Why can't my iPhone connect using IPsec? (re: "User authentication failed.")



  • I'm having some trouble configuring IPsec with pfSense 2.0 with my iPhone 4 (iOS 4.1).

    Here are my iPhone settings:

    Description:  [Home]
    Server:   [my pfSense WAN address]
    Account:  [admin]
    Password:   [my pfSense admin password]
    Use Certificate:  [Off]  (this is grayed out for some reason)
    Group Name:  [Test]
    Secret:  [123456]
    

    Here are the relevant (?) pfSense IPsec settings:

    Phase 1:
    Authentication method:  [Mutual PSK + Xauth]
    Negotiation mode:  [Aggressive]
    Peer identifier:  [Distinguished name]  [Test]
    Pre-Shared Key:  [123456]
    
    

    The iPhone says "User authentication failed." when I try to start the VPN.

    What am I doing wrong?  I've tried setting an IPsec PSK for my admin account and using that as my password but that doesn't work either.  I've also tried tons of combinations but can't seem to figure it out…

    Here's my IPsec log:

    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[33592]
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: begin Aggressive mode.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: RFC 3947
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: CISCO-UNITY
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: received Vendor ID: DPD
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: No ID match.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Selected NAT-T version: RFC 3947
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Adding remote and local NAT-D payloads.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[33592] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX3[500] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Adding xauth VID payload.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-T: ports changed to: XXX.XXX.XXX.XXX[33620]<->XXX.XXX.XXX.XXX[4500]
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[4500] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-D payload #0 verified
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Hashing XXX.XXX.XXX.XXX[33620] with algo #2
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT-D payload #1 doesn't match
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT detected: PEER
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Sending Xauth request
    Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[33620] spi:ebc96609800d8793:2639a77c2acee43e
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: isakmp_cfg_config.port_pool == NULL
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: Port pool depleted
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: INFO: login failed for user "admin"
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[33620], but we have no ISAKMP-SA.
    Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: unknown Informational exchange received.

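    The log above shows the distinction this whole thread turns on: phase 1 (pre-shared key plus group name) completes ("ISAKMP-SA established"), and only then does XAuth reject the account ("login failed for user "admin""). The following triage helper is an added example, not code from the thread, from pfSense or from racoon; it parses racoon log lines of the form posted here, records which stage was reached, and states whether the PSK/group or the per-user credentials and account permissions are the thing to check. It also recognises the "phase1 negotiation failed due to time up" error that appears later in the thread, where XAuth is never reached. The sample lines are copied from the thread; the Diagnosis structure and finding texts are this example's own.

```python
# Added example (not from the thread, pfSense or racoon): triage racoon log
# lines to separate an ISAKMP phase 1 failure from an XAuth (user) failure.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# racoon syslog line: optional timestamp, optional "[tag]:", level, message.
LOG_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) )?racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
LOGIN_FAILED_RE = re.compile(r'login failed for user "(?P<user>[^"]+)"')


@dataclass
class Diagnosis:
    phase1_established: bool = False   # "ISAKMP-SA established" seen
    phase1_timed_out: bool = False     # "phase1 negotiation failed due to time up"
    xauth_requested: bool = False      # "Sending Xauth request" seen
    nat_detected: bool = False         # "NAT detected: PEER" seen
    failed_user: Optional[str] = None  # user named in "login failed for user"
    findings: List[str] = field(default_factory=list)
    verdict: str = "no racoon negotiation lines recognised"


def parse(lines) -> List[Tuple[Optional[str], str, str]]:
    """Return (tag, level, message) for every line that looks like racoon output."""
    out = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if m:
            out.append((m.group("tag"), m.group("level"), m.group("msg")))
    return out


def diagnose(lines) -> Diagnosis:
    d = Diagnosis()
    for _tag, _level, msg in parse(lines):
        if "No ID match" in msg:
            d.findings.append("WARNING 'No ID match': compare the phone's Group Name "
                              "with the pfSense peer identifier")
        elif "NAT detected: PEER" in msg:
            d.nat_detected = True
            d.findings.append("NAT-T in use (UDP/4500): WAN rules must pass UDP 500 and 4500")
        elif "Sending Xauth request" in msg:
            d.xauth_requested = True
        elif "ISAKMP-SA established" in msg:
            d.phase1_established = True
        elif "Port pool depleted" in msg:
            d.findings.append("'Port pool depleted': mode-config pool error logged before "
                              "the login failure, worth checking alongside the account")
        elif "phase1 negotiation failed due to time up" in msg:
            d.phase1_timed_out = True
        else:
            m = LOGIN_FAILED_RE.search(msg)
            if m:
                d.failed_user = m.group("user")

    if d.phase1_timed_out:
        d.verdict = ("phase 1 timed out: no ISAKMP SA formed, so XAuth was never reached; "
                     "check proposal, peer identifier / group name and reachability first")
    elif d.failed_user is not None:
        d.verdict = (f"XAuth rejected user {d.failed_user!r} after phase 1 succeeded: "
                     "PSK and group name are accepted, so check the password and the "
                     "pfSense account's permissions / group membership")
    elif d.phase1_established:
        d.verdict = "phase 1 established and no XAuth failure recorded"
    return d


# Lines copied from the thread (addresses already masked by the poster).
THREAD_LOG = [
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[33592]",
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: begin Aggressive mode.",
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: WARNING: No ID match.",
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: NAT detected: PEER",
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: Sending Xauth request",
    "Jan 17 03:05:47 racoon: [Mobile Phase 1]: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-XXX.XXX.XXX.XXX[33620] spi:ebc96609800d8793:2639a77c2acee43e",
    "Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: Port pool depleted",
    'Jan 17 03:05:48 racoon: [Mobile Phase 1]: INFO: login failed for user "admin"',
    "Jan 17 03:05:48 racoon: [Mobile Phase 1]: ERROR: mode config 6 from XXX.XXX.XXX.XXX[33620], but we have no ISAKMP-SA.",
]
TIMEOUT_LINE = "racoon: ERROR: phase1 negotiation failed due to time up  [some long hash here]"

if __name__ == "__main__":
    for label, lines in (("thread log", THREAD_LOG), ("timeout", [TIMEOUT_LINE])):
        result = diagnose(lines)
        print(f"{label}: {result.verdict}")
        for f in result.findings:
            print(f"  - {f}")
```

Run it against a pasted IPsec log (one line per list entry); the verdict tells you which side of the XAuth boundary to work on before you start changing settings at random.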

  • Rebel Alliance Developer Netgate

    As a test, see if adding the shell access permission to a user will let it connect.

    http://redmine.pfsense.org/issues/1202



  • I've finally figured it out.

    Apparently the "admin" account won't work for VPN access.  I had to add another account and make him a member of the admins group.  This added a default permission to access all Webcfg pages (which isn't applicable here) but that alone was enough to have it start working.

    Thanks for the help!


  • Rebel Alliance Developer Netgate

    The admin group also gives shell access, so that is sort of the same thing I said… though you don't want to give admin permissions to most users of your VPN of course, it may be different if this is all just for you. :-)



  • Yeah, I understand what you're saying.  In this case, the account is only for me…

    Does the admin group automatically grant any other permissions?  In the User Manager, when I added myself to the admin group it added that Webcfg permission but doesn't mention SSH or anything else.  So are these permissions automatically granted because of the group?  (If so, why isn't the Webcfg permission also automatic?)


  • Rebel Alliance Developer Netgate

    Yes, admin group gets all permissions, not just the GUI.



  • Tried this:

    Shell access granted on pfSense: full access with iPhone to my LAN with IPsec.
    Shell access disabled on pfSense: same. Full access to my LAN.

    So shell access is not necessary. Snap is (i386) built on Fri Jan 21 06:52:27 EST 2011


  • Rebel Alliance Developer Netgate

    Was that user a member of any groups?



  • I only created a user. Didn't assign any group or effective rights. In my first tests I enabled shell access for that user, but then disabled the granted rights.

    entry of /etc/passwd:
    funzkerl:*:2001:65534:na wer wohl?:/home/funzkerl:/sbin/nologin

    edit:
    No, after rebooting the iPhone it no longer connects to IPsec. So I think the iPhone caches that user info in some way. Holy crap!
    So my report was not at all the right thing. (Is it a Windows box??? ;)

    Conclusion: Shell-access has to be granted for connection via IPsec.



  • sofakng,

    Can you provide a quick recap of the settings you used to successfully get your iPhone to connect? I've followed some of the tutorials I've found here in the forums and elsewhere … although I haven't found one specific to iDevices. I've mostly been able to get it to work, except for that pesky "User authentication failed" at the very end. And, the user I'm testing with is in the admin group with shell access. So close, yet so far away ...

    Any details and clues would be greatly appreciated.

    Thanks in advance.



  • +1 here for a comprehensive short but thorough guide on how to get iOS devices to work with IPSEC. Have been trying the scattered how-to's on the forum, but no luck so far. Maybe a decent, "official"  faq article would be in order, with screenshots and everything? Thanks! :-)




  • Rebel Alliance Developer Netgate

    I'd be happy to write up a tutorial if someone were to give me an iPad/iPad 2. Sadly, I can't document something I don't have access to… :-)



  • jimp,

    I can't provide an iPad, but I'd be happy to contribute to a "bounty." Alternatively, I would consider contributing an iPod Touch. I know that's not as fun as an iPad, but for all intents and purposes when it comes to iDevice testing and documentation, it should work just fine.



  • A guide might not be all it takes. I might be wrong, hopefully I am, but it might be worth looking into this before handing out ipods.
    http://forum.pfsense.org/index.php/topic,34135.0.html

    It all depends where the other thread takes us. If it's only me having that problem I will put some more time into figuring it out (settings seem to work, it "just" randomly fails). If it turns out to be a configuration issue and if a guide is all it takes I'd be happy to write it (without the donation) when I get it to work.



  • I got it working … finally. I made some mods based on igor's link. I'll write it all up and post it. Maybe it can be added to the wiki.

    fredriks: I don't think it's as simple a matter as "handing out iPods." I know jimp and a bunch of other contributors are spending a lot of time working on pfSense -- free for everyone -- and if an iPod = creating good documentation of an issue I (and others) couldn't solve myself, then I think an iPod is a small amount to contribute. As it is, I've solved it and will contribute the documentation myself in a few days instead of an iDevice. Again, for free to the pfSense community. :)


  • Rebel Alliance Developer Netgate

    I was half kidding about the donation bit. :-)

    Chris has an iPhone, as do some other devs, and I think one of them may at least have access to an iPad, but it's one thing to have it and another thing to document it.

    I currently don't have any iOS devices, but that may change in time. Perhaps we'll hold the 2.0 release hostage until we all get iPad 2's. ;-)

    /kidding
    //I think
    ///2 for 2!



  • Hey, any updates on this?

    I'd love an IPsec HOWTO. (I'm a bit lost here.)

    Tomorrow I am buying an iPad 2  ;D



  • I was wondering why there are no privileges that can be assigned for IPsec dial-in in the user manager…
    It would make things easier in this case, right?


  • Rebel Alliance Developer Netgate

    Yes, we still need to add a permission for IPsec VPN. It doesn't exist now, but it will before 2.0 is released.



  • @ericab:

    Hey, any updates on this?

    I'd love an IPsec HOWTO. (I'm a bit lost here.)

    Tomorrow I am buying an iPad 2  ;D

    bump.



  • bump  ???



  • ericab:

    https://portal.pfsense.org/index.php/support-subscription

    or wait until they have time to implement this feature.

    Roy…



  • I followed the detailed tutorial linked -igor- in previous page. I nearly got it to work, but it fails with this error (in pfSense logs):

    racoon: ERROR: phase1 negotiation failed due to time up  [some long hash here]

    I'm going to try with same setup but OS X 10.6.6 as the VPN client. I've been waiting for quite some time to get reliable secure VPN from OS X back to pfSense. I've gotten PPTP to work some times, but not reliably and I've heard the security is weak.



  • For what it's worth, I've had good luck with OpenVPN and 10.6.6, using Viscosity as the client. Not sure if OpenVPN is considered secure enough for you, but it's been reliable and effective for me.

    –Rook



  • I need to try it more, but I think it will work fine, this setup, with OS X even if not iPhone. I tested it today and it brought up the connection but immediately Snort blocked the IP I was on. I'll report back once I adjust the Snort rule tuning and can test it again. I've never tried Viscosity, only Tunnelblick which I wasn't crazy about.



  • I did have to adjust some firewall rules, specifically (if I recall right) explicitly allowing traffic from VPN clients to WAN. OpenVPN Wizard took care of most of the rest of it, though I did set it up with an earlier beta. Didn't take too much trial and error to get the basics working well.

    I'm pretty pleased with Viscosity as a VPN client. I had used the Cisco client for OS X as well as Shimo in the past. I prefer the UI, logging, and connection info provided by Viscosity to those others. Like Shimo it runs as a menu item with a detail screen you can pop open if the need arises. It's not free, but not too expensive either ($9). Looks like Shimo supports OpenVPN now as well, but I wasn't a huge fan of the UI in the (older) version I used to run to connect to a CiscoVPN for a former job. Hated the logging and connection detail views. It might be better now, that was a few years back. Either way, it is more expensive at €16 (but handles more VPN connection types).

    As for iOS, correct there's nothing official but I have tried out and verified an OpenVPN client available for jailbroken phones via Cydia called GuizmOVPN. €5, but has a 7 day free trial to make sure things work. See more here:
    http://www.guizmovpn.com/

    Anyway, hope some of that helped someone…

    --Rook



  • @Rook:

    I did have to adjust some firewall rules, specifically (if I recall right) explicitly allowing traffic from VPN clients to WAN. OpenVPN Wizard took care of most of the rest of it, though I did set it up with an earlier beta. Didn't take too much trial and error to get the basics working well.

    I'm pretty pleased with Viscosity as a VPN client. I had used the Cisco client for OS X as well as Shimo in the past. I prefer the UI, logging, and connection info provided by Viscosity to those others. Like Shimo it runs as a menu item with a detail screen you can pop open if the need arises. It's not free, but not too expensive either ($9). Looks like Shimo supports OpenVPN now as well, but I wasn't a huge fan of the UI in the (older) version I used to run to connect to a CiscoVPN for a former job. Hated the logging and connection detail views. It might be better now, that was a few years back. Either way, it is more expensive at €16 (but handles more VPN connection types).

    As for iOS, correct there's nothing official but I have tried out and verified an OpenVPN client available for jailbroken phones via Cydia called GuizmOVPN. €5, but has a 7 day free trial to make sure things work. See more here:
    http://www.guizmovpn.com/

    Anyway, hope some of that helped someone…

    --Rook

    Rook, thanks for that, I'm going to look into GuizmOVPN as soon as I can jailbreak my iPad 2 (finally got one!).
    In the meantime, I would love it (and would even be willing to PayPal you some $ for your trouble, or you could write a howto so others could read it as well) if you'd write a step-by-step for allowing my iPad to connect to my pfSense 2.0 RC IPsec server. I've had no luck so far. :/

    -ericab



  • Haven't tried setting up IPsec yet… and no iPad... but if I get some time I'll give it a go with the smaller iDevices. I wouldn't pin your hopes on me though; I'm relatively new to pfSense, started with 1.2.3 and then quickly started using the 2.0 betas, and just trial/error'd my way through the base setup(s), then some of the firewall tweaking, snort, squid, traffic shaping, then OpenVPN.

    That said, if I do get the time and make some headway, I'll write something up. Least I can do for all the help I've had here reading through the posts.

    --Rook



  • I'm almost done with my write-up. I'll take some screenshots and verify that everything works correctly in the coming days. Stay tuned.



  • @mlanner:

    I'm almost done with my write-up. I'll take some screenshots and verify that everything works correctly in the coming days. Stay tuned.

    Excellent… thanks mlanner. Much better idea than me trying to do the same / from scratch (especially with no pressing need on my end to get the thing figured out and working).

    --Rook



  • Beautiful, thanks for that!  :D



  • Hi,

    eagerly awaiting the manual to set up iOS devices with IPSEC.

    Concerning OS X and VPN, I have some info to contribute… I grew to like using OpenVPN with Viscosity on OS X. Viscosity is pretty and OpenVPN runs at user level, so it is a little easier on the system. But: yes, Viscosity is cheap ($9), but not free. Using the OpenVPN export wizard in pfSense, setting up OpenVPN users on OS X is a matter of seconds, it really is that easy.

    Before using pfSense (so about 3-4 months ago) I happily used IPSecuritas (www.lobotomo.com) as a free ($0, Racoon-based) IPsec client for my routers. I rolled out quite a few users with quite a few routers with IPSecuritas; it seriously rocks (not as pretty as Viscosity though).

    So, once we get the iOS dial in straight, I will see if I can contribute in documenting setting up normal IPSEC with a Mac and IPSecuritas. There is a M0n0wall wizard for IPSecuritas, but since pfsense 2 and m0n0wall differ quite a lot, I wasn't really successful yet. Didn't try as hard though, as currently OpenVPN works just fine to dial in to my pfsense box.



  • Can you point to this m0n0 wizard?



  • I'm having the problem with XAuth seeming to happen before the SA is established.  Is there an easy way to apply the patch referenced at http://forum.pfsense.org/index.php/topic,34135.0.html?  If I slow down the processing by enabling about 10 debugs, or speed up the link, it works.

    Anybody have any other idea