Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec Mobile Clients don't receive traffic seen on IPsec interface

    IPsec
    1
    1
    174
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      Overhacked
      last edited by Overhacked

      First time trying to get a working IKEv2 EAP-TLS configuration for macOS and iOS mobile clients. I had a tested working configuration, then came back the next morning and successfully connected but no traffic would pass. I am nearly certain that I didn't change anything right before I left. I see traffic in both directions on the IPsec enc0 interface, but the clients behave as if they do not receive any replies.

      All configuration attached. Any insights?

      Summary

      • Server: pfSense 2.4.5 on Netgate XG-7100
      • Clients: macOS 10.14.6 & iOS 13.3.1

      PKI

      • Internal Root CA
        • Intermediate L2 CA
          • VPN Server Certificate
          • Intermediate L3 CA
            • VPN Client Certificates

      Configuration Details

      pfSense Configuration Pages

      Mobile Clients

      Mobile Clients Configuration.png

      Phase 1

      Phase 1.png

      Phase 2 - IPv4

      Phase 2 IPv4.png

      Phase 2 - IPv6

      Phase 2 IPv6.png

      ipsec.conf

      # This file is automatically generated. Do not edit
config setup
	uniqueids = yes

conn con-mobile
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = yes
	
	rekey = yes
	margintime = 20s
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	
	auto = add
	left = <<WAN IPv4>>,<<WAN IPv6>>
	right = %any
	leftid = fqdn:<<WAN DNS name with A and AAAA records>>
	ikelifetime = 28800s
	lifetime = 3600s
	rightsourceip = 10.xxx.xxx.xxx/26,<<Globally routable IPv6 prefix>>/122
	rightdns = <<IPv4 address of firewall LAN interface>>
	ike = aes256-sha256-modp2048!
	esp = aes256-sha256-modp2048!
	eap_identity=%identity
	leftauth=pubkey
	rightauth=eap-tls
	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
	leftsendcert=always
	rightca="<<DN of internal intermediate CA that issues all client certificates>>"
	leftsubnet = 0.0.0.0/0,2000::/3

      strongswan.conf

      
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
	load_warning = no
	config_file = /var/etc/ipsec/ipsec.conf
}

charon {
# number of worker threads in charon
	threads = 16
	ikesa_table_size = 32
	ikesa_table_segments = 4
	init_limit_half_open = 1000
	install_routes = no
	load_modular = yes
	ignore_acquire_ts = yes
	
	
	cisco_unity = no
	
	

	syslog {
		identifier = charon
		# log everything under daemon since it ends up in the same place regardless with our syslog.conf
		daemon {
			ike_name = yes
			dmn = 1
			mgr = 1
			ike = 1
			chd = 1
			job = 1
			cfg = 1
			knl = 1
			net = 1
			asn = 1
			enc = 1
			imc = 1
			imv = 1
			pts = 1
			tls = 1
			esp = 1
			lib = 1

		}
		# disable logging under auth so logs aren't duplicated
		auth {
			default = -1
		}
	}

	plugins {
		# Load defaults
		include /var/etc/ipsec/strongswan.d/charon/*.conf

		stroke {
			secrets_file = /var/etc/ipsec/ipsec.secrets
		}

		unity {
			load = no
		}

		curve25519 {
			load = yes
		}
		attr {
		}
		xauth-generic {
			script = /etc/inc/ipsec.auth-user.php
			authcfg = Local Database
		}

	}
}

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.