    IPSec VPN and iPhone

2.0-RC Snapshot Feedback and Problems - RETIRED
    27 Posts 8 Posters 16.2k Views
fredriksimon

Trying to get our iPhones to connect to our network with IPSec VPN. Trying to use VPN On Demand on the iPhones, so I must use RSA. Has somebody got this working? I get this error in the log: "ERROR: phase1 negotiation failed due to time up. 0d97de25134ec7e7:dee851651ad2a107"

      /Fredrik

azzido

Yes, I have shared RSA + XAuth working with iPhone, and I am also using on-demand VPN on the iPhone side. I would suggest you get a shared PSK running first before attempting to set up RSA.

fredriksimon

We have already had a shared PSK running, but want to use VPN On Demand and for that I need to get RSA working. Can you tell me your settings to get it to work?

azzido

First you need to add the CA's public key on the Certificate page in pfSense, then you need to add certificates (public/private) for the domain you will be using to connect to the VPN server. On the phase 1 configuration page change authentication to Mutual RSA + XAuth, change negotiation mode to main, select ASN.1 as my and peer identifiers and select your host and CA certificates.

In the iPhone enterprise tool create a profile for your iPhone. Add the CA certificate and the user certificate with the private key, and then configure the VPN settings. Deploy it to the iPhone and you should be set.

fredriksimon

I have got it working, but have one small problem. The iPhone asks for the user's password when connecting to the VPN, and there's no way to save it. Do you have the same?

              /Fredrik

azzido

Yes, that's the default behavior and it's controlled from the server side. You can add the save_passwd directive to your racoon.conf file, which will allow clients to save their password. Unfortunately pfSense does not let you control that in the UI, so once you restart your pfSense box that setting will be lost and you will have to add it again.

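Pulling the two posts above together, here is an added, hand-written racoon.conf fragment (not pfSense's generated /var/etc/racoon.conf and not azzido's patch) showing where the Mutual RSA + XAuth settings and the save_passwd directive go: the certificate, identifier and exchange-mode settings live in the remote section, save_passwd in the mode_cfg section. The certificate path and file names, the 10.15.16.0/24 client pool and the DNS server address are assumptions for illustration.

```conf
# Added example: racoon.conf for Mutual RSA + XAuth, main mode, ASN.1 DN identifiers,
# with save_passwd enabled. Paths, file names, pool and DNS address are assumptions.

path certificate "/var/etc/ipsec.d/certs";

remote anonymous {
        exchange_mode main;            # main mode, as in the post above
        my_identifier asn1dn;          # our identity is the subject DN of the host certificate
        peers_identifier asn1dn;       # the client identifies itself with its certificate DN
        verify_identifier on;          # the ID payload must match the certificate presented
        certificate_type x509 "server.crt" "server.key";   # host certificate and private key
        ca_type x509 "ca.crt";         # CA that issued the host and user certificates
        verify_cert on;                # reject clients whose certificate does not chain to the CA
        generate_policy on;            # build SPD entries for whatever address the client gets
        proposal_check claim;
        nat_traversal on;              # phones are almost always behind NAT
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_rsa_server;   # RSA certificates plus XAuth user/password
                dh_group 2;
        }
}

mode_cfg {
        auth_source system;            # XAuth users are checked against the local user database
        save_passwd on;                # default is off: the client is then told not to store the password
        network4 10.15.16.1;           # first address of the client pool (assumed)
        netmask4 255.255.255.0;
        pool_size 253;
        dns4 10.15.0.1;                # DNS server pushed to clients (assumed)
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes 256, aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

The default for save_passwd is off, which is why the phone prompts on every connection. Turning it on only tells the client it is permitted to store the XAuth password; the client still decides whether it actually does, and since pfSense 2.0 rewrites racoon.conf from its own configuration, a hand edit like this does not survive a restart, as noted above.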
jimp (Rebel Alliance Developer, Netgate)

Can you open a feature request ticket on redmine with more details about that option (like exactly where it goes in the config)?

                  It may not make it into 2.0, but if it's easy/simple it would be nice to have. If not in 2.0 we can get it into 2.1 for sure.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

azzido

                    Created it here: http://redmine.pfsense.org/issues/933

jimp (Rebel Alliance Developer, Netgate)

                      Saw that, looks perfect.

Doesn't look hard to accommodate; might be easy to add when someone with a few spare cycles can take a look.

azzido

I created a patch for this and while testing it found out that there is a catch with the save_passwd option and the iPhone (or should I say racoon, because that's what the iPhone uses as a client). It will only work if the VPN configuration is created on the iPhone manually; if it is deployed to the iPhone using the 'iPhone Configuration Utility' profile, the user will always have to enter the password no matter whether the server allows saving passwords or not :(

jimp (Rebel Alliance Developer, Netgate)

                          Thanks for the patch. If nobody else commits it before tomorrow I'll work it in.

                          I might add that bit about the setting not being honored when deployed as an FAQ once the option is in.

jimp (Rebel Alliance Developer, Netgate)

                            Committed, thanks!
                            https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/4178a1ddf67da87a1a86c5df9c3367aea6d3ae07

                            Note that I did change the wording slightly and added your caveat about iPhone client deployment.

azzido

                              Thanks Jim, I tested it with the new snap and it's working fine.

fredriksimon

                                I will also try the latest snapshot one day…

                                /Fredrik

somm15

                                  I don't know if it's the correct place to write this.

Based on the racoon.conf from a Mac OS X server, I managed to configure an IPSec VPN with an iPad (and MacBook):
                                  Mobile Clients
                                  Nothing special

                                  Phase 1
                                  Auth Method: Mutual PSK + XAuth
Negotiation method: aggressive
                                  My identifier: my_dyndns_address
                                  Peer identifier: my_e_mail_address
                                  Pre-shared key: put something
                                  Proposal checking: claim
                                  Encryption alg: AES 256
                                  Hash alg: SHA1
                                  DH Key group: 2
                                  The rest is default

                                  Phase 2
                                  Mode: Tunnel
                                  Local Network: LAN Subnet
                                  Protocol: ESP
                                  Encryption alg: everything but DES
                                  Hash alg: both
                                  PFS key group: off

                                  2.0-BETA5 (i386)
                                  built on Wed Jan 5 05:23:35 EST 2011

                                  Add an accept all, any protocol, any… in the IPSec tab of the Firewall.

So far I'm connected, I just can't ping anything (neither the pfSense nor the other hosts).
                                  But I'll find out...

spiritbreaker

                                    Hi,

You need to provide more information like IPsec logs and Mac logs.

Please post your racoon.conf.

                                    cya

                                    Pfsense running at 11 Locations
                                    -mobile OPENVPN and IPSEC
                                    -multiwan failover
                                    -filtering proxy(squidguard) in bridgemode with ntop monitoring

somm15

                                      Ok, no problem, I'll send everything tomorrow.
If you tell me where I can write it, I can write a "How to create a mobile client IPSec VPN for iPad/iPhone/iPod Touch" because… it's perfectly working...

My only issue is that the VPN subnet cannot overlap at all with the local subnet.

                                      My local subnet was "10.15.0.0/16" and I used "10.15.25.0/24" for the VPN clients… This is not working, apparently the VPN subnet cannot be included in the LAN one.

                                      So now I used "10.15.16.0/24" for IPSec client and...it's perfect.

Hmm, not really: it's pre-shared keys, XAuth based, no RADIUS, no certificate... not a state-of-the-art security level.
However, I think that's what most users will configure. Easy to set up, no CA needed, no RADIUS needed, ready in 10 minutes and still secure with a long pre-shared secret and complex user passwords.

somm15

Another VERY IMPORTANT parameter!

                                        The user has to have the "User - System - Shell account access" effective privilege.
I just realized that if I create a user without this parameter, there is no way to connect it to the VPN.

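As an added example, not somm15's actual configuration, here is how the phase 1 settings in the three posts above (Mutual PSK + XAuth, aggressive mode, a DynDNS name as my identifier and an e-mail address as peer identifier) look as a racoon.conf remote section, together with the pre-shared-key file racoon reads and a mode_cfg pool placed outside the LAN. The host name, e-mail identifier, key-file path and pool address are assumptions; phase 2 (the sainfo section) is left out.

```conf
# Added example: racoon.conf remote section for Mutual PSK + XAuth in aggressive mode.
# Identifiers, paths and the client pool are assumptions, not values from the thread.

# The key file (assumed path) holds one "identifier<TAB>key" pair per line, e.g.
#     user@example.com    a-long-random-pre-shared-secret
# It must be readable only by root, since anyone holding the key can impersonate the server.
path pre_shared_key "/var/etc/psk.txt";

remote anonymous {
        exchange_mode aggressive;      # aggressive mode: the ID is sent in the first message, so
                                       # the PSK can be matched to a peer before addresses are known
        my_identifier fqdn "vpn.example.dyndns.org";     # assumed; the DynDNS name clients dial
        peers_identifier user_fqdn "user@example.com";   # assumed; the e-mail identifier
        verify_identifier on;          # only peers presenting exactly this ID are accepted
        proposal_check claim;
        generate_policy on;
        nat_traversal on;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;   # PSK authenticates phase 1, XAuth the user
                dh_group 2;
        }
}

mode_cfg {
        auth_source system;            # XAuth users must exist locally (see the privilege note above)
        network4 192.168.250.1;        # assumed pool 192.168.250.0/24; it must not lie inside any
        netmask4 255.255.255.0;        # network listed as the phase 2 local network
        pool_size 253;
}
```

Aggressive mode with a PSK exposes a hash over the shared secret to anyone who can send the first message with a matching ID, so the strength of this setup rests on the length and randomness of the secret in psk.txt and on the XAuth passwords behind it, which is the trade-off described above.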
louis-m

Aha... for the first time I have a connection, thanks to that last bit of info.
I can't ping anything though. Where is the subnet set? I see 2 places, i.e. under mobile clients & phase 2.
Do they both have to match, be different, and which one needs to be different to what subnets are on the router for LAN/VLAN?
I've tried a few combinations but to no avail.

CeKMTL

First of all, let me greet everyone here, and I hope I can get some help from you on the same subject that you all had success with, and that I sadly can't seem to get right… :( :'(

The usual suspects: iPhone 4.2.1 wants to connect via IPsec (Cisco) to pfSense 2.0-BETA5 (the latest I could get this month).
First I did my tests from the outside (WAN) side, then tried the internal LAN, just to rule out any kind of weird problems with the DSL router.

My question is if there's some kind of guide, step by step (because the iPhone is very picky with the exact settings), on how to accomplish this feat, and then once PSK works, I would like to move to the "big leagues" of the certs and have the iPhone automagically connect and all that unspeakable black magic ;)

I've searched the forum, Google and the usual suspects, but the info is lacking, or isn't exactly what I am searching for, which this topic seems to cover spot on.
                                            Thank you for reading this, and I hope someone can help out this poor soul make his way (I've already pulled a lot of hair on this one...).

                                            Carlos.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.