Does IPSEC in pfSense 2.0 work with the iPhone?



  • I've been searching on the forum and it looks like IPSEC in pfSense 1.2.3 doesn't work with the iPhone.  Is this true?

    If so, does the current beta of pfSense 2.0 work with IPSEC and the iPhone?

    I believe PPTP works with the iPhone but I've heard it's not very secure but I don't know very much about VPNs, yet.

    Thanks for any advice!



  • Yes, pf 2.0 works great with the iPhone. Please search for that; you'll find all the info about it in the 2.0 beta forum or here too. Search for "IPSEC roadwarrior".



  • I have been searching around the forums for the last few hours and I cannot find anything that helps me understand how to set up an IPsec VPN to an iPhone.  I looked and searched "Road Warrior" and it does not work for me.  I am not sure what to paste here to get help, if there is a config dump or something that will aid in helping me.  I have tried to set up an L2TP connection; however, now after the 3rd time of trying this it will not even contact my pfSense wall.  I am running the most current 2.0 RC1 release.  Could someone point me in the right direction to get this set up and get to a point where I can list some output?

    Sorry, I am discouraged after trying this all day today and not being any closer to fixing it.



  • I tried one last post before I take a break:
    http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    I got all the way down to the bottom and the iPhone says "User Authentication Failed."

    On the pfSense it says under the IPsec log:

    racoon: [Self]: INFO: respond new phase 1 negotiation: HOMEIP[500]<=>WORKIP[9196]
    Mar 31 15:58:44	racoon: INFO: begin Aggressive mode.
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: RFC 3947
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 31 15:58:44	racoon: INFO: received Vendor ID: DPD
    Mar 31 15:58:44	racoon: [WORKIP] INFO: Selected NAT-T version: RFC 3947
    Mar 31 15:58:44	racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 31 15:58:44	racoon: [WORKIP] INFO: Hashing WORKIP[9196] with algo #2
    Mar 31 15:58:44	racoon: [Self]: [HOMEIP] INFO: Hashing HOMEIP[500] with algo #2
    Mar 31 15:58:44	racoon: INFO: Adding xauth VID payload.
    Mar 31 15:58:44	racoon: [Self]: INFO: NAT-T: ports changed to: WORKIP[9206]<->HOMEIP[4500]
    Mar 31 15:58:44	racoon: [Self]: [HOMEIP] INFO: Hashing HOMEIP[4500] with algo #2
    Mar 31 15:58:44	racoon: INFO: NAT-D payload #0 verified
    Mar 31 15:58:44	racoon: [WORKIP] INFO: Hashing WORKIP[9206] with algo #2
    Mar 31 15:58:44	racoon: INFO: NAT-D payload #1 doesn't match
    Mar 31 15:58:44	racoon: [WORKIP] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Mar 31 15:58:44	racoon: INFO: NAT detected: PEER
    Mar 31 15:58:44	racoon: INFO: Sending Xauth request
    Mar 31 15:58:44	racoon: [Self]: INFO: ISAKMP-SA established HOMEIP[4500]-WORKIP[9206] spi:00acc0dd998ac72d:4f1c0cd2bc0b1f6b
    Mar 31 15:58:44	racoon: INFO: Using port 0
    Mar 31 15:58:44	racoon: INFO: Released port 0
    Mar 31 15:58:44	racoon: INFO: login failed for user "ryan"
    Mar 31 15:58:44	racoon: ERROR: Attempt to release an unallocated address (port 0)
    Mar 31 15:58:45	racoon: ERROR: mode config 6 from WORKIP[9206], but we have no ISAKMP-SA.
    Mar 31 15:58:45	racoon: [WORKIP] ERROR: unknown Informational exchange received.
    
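The log above is the shape a responder-side racoon log takes for a NAT-T, aggressive-mode, XAuth road-warrior connection: phase 1 comes up ("ISAKMP-SA established") and only then does the credential check fail ("login failed for user"). The following is an added example, not code from the thread or from pfSense, that parses lines in that format into one record per phase 1 negotiation and separates "phase 1 never completed" from "phase 1 up, XAuth rejected", which is what the iPhone's "User Authentication Failed" message corresponds to. The sample log is constructed: the IPs are RFC 5737 documentation addresses standing in for HOMEIP/WORKIP, and the second, successful negotiation (including the "login succeeded for user" line) is assumed for illustration rather than taken from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the racoon lines quoted in the thread.
# 203.0.113.10 stands in for HOMEIP (pfSense), 198.51.100.7 for WORKIP (the phone's
# NAT). The successful second negotiation is assumed, not from the thread.
SAMPLE_LOG = """\
racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.7[9196]
Mar 31 15:58:44\tracoon: INFO: begin Aggressive mode.
Mar 31 15:58:44\tracoon: [Self]: INFO: NAT-T: ports changed to: 198.51.100.7[9206]<->203.0.113.10[4500]
Mar 31 15:58:44\tracoon: INFO: NAT-D payload #1 doesn't match
Mar 31 15:58:44\tracoon: [198.51.100.7] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Mar 31 15:58:44\tracoon: INFO: NAT detected: PEER
Mar 31 15:58:44\tracoon: INFO: Sending Xauth request
Mar 31 15:58:44\tracoon: [Self]: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[9206] spi:00acc0dd998ac72d:4f1c0cd2bc0b1f6b
Mar 31 15:58:44\tracoon: INFO: login failed for user "ryan"
Mar 31 15:58:45\tracoon: ERROR: mode config 6 from 198.51.100.7[9206], but we have no ISAKMP-SA.
Mar 31 16:02:10\tracoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.7[9300]
Mar 31 16:02:10\tracoon: INFO: begin Aggressive mode.
Mar 31 16:02:10\tracoon: [Self]: INFO: NAT-T: ports changed to: 198.51.100.7[9310]<->203.0.113.10[4500]
Mar 31 16:02:10\tracoon: INFO: NAT detected: PEER
Mar 31 16:02:10\tracoon: INFO: Sending Xauth request
Mar 31 16:02:10\tracoon: [Self]: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[9310] spi:0011223344556677:8899aabbccddeeff
Mar 31 16:02:11\tracoon: INFO: login succeeded for user "ryan"
"""

# The syslog timestamp is optional: the first line the poster pasted has none.
LINE_RE = re.compile(r'^(?:(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+)?racoon:\s*(.*)$')
PHASE1_RE = re.compile(r'respond new phase 1 negotiation: (\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]')
PORTS_RE = re.compile(r'NAT-T: ports changed to: (\S+)\[(\d+)\]<->(\S+)\[(\d+)\]')
MODE_RE = re.compile(r'begin (Aggressive|Identity Protection) mode')
NAT_RE = re.compile(r'NAT detected: (\S+)')
LOGIN_RE = re.compile(r'login (failed|succeeded) for user "([^"]*)"')
ERROR_RE = re.compile(r'\bERROR: (.*)')


@dataclass
class Negotiation:
    started: Optional[str]              # syslog timestamp, None if the line had none
    local: str                          # responder address (pfSense)
    peer: str                           # initiator address as seen after NAT
    peer_port: int                      # UDP source port, updated when NAT-T floats it
    mode: Optional[str] = None          # "Aggressive" or "Identity Protection"
    nat: Optional[str] = None           # "PEER", "ME" or "BOTH"; None if not detected
    isakmp_sa: bool = False             # phase 1 SA reached "established"
    xauth_user: Optional[str] = None
    xauth_result: Optional[str] = None  # "failed" or "succeeded"
    errors: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.xauth_result == "succeeded":
            return "ok"
        if self.xauth_result == "failed":
            return "xauth-failed"   # phase 1 up, credentials rejected: the thread's case
        if self.isakmp_sa:
            return "phase1-only"    # SA up but no XAuth result logged (yet)
        return "phase1-failed"      # proposal/PSK/identifier problem, never got to XAuth


def parse_racoon_log(text: str) -> List[Negotiation]:
    """Group racoon log lines into one record per 'respond new phase 1' exchange."""
    negs: List[Negotiation] = []
    cur: Optional[Negotiation] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # not a racoon line
        ts, msg = m.groups()
        p1 = PHASE1_RE.search(msg)
        if p1:
            local, _lport, peer, pport = p1.groups()
            cur = Negotiation(started=ts, local=local, peer=peer, peer_port=int(pport))
            negs.append(cur)
            continue
        if cur is None:
            continue                          # nothing to attach this line to
        pm = PORTS_RE.search(msg)
        if pm and pm.group(1) == cur.peer:
            cur.peer_port = int(pm.group(2))  # NAT-T moved the peer off port 500
        mm = MODE_RE.search(msg)
        if mm:
            cur.mode = mm.group(1)
        nm = NAT_RE.search(msg)
        if nm:
            cur.nat = nm.group(1)
        if "ISAKMP-SA established" in msg:
            cur.isakmp_sa = True
        lm = LOGIN_RE.search(msg)
        if lm:
            cur.xauth_result, cur.xauth_user = lm.groups()
        em = ERROR_RE.search(msg)
        if em:
            cur.errors.append(em.group(1))
    return negs


def failed_xauth_counts(negs: List[Negotiation]) -> Counter:
    """(peer, user) -> rejected XAuth logins; a threshold on this is a simple brute-force alert."""
    return Counter((n.peer, n.xauth_user) for n in negs if n.xauth_result == "failed")


def summarize(negs: List[Negotiation]) -> List[str]:
    return [
        f"{n.started or '?'} peer={n.peer}:{n.peer_port} mode={n.mode} nat={n.nat} "
        f"sa={'up' if n.isakmp_sa else 'down'} xauth={n.xauth_user}/{n.xauth_result} "
        f"errors={len(n.errors)} verdict={n.verdict()}"
        for n in negs
    ]


if __name__ == "__main__":
    parsed = parse_racoon_log(SAMPLE_LOG)
    for line in summarize(parsed):
        print(line)
    for (peer, user), count in failed_xauth_counts(parsed).items():
        print(f"failed XAuth logins from {peer} for user {user!r}: {count}")
```

Reading the verdicts is the useful part: "phase1-failed" points at proposal, pre-shared key or identifier mismatch, while "xauth-failed" (the poster's case) means the IKE side is fine and the problem is the user account or its permissions. The "NAT-D payload doesn't match" and "NAT detected: PEER" lines are expected for a phone behind a NAT and are not an error.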


  • Got it to connect finally with this post:
    http://forum.pfsense.org/index.php/topic,32319.0.html

    I added VPN Shell access to the user I was using in the IPsec config.  Now I have the iPhone on a different network, 192.168.197.0/24, than my main network, 192.168.196.0/24.  I need to figure out how to route the traffic from the 192.168.197.0/24 network to my 192.168.196.0/24 network.  This all pivots around the setting in VPN: IPsec: Mobile under Client configuration (mode-cfg), virtual address pool: "Provide a virtual IP address to clients."

    Because you put in a different network, you need a route to your LAN network.  I am not sure how to make a route to the LAN with pfSense (I am a Cisco guy).  Almost need to set up a virtual interface and have a gateway address?  Any advice?

    Attached is a screenshot of the settings I have.


