VPN IPSec iOS 13 VPN on Demand from App



  • Hi,
    i switched to a new SG-3100 and all Site 2 Site Connections are working fine.

    The last thing doesn´t work is the VPN on Demand IPSec Tunnel from my iPhone ( iOS13) pocketControl App.

    On the iPhone i can´t see what settings are necessary to connect to the pfsense.

    The only thing i can enter in the App are:

    Server
    Account
    Passwort
    Groupname
    and Shared Secret

    the App creates its own VPN Connection under Settings -> VPN -> Personal VPN.

    Mar 1 22:53:11	charon		11[CFG] vici client 178 disconnected
    Mar 1 22:53:11	charon		10[CFG] vici client 178 requests: list-sas
    Mar 1 22:53:11	charon		10[CFG] vici client 178 registered for: list-sa
    Mar 1 22:53:11	charon		16[CFG] vici client 178 connected
    Mar 1 22:53:06	charon		07[IKE] <52> IKE_SA (unnamed)[52] state change: CONNECTING => DESTROYING
    Mar 1 22:53:06	charon		07[NET] <52> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
    Mar 1 22:53:06	charon		07[ENC] <52> generating INFORMATIONAL_V1 request 3435498570 [ N(NO_PROP) ]
    Mar 1 22:53:06	charon		07[IKE] <52> activating INFORMATIONAL task
    Mar 1 22:53:06	charon		07[IKE] <52> activating new tasks
    Mar 1 22:53:06	charon		07[IKE] <52> queueing INFORMATIONAL task
    Mar 1 22:53:06	charon		07[IKE] <52> no proposal found
    Mar 1 22:53:06	charon		07[CFG] <52> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:53:06	charon		07[CFG] <52> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable INTEGRITY_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[CFG] <52> no acceptable INTEGRITY_ALGORITHM found
    Mar 1 22:53:06	charon		07[CFG] <52> selecting proposal:
    Mar 1 22:53:06	charon		07[IKE] <52> IKE_SA (unnamed)[52] state change: CREATED => CONNECTING
    Mar 1 22:53:06	charon		07[IKE] <52> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
    Mar 1 22:53:06	charon		07[IKE] <52> received DPD vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received Cisco Unity vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received XAuth vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received NAT-T (RFC 3947) vendor ID
    Mar 1 22:53:06	charon		07[IKE] <52> received FRAGMENTATION vendor ID
    Mar 1 22:53:06	charon		07[CFG] <52> found matching ike config: 178.251.xx.xx...%any with prio 1052
    Mar 1 22:53:06	charon		07[CFG] <52> candidate: 178.251.xx.xx...%any, prio 1052
    Mar 1 22:53:06	charon		07[CFG] <52> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
    Mar 1 22:53:06	charon		07[ENC] <52> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 1 22:53:06	charon		07[NET] <52> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
    Mar 1 22:53:06	charon		07[IKE] <51> IKE_SA (unnamed)[51] state change: CONNECTING => DESTROYING
    Mar 1 22:53:06	charon		07[NET] <51> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
    Mar 1 22:53:06	charon		07[ENC] <51> generating INFORMATIONAL_V1 request 2473055166 [ N(AUTH_FAILED) ]
    Mar 1 22:53:06	charon		07[IKE] <51> activating INFORMATIONAL task
    Mar 1 22:53:06	charon		07[IKE] <51> activating new tasks
    Mar 1 22:53:06	charon		07[IKE] <51> queueing INFORMATIONAL task
    Mar 1 22:53:06	charon		07[IKE] <51> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
    Mar 1 22:53:06	charon		07[CFG] <51> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
    Mar 1 22:53:06	charon		07[CFG] <51> looking for XAuthInitPSK peer configs matching 178.251.xx.xx...92.248.xx.xxx[maximilian]
    Mar 1 22:53:06	charon		07[CFG] <51> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:53:06	charon		07[CFG] <51> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:53:06	charon		07[CFG] <51> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Mar 1 22:53:06	charon		07[CFG] <51> proposal matches
    Mar 1 22:53:06	charon		07[CFG] <51> selecting proposal:
    Mar 1 22:53:06	charon		07[IKE] <51> IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
    Mar 1 22:53:06	charon		07[IKE] <51> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
    Mar 1 22:53:06	charon		07[IKE] <51> received DPD vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received Cisco Unity vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received XAuth vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received NAT-T (RFC 3947) vendor ID
    Mar 1 22:53:06	charon		07[IKE] <51> received FRAGMENTATION vendor ID
    Mar 1 22:53:06	charon		07[CFG] <51> found matching ike config: 178.251.xx.xx...%any with prio 1052
    Mar 1 22:53:06	charon		07[CFG] <51> candidate: 178.251.xx.xx...%any, prio 1052
    Mar 1 22:53:06	charon		07[CFG] <51> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
    Mar 1 22:53:06	charon		07[ENC] <51> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 1 22:53:06	charon		07[NET] <51> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
    Mar 1 22:53:05	charon		09[CFG] vici client 177 disconnected
