iOS not connecting
This is going to sound crazy and make no sense; I have been fighting this for a month. I have 2 firewalls running 2.4.4p2 in an Outside/DMZ/Inside configuration with a /28 of Public IPs in the DMZ and a reserved IP on the Public side of the Outside FW. I have my iPhone configured for an IKEv1 VPN to the Outside FW (70.165.xx.yy) and one to the Inside FW (70.184.aa.bb); I can connect to the Outside one but not the Inside; the configurations are identical. The odd thing is the packets destined to the Inside firewall never show up at the Outside of the Outside FW; they do, however, make it when I connect to the Outside VPN (see tcpdump below). It gets stranger: if I change the VPN configuration on the phone to IKEv2, the packets make it all the way to the Inside FW and get an EAP error (expected, I don't want to screw with CERTS). Anyone have a clue?
16:35:12.102234 IP 174.223.11.61.4118 > 70.184.aa.bb.500: isakmp: parent_sa ikev2_init[I]
16:35:12.173804 IP 70.184.aa.bb.500 > 174.223.11.61.4118: isakmp: parent_sa ikev2_init[R]
16:35:12.410179 IP 174.223.11.61.4125 > 70.184.aa.bb.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
16:35:12.412296 IP 70.184.aa.bb.4500 > 174.223.11.61.4125: NONESP-encap: isakmp: child_sa ikev2_auth[R]

16:51:20.516281 IP 174.223.11.61.4108 > 70.165.xx.yy.500: isakmp: phase 1 I agg
16:51:20.563129 IP 70.165.xx.yy.500 > 174.223.11.61.4108: isakmp: phase 1 R agg
16:51:20.698046 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 1 I agg
16:51:20.698107 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:51:20.698794 IP 70.165.xx.yy.4500 > 174.223.11.61.4109: NONESP-encap: isakmp: phase 2/others R #6[E]
16:51:20.777623 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
16:51:21.229840 IP 70.165.xx.yy.4500 > 174.223.11.61.4109: NONESP-encap: isakmp: phase 2/others R #6[E]
16:51:21.367777 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
16:51:21.375898 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
16:51:21.376951 IP 70.165.xx.yy.4500 > 174.223.11.61.4109: NONESP-encap: isakmp: phase 2/others R #6[E]
16:51:22.601057 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
16:51:22.602343 IP 70.165.xx.yy.4500 > 174.223.11.61.4109: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
16:51:22.679887 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

I followed this configuration guide:
Phase 1 settings
• Navigate to VPN > IPsec
• Locate the Mobile Phase 1 in the list
• Click the edit icon to edit the Mobile Phase 1
• Enter the following settings:
  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: User Distinguished Name, vpnusers@example.com
  • Pre-Shared Key: aaabbbccc (Use something much longer and more random!)
  • Policy Generation: Unique (N/A)
  • Proposal Checking: Strict (N/A)
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
• Click Save
Phase 2 settings
• Click the expand icon inside the Mobile Phase 1 to expand its Phase 2 list.
• Click the add icon to add a new Phase 2
• Enter the following settings:
  • Mode: Tunnel
  • Local Network: (the local network, e.g. LAN, or 0.0.0.0/0 to send everything over VPN)
  • Protocol: ESP
  • Encryption Algorithms: AES 128 only
  • Hash Algorithms: SHA1 only
  • PFS key group: off
  • Lifetime: 28800
• Add additional phase 2 entries for additional local networks if necessary
• Click Save
• Click Apply Changes
User Settings
• Navigate to System > User Manager
• Add a user, grant the user the User - VPN - IPsec xauth Dialin permission, or add them to a group with this permission.
• Note that for xauth, the password used is the password for the user, not the “IPsec Pre-Shared Key” field. That is used for non-xauth IPsec.
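As an added example (not part of the post or of the pfSense documentation quoted above), a small parser for tcpdump's isakmp summary lines that groups packets by VPN peer and IKE version, so a capture taken at the Outside FW shows at a glance which negotiation attempts reached it and which never arrived. The sample lines are taken from the capture in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Sample lines quoted from the tcpdump in the post (addresses partially masked by the poster).
SAMPLE = """\
16:35:12.102234 IP 174.223.11.61.4118 > 70.184.aa.bb.500: isakmp: parent_sa ikev2_init[I]
16:35:12.173804 IP 70.184.aa.bb.500 > 174.223.11.61.4118: isakmp: parent_sa ikev2_init[R]
16:35:12.410179 IP 174.223.11.61.4125 > 70.184.aa.bb.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
16:35:12.412296 IP 70.184.aa.bb.4500 > 174.223.11.61.4125: NONESP-encap: isakmp: child_sa ikev2_auth[R]
16:51:20.516281 IP 174.223.11.61.4108 > 70.165.xx.yy.500: isakmp: phase 1 I agg
16:51:20.563129 IP 70.165.xx.yy.500 > 174.223.11.61.4108: isakmp: phase 1 R agg
16:51:20.698046 IP 174.223.11.61.4109 > 70.165.xx.yy.4500: NONESP-encap: isakmp: phase 1 I agg
16:51:22.602343 IP 70.165.xx.yy.4500 > 174.223.11.61.4109: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
"""

# "<time> IP <host>.<port> > <host>.<port>: <rest>"; hosts may contain masked octets like "aa".
LINE_RE = re.compile(r'^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$')
# tcpdump marks the initiator/responder as a standalone "I"/"R" or as "[I]"/"[R]".
ROLE_RE = re.compile(r'\b([IR])\b')

def parse_line(line):
    """Return a dict for one isakmp line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, rest = m.groups()
    if 'isakmp' not in rest:
        return None
    version = 'IKEv2' if 'ikev2' in rest else 'IKEv1'
    r = ROLE_RE.search(rest)
    role = r.group(1) if r else '?'
    peer = dst if role == 'I' else src          # the VPN gateway is the responder side
    nat_t = 4500 in (int(sport), int(dport))    # UDP 4500 means NAT-T encapsulation was used
    return {'ts': ts, 'peer': peer, 'version': version, 'role': role,
            'nat_t': nat_t, 'exchange': rest}

def summarize(text):
    """Per (peer, version): initiator/responder packet counts and whether NAT-T was seen."""
    summary = defaultdict(lambda: {'I': 0, 'R': 0, 'nat_t': False})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        entry = summary[(pkt['peer'], pkt['version'])]
        entry[pkt['role']] = entry.get(pkt['role'], 0) + 1
        entry['nat_t'] = entry['nat_t'] or pkt['nat_t']
    return dict(summary)

def missing_attempts(summary, peers, version):
    """Peers for which no packet of `version` was captured: the attempt never reached this capture point."""
    return [p for p in peers if (p, version) not in summary]
```

Run against the post's capture, the IKEv1 attempt toward the Inside FW (70.184.aa.bb) is reported as missing while its IKEv2 attempt is fully present, which is exactly the asymmetry the post describes.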