IPsec VPN Not Passing Traffic for iPhones/Macs

ddeacon22

I have recently installed pfSense on a 6 port mini pc and have been working through setting up but have been struggling getting the VPN working properly. End devices I’m trying to connect in are iPhones and Macbooks. The system is set up with Port 1 as WAN (PPPoE) and ports 2-6 are bridged together as a LAN (192.168.22.0/24). Everything has been working fine until I started trying to get the VPN going.

I am able to make the VPN connection but when I’m connecting in through LTE on the phones, I cannot ping or reach anything on the LAN side or vice versa (10.10.0.2<==/==>192.168.22.xx). IPsec logs don’t tell me anything is wrong. I’ve been able to connect with several IPsec configurations with the same result but am just using Mutual PSK for now until I work this out.

This is my IPsec configuration so I was hoping for some tips to help troubleshoot as I’ve been at it on and off for the last week without resolution having exhausted all the articles and YouTube videos on setting up IPsec on pfSense.

Mobile Client Config

Provide a virtual IP: Checked 10.10.0.0/24

Phase 1

Key Exchange: IKEv2
Protocol: IPv4
Interface: WAN
Auth Method: Mutual PSK
My ID: Distinguished name
Encryption Algorithms:
AES 256 / SHA1 / DH2 (1024)
AES 226 / SHA256 / DH14 (2048)
DPD Enabled / 10 / 5

Phase 2

Mode: Tunnel IPv4
Local Network: Network 0.0.0.0/0
NAT/BINAT: None
Protocol: ESP
Encryption Algorithms: AES / Auto
Hash Algorithms: SHA1 / SHA256
PFS Key Group: Off

