IPSec established, no Traffic passing.



  • IPSec established, no Traffic passing.

    Hi everyone, I'm pretty new to pfSense and to IPSec in particular.

    I have an OS X 10.6 machine (integrated Cisco IPSec client) with an established IPSec connection to pfSense-2.0-BETA1-20100430-1645.

    Tunnel: AES256/SHA1/ESP/XAuth&PSK

    As mentioned, the connection itself establishes, but neither client nor pfSense can send/receive traffic or ping each other.

    Rules for LAN, WAN and IPSec are set; I even tried disabling filtering entirely, without success.

    Setup: WAN -> 192.168.1.32 /24
    LAN -> 192.168.2.1 /24
    IPSec: Client Pool -> 192.168.3.0 /24 \ 192.168.2.0 /24 -- tried both, without success.
    Local Subnet: LAN Subnet \ Network: 192.168.2.0 /24 -- tried both, without luck.
    Provide Domain & DNS & avail. Network list

    I searched the forum (2.0 section & Virtualization), bug tracker, etc. without success.

    There's one post (http://forum.pfsense.org/index.php/topic,12403.0.html) with the same issue and a hint from Scott Ullrich about changing a few sysctls (net.enc.OUT/IN.ipsec_BPF/FILTER_mask=0x0000001/2), but it had no effect on my install.

    What did I forget / do wrong?!?

    If someone needs more information, please ask..

    Thanks in advance..

    Sydney.



  • It seems that the client doesn't receive an IP from pfSense: the connection shows up under Status/Overview, SAD & SPD are set, but the remote IP field stays empty.
    The client, however, says it received an IP from the given pool..

    I've tried different clients (OS X Cisco IPSec, Shrew Soft VPN, IPSecuritas, etc.)..
    I did try some hints from related topics: changing sysctls, changing the MTU, …

    Is this a misconfiguration on my part or a bug in the beta?

    ??? ::) ???

    Thankful for any advice..

    Sydney



  • mobile IPsec doesn't work at the moment.



  • OK, thanks cmb..

    Is it a routing or filtering problem then?
    Nothing I can do about it?



  • Most likely it's an ipsec-tools issue. See this thread for more details: http://forum.pfsense.org/index.php/topic,23519.0.html



  • Has anyone tried the newer snapshot version? Does the newer version work fine? Thank you!



  • I tried the May 14th snapshot and was able to successfully establish a pure IPSec VPN connection between iPhone and pfSense and access the internal network. Thanks for fixing it, guys.



  • Hey azzido, with which settings?!?


  • Rebel Alliance Developer Netgate

    If you set up a site-to-site type tunnel, IPsec works. If you set up a mobile-style tunnel, it does not work. I confirmed this again last week, but I was on the May 12th snapshot. I should update and try it again today.

    I'm not sure what azzido did, but I'd also be interested in knowing what method was used.

    I know how to make it work by hand after the connection is established, but it is completely impractical and only useful for verifying tests. (See my post on the ipsec-tools-devel list here: http://sourceforge.net/mailarchive/message.php?msg_name=4BEDB60C.2080501%40pingle.org )


  • Rebel Alliance Developer Netgate

    I just tried a mobile tunnel again on today's snapshot and I still can't pass traffic when it connects.



  • After all, what was/is the problem with road warrior support?
    Wrong security policies (SPDs)?!?
    I would love to know how azzido got it working, with or without little snitches..


  • Rebel Alliance Developer Netgate

    When the mobile client connects, it makes SPDs but doesn't properly tie them to the tunnel somehow.

    Flushing the SPDs and adding them back by hand makes it work - though the output of setkey before and after appears identical.



  • I will post my setup once I get back home. It's basically the same setup that I posted in my previous thread that was not working before. Typing this while on the bus connected via VPN :)



  • No way, man. Congrats on the first benefits of your first-class tunnel…

    But you didn't have to flush & re-add the policies by hand? (I guess not, on a bus...)
    I tried with the same config you posted in another thread (iPhone & IPsec, I guess) on a 14 May / 22:45 i386 live CD snapshot, but without luck..

    Would be great if you could help..



  • No, didn't have to do anything fancy this time. It just works, and the SPDs are auto-generated. The only problem is that if the iPhone disconnects from 3G it does not automatically re-establish the VPN tunnel, so you have to connect manually. I think there is a way to force the iPhone to automatically establish the tunnel when you try to access certain sites.



  • I don't get it. How could this be possible.. you're sure that traffic is passing through the tunnel?
    jimp couldn't get it to work either, at least not without flushing SPDs..



  • Yep, works like a charm actually. I just need an Internet connection with a faster uplink now.



  • You've separated the IPsec net from the LAN net this time (IP range)?
    386 or amd64?
    nano or live?
    Tell us, make us wise, my friend..

    What about your network settings, did you add a new gateway?



  • This is IPsec setup on pfSense:

    VPN -> IPsec -> Mobile clients

    IKE Extensions
            Enable IPsec Mobile Client Support                      yes
        Extended Authentication (Xauth)
            User Authentication                                      system
            Group Authentication                                    system
        Client Configuration (mode-cfg)
            Virtual Address Pool
                Provide a virtual IP address to clients             yes
                Network                                              192.168.103.0 / 24              !!! use subnet that is not currently used
            Network List
                Provide a list of accessible networks to clients    no
            DNS Default Domain
                Provide a default domain name to clients            yes
                Domain                                              domain.lan                      !!! can be same as pfSense domain
            DNS Servers
                Provide a DNS server list to clients                yes
                DNS Servers                                          208.67.222.222                  !!! openDNS
            WINS Servers
                Provide a WINS server list to clients                no
            Phase2 PFS Group
                Provide the Phase2 PFS group to clients              no
            Login Banner
                Provide a login banner to clients                    no

    VPN -> IPsec -> Tunnels

    Enable IPsec                                                yes

    VPN -> IPsec -> Tunnels -> Phase 1

    General information
            Interface                                                WAN
            Description                                              iPhone
        Phase 1 proposal (Authentication)
            Authentication method                                    Mutual PSK + Xauth
            Negotiation mode                                        aggressive                      !!! as per iPhone documentation
            My identifier                                            My IP address
            Peer identifier                                          Distinguished name              !!! enter name of the group
            Pre-Shared Key                                          *                                !!! 63 random alpha-numeric characters (a-z, A-Z, 0-9) from https://www.grc.com/passwords.htm
            Encryption algorithm                                    AES / 256 bits                   !!! that's the first thing iPhone proposes so that's what we use
            Hash algorithm                                          SHA1                            !!! that's the first thing iPhone proposes so that's what we use
            DH key group                                            2                                !!! as per iPhone documentation
            Lifetime                                                28800                            !!! leave default
        Advanced Options
            NAT Traversal                                            Enable
            Dead Peer Detection
                Enable DPD                                          yes
                Delay between requesting peer acknowledgement.      10
                No of consecutive failures allowed before disconnect 5

    VPN -> IPsec -> Tunnels -> Phase 2

    Mode                                                        Tunnel
        Local Network
            Type                                                    none
            Address                                                  leave blank
        Phase 2 proposal (SA/Key Exchange)
            Protocol                                                ESP
            Encryption algorithms                                    AES / 256 bits
            Hash algorithms                                          SHA1
            PFS key group                                            off
            Lifetime                                                3600
        Advanced Options
            Automatically ping host                                  -

    and here is iPhone setup:

    Settings -> General -> Network -> VPN -> Add VPN Configuration -> IPSec

    Description                              descriptive name
    Server                                    domain name or IP address of pfSense WAN interface
    Account                                  user name (on pfSense box)
    Password                                  user password
    Use Certificate                          off
    Group Name                                Peer identifier from pfSense setup
    Secret                                    Pre-Shared Key from pfSense setup

    • The user that you specify on the iPhone needs to be created on pfSense under System -> User Manager

    • If you use an Alix board, disable glxsb under System -> Advanced -> Miscellaneous

    • The firewall needs to allow incoming UDP connections from WAN on ports 500 and 4500

    • The firewall needs to allow IPSec traffic; create an allow-all rule with logging while testing

    Try this and post your /var/etc/racoon.conf in case it does not work.

    Good luck



  • Awesome, thanks..
    I'll give it a try right now..


  • Rebel Alliance Developer Netgate

    Are you using that script mentioned in the other thread that flushes the keys? If so, it's just doing what I did by hand, automatically. And it's not a long-term solution for anyone using IPsec for other uses as well as mobile clients.



  • No, I am not doing anything this time. It's all configured thru web interface. SPDs are automatically created by Racoon and they work just fine.

    pfSense is running on Alix board, iPhone OS is v3.1.3

    Version  2.0-BETA1 built on Fri May 14 23:44:07 EDT 2010 FreeBSD 8.0-STABLE
    Platform  nanobsd



  • Tried the latest snapshot (386-live) and still no traffic.
    Same config as azzido.



  • Post your /var/etc/racoon.conf file and I will compare it with mine.

    Execute this:

    /usr/bin/killall racoon && /usr/local/sbin/setkey -FP && /usr/local/sbin/setkey -F && rm /var/log/ipsec.log && touch /var/log/ipsec.log && /usr/sbin/clog -i -s 511488 /var/log/ipsec.log && /etc/rc.d/syslogd restart && /usr/local/sbin/racoon -dd -f /var/etc/racoon.conf
    

    and try to establish the tunnel. Then post /var/log/ipsec.log; maybe we can find something in the log.



  • Also, are you trying to reach a host on the internal network or the Internet? I had to configure outbound NAT for 192.168.103.0/24 before I could reach the Internet from the iPhone.



  • I was trying to reach pfSense's internal LAN IP.

    racoon.conf:

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    path certificate  "/var/etc";

    listen
    {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 192.168.1.17 [500];
        isakmp_natt 192.168.1.17 [4500];
    }

    mode_cfg
    {
        auth_source system;
        group_source system;
        pool_size 253;
        network4 192.168.3.1;
        netmask4 255.255.255.0;
        dns4 192.168.2.1;
        default_domain "workgroup";
    }

    remote anonymous
    {
        ph1id 1;
        exchange_mode aggressive;
        my_identifier address 192.168.1.17;
        peers_identifier fqdn "iphone";
        ike_frag on;
        generate_policy = unique;
        initial_contact = off;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;

        proposal
        {
            authentication_method xauth_psk_server;
            encryption_algorithm aes 256;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 28800 secs;
        }
    }

    sainfo anonymous
    {
        remoteid 1;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;

        lifetime time 3600 secs;
        compression_algorithm deflate;
    }

    ipsec_log:
    May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
    May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: RFC 3947
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
    May 18 00:56:09 pfSense racoon: INFO: received Vendor ID: DPD
    May 18 00:56:09 pfSense racoon: INFO: Selected NAT-T version: RFC 3947
    May 18 00:56:09 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
    May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
    May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
    May 18 00:56:09 pfSense racoon: INFO: Adding xauth VID payload.
    May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.17[500] with algo #2
    May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #0 verified
    May 18 00:56:09 pfSense racoon: INFO: Hashing 192.168.1.7[500] with algo #2
    May 18 00:56:09 pfSense racoon: INFO: NAT-D payload #1 verified
    May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    May 18 00:56:09 pfSense racoon: INFO: NAT not detected
    May 18 00:56:09 pfSense racoon: INFO: Sending Xauth request
    May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
    May 18 00:56:13 pfSense racoon: INFO: Using port 0
    May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
    May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    May 18 00:56:13 pfSense racoon: WARNING: Ignored attribute 28683
    May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
    May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
    May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
    May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
    May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
    May 18 00:56:14 pfSense racoon: INFO: initiate new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
    May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=193249986(0xb84c2c2)
    May 18 00:56:14 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=108727917(0x67b0e6d)
    May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
    May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.
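A small triage script for the racoon log format shown above, added here as an example (it is not from this thread, pfSense or ipsec-tools). It parses the INFO/ERROR lines and flags the exact symptom of the log above: ESP SAs get established, but the SPD entries racoon generated for the mobile client are reported missing and then deleted, so the kernel has no policy to steer traffic into the SAs and the tunnel stays up without passing anything. The sample lines are copied from the log above; the "healthy" control log is constructed by dropping the policy-failure lines.

```python
"""Triage a racoon ipsec.log for the 'tunnel up, no traffic' mobile-client case."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the ipsec.log posted in this thread.
SAMPLE_LOG = """\
May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:09 pfSense racoon: INFO: begin Aggressive mode.
May 18 00:56:09 pfSense racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
May 18 00:56:09 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:c52ad072fefeec7a:e2d97b50d90eed6b
May 18 00:56:13 pfSense racoon: INFO: login succeeded for user "sydney"
May 18 00:56:13 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:13 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=184685857(0xb021521)
May 18 00:56:13 pfSense racoon: INFO: IPsec-SA established: ESP 192.168.1.17[500]->192.168.1.7[500] spi=103635710(0x62d5afe)
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "192.168.3.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
May 18 00:56:13 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.3.1/32[0] proto=any dir=out"
May 18 00:56:14 pfSense racoon: INFO: generated policy, deleting it.
May 18 00:56:14 pfSense racoon: INFO: purged IPsec-SA proto_id=ESP spi=103635710.
"""

# syslog prefix + "racoon: LEVEL: message" as racoon writes it to ipsec.log
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
SPI_RE = re.compile(r"spi=(\d+)")
# an SPD selector as racoon prints it: src[port] dst[port] proto=... dir=in|out
POLICY_RE = re.compile(r"([\d./]+\[\d+\] [\d./]+\[\d+\] proto=\w+ dir=(?:in|out))")


@dataclass
class Summary:
    phase1_established: bool = False
    xauth_user: str = ""
    phase2_spis: list = field(default_factory=list)      # ESP SAs racoon installed
    policies_generated: list = field(default_factory=list)
    policies_missing: list = field(default_factory=list)  # "such policy does not already exist"
    policy_deleted: int = 0                               # "generated policy, deleting it"
    purged_spis: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def _grab(regex, msg):
    m = regex.search(msg)
    return m.group(1) if m else None


def parse_log(text):
    """Walk the log once and collect the negotiation milestones per event type."""
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # DEBUG dumps or unrelated syslog lines
        level, msg = m.group("level"), m.group("msg")
        if level == "ERROR":
            s.errors.append(msg)
        if msg.startswith("ISAKMP-SA established"):
            s.phase1_established = True
        elif msg.startswith("login succeeded for user"):
            s.xauth_user = msg.split('"')[1]
        elif msg.startswith("IPsec-SA established"):
            spi = _grab(SPI_RE, msg)
            if spi:
                s.phase2_spis.append(int(spi))
        elif msg.startswith("no policy found, try to generate the policy"):
            s.policies_generated.append(_grab(POLICY_RE, msg))
        elif msg.startswith("such policy does not already exist"):
            s.policies_missing.append(_grab(POLICY_RE, msg))
        elif msg.startswith("generated policy, deleting it"):
            s.policy_deleted += 1
        elif msg.startswith("purged IPsec-SA"):
            spi = _grab(SPI_RE, msg)
            if spi:
                s.purged_spis.append(int(spi))
    return s


def diagnose(s):
    """Return (verdict, notes). SPD_LOST is this thread's symptom: SAs exist but the
    policies that would steer traffic into them were reported missing and deleted."""
    notes = [e for e in s.errors if "INITIAL-CONTACT" in e]
    if not s.phase1_established:
        return "PHASE1_FAILED", notes
    if not s.phase2_spis:
        return "PHASE2_FAILED", notes
    if s.policy_deleted or s.policies_missing:
        notes.append(f"{len(s.phase2_spis)} ESP SAs established, "
                     f"{len(s.policies_missing)} SPD entries missing, "
                     f"{s.policy_deleted} generated policy deleted, "
                     f"{len(s.purged_spis)} SA purged")
        return "SPD_LOST", notes
    return "OK", notes


def healthy_variant(text):
    """Constructed control: the same log without the policy-failure lines."""
    drop = ("such policy does not already exist", "generated policy, deleting it",
            "purged IPsec-SA")
    return "\n".join(l for l in text.splitlines() if not any(d in l for d in drop))


if __name__ == "__main__":
    verdict, notes = diagnose(parse_log(SAMPLE_LOG))
    print(verdict)
    for n in notes:
        print(" -", n)
```

Run it against a live /var/log/ipsec.log after reproducing the connection; a verdict of OK with no traffic points away from racoon's policy handling and toward filtering or routing.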



  • eazydor, start racoon in debug mode with the command I posted earlier and post log with more info. In your case racoon deletes policies right after they are created so there is something else going on there.



  • Yes, it seems like it.. the log says it's generating the policy & deleting it.. the web interface says bidirectional SPDs are created..
    Anyhow, I'm not a pro when it comes to IPsec..
    BTW: thanks for your help..
    Here's the debug log from before, which I forgot to post. The log ends where the other post's log began..

    May 18 00:53:44 pfSense racoon: DEBUG: ===
    May 18 00:53:44 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
    May 18 00:53:44 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8687228d 0000005c f7bbc7d9 1b8ac1c5 ef95e2e7 7088ffe8 24ff2767 e4c1d632 316840cf 5289f3bb b7054faa b9ba4dee e0094fb0 d0c76b9d c7b6cbdd d2873584 28a9f94f 7c2a53f0
    May 18 00:53:44 pfSense racoon: DEBUG: receive Information.
    May 18 00:53:44 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:53:44 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:53:44 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 8687228d
    May 18 00:53:44 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:44 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:53:44 pfSense racoon: DEBUG:  ebb44c15 995f764a fb86e417 e73722ac
    May 18 00:53:44 pfSense racoon: DEBUG: begin decryption.
    May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:44 pfSense racoon: DEBUG: IV was saved for next processing:
    May 18 00:53:44 pfSense racoon: DEBUG:  c7b6cbdd d2873584 28a9f94f 7c2a53f0
    May 18 00:53:44 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:44 pfSense racoon: DEBUG: with key:
    May 18 00:53:44 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:53:44 pfSense racoon: DEBUG: decrypted payload by IV:
    May 18 00:53:44 pfSense racoon: DEBUG:  ebb44c15 995f764a fb86e417 e73722ac
    May 18 00:53:44 pfSense racoon: DEBUG: decrypted payload, but not trimed.
    May 18 00:53:44 pfSense racoon: DEBUG:  0b000018 0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa 00000000 00000008
    May 18 00:53:44 pfSense racoon: DEBUG: padding len=9
    May 18 00:53:44 pfSense racoon: DEBUG: skip to trim padding.
    May 18 00:53:44 pfSense racoon: DEBUG: decrypted.
    May 18 00:53:44 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8687228d 0000005c 0b000018 0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa 00000000 00000008
    May 18 00:53:44 pfSense racoon: DEBUG: IV freed
    May 18 00:53:44 pfSense racoon: DEBUG: HASH with:
    May 18 00:53:44 pfSense racoon: DEBUG:  8687228d 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fa
    May 18 00:53:44 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:53:44 pfSense racoon: DEBUG: HASH computed:
    May 18 00:53:44 pfSense racoon: DEBUG:  0ef1fdb0 4594cff9 7153f598 140e3973 4c2fec77
    May 18 00:53:44 pfSense racoon: DEBUG: hash validated.
    May 18 00:53:44 pfSense racoon: DEBUG: begin.
    May 18 00:53:44 pfSense racoon: DEBUG: seen nptype=8(hash)
    May 18 00:53:44 pfSense racoon: DEBUG: seen nptype=11(notify)
    May 18 00:53:44 pfSense racoon: DEBUG: succeed.
    May 18 00:53:44 pfSense racoon: DEBUG: DPD R-U-There-Ack received
    May 18 00:53:44 pfSense racoon: DEBUG: received an R-U-THERE-ACK
    May 18 00:53:54 pfSense racoon: DEBUG: DPD monitoring….
    May 18 00:53:54 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:53:54 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:53:54 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 d4f0852d
    May 18 00:53:54 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:54 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:53:54 pfSense racoon: DEBUG:  8275876d d53aec3a 20f20372 a86b0ad9
    May 18 00:53:54 pfSense racoon: DEBUG: HASH with:
    May 18 00:53:54 pfSense racoon: DEBUG:  d4f0852d 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb
    May 18 00:53:54 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:53:54 pfSense racoon: DEBUG: HASH computed:
    May 18 00:53:54 pfSense racoon: DEBUG:  06ecf3cb d1ba85c9 e33ef9a6 6a33169c 101b95d3
    May 18 00:53:54 pfSense racoon: DEBUG: begin encryption.
    May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:54 pfSense racoon: DEBUG: pad length = 8
    May 18 00:53:54 pfSense racoon: DEBUG:  0b000018 06ecf3cb d1ba85c9 e33ef9a6 6a33169c 101b95d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 809cf693 aeb8fe07
    May 18 00:53:54 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:54 pfSense racoon: DEBUG: with key:
    May 18 00:53:54 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:53:54 pfSense racoon: DEBUG: encrypted payload by IV:
    May 18 00:53:54 pfSense racoon: DEBUG:  8275876d d53aec3a 20f20372 a86b0ad9
    May 18 00:53:54 pfSense racoon: DEBUG: save IV for next:
    May 18 00:53:54 pfSense racoon: DEBUG:  33907334 562172df 5ef9df74 52ea5936
    May 18 00:53:54 pfSense racoon: DEBUG: encrypted.
    May 18 00:53:54 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
    May 18 00:53:54 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
    May 18 00:53:54 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
    May 18 00:53:54 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
    May 18 00:53:54 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
    May 18 00:53:54 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 d4f0852d 0000005c b60b7b2a a0045fe7 68612a04 eb0b46ba 7b47d633 63be9cd8 9d88bcd1 5eed3243 693f0866 6595fc38 1f57a013 fb3da34f 33907334 562172df 5ef9df74 52ea5936
    May 18 00:53:54 pfSense racoon: DEBUG: sendto Information notify.
    May 18 00:53:54 pfSense racoon: DEBUG: IV freed
    May 18 00:53:54 pfSense racoon: DEBUG: DPD R-U-There sent (0)
    May 18 00:53:54 pfSense racoon: DEBUG: rescheduling send_r_u (5).
    May 18 00:53:55 pfSense racoon: DEBUG: ===
    May 18 00:53:55 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
    May 18 00:53:55 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8a92b90d 0000005c f0c46d19 5cb6c703 81c1b21f df953996 209e50b2 7f760ab9 544b924e b46339c4 16685840 4b164e74 5c968790 89847014 0c9a6b97 9af19916 5ebc4d94 2a00fe3d
    May 18 00:53:55 pfSense racoon: DEBUG: receive Information.
    May 18 00:53:55 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:53:55 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:53:55 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 8a92b90d
    May 18 00:53:55 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:55 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:53:55 pfSense racoon: DEBUG:  49138853 ee0d92e8 ca7f9bd7 c7f8a69d
    May 18 00:53:55 pfSense racoon: DEBUG: begin decryption.
    May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:55 pfSense racoon: DEBUG: IV was saved for next processing:
    May 18 00:53:55 pfSense racoon: DEBUG:  0c9a6b97 9af19916 5ebc4d94 2a00fe3d
    May 18 00:53:55 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:55 pfSense racoon: DEBUG: with key:
    May 18 00:53:55 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:53:55 pfSense racoon: DEBUG: decrypted payload by IV:
    May 18 00:53:55 pfSense racoon: DEBUG:  49138853 ee0d92e8 ca7f9bd7 c7f8a69d
    May 18 00:53:55 pfSense racoon: DEBUG: decrypted payload, but not trimed.
    May 18 00:53:55 pfSense racoon: DEBUG:  0b000018 ab5e2b9b 8d954f99 45ca9503 55050216 652192cb 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 00000000 00000008
    May 18 00:53:55 pfSense racoon: DEBUG: padding len=9
    May 18 00:53:55 pfSense racoon: DEBUG: skip to trim padding.
    May 18 00:53:55 pfSense racoon: DEBUG: decrypted.
    May 18 00:53:55 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 8a92b90d 0000005c 0b000018 ab5e2b9b 8d954f99 45ca9503 55050216 652192cb 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb 00000000 00000008
    May 18 00:53:55 pfSense racoon: DEBUG: IV freed
    May 18 00:53:55 pfSense racoon: DEBUG: HASH with:
    May 18 00:53:55 pfSense racoon: DEBUG:  8a92b90d 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fb
    May 18 00:53:55 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:53:55 pfSense racoon: DEBUG: HASH computed:
    May 18 00:53:55 pfSense racoon: DEBUG:  ab5e2b9b 8d954f99 45ca9503 55050216 652192cb
    May 18 00:53:55 pfSense racoon: DEBUG: hash validated.
    May 18 00:53:55 pfSense racoon: DEBUG: begin.
    May 18 00:53:55 pfSense racoon: DEBUG: seen nptype=8(hash)
    May 18 00:53:55 pfSense racoon: DEBUG: seen nptype=11(notify)
    May 18 00:53:55 pfSense racoon: DEBUG: succeed.
    May 18 00:53:55 pfSense racoon: DEBUG: DPD R-U-There-Ack received
    May 18 00:53:55 pfSense racoon: DEBUG: received an R-U-THERE-ACK
    May 18 00:53:58 pfSense racoon: DEBUG: ===
    May 18 00:53:58 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
    May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f8f5ad12 0000005c 0c4a69d5 3456047f f697c87b b5fe2433 c0ab868c a0eb3671 fd56381f d57759a3 11bcb4b3 dd19935a 6e2472c9 64050207 5899857c 6e2f1278 0b15e6dc 2e49fe18
    May 18 00:53:58 pfSense racoon: DEBUG: receive Information.
    May 18 00:53:58 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:53:58 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:53:58 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 f8f5ad12
    May 18 00:53:58 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:53:58 pfSense racoon: DEBUG:  3d2b1859 6e879b36 6f4c3d51 5e8423f0
    May 18 00:53:58 pfSense racoon: DEBUG: begin decryption.
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: IV was saved for next processing:
    May 18 00:53:58 pfSense racoon: DEBUG:  5899857c 6e2f1278 0b15e6dc 2e49fe18
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: with key:
    May 18 00:53:58 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:53:58 pfSense racoon: DEBUG: decrypted payload by IV:
    May 18 00:53:58 pfSense racoon: DEBUG:  3d2b1859 6e879b36 6f4c3d51 5e8423f0
    May 18 00:53:58 pfSense racoon: DEBUG: decrypted payload, but not trimed.
    May 18 00:53:58 pfSense racoon: DEBUG:  0b000018 773820b3 b096d012 25d26b6d d8f140e4 3de296d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 00000000 00000008
    May 18 00:53:58 pfSense racoon: DEBUG: padding len=9
    May 18 00:53:58 pfSense racoon: DEBUG: skip to trim padding.
    May 18 00:53:58 pfSense racoon: DEBUG: decrypted.
    May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f8f5ad12 0000005c 0b000018 773820b3 b096d012 25d26b6d d8f140e4 3de296d3 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 00000000 00000008
    May 18 00:53:58 pfSense racoon: DEBUG: IV freed
    May 18 00:53:58 pfSense racoon: DEBUG: HASH with:
    May 18 00:53:58 pfSense racoon: DEBUG:  f8f5ad12 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70
    May 18 00:53:58 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:53:58 pfSense racoon: DEBUG: HASH computed:
    May 18 00:53:58 pfSense racoon: DEBUG:  773820b3 b096d012 25d26b6d d8f140e4 3de296d3
    May 18 00:53:58 pfSense racoon: DEBUG: hash validated.
    May 18 00:53:58 pfSense racoon: DEBUG: begin.
    May 18 00:53:58 pfSense racoon: DEBUG: seen nptype=8(hash)
    May 18 00:53:58 pfSense racoon: DEBUG: seen nptype=11(notify)
    May 18 00:53:58 pfSense racoon: DEBUG: succeed.
    May 18 00:53:58 pfSense racoon: DEBUG: DPD R-U-There received
    May 18 00:53:58 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:53:58 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:53:58 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 806b0404
    May 18 00:53:58 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:53:58 pfSense racoon: DEBUG:  5a253a10 cb6ea9df 6c7b522c 50d0beca
    May 18 00:53:58 pfSense racoon: DEBUG: HASH with:
    May 18 00:53:58 pfSense racoon: DEBUG:  806b0404 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70
    May 18 00:53:58 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:53:58 pfSense racoon: DEBUG: HASH computed:
    May 18 00:53:58 pfSense racoon: DEBUG:  ec630f5f cd50249e 6bf469d8 eac01234 3d9c50b7
    May 18 00:53:58 pfSense racoon: DEBUG: begin encryption.
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: pad length = 8
    May 18 00:53:58 pfSense racoon: DEBUG:  0b000018 ec630f5f cd50249e 6bf469d8 eac01234 3d9c50b7 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 00000d70 98ff92b3 8ec19b07
    May 18 00:53:58 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:53:58 pfSense racoon: DEBUG: with key:
    May 18 00:53:58 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:53:58 pfSense racoon: DEBUG: encrypted payload by IV:
    May 18 00:53:58 pfSense racoon: DEBUG:  5a253a10 cb6ea9df 6c7b522c 50d0beca
    May 18 00:53:58 pfSense racoon: DEBUG: save IV for next:
    May 18 00:53:58 pfSense racoon: DEBUG:  e72dc322 c3f7acb9 e7dbd3bc 52f8557b
    May 18 00:53:58 pfSense racoon: DEBUG: encrypted.
    May 18 00:53:58 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
    May 18 00:53:58 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
    May 18 00:53:58 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
    May 18 00:53:58 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
    May 18 00:53:58 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
    May 18 00:53:58 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 806b0404 0000005c 6ba8cc84 74b1b7dc 40fd50f5 ad0b7147 4d9d5c82 d06ced8b dd38b5f7 8b3d04fe d52d5505 35f7f2bb 18ce3982 75c46c2e e72dc322 c3f7acb9 e7dbd3bc 52f8557b
    May 18 00:53:58 pfSense racoon: DEBUG: sendto Information notify.
    May 18 00:53:58 pfSense racoon: DEBUG: IV freed
    May 18 00:53:58 pfSense racoon: DEBUG: received a valid R-U-THERE, ACK sent
    May 18 00:54:05 pfSense racoon: DEBUG: DPD monitoring....
    May 18 00:54:05 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:54:05 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:54:05 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 9239ec5f
    May 18 00:54:05 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:05 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:54:05 pfSense racoon: DEBUG:  e98c7c0c 819eb286 42aecd96 56ec3226
    May 18 00:54:05 pfSense racoon: DEBUG: HASH with:
    May 18 00:54:05 pfSense racoon: DEBUG:  9239ec5f 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc
    May 18 00:54:05 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:54:05 pfSense racoon: DEBUG: HASH computed:
    May 18 00:54:05 pfSense racoon: DEBUG:  01b5957d ad75245c 47bfcb19 8c29fdb8 df455b04
    May 18 00:54:05 pfSense racoon: DEBUG: begin encryption.
    May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:05 pfSense racoon: DEBUG: pad length = 8
    May 18 00:54:05 pfSense racoon: DEBUG:  0b000018 01b5957d ad75245c 47bfcb19 8c29fdb8 df455b04 00000020 00000001 01108d28 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc f5b1a39c 859dc607
    May 18 00:54:05 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:05 pfSense racoon: DEBUG: with key:
    May 18 00:54:05 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:54:05 pfSense racoon: DEBUG: encrypted payload by IV:
    May 18 00:54:05 pfSense racoon: DEBUG:  e98c7c0c 819eb286 42aecd96 56ec3226
    May 18 00:54:05 pfSense racoon: DEBUG: save IV for next:
    May 18 00:54:05 pfSense racoon: DEBUG:  0e60760b ff98e10a 2b0cadba 5f0f82ad
    May 18 00:54:05 pfSense racoon: DEBUG: encrypted.
    May 18 00:54:05 pfSense racoon: DEBUG: 92 bytes from 192.168.1.17[500] to 192.168.1.7[500]
    May 18 00:54:05 pfSense racoon: DEBUG: sockname 192.168.1.17[500]
    May 18 00:54:05 pfSense racoon: DEBUG: send packet from 192.168.1.17[500]
    May 18 00:54:05 pfSense racoon: DEBUG: send packet to 192.168.1.7[500]
    May 18 00:54:05 pfSense racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.1.7[500]
    May 18 00:54:05 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 9239ec5f 0000005c 96fae9c6 33acdc4f aee486cb b2adc42c 9c1133f5 27db3bb6 a7899e8b 66c19dc0 38b2e53c b0f060b7 dd921690 68d2271b 0e60760b ff98e10a 2b0cadba 5f0f82ad
    May 18 00:54:05 pfSense racoon: DEBUG: sendto Information notify.
    May 18 00:54:05 pfSense racoon: DEBUG: IV freed
    May 18 00:54:05 pfSense racoon: DEBUG: DPD R-U-There sent (0)
    May 18 00:54:05 pfSense racoon: DEBUG: rescheduling send_r_u (5).
    May 18 00:54:06 pfSense racoon: DEBUG: ===
    May 18 00:54:06 pfSense racoon: DEBUG: 92 bytes message received from 192.168.1.7[500] to 192.168.1.17[500]
    May 18 00:54:06 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f778304f 0000005c 06ac5e88 bc38acf5 27eaab3c 7751ff04 08f7e2f4 c216c470 13ab5255 a0586764 ebfda43d 4a460ace 73df710b 084a9d19 2970b257 14190e96 94b0b513 7b6f5878
    May 18 00:54:06 pfSense racoon: DEBUG: receive Information.
    May 18 00:54:06 pfSense racoon: DEBUG: compute IV for phase2
    May 18 00:54:06 pfSense racoon: DEBUG: phase1 last IV:
    May 18 00:54:06 pfSense racoon: DEBUG:  191bba75 9d7f37f7 9b5799d6 1b161b98 f778304f
    May 18 00:54:06 pfSense racoon: DEBUG: hash(sha1)
    May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:06 pfSense racoon: DEBUG: phase2 IV computed:
    May 18 00:54:06 pfSense racoon: DEBUG:  35ba9547 45d4ac75 5a61f5e2 c865503d
    May 18 00:54:06 pfSense racoon: DEBUG: begin decryption.
    May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:06 pfSense racoon: DEBUG: IV was saved for next processing:
    May 18 00:54:06 pfSense racoon: DEBUG:  2970b257 14190e96 94b0b513 7b6f5878
    May 18 00:54:06 pfSense racoon: DEBUG: encryption(aes)
    May 18 00:54:06 pfSense racoon: DEBUG: with key:
    May 18 00:54:06 pfSense racoon: DEBUG:  a1e7f77c 6e221db6 b5b319bb b18c223a 6a4288c7 811293a7 e5201056 4e647fdb
    May 18 00:54:06 pfSense racoon: DEBUG: decrypted payload by IV:
    May 18 00:54:06 pfSense racoon: DEBUG:  35ba9547 45d4ac75 5a61f5e2 c865503d
    May 18 00:54:06 pfSense racoon: DEBUG: decrypted payload, but not trimed.
    May 18 00:54:06 pfSense racoon: DEBUG:  0b000018 6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc 00000000 00000008
    May 18 00:54:06 pfSense racoon: DEBUG: padding len=9
    May 18 00:54:06 pfSense racoon: DEBUG: skip to trim padding.
    May 18 00:54:06 pfSense racoon: DEBUG: decrypted.
    May 18 00:54:06 pfSense racoon: DEBUG:  d02d7505 994c3a77 17abc41b 30d5f9cb 08100501 f778304f 0000005c 0b000018 6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc 00000000 00000008
    May 18 00:54:06 pfSense racoon: DEBUG: IV freed
    May 18 00:54:06 pfSense racoon: DEBUG: HASH with:
    May 18 00:54:06 pfSense racoon: DEBUG:  f778304f 00000020 00000001 01108d29 d02d7505 994c3a77 17abc41b 30d5f9cb 000001fc
    May 18 00:54:06 pfSense racoon: DEBUG: hmac(hmac_sha1)
    May 18 00:54:06 pfSense racoon: DEBUG: HASH computed:
    May 18 00:54:06 pfSense racoon: DEBUG:  6cfb3ec8 d36490bc d0ac7d66 f1a207b3 6c6748fa
    May 18 00:54:06 pfSense racoon: DEBUG: hash validated.
    May 18 00:54:06 pfSense racoon: DEBUG: begin.
    May 18 00:54:06 pfSense racoon: DEBUG: seen nptype=8(hash)
    May 18 00:54:06 pfSense racoon: DEBUG: seen nptype=11(notify)
    May 18 00:54:06 pfSense racoon: DEBUG: succeed.
    May 18 00:54:06 pfSense racoon: DEBUG: DPD R-U-There-Ack received
    May 18 00:54:06 pfSense racoon: DEBUG: received an R-U-THERE-ACK
    May 18 00:54:16 pfSense racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    May 18 00:54:16 pfSense racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    May 18 00:54:16 pfSense racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    May 18 00:54:16 pfSense racoon: INFO: Resize address pool from 0 to 253
    May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[4500] used for NAT-T
    May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[4500] used as isakmp port (fd=14)
    May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[500] used for NAT-T
    May 18 00:54:16 pfSense racoon: INFO: 192.168.1.17[500] used as isakmp port (fd=15)
    May 18 00:54:16 pfSense racoon: INFO: unsupported PF_KEY message REGISTER
    May 18 00:54:18 pfSense racoon: ERROR: unknown Informational exchange received.
    May 18 00:54:38 pfSense last message repeated 4 times
    May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]

    Single very interesting lines of the log: view attachment

    Sorry for the ridiculously long posts...

    debug.txt



  • Don't really see anything in those logs that would stand out right away. Try to connect from the iPhone several times in a row after it fails; it happened a few times to me that I was able to log in only on the third or fourth attempt.

    I set up a 32-bit virtual machine with a full pfSense install (20100517-1144) and was able to successfully establish a tunnel to the VM from an iPhone via 3G and access hosts on the internal network, so I think this must be working now.



  • Install, set up LAN & WAN interfaces, configure FW rules, set up IPsec like yours, add a user and go..

    i386 live on a virtual machine, tunnel established, no traffic..

    Did I forget something?



  • I was also able to get mobile IPsec working, no tweaking necessary. I attached a Windows 7 machine via the Shrew Soft IPsec client and was able to access both the firewall and machines on the LAN.

    Used the 20100514-2225 ISO on an old Pentium III.



  • eazydor, are you trying to connect to pfSense from the same machine that is hosting the VM? If that is the case you might need a static route for road-warrior traffic to be sent back to the VM and not to your default gateway. What interfaces do you have on the VM and how are they attached to your net? When you say that the tunnel is established, how do you know that? From the log that you posted earlier it seems that the tunnel is deleted right after it is established.
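An added example, not code from the thread or from pfSense: a small checker for the pattern the reply above describes, a tunnel that comes up and is torn down again moments later, or a phase 1 that never reaches phase 2. It walks racoon INFO lines (the same syslog shape as the debug output posted earlier), keys them by peer address, and reports per peer. The sample log lines are constructed for the example and the exact message texts it matches (`ISAKMP-SA established`, `ISAKMP-SA deleted`, `IPsec-SA established`) are an assumption about racoon's INFO output, so adjust the prefixes if your build logs them differently; the `local` address and the 30-second teardown window are also parameters, not values from the thread.

```python
"""Scan racoon INFO lines for tunnels that are deleted right after being
established, or that never complete phase 2.

Added example, not part of the original thread or of pfSense. Sample lines
are constructed; message prefixes are an assumption about racoon's output.
"""
import re
import sys
from datetime import datetime

# Constructed sample in the shape of racoon INFO messages (not from debug.txt).
# Peer 192.168.1.7 gets a phase 1, one IPsec-SA, then the ISAKMP-SA is deleted
# two seconds later; peer 10.0.0.5 (behind NAT-T) comes up cleanly with a pair.
SAMPLE_LOG = """\
May 18 00:56:09 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:10 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[500]-192.168.1.7[500] spi:d02d7505994c3a77:17abc41b30d5f9cb
May 18 00:56:11 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[500]<=>192.168.1.7[500]
May 18 00:56:11 pfSense racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.7[500]->192.168.1.17[500] spi=12345678(0xbc614e)
May 18 00:56:12 pfSense racoon: ERROR: unknown Informational exchange received.
May 18 00:56:12 pfSense racoon: INFO: ISAKMP-SA deleted 192.168.1.17[500]-192.168.1.7[500] spi:d02d7505994c3a77:17abc41b30d5f9cb
May 18 00:57:00 pfSense racoon: INFO: respond new phase 1 negotiation: 192.168.1.17[500]<=>10.0.0.5[4500]
May 18 00:57:01 pfSense racoon: INFO: ISAKMP-SA established 192.168.1.17[4500]-10.0.0.5[4500] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
May 18 00:57:02 pfSense racoon: INFO: respond new phase 2 negotiation: 192.168.1.17[4500]<=>10.0.0.5[4500]
May 18 00:57:02 pfSense racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.5[4500]->192.168.1.17[4500] spi=87654321(0x5397fb1)
May 18 00:57:02 pfSense racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.17[4500]->10.0.0.5[4500] spi=11111111(0xa98ac7)
"""

# syslog timestamp, host, "racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Return (timestamp, level, message) or None for non-racoon lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for computing deltas inside one capture
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["level"], m["msg"]


def peer_of(msg, local):
    """First IPv4 address in the message that is not our own (port suffix ignored)."""
    for ip in IPV4_RE.findall(msg):
        if ip != local:
            return ip
    return None


def analyze(log_text, local, teardown_window=30):
    """Return {peer: [finding, ...]} for peers whose tunnel looks broken."""
    phase1_up = {}   # peer -> time the ISAKMP-SA was established
    ipsec_sa = {}    # peer -> 'IPsec-SA established' lines seen since that phase 1
    findings = {}

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level != "INFO":
            continue
        peer = peer_of(msg, local)
        if peer is None:
            continue
        if msg.startswith("ISAKMP-SA established"):
            phase1_up[peer] = ts
            ipsec_sa[peer] = 0
        elif msg.startswith("IPsec-SA established"):
            ipsec_sa[peer] = ipsec_sa.get(peer, 0) + 1
        elif msg.startswith(("ISAKMP-SA deleted", "ISAKMP-SA expired")):
            up = phase1_up.pop(peer, None)
            if up is not None:
                age = (ts - up).total_seconds()
                if age <= teardown_window:
                    findings.setdefault(peer, []).append(
                        f"ISAKMP-SA deleted {age:.0f}s after establishment "
                        f"with {ipsec_sa.get(peer, 0)} IPsec-SA line(s)")
            ipsec_sa.pop(peer, None)

    # peers still up at the end of the log: did phase 2 ever complete?
    # racoon logs one 'IPsec-SA established' per direction, so expect pairs
    for peer in phase1_up:
        n = ipsec_sa.get(peer, 0)
        if n == 0:
            findings.setdefault(peer, []).append(
                "phase 1 up but no IPsec-SA (phase 2 never completed)")
        elif n % 2:
            findings.setdefault(peer, []).append(
                f"odd number of IPsec-SA lines ({n}); expected one per direction")
    return findings


if __name__ == "__main__":
    # usage: python racoon_check.py <local-ip> [logfile]; with no file, the sample runs
    local_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.17"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for peer, notes in analyze(text, local_ip).items():
        for note in notes:
            print(f"{peer}: {note}")
```

Run it against the racoon log with the firewall's own IKE address as the first argument; a peer that shows up with "deleted Ns after establishment" is the case the reply above describes, and a peer that only ever has a phase 1 is the one to compare against the SPD entries on the Status page.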



  • Yes and no.
    I tried to connect from the VM host & the iPhone.
    The VM host's SPDs are getting deleted, but the ones from the iPhone stay and seem to be correct..
    So I tried to access pfSense's LAN IP from the iPhone connected to the same network as the VM host, which has 2 bridged interfaces on 1 physical interface. Since bridging is happening on layer 2, I don't see the interference..
    But still, the routing tip is correct; I didn't mention that on a Mac you have to prioritise connections in order to have automated routing (the interface with higher priority gets the lower weight in the routing table).
    After all, you are right about the VM host routing problem, because my Mac keeps trying to connect via LAN and not IPsec.
    But still, I don't get why my phone can't pass traffic..
    I believe the client is connected, because the client's and pfSense's logs say that the iPhone established the connection, received an IP and SPDs were created..
    Btw, thanks for your patience..



  • It seems to me that your setup is quite complex and it's very likely that you might have missed something somewhere. I would suggest you set up a bit simpler environment to eliminate some of the complexity.

    This is how I test with a VM: the VM is running on my desktop and has 2 interfaces. The first interface shares the host's LAN access (the VM has its own IP on the physical network, so you can say it's attached to my physical pfSense box's LAN). The second interface is host-only, so traffic is passed only between my desktop and the VM. I then forward ports 500 and 4500 from WAN on my physical pfSense box (gateway) to the virtual machine and try to connect to the VPN from the iPhone using 3G. Once the tunnel is up and running I can access the VM and my desktop PC from the iPhone. The only thing I need to do is set up a static route on my desktop to pass all traffic coming from the iPhone back to the VM via the host-only network.

    You can try to troubleshoot this by running tcpdump on various machines/interfaces and see where traffic is being blocked. You should see ESP traffic coming into the VM and TCP traffic leaving the VM, then TCP traffic coming to and leaving your Mac, and finally TCP traffic from the Mac coming into the VM and leaving as ESP traffic to your iPhone.



  • I thought so too.. adding complexity to IPsec is never a good idea..

    But thank you for your setup. I will give it a try..

    You see, if you could get traffic over your tunnel, it's obvious that it's fixed and works. So I can't lie down until it works and I understand what was going on..

    These forums are awesome.. even if I couldn't fix the problem, I learn so much here..



  • So you don't connect directly to pfSense's WAN interface, you go via NAT over the VM host?

    Or how do you speak from the iPhone to pfSense's WAN, when you have a host-only connection on that interface.. (host-only = virtual interface?)



  • When using my physical pfSense box I use the WAN interface, but when I am testing with a VM I forward the IPsec ports to the VM's WAN interface, which is connected to my physical network.



  • All right, to test with 2 independent networks..

    But that's mainly the problem when testing networking stuff, at least to me.. because a virtualized test environment is almost always coupled with unforeseen behavior (routing, loopbacks, bridged or virtual interfaces & devices, etc..)

    I think I'm gonna order an ALIX or Atom board for testing purposes...

    But you see, that's why I love my job, it's almost always the fault of humans, in this case, my fault..

    Anyhow, good to know that this part (SPDs) has been fixed..


  • Rebel Alliance Developer Netgate

    The SPD problem is still present, but maybe not in his specific case.



  • Does somebody know where I can monitor the changes regarding this problem?