    Mar 1 22:53:05	charon		13[CFG] vici client 177 requests: list-sas
    Mar 1 22:53:05	charon		13[CFG] vici client 177 registered for: list-sa
    Mar 1 22:53:05	charon		09[CFG] vici client 177 connected
    Mar 1 22:52:59	charon		08[CFG] vici client 176 disconnected
    Mar 1 22:52:59	charon		05[CFG] vici client 176 requests: list-sas
    Mar 1 22:52:59	charon		08[CFG] vici client 176 registered for: list-sa
    Mar 1 22:52:59	charon		05[CFG] vici client 176 connected
    Mar 1 22:52:56	charon		05[IKE] <50> IKE_SA (unnamed)[50] state change: CONNECTING => DESTROYING
    Mar 1 22:52:56	charon		05[NET] <50> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
    Mar 1 22:52:56	charon		05[ENC] <50> generating INFORMATIONAL_V1 request 1405839326 [ N(NO_PROP) ]
    Mar 1 22:52:56	charon		05[IKE] <50> activating INFORMATIONAL task
    Mar 1 22:52:56	charon		05[IKE] <50> activating new tasks
    Mar 1 22:52:56	charon		05[IKE] <50> queueing INFORMATIONAL task
    Mar 1 22:52:56	charon		05[IKE] <50> no proposal found
    Mar 1 22:52:56	charon		05[CFG] <50> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:52:56	charon		05[CFG] <50> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable ENCRYPTION_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable INTEGRITY_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[CFG] <50> no acceptable INTEGRITY_ALGORITHM found
    Mar 1 22:52:56	charon		05[CFG] <50> selecting proposal:
    Mar 1 22:52:56	charon		05[IKE] <50> IKE_SA (unnamed)[50] state change: CREATED => CONNECTING
    Mar 1 22:52:56	charon		05[IKE] <50> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
    Mar 1 22:52:56	charon		05[IKE] <50> received DPD vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received Cisco Unity vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received XAuth vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received NAT-T (RFC 3947) vendor ID
    Mar 1 22:52:56	charon		05[IKE] <50> received FRAGMENTATION vendor ID
    Mar 1 22:52:56	charon		05[CFG] <50> found matching ike config: 178.251.xx.xx...%any with prio 1052
    Mar 1 22:52:56	charon		05[CFG] <50> candidate: 178.251.xx.xx...%any, prio 1052
    Mar 1 22:52:56	charon		05[CFG] <50> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
    Mar 1 22:52:56	charon		05[ENC] <50> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 1 22:52:56	charon		05[NET] <50> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
    Mar 1 22:52:56	charon		05[IKE] <49> IKE_SA (unnamed)[49] state change: CONNECTING => DESTROYING
    Mar 1 22:52:56	charon		05[NET] <49> sending packet: from 178.251.xx.xx[500] to 92.248.xx.xxx[500] (56 bytes)
    Mar 1 22:52:56	charon		05[ENC] <49> generating INFORMATIONAL_V1 request 683185568 [ N(AUTH_FAILED) ]
    Mar 1 22:52:56	charon		05[IKE] <49> activating INFORMATIONAL task
    Mar 1 22:52:56	charon		05[IKE] <49> activating new tasks
    Mar 1 22:52:56	charon		05[IKE] <49> queueing INFORMATIONAL task
    Mar 1 22:52:56	charon		05[IKE] <49> found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
    Mar 1 22:52:56	charon		05[CFG] <49> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
    Mar 1 22:52:56	charon		05[CFG] <49> looking for XAuthInitPSK peer configs matching 178.251.xx.xx...92.248.xx.xxx[maximilian]
    Mar 1 22:52:56	charon		05[CFG] <49> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:52:56	charon		05[CFG] <49> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Mar 1 22:52:56	charon		05[CFG] <49> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Mar 1 22:52:56	charon		05[CFG] <49> proposal matches
    Mar 1 22:52:56	charon		05[CFG] <49> selecting proposal:
    Mar 1 22:52:56	charon		05[IKE] <49> IKE_SA (unnamed)[49] state change: CREATED => CONNECTING
    Mar 1 22:52:56	charon		05[IKE] <49> 92.248.xx.xxx is initiating a Aggressive Mode IKE_SA
    Mar 1 22:52:56	charon		05[IKE] <49> received DPD vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received Cisco Unity vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received XAuth vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received NAT-T (RFC 3947) vendor ID
    Mar 1 22:52:56	charon		05[IKE] <49> received FRAGMENTATION vendor ID
    Mar 1 22:52:56	charon		05[CFG] <49> found matching ike config: 178.251.xx.xx...%any with prio 1052
    Mar 1 22:52:56	charon		05[CFG] <49> candidate: 178.251.xx.xx...%any, prio 1052
    Mar 1 22:52:56	charon		05[CFG] <49> looking for an IKEv1 config for 178.251.xx.xx...92.248.xx.xxx
    Mar 1 22:52:56	charon		05[ENC] <49> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 1 22:52:56	charon		05[NET] <49> received packet: from 92.248.xx.xxx[500] to 178.251.xx.xx[500] (766 bytes)
    

    Can you help me and tell me what i have to reconfig?

    IMG_0750 - Kopie.PNG IMG_0751 - Kopie.PNG

    pfsense 3 - Kopie.JPG pfsense 2 - Kopie.JPG pfsense 1 - Kopie.JPG




Log in to reply