IPSec Firewall Rule

Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Any
Destination: Any

Here is a connection through LTE

Jun 23 14:40:12 charon 06[NET] <con1|11> sending packet: from XX.XX.XX.166[4500] to XX.XX.XX.80[42324] (320 bytes)
Jun 23 14:40:12 charon 06[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS U_DEFDOM U_SPLITDNS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: INSTALLING => INSTALLED
Jun 23 14:40:12 charon 06[IKE] <con1|11> CHILD_SA con1{8} established with SPIs ce2dcb54_i 02105f9e_o and TS 0.0.0.0/0|/0 === 10.10.0.2/32|/0
Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0x02105f9e, src XX.XX.XX.166 dst XX.XX.XX.80
Jun 23 14:40:12 charon 06[CHD] <con1|11> adding outbound ESP SA
Jun 23 14:40:12 charon 06[CHD] <con1|11> SPI 0xce2dcb54, src XX.XX.XX.80 dst XX.XX.XX.166
Jun 23 14:40:12 charon 06[CHD] <con1|11> adding inbound ESP SA
Jun 23 14:40:12 charon 06[CHD] <con1|11> using HMAC_SHA2_256_128 for integrity
Jun 23 14:40:12 charon 06[CHD] <con1|11> using AES_CBC for encryption
Jun 23 14:40:12 charon 06[CHD] <con1|11> CHILD_SA con1{8} state change: CREATED => INSTALLING
Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: ::/0|/0 => no match
Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 10.10.0.2/32|/0, received: 0.0.0.0/0|/0 => match: 10.10.0.2/32|/0
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for other:
Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
Jun 23 14:40:12 charon 06[CFG] <con1|11> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting traffic selectors for us:
Jun 23 14:40:12 charon 06[CFG] <con1|11> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 23 14:40:12 charon 06[CFG] <con1|11> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 23 14:40:12 charon 06[CFG] <con1|11> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jun 23 14:40:12 charon 06[CFG] <con1|11> proposal matches
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable ENCRYPTION_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> no acceptable INTEGRITY_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <con1|11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <con1|11> found matching child config "con1" with prio 12
Jun 23 14:40:12 charon 06[CFG] <con1|11> candidate "con1" with prio 10+2
Jun 23 14:40:12 charon 06[CFG] <con1|11> 10.10.0.2/32|/0
Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for other:
Jun 23 14:40:12 charon 06[CFG] <con1|11> 0.0.0.0/0|/0
Jun 23 14:40:12 charon 06[CFG] <con1|11> proposing traffic selectors for us:
Jun 23 14:40:12 charon 06[CFG] <con1|11> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0
Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_SPLITDNS_NAME attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> building UNITY_DEF_DOMAIN attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> building INTERNAL_IP4_DNS attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> no virtual IP found for %any6 requested by XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any6
Jun 23 14:40:12 charon 06[IKE] <con1|11> assigning virtual IP 10.10.0.2 to peer XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
Jun 23 14:40:12 charon 06[CFG] <con1|11> reassigning offline lease to XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44'
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer requested virtual IP %any
Jun 23 14:40:12 charon 06[IKE] <con1|11> maximum IKE_SA lifetime 28631s
Jun 23 14:40:12 charon 06[IKE] <con1|11> scheduling reauthentication in 28091s
Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] state change: CONNECTING => ESTABLISHED
Jun 23 14:40:12 charon 06[IKE] <con1|11> IKE_SA con1[11] established between XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
Jun 23 14:40:12 charon 06[IKE] <con1|11> successfully created shared key MAC
Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of 'DISTINGUISHED_NAME' (myself) with pre-shared key
Jun 23 14:40:12 charon 06[IKE] <con1|11> peer supports MOBIKE
Jun 23 14:40:12 charon 06[IKE] <con1|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing (25) attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DNS attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_DHCP attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP6_ADDRESS attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_NETMASK attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DNS attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_DHCP attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> processing INTERNAL_IP4_ADDRESS attribute
Jun 23 14:40:12 charon 06[IKE] <con1|11> authentication of XXXX:XXXX:XXX:XXX:XXX:XXX:XXX:bb44' with pre-shared key successful
Jun 23 14:40:12 charon 06[CFG] <con1|11> selected peer config 'con1'
Jun 23 14:40:12 charon 06[CFG] <11> candidate "con1", match: 20/1/1052 (me/other/ike)
Jun 23 14:40:12 charon 06[CFG] <11> looking for peer configs matching XX.XX.XX.166[DISTINGUISHED_NAME]...XX.XX.XX.80[2605:8d80:540:39cf:7c41:f2ee:4257:bb44]
Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 23 14:40:12 charon 06[ENC] <11> unknown attribute type (25)
Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42324] to XX.XX.XX.166[4500] (560 bytes)
Jun 23 14:40:12 charon 06[NET] <11> sending packet: from XX.XX.XX.166[500] to XX.XX.XX.80[42323] (448 bytes)
Jun 23 14:40:12 charon 06[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 23 14:40:12 charon 06[IKE] <11> remote host is behind NAT
Jun 23 14:40:12 charon 06[IKE] <11> local host is behind NAT, sending keep alives
Jun 23 14:40:12 charon 06[CFG] <11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 23 14:40:12 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 23 14:40:12 charon 06[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 23 14:40:12 charon 06[CFG] <11> proposal matches
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[CFG] <11> no acceptable PSEUDO_RANDOM_FUNCTION found
Jun 23 14:40:12 charon 06[CFG] <11> selecting proposal:
Jun 23 14:40:12 charon 06[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jun 23 14:40:12 charon 06[IKE] <11> XX.XX.XX.80 is initiating an IKE_SA
Jun 23 14:40:12 charon 06[CFG] <11> found matching ike config: XX.XX.XX.166...%any with prio 1052
Jun 23 14:40:12 charon 06[CFG] <11> candidate: XX.XX.XX.166...%any, prio 1052
Jun 23 14:40:12 charon 06[CFG] <11> looking for an ike config for XX.XX.XX.166...XX.XX.XX.80
Jun 23 14:40:12 charon 06[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 23 14:40:12 charon 06[NET] <11> received packet: from XX.XX.XX.80[42323] to XX.XX.XX.166[500] (604 bytes)

Let me know if you need any other config details or logs to help.

Thanks in advance.

ddeacon22

Spent some time reconfiguring and am still having some challenges but thought I'd add some new details.

I've reconfigured the VPN per the tutorial at: https://forum.netgate.com/topic/95139/valid-configuration-for-ikev2-vpn-for-ios-and-osx

On the iPhone I still can connect but not pass traffic over an LTE connection. The weird thing I have noticed when connected though is the the Server Address in the iPhone connection is showing as an IPv6 address for some reason.

I tried another test, I set my phone up as a wifi hotspot and installed the VPN profile I made on my MacBook. I then connected my Mac to the Wifi hotspot and turned the VPN on and was able to tunnel into the network and browse, so that works at least.

ddeacon22

For anyone running into this problem, after much digging I found this is actually a problem with Rogers cellular service. You need to call Rogers in the interim and have them blacklist your IMEI from using IPv6. They are working on a more permanent fix...I opened a ticket and am currently waiting for them to blacklist mine but details are at this Rogers community thread.

http://communityforums.rogers.com/t5/Network-Coverage/Issues-with-IKEv2-IPSec-VPN-on-Rogers-LTE-3G/td-p/419136/page/8

D