP attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_ADDRESS attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_NETMASK attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DNS attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DHCP attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_ADDRESS attribute
      Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44' with pre-shared key successful
      Jun 23 14:40:12 charon 06[CFG] <con1|11> selected peer config 'con1'
      Jun 23 14:40:12 charon 06[CFG] <11> candidate "con1", match: 20/1/1052 (me/other/ike)
      Jun 23 14:40:12 charon 06[CFG] <11> looking for peer configs matching XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
      Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
      Jun 23 14:40:12 charon 06[ENC] <11> unknown attribute type (25)
      Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42324] to XX.XX.XX.166[4500] (560 bytes)
      Jun 23 14:40:12 charon 06[NET] <11> sending packet: from XX.XX.XX.166[500] to XX.XX.XX.80[42323] (448 bytes)
      Jun 23 14:40:12 charon 06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
      Jun 23 14:40:12 charon 06[IKE] <11> remote host is behind NAT
      Jun 23 14:40:12 charon 06[IKE] <11> local host is behind NAT, sending keep alives
      Jun 23 14:40:12 charon 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Jun 23 14:40:12 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Jun 23 14:40:12 charon 06[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Jun 23 14:40:12 charon 06[CFG] <11> proposal matches
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
      Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
      Jun 23 14:40:12 charon 06[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
      Jun 23 14:40:12 charon 06[IKE] <11> XX.XX.XX.80 is initiating an IKE_SA
      Jun 23 14:40:12 charon 06[CFG] <11> found matching ike config: XX.XX.XX.166...%any with prio 1052
      Jun 23 14:40:12 charon 06[CFG] <11> candidate: XX.XX.XX.166...%any, prio 1052
      Jun 23 14:40:12 charon 06[CFG] <11> looking for an ike config for XX.XX.XX.166...XX.XX.XX.80
      Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42323] to XX.XX.XX.166[500] (604 bytes)

      Let me know if you need any other config details or logs to help.

      Thanks in advance.

        ddeacon22
        last edited by

        I spent some time reconfiguring and am still having some challenges, but I thought I'd add some new details.

        I've reconfigured the VPN per the tutorial at: https://forum.netgate.com/topic/95139/valid-configuration-for-ikev2-vpn-for-ios-and-osx

        On the iPhone I can still connect but not pass traffic over an LTE connection. The weird thing I have noticed when connected, though, is that the Server Address in the iPhone connection is showing as an IPv6 address for some reason.

        I tried another test: I set my phone up as a wifi hotspot and installed the VPN profile I made on my MacBook. I then connected my Mac to the wifi hotspot and turned the VPN on, and was able to tunnel into the network and browse, so that works at least.

          ddeacon22
          last edited by

          For anyone running into this problem: after much digging I found this is actually a problem with Rogers cellular service. In the interim you need to call Rogers and have them blacklist your IMEI from using IPv6. They are working on a more permanent fix. I opened a ticket and am currently waiting for them to blacklist mine, but the details are in this Rogers community thread:

          http://communityforums.rogers.com/t5/Network-Coverage/Issues-with-IKEv2-IPSec-VPN-on-Rogers-LTE-3G/td-p/419136/page/8

          D

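As an added example (not code from the thread, pfSense or strongSwan), here is a small Python script that parses the charon lines quoted in the first post and reports the facts that point to the IPv6 problem the last post identifies: the client's %any6 virtual-IP request that no pool could satisfy, the IPv6 peer identity, and IPv4-only traffic selectors. The sample log is constructed from the post's own masked lines.

```python
import re

# Constructed sample: charon lines modelled on the log quoted in the first post (addresses masked as there).
SAMPLE_LOG = """\
Jun 23 14:40:12 charon 06[IKE] <con1|11> CHILD_SA con1{8} established with SPIs ce2dcb54_i 02105f9e_o and TS 0.0.0.0/0|/0 === 10.10.0.2/32|/0
Jun 23 14:40:12 charon 06[IKE] <con1|11> no virtual IP found for %any6 requested by XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any6
Jun 23 14:40:12 charon 06[IKE] <con1|11> assigning virtual IP 10.10.0.2 to peer XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any
Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] established between XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
"""

# Patterns for the strongSwan (charon) messages that carry the diagnostic facts.
IKE_SA = re.compile(r"IKE_SA \S+\[\d+\] established between \S+\[[^\]]*\]\.\.\.(\S+)\[([^\]]*)\]")
CHILD_TS = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs \w+_i \w+_o and TS (.+?) === (.+)$")
VIP_REQ = re.compile(r"peer requested virtual IP (%any6?)$")
VIP_MISSING = re.compile(r"no virtual IP found for (%any6?) ")
VIP_ASSIGNED = re.compile(r"assigning virtual IP (\S+) to peer")

def analyse(log_text):
    """Return (facts, findings): parsed facts plus plain-language observations about the tunnel."""
    facts = {"peer_address": None, "peer_identity": None, "local_ts": [], "remote_ts": [],
             "vip_requested": [], "vip_unsatisfied": [], "vip_assigned": []}
    for line in log_text.splitlines():
        if m := IKE_SA.search(line):
            facts["peer_address"], facts["peer_identity"] = m.group(1), m.group(2)
        elif m := CHILD_TS.search(line):
            facts["local_ts"], facts["remote_ts"] = m.group(1).split(), m.group(2).split()
        elif m := VIP_REQ.search(line):
            facts["vip_requested"].append(m.group(1))
        elif m := VIP_MISSING.search(line):
            facts["vip_unsatisfied"].append(m.group(1))
        elif m := VIP_ASSIGNED.search(line):
            facts["vip_assigned"].append(m.group(1))
    findings = []
    if "%any6" in facts["vip_unsatisfied"]:
        findings.append("client asked for an IPv6 virtual address (%any6) but the mobile pool is IPv4-only, "
                        "so the client's IPv6 traffic is not covered by the tunnel")
    if facts["peer_identity"] and ":" in facts["peer_identity"]:
        findings.append("peer's IKE identity is an IPv6 address: the client sits on an IPv6-first mobile path")
    all_ts = facts["local_ts"] + facts["remote_ts"]
    if all_ts and not any("::" in ts for ts in all_ts):
        findings.append(f"negotiated traffic selectors are IPv4-only: {facts['local_ts']} === {facts['remote_ts']}")
    return facts, findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)[1]:
        print("-", finding)
```

Run it against a copy of the IPsec log from Status > System Logs to confirm the same three observations before calling the carrier.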
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.