IPsec VPN Not Passing Traffic for iPhones/Macs



  • I have recently installed pfSense on a 6 port mini pc and have been working through setting up but have been struggling getting the VPN working properly. End devices I’m trying to connect in are iPhones and Macbooks. The system is set up with Port 1 as WAN (PPPoE) and ports 2-6 are bridged together as a LAN (192.168.22.0/24). Everything has been working fine until I started trying to get the VPN going.

    I am able to make the VPN connection but when I’m connecting in through LTE on the phones, I cannot ping or reach anything on the LAN side or vice versa (10.10.0.2<==/==>192.168.22.xx). IPsec logs don’t tell me anything is wrong. I’ve been able to connect with several IPsec configurations with the same result but am just using Mutual PSK for now until I work this out.

    This is my IPsec configuration so I was hoping for some tips to help troubleshoot as I’ve been at it on and off for the last week without resolution having exhausted all the articles and YouTube videos on setting up IPsec on pfSense.

    Mobile Client Config

    Provide a virtual IP: Checked 10.10.0.0/24

    Phase 1

    Key Exchange: IKEv2
    Protocol: IPv4
    Interface: WAN
    Auth Method: Mutual PSK
    My ID: Distinguished name
    Encryption Algorithms:
    AES 256 / SHA1 / DH2 (1024)
    AES 256 / SHA256 / DH14 (2048)
    DPD Enabled / 10 / 5

    Phase 2

    Mode: Tunnel IPv4
    Local Network: Network 0.0.0.0/0
    NAT/BINAT: None
    Protocol: ESP
    Encryption Algorithms: AES / Auto
    Hash Algorithms: SHA1 / SHA256
    PFS Key Group: Off

    IPSec Firewall Rule

    Action: Pass
    Interface: IPsec
    Address Family: IPv4
    Protocol: Any
    Source: Any
    Destination: Any

    Here is a connection through LTE

    Jun 23 14:40:12 charon 06[NET] <con1|11> sending packet: from XX.XX.XX.166[4500] to XX.XX.XX.80[42324] (320 bytes)
    Jun 23 14:40:12 charon 06[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS U_DEFDOM U_SPLITDNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
    Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: INSTALLING => INSTALLED
    Jun 23 14:40:12 charon 06[IKE] <con1|11> CHILD_SA con1{8} established with SPIs ce2dcb54_i 02105f9e_o and TS 0.0.0.0/0|/0 === 10.10.0.2/32|/0
    Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0x02105f9e, src XX.XX.XX.166 dst XX.XX.XX.80
    Jun 23 14:40:12 charon 06[CHD] <con1|11> adding outbound ESP SA
    Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0xce2dcb54, src XX.XX.XX.80 dst XX.XX.XX.166
    Jun 23 14:40:12 charon 06[CHD] <con1|11> adding inbound ESP SA
    Jun 23 14:40:12 charon 06[CHD] <con1|11> using HMAC_SHA2_256_128 for integrity
    Jun 23 14:40:12 charon 06[CHD] <con1|11> using AES_CBC for encryption
    Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: CREATED => INSTALLING
    Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: ::/0|/0 => no match
    Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: 0.0.0.0/0|/0 => match: 10.10.0.2/32|/0
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for other:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
    Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for us:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    Jun 23 14:40:12 charon 06[CFG] <con1|11> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
    Jun 23 14:40:12 charon 06[CFG] <con1|11> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    Jun 23 14:40:12 charon 06[CFG] <con1|11> proposal matches
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> found matching child config "con1" with prio 12
    Jun 23 14:40:12 charon 06[CFG] <con1|11> candidate "con1" with prio 10+2
    Jun 23 14:40:12 charon 06[CFG] <con1|11> 10.10.0.2/32|/0
    Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for other:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> 0.0.0.0/0|/0
    Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for us:
    Jun 23 14:40:12 charon 06[CFG] <con1|11> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0
    Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_SPLITDNS_NAME attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_DEF_DOMAIN attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> building INTERNAL_IP4_DNS attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> no virtual IP found for %any6 requested by XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
    Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any6
    Jun 23 14:40:12 charon 06[IKE] <con1|11> assigning virtual IP 10.10.0.2 to peer XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
    Jun 23 14:40:12 charon 06[CFG] <con1|11> reassigning offline lease to XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
    Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any
    Jun 23 14:40:12 charon 06[IKE] <con1|11> maximum IKE_SA lifetime 28631s
    Jun 23 14:40:12 charon 06[IKE] <con1|11> scheduling reauthentication in 28091s
    Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] state change: CONNECTING => ESTABLISHED
    Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] established between XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
    Jun 23 14:40:12 charon 06[IKE] <con1|11> successfully created shared key MAC
    Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of 'DISTINGUISHED_NAME' (myself) with pre-shared key
    Jun 23 14:40:12 charon 06[IKE] <con1|11> peer supports MOBIKE
    Jun 23 14:40:12 charon 06[IKE] <con1|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing (25) attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DNS attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DHCP attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_ADDRESS attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_NETMASK attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DNS attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DHCP attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_ADDRESS attribute
    Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44' with pre-shared key successful
    Jun 23 14:40:12 charon 06[CFG] <con1|11> selected peer config 'con1'
    Jun 23 14:40:12 charon 06[CFG] <11> candidate "con1", match: 20/1/1052 (me/other/ike)
    Jun 23 14:40:12 charon 06[CFG] <11> looking for peer configs matching XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
    Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Jun 23 14:40:12 charon 06[ENC] <11> unknown attribute type (25)
    Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42324] to XX.XX.XX.166[4500] (560 bytes)
    Jun 23 14:40:12 charon 06[NET] <11> sending packet: from XX.XX.XX.166[500] to XX.XX.XX.80[42323] (448 bytes)
    Jun 23 14:40:12 charon 06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
    Jun 23 14:40:12 charon 06[IKE] <11> remote host is behind NAT
    Jun 23 14:40:12 charon 06[IKE] <11> local host is behind NAT, sending keep alives
    Jun 23 14:40:12 charon 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Jun 23 14:40:12 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Jun 23 14:40:12 charon 06[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jun 23 14:40:12 charon 06[CFG] <11> proposal matches
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
    Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
    Jun 23 14:40:12 charon 06[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
    Jun 23 14:40:12 charon 06[IKE] <11> XX.XX.XX.80 is initiating an IKE_SA
    Jun 23 14:40:12 charon 06[CFG] <11> found matching ike config: XX.XX.XX.166...%any with prio 1052
    Jun 23 14:40:12 charon 06[CFG] <11> candidate: XX.XX.XX.166...%any, prio 1052
    Jun 23 14:40:12 charon 06[CFG] <11> looking for an ike config for XX.XX.XX.166...XX.XX.XX.80
    Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42323] to XX.XX.XX.166[500] (604 bytes)

    Let me know if you need any other config details or logs to help.

    Thanks in advance.
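    As an added example (not from the original post, pfSense or strongSwan), a small Python triage script that pulls the facts a responder needs out of charon lines like the ones above: whether the IKE_SA and CHILD_SA came up, the negotiated traffic selectors and SPIs, NAT detection, and whether the peer identified itself by an IPv6 address while the exchange itself ran over IPv4. The sample log is constructed with documentation addresses and mirrors the shape of the quoted lines.

```python
import ipaddress
import re

# Constructed sample in the shape of the charon lines quoted above
# (documentation addresses, not the poster's).
SAMPLE_LOG = """\
Jun 23 14:40:12 charon 06[IKE] <11> remote host is behind NAT
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any6
Jun 23 14:40:12 charon 06[IKE] <con1|11> no virtual IP found for %any6 requested by 2001:db8::bb44'
Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] established between 198.51.100.166[DISTINGUISHED_NAME]...203.0.113.80[2001:db8::bb44]
Jun 23 14:40:12 charon 06[IKE] <con1|11> CHILD_SA con1{8} established with SPIs ce2dcb54_i 02105f9e_o and TS 0.0.0.0/0|/0 === 10.10.0.2/32|/0
"""

IKE_RE = re.compile(r"IKE_SA \S+ established between (\S+)\[(.*?)\]\.\.\.(\S+)\[(.*?)\]")
CHILD_RE = re.compile(r"CHILD_SA \S+ established with SPIs (\w+)_i (\w+)_o and TS (\S+)\|\S+ === (\S+)\|\S+")


def _is_v6(text):
    """True when text parses as an IPv6 address (identities may also be names)."""
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False


def triage(log):
    """Summarise one IKEv2 mobile-client negotiation from charon log text."""
    r = {"ike_up": False, "child_up": False, "nat": "remote host is behind NAT" in log,
         "v6_pool_missing": "no virtual IP found for %any6" in log, "findings": []}
    for line in log.splitlines():
        m = IKE_RE.search(line)
        if m:  # local address/identity ... peer address/identity
            r.update(ike_up=True, local=m[1], peer=m[3], peer_id=m[4])
        m = CHILD_RE.search(line)
        if m:  # inbound/outbound SPIs and the traffic selectors (ours === theirs)
            r.update(child_up=True, spi_in=m[1], spi_out=m[2], local_ts=m[3], remote_ts=m[4])
    if r["child_up"] and r["local_ts"] == "0.0.0.0/0":
        r["findings"].append(f"CHILD_SA up: all IPv4 from {r['remote_ts']} is tunnelled; "
                             "a no-traffic symptom lies in the path or firewall rules, not in IKE")
    if r["ike_up"] and _is_v6(r["peer_id"]) and not _is_v6(r["peer"]):
        r["findings"].append("peer identified itself by an IPv6 address while IKE ran over IPv4: "
                             "the client sits on an IPv6 mobile network and reaches the IPv4 WAN "
                             "through carrier translation/NAT; check that path first")
    if r["v6_pool_missing"]:
        r["findings"].append("client asked for an IPv6 virtual address but no IPv6 pool exists: "
                             "only IPv4 is tunnelled, the client's IPv6 traffic stays outside")
    return r


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```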



  • Spent some time reconfiguring and am still having some challenges but thought I'd add some new details.

    I've reconfigured the VPN per the tutorial at: https://forum.netgate.com/topic/95139/valid-configuration-for-ikev2-vpn-for-ios-and-osx

    On the iPhone I still can connect but not pass traffic over an LTE connection. The weird thing I have noticed when connected though is that the Server Address in the iPhone connection is showing as an IPv6 address for some reason.

    I tried another test, I set my phone up as a wifi hotspot and installed the VPN profile I made on my MacBook. I then connected my Mac to the Wifi hotspot and turned the VPN on and was able to tunnel into the network and browse, so that works at least.



  • For anyone running into this problem, after much digging I found this is actually a problem with Rogers cellular service. You need to call Rogers in the interim and have them blacklist your IMEI from using IPv6. They are working on a more permanent fix...I opened a ticket and am currently waiting for them to blacklist mine but details are at this Rogers community thread.

    http://communityforums.rogers.com/t5/Network-Coverage/Issues-with-IKEv2-IPSec-VPN-on-Rogers-LTE-3G/td-p/419136/page/8

    D

