Netgate Discussion Forum

    Trying to get a VPN profile working for iPad/iPhone

      5828527957295927

      Good morning IT colleagues,

      I am trying to set up a VPN profile for iPad and iPhone. I also have a site-to-site VPN, so a phase 1 and phase 2 are already set. The idea was to set up another phase 2 that I could use to connect my mobile Apple devices through IPsec. The errors that I get on the pfSense side are always about proposal mismatches. I cannot set these on my iPad natively and did not check if there are third-party apps for that, since I prefer to use the native VPN client of iPadOS.

      Could you think along with me? I think that I am just missing some experience with this; the solution cannot be that hard, I hope.

      Best regards and many thanks in advance!


      Mar 22 20:55:34 charon 75910 13[NET] <142> received packet: from SOURCE_IP[500] to DESTINATION_IP[500] (370 bytes)
      Mar 22 20:55:34 charon 75910 13[ENC] <142> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
      Mar 22 20:55:34 charon 75910 13[CFG] <142> looking for an IKEv2 config for DESTINATION_IP...SOURCE_IP
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...SOURCE_IP, prio 3100
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...0.0.0.0/0, ::/0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...0.0.0.0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <142> found matching ike config: DESTINATION_IP...SOURCE_IP with prio 3100
      Mar 22 20:55:34 charon 75910 13[IKE] <142> local endpoint changed from 0.0.0.0[500] to DESTINATION_IP[500]
      Mar 22 20:55:34 charon 75910 13[IKE] <142> remote endpoint changed from 0.0.0.0 to SOURCE_IP[500]
      Mar 22 20:55:34 charon 75910 13[IKE] <142> SOURCE_IP is initiating an IKE_SA
      Mar 22 20:55:34 charon 75910 13[IKE] <142> IKE_SA (unnamed)[142] state change: CREATED => CONNECTING
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable INTEGRITY_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable INTEGRITY_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <142> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
      Mar 22 20:55:34 charon 75910 13[CFG] <142> looking for IKEv2 configs for DESTINATION_IP...SOURCE_IP
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...SOURCE_IP, prio 3100
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...0.0.0.0/0, ::/0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <142> candidate: DESTINATION_IP...0.0.0.0, prio 1052
      Mar 22 20:55:34 charon 75910 13[IKE] <142> no matching proposal found, trying alternative config
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <142> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
      Mar 22 20:55:34 charon 75910 13[IKE] <142> no matching proposal found, trying alternative config
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <142> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <142> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <142> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
      Mar 22 20:55:34 charon 75910 13[CFG] <142> received supported signature hash algorithms: sha512 sha384 sha256
      Mar 22 20:55:34 charon 75910 13[IKE] <142> remote host is behind NAT
      Mar 22 20:55:34 charon 75910 13[IKE] <142> received proposals unacceptable
      Mar 22 20:55:34 charon 75910 13[ENC] <142> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Mar 22 20:55:34 charon 75910 13[NET] <142> sending packet: from DESTINATION_IP[500] to SOURCE_IP[500] (36 bytes)
      Mar 22 20:55:34 charon 75910 13[IKE] <142> IKE_SA (unnamed)[142] state change: CONNECTING => DESTROYING
      Mar 22 20:55:34 charon 75910 13[NET] <143> received packet: from SOURCE_IP[500] to DESTINATION_IP[500] (370 bytes)
      Mar 22 20:55:34 charon 75910 13[ENC] <143> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
      Mar 22 20:55:34 charon 75910 13[CFG] <143> looking for an IKEv2 config for DESTINATION_IP...SOURCE_IP
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...SOURCE_IP, prio 3100
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...0.0.0.0/0, ::/0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...0.0.0.0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <143> found matching ike config: DESTINATION_IP...SOURCE_IP with prio 3100
      Mar 22 20:55:34 charon 75910 13[IKE] <143> local endpoint changed from 0.0.0.0[500] to DESTINATION_IP[500]
      Mar 22 20:55:34 charon 75910 13[IKE] <143> remote endpoint changed from 0.0.0.0 to SOURCE_IP[500]
      Mar 22 20:55:34 charon 75910 13[IKE] <143> SOURCE_IP is initiating an IKE_SA
      Mar 22 20:55:34 charon 75910 13[IKE] <143> IKE_SA (unnamed)[143] state change: CREATED => CONNECTING
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable INTEGRITY_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable INTEGRITY_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <143> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
      Mar 22 20:55:34 charon 75910 13[CFG] <143> looking for IKEv2 configs for DESTINATION_IP...SOURCE_IP
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...SOURCE_IP, prio 3100
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...0.0.0.0/0, ::/0, prio 1052
      Mar 22 20:55:34 charon 75910 13[CFG] <143> candidate: DESTINATION_IP...0.0.0.0, prio 1052
      Mar 22 20:55:34 charon 75910 13[IKE] <143> no matching proposal found, trying alternative config
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <143> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
      Mar 22 20:55:34 charon 75910 13[IKE] <143> no matching proposal found, trying alternative config
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable KEY_EXCHANGE_METHOD found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> selecting proposal:
      Mar 22 20:55:34 charon 75910 13[CFG] <143> no acceptable ENCRYPTION_ALGORITHM found
      Mar 22 20:55:34 charon 75910 13[CFG] <143> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Mar 22 20:55:34 charon 75910 13[CFG] <143> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
      Mar 22 20:55:34 charon 75910 13[CFG] <143> received supported signature hash algorithms: sha512 sha384 sha256
      Mar 22 20:55:34 charon 75910 13[IKE] <143> remote host is behind NAT
      Mar 22 20:55:34 charon 75910 13[IKE] <143> received proposals unacceptable
      Mar 22 20:55:34 charon 75910 13[ENC] <143> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Mar 22 20:55:34 charon 75910 13[NET] <143> sending packet: from DESTINATION_IP[500] to SOURCE_IP[500] (36 bytes)
      Mar 22 20:55:34 charon 75910 13[IKE] <143> IKE_SA (unnamed)[143] state change: CONNECTING => DESTROYING
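
      The log above only names one transform type per selection attempt. The following is an added example, not part of the original post, that pairs each `configured proposals` line with the preceding `received proposals` line and lists every transform type that differs from the closest client proposal. The sample lines are copied from the log above; classifying transforms by name prefix is a simplifying assumption of this example.

```python
import re

# Sample input: four lines copied from the charon log in the post (IKE_SA <142>).
SAMPLE_LOG = """\
Mar 22 20:55:34 charon 75910 13[CFG] <142> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 22 20:55:34 charon 75910 13[CFG] <142> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
Mar 22 20:55:34 charon 75910 13[CFG] <142> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 22 20:55:34 charon 75910 13[CFG] <142> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
"""

LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")


def transform_type(name):
    """Classify a transform by its name prefix (assumption of this example)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("ECP_", "MODP_", "CURVE_")):
        return "KE"
    if name.startswith("HMAC_"):
        return "INTEG"
    return "ENCR"  # AEAD ciphers such as AES_GCM carry no separate INTEG transform


def parse_proposal(text):
    """'IKE:AES_CBC_256/HMAC_.../PRF_.../ECP_256' -> {'ENCR': 'AES_CBC_256', ...}"""
    body = text.partition(":")[2]
    return {transform_type(t): t for t in body.split("/")}


def proposal_mismatches(log):
    """For each configured proposal, return (proposal, transform types that
    differ from the closest proposal the client sent just before it)."""
    received, results = None, []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group(2).split(", ")
        if m.group(1) == "received":
            received = [parse_proposal(p) for p in raw]
        elif received:
            for cfg_text in raw:
                cfg = parse_proposal(cfg_text)
                diffs = [sorted(k for k in set(cfg) | set(r) if cfg.get(k) != r.get(k))
                         for r in received]
                results.append((cfg_text, min(diffs, key=len)))
    return results


if __name__ == "__main__":
    for proposal, diff in proposal_mismatches(SAMPLE_LOG):
        print(f"{proposal}: differs from closest client proposal in {', '.join(diff)}")
```
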

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.