Netgate Discussion Forum
    How to route all internet traffic from Iphone IPSEC connection

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    15 Posts 3 Posters 23.9k Views
    azzido:

      Uncheck 'Provide a list of accessible networks to clients' on the mobile clients page and try again.

      It will remove the

      split_network include 0.0.0.0/0;

      from the mode_cfg section. That is the only thing that I see is different between your config file and mine.

    GoldServe:

        Thanks, now I can see traffic TRY to pass through IPSEC but it does not succeed. Only traffic to my pfsense box (web interface) is okay.

        TCPDUMP when accessing config page:

        03:23:08.147383 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50036 > lanner_pfsense.home.http: Flags [.], ack 9395, win 32849, options [nop,nop,TS val 840484309 ecr 1910909083], length 0
        

        TCPDUMP when traffic is not passed:

        03:23:37.874327 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50042 > mail.xxxx.com.https: Flags [S], seq 968577356, win 65535, options [mss 1240,nop,wscale 2,nop,nop,TS val 840484605 ecr 0,sackOK,eol], length 0
        03:23:38.076497 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50041 > pz-in-f109.1e100.net.imaps: Flags [S], seq 1033338215, win 65535, options [mss 1240,sackOK,eol], length 0
        03:23:38.077448 (authentic,confidential): SPI 0x0e4441f7: IP 192.168.50.2.50040 > pz-in-f109.1e100.net.imaps: Flags [S], seq 1372681901, win 65535, options [mss 1240,sackOK,eol], length 0
        
    azzido:

          Make sure you have a firewall rule that allows IPsec traffic to all networks. I would suggest enabling logging on all IPsec rules so you can see when it's being passed. Then run tcpdump on WAN and check whether traffic from your iPhone leaves with the WAN IP as source or whether it has the IPsec IP instead. I had to manually add a NAT rule for IPsec traffic when I configured mine, because traffic was being sent out to WAN with the local IPsec IP as source IP.

    spiritbreaker:

            Hi all,

            Seems like they went back to iptools 7.3 in the new pfSense 2.0 snapshots. It's the first time I see the iPhone VPN working.

            Cisco Client on iPhone works, Cisco VPN Client on PC doesn't work :(

            If you try with the IPsec client from a PC you get the same error as the iPhone without the split network option. See below:

            @Goldserve and azzido

            Uncheck 'Provide a list of accessible networks to clients' on the mobile clients page and try again.

            Seems you need to provide networks, otherwise the connection on the iPhone can't establish.

            Without this option there are some phase 2 errors:

            Wan 10.128.70.0/24
            Lan 192.168.56.0/24
            VPN Pool 192.168.80.0/24
            IPSEC allow all * *

            
            2010-08-12 16:01:53: DEBUG: anonymous configuration selected for 10.128.70.32.
            2010-08-12 16:01:53: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='192.168.80.1', peer='<key-id>', id=1
            2010-08-12 16:01:53: DEBUG: getsainfo pass #1
            2010-08-12 16:01:53: DEBUG: evaluating sainfo: loc='192.168.56.0/24', rmt='ANONYMOUS', peer='ANY', id=1
            2010-08-12 16:01:53: DEBUG: getsainfo pass #2
            2010-08-12 16:01:53: DEBUG: evaluating sainfo: loc='192.168.56.0/24', rmt='ANONYMOUS', peer='ANY', id=1
            2010-08-12 16:01:53: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
            2010-08-12 16:01:53: DEBUG: cmpid target: '0.0.0.0/0'
            2010-08-12 16:01:53: DEBUG: cmpid source: '192.168.56.0/24'
            2010-08-12 16:01:53: ERROR: failed to get sainfo.
            2010-08-12 16:01:53: ERROR: failed to get sainfo.
            2010-08-12 16:01:53: ERROR: failed to pre-process packet.
            2010-08-12 16:01:53: DEBUG: IV freed
            

            cya

            Pfsense running at 11 Locations
            -mobile OPENVPN and IPSEC
            -multiwan failover
            -filtering proxy(squidguard) in bridgemode with ntop monitoring

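            A small checker, added here as an example and not code from pfSense or racoon, that models the Phase 2 ID comparison visible in the log above: it parses the split_network and sainfo declarations out of a racoon.conf fragment, reports which IDs a client can request that have no sainfo subnet, and pulls the failing cmpid pair out of racoon debug output. Assumptions: IDs are compared exactly (the log shows 0.0.0.0/0 and 192.168.56.0/24 rejected even though one contains the other), and a client without a split list requests 0.0.0.0/0 as the log's getsainfo line shows; the config and log samples are constructed.

```python
import re
import ipaddress

# Constructed racoon.conf fragment (hypothetical sample in the thread's layout).
SAMPLE_CONF = """\
mode_cfg
{
	network4 192.168.80.1;
	netmask4 255.255.255.0;
	split_network include 192.168.50.0/24;
}
sainfo subnet 192.168.50.0/24 any anonymous
{
	remoteid 1;
}
"""

# Constructed racoon debug lines in the format posted above (hypothetical sample).
SAMPLE_LOG = """\
2010-08-12 16:01:53: DEBUG: cmpid target: '0.0.0.0/0'
2010-08-12 16:01:53: DEBUG: cmpid source: '192.168.56.0/24'
2010-08-12 16:01:53: ERROR: failed to get sainfo.
"""

SAINFO_RE = re.compile(r"^\s*sainfo\s+subnet\s+(\S+)", re.M)
SPLIT_RE = re.compile(r"^\s*split_network\s+include\s+([^;\s]+)", re.M)
CMPID_RE = re.compile(r"cmpid (target|source): '([^']+)'")


def parse_conf(text):
    """Return (sainfo subnets, split_network subnets) declared in the config."""
    sainfos = [ipaddress.ip_network(n) for n in SAINFO_RE.findall(text)]
    splits = [ipaddress.ip_network(n) for n in SPLIT_RE.findall(text)]
    return sainfos, splits


def check_conf(text, full_tunnel=True):
    """Phase 2 IDs a client may request that no sainfo subnet matches exactly.
    Assumption: exact match, as the posted log demonstrates."""
    sainfos, splits = parse_conf(text)
    requested = list(splits)
    if full_tunnel:  # no split list: client asks for 0.0.0.0/0 (see log above)
        requested.append(ipaddress.ip_network("0.0.0.0/0"))
    return [str(n) for n in requested if n not in sainfos]


def explain_sainfo_failure(log_text):
    """Return (client ID, configured ID) behind a 'failed to get sainfo' error."""
    ids = dict(CMPID_RE.findall(log_text))
    if "failed to get sainfo" in log_text and "target" in ids and "source" in ids:
        return ids["target"], ids["source"]
    return None
```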
    azzido:

              Spirit, post your racoon.conf file. You must have configured something wrong if it cannot find sainfo.

    GoldServe:

                Thanks for the NAT clue. I had enabled manual outbound nat because I wanted static ports so I added a new rule to NAT my IPSEC connections and all is working.

                I now have the issue where the IPSEC tunnel will stop passing traffic after some time (last time I checked, I was connected for 1 hour). I will test again and see when things go south.

    azzido:

                  Yes, the tunnel expires after 3600 seconds and it does not refresh it automatically. I think this is a known issue.

    GoldServe:

                    Is there a bug number for me to track this? I'm just happy I got this much working :)

                    Thanks for ALL your help!

    spiritbreaker:

                      Hi azzido,

                      I got it to work too. Thanks for the hints.

                      I tried the same with the Cisco VPN client on Win XP and it works if you route all traffic into the tunnel.

                      If you set the Phase 2 local network to LAN and check the option "provide network to Clients", the connection doesn't work on XP (iPhone still works).

                      racoon.conf

                      
                      # This file is automatically generated. Do not edit
                      path pre_shared_key "/var/etc/psk.txt";
                      
                      path certificate  "/var/etc";
                      
                      listen
                      {
                      	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                      	isakmp 10.128.70.249 [500];
                      	isakmp_natt 10.128.70.249 [4500];
                      }
                      
                      mode_cfg
                      {
                      	auth_source system;
                      	group_source system;
                      	pool_size 253;
                      	network4 192.168.80.1;
                      	netmask4 255.255.255.0;
                      	split_network include 192.168.50.0/24;
                      	default_domain "test.local";
                      	banner "/var/etc/racoon.motd";
                      }
                      
                      remote anonymous
                      {
                      	ph1id 1;
                      	exchange_mode aggressive;
                      	my_identifier address 10.128.70.249;
                      	peers_identifier fqdn "private.local";
                      	ike_frag on;
                      	generate_policy = unique;
                      	initial_contact = off;
                      	nat_traversal = on;
                      
                      	dpd_delay = 10;
                      	dpd_maxfail = 5;
                      	support_proxy on;
                      	proposal_check claim;
                      
                      	proposal
                      	{
                      		authentication_method xauth_psk_server;
                      		encryption_algorithm aes 256;
                      		hash_algorithm sha1;
                      		dh_group 2;
                      		lifetime time 28800 secs;
                      	}
                      }
                      
                      sainfo subnet 192.168.50.0/24 any anonymous
                      {
                      	remoteid 1;
                      	encryption_algorithm aes 256;
                      	authentication_algorithm hmac_sha1;
                      
                      	lifetime time 3600 secs;
                      	compression_algorithm deflate;
                      }
                      

                      Can you help me please?

                      Thank you

                      cya

                      Pfsense running at 11 Locations
                      -mobile OPENVPN and IPSEC
                      -multiwan failover
                      -filtering proxy(squidguard) in bridgemode with ntop monitoring

    azzido:

                        Spirit, your config file looks fine, and if you say that the iPhone works fine with this configuration but the Cisco client does not, I would think that there is something wrong with the Cisco client and/or routing on the XP box.

                        Take a look at item number 4 in the 'Connect with the VPN Client' on this page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml You should see '192.168.50.0/24' displayed on your Cisco client.

                        You can also try Shrew Soft VPN client (http://www.shrew.net) instead of Cisco client to see if that works.

    GoldServe:

                          Thanks, shrew client works very well! I set up my ipsec vpn all from china and now i'm using the shrew client on my win 7 laptop and bypassing all this great firewall of china crap. No twitter to follow sullrich, blah.

                          Cheers!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.