Netgate Discussion Forum

Why can't my iPhone connect using IPsec? (re: "User authentication failed.")

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
51 Posts 15 Posters 44.1k Views
    sofakng, Jan 17, 2011, 3:07 AM (last edited Jan 17, 2011, 3:10 AM)

    I'm having some trouble configuring IPsec with pfSense 2.0 with my iPhone 4 (iOS 4.1).

    Here's my iPhone settings:

    Description:  [Home]
    Server:  <my pfSense WAN address>
    Account:  [admin]
    Password:  <my pfSense admin password>
    Use Certificate:  [Off]  (this is grayed out for some reason)
    Group Name:  [Test]
    Secret:  [123456]
    

    Here's the relevant (?) pfSense IPsec settings:

    Phase 1:
    Authentication method:  [Mutual PSK + Xauth]
    Negotiation mode:  [Aggressive]
    Peer identifier:  [Distinguished name]  [Test]
    Pre-Shared Key:  [123456]
    
    

    The iPhone says "User authentication failed." when I try to start the VPN.

    What am I doing wrong?  I've tried setting an IPsec PSK for my admin account and using that as my password but that doesn't work either.  I've also tried tons of combinations but can't seem to figure it out…

    Here's my IPsec log:

    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[33592]
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: begin Aggressive mode.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: RFC 3947
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: CISCO-UNITY
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: DPD
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: No ID match.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Selected NAT-T version: RFC 3947
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Adding remote and local NAT-D payloads.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[33592] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX3[500] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Adding xauth VID payload.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-T: ports changed to: XXX.XXX.XXX.XXX[33620]<->XXX.XXX.XXX.XXX[4500]
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[4500] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-D payload #0 verified
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[33620] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-D payload #1 doesn't match
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT detected: PEER
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Sending Xauth request
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[33620] spi:ebc96609800d8793:2639a77c2acee43e
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: isakmp_cfg_config.port_pool == NULL
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: Port pool depleted
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: INFO: login failed for user "admin"
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[33620], but we have no ISAKMP-SA.
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: unknown Informational exchange received.

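Added example, not from the thread or from pfSense itself: a small Python triage script that walks racoon log lines like the ones quoted above and reports how far the mobile IPsec handshake got, separating a pre-shared-key/Phase 1 failure from an XAuth login rejection (the case in this log, where the ISAKMP-SA is established and the failure comes only at "login failed for user"). The log lines, addresses and SPI values in it are constructed, and the stage names are my own.

```python
import re

# Constructed sample lines modelled on the racoon output quoted in the post
SAMPLE_LOG = """\
Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: No ID match.
Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT detected: PEER
Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Sending Xauth request
Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: ISAKMP-SA established 203.0.113.1[4500]-198.51.100.7[33620] spi:0123456789abcdef:fedcba9876543210
Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: Port pool depleted
Jan 17 03:05:48 racoon: [Mobile Phase 1]: INFO: login failed for user "admin"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: \[(?P<tag>[^\]]+)\]: '
    r'(?P<level>[A-Z]+): (?P<msg>.*)$')

# Message patterns mapped to the stage of the mobile IPsec handshake they mark
MARKERS = [
    ("id_mismatch",      re.compile(r"No ID match")),
    ("nat_detected",     re.compile(r"NAT detected: (\w+)")),
    ("xauth_requested",  re.compile(r"Sending Xauth request")),
    ("isakmp_sa_up",     re.compile(r"ISAKMP-SA established")),
    ("port_pool",        re.compile(r"Port pool depleted")),
    ("xauth_login_fail", re.compile(r'login failed for user "([^"]+)"')),
]

def parse_line(line):
    """Split one racoon syslog line into timestamp, tag, level and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(text):
    """Return the handshake stages seen and a one-line diagnosis."""
    found = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pat in MARKERS:
            m = pat.search(rec["msg"])
            if m:
                found[name] = m.group(1) if m.groups() else True
    if "xauth_login_fail" in found:
        diagnosis = ("ISAKMP-SA came up, so the PSK is fine; XAuth rejected user "
                     "%r: check that user's VPN permission" % found["xauth_login_fail"])
    elif "isakmp_sa_up" not in found:
        diagnosis = "Phase 1 never completed: check PSK, identifiers and proposal"
    else:
        diagnosis = "Phase 1 and XAuth succeeded"
    return found, diagnosis
```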
      jimp (Rebel Alliance Developer, Netgate), Jan 17, 2011, 5:50 PM

      As a test, see if adding the shell access permission to a user will let it connect.

      http://redmine.pfsense.org/issues/1202

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        sofakng, Jan 17, 2011, 6:28 PM

        I've finally figured it out.

        Apparently the "admin" account won't work for VPN access.  I had to add another account and make him a member of the admins group.  This added a default permission to access all Webcfg pages (which isn't applicable here) but that alone was enough to have it start working.

        Thanks for the help!

          jimp (Rebel Alliance Developer, Netgate), Jan 17, 2011, 6:31 PM

          The admin group also gives shell access, so that is sort of the same thing I said… though you don't want to give admin permissions to most users of your VPN of course, it may be different if this is all just for you. :-)

            sofakng, Jan 17, 2011, 6:47 PM

            Yeah, I understand what you're saying.  In this case, the account is only for me…

            Does the admin group automatically grant any other permissions?  In the User Manager, when I added myself to the admin group it added that Webcfg permission but doesn't mention SSH or anything else.  So are these permissions automatically granted because of the group?  (If so, why isn't the Webcfg permission also automatic?)

              jimp (Rebel Alliance Developer, Netgate), Jan 17, 2011, 6:52 PM

              Yes, admin group gets all permissions, not just the GUI.

                _igor_, Jan 22, 2011, 2:30 PM

                Tried this:

                Shell access granted on pfSense: Full access with iphone to my lan with IPsec.
                Shell access disabled on pfSense: Same. Full access to my lan.

                So shell access is not necessary. Snap is i386, built on Fri Jan 21 06:52:27 EST 2011.

                  jimp (Rebel Alliance Developer, Netgate), Jan 22, 2011, 2:32 PM

                  Was that user a member of any groups?

                    _igor_, Jan 22, 2011, 4:21 PM (last edited Jan 22, 2011, 4:27 PM)

                    I only created a user. Didn't assign any group nor effective rights. At my first tests I enabled shell access for that user, but then disabled the granted rights.

                    entry of /etc/passwd:
                    funzkerl:*:2001:65534:na wer wohl?:/home/funzkerl:/sbin/nologin

                    edit:
                    No, after a reboot of the iPhone it no longer connects to the IPsec. So I think the iPhone caches that user info in some way. Holy crap!
                    So my report was not at all the right thing. (Is it a Windows box??? ;)

                    Conclusion: Shell-access has to be granted for connection via IPsec.

                      mlanner, Mar 8, 2011, 2:35 AM

                      sofakng,

                      Can you provide a quick re-cap of the settings you used to successfully get your iPhone to connect? I've followed some of the tutorials I've found here in the forums and elsewhere … although I haven't found one specific to iDevices. I've mostly been able to get it to work, except for that pesky "User authentication failed" at the very end. And, the user I'm testing with is in the admin group with shell access. So close, yet so far away ...

                      Any details and clues would be greatly appreciated.

                      Thanks in advance.

                        p0ddie, Mar 8, 2011, 7:40 AM

                        +1 here for a comprehensive, short but thorough guide on how to get iOS devices to work with IPsec. Have been trying the scattered how-tos on the forum, but no luck so far. Maybe a decent, "official" FAQ article would be in order, with screenshots and everything? Thanks! :-)

                          _igor_, Mar 8, 2011, 10:02 AM

                          Here is a really good entry: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

                            jimp (Rebel Alliance Developer, Netgate), Mar 8, 2011, 1:19 PM

                            I'd be happy to write up a tutorial if someone were to give me an iPad/iPad 2. Sadly, I can't document something I don't have access to… :-)

                              mlanner, Mar 8, 2011, 4:45 PM

                              jimp,

                              I can't provide an iPad, but I'd be happy to contribute to a "bounty." Alternatively, I would consider contributing an iPod Touch. I know that's not as fun as an iPad, but for all intents and purposes when it comes to iDevice testing and documentation, it should work just fine.

                                fredriks, Mar 8, 2011, 5:08 PM

                                A guide might not be all it takes. I might be wrong, hopefully I am, but it might be worth looking into this before handing out iPods.
                                http://forum.pfsense.org/index.php/topic,34135.0.html

                                It all depends where the other thread takes us. If it's only me having that problem I will put some more time into figuring it out (settings seems to work, it "just" randomly fails). If it turns out to be a configuration issue and if a guide is all it takes I'd be happy to write it (without the donation) when I get it to work.

                                  mlanner, Mar 8, 2011, 5:44 PM

                                  I got it working … finally. I made some mods based on igor's link. I'll write it all up and post it. Maybe it can be added to the wiki.

                                  fredriks: I don't think it's as simple a matter as "handing out iPods." I know jimp and a bunch of other contributors are spending a lot of time working on pfSense -- free for everyone -- and if an iPod = creating good documentation of an issue I (and others) couldn't solve myself, then I think an iPod is a small amount to contribute. As it is, I've solved it and will contribute the documentation myself in a few days instead of an iDevice. Again, for free to the pfSense community. :)

                                    jimp (Rebel Alliance Developer, Netgate), Mar 8, 2011, 6:22 PM

                                    I was half kidding about the donation bit. :-)

                                    Chris has an iPhone, as do some other devs, and I think one of them may at least have access to an iPad, but it's one thing to have it and another thing to document it.

                                    I currently don't have any iOS devices, but that may change in time. Perhaps we'll hold the 2.0 release hostage until we all get iPad 2's. ;-)

                                    /kidding
                                    //I think
                                    ///2 for 2!

                                      ericab, Mar 10, 2011, 8:22 PM

                                      Hey, any updates on this?

                                      I'd love an IPsec HOWTO. (I'm a bit lost here)

                                      Tomorrow I am buying an iPad 2  ;D

                                        trendchiller, Mar 11, 2011, 8:04 PM

                                        I was wondering why there are no privileges that can be assigned for IPsec dial-in in the User Manager…
                                        It would make things easier in this case, right?

                                          jimp (Rebel Alliance Developer, Netgate), Mar 11, 2011, 8:37 PM

                                          Yes, we still need to make a permission for IPsec VPN. It doesn't exist now, but it will before 2.0 is released.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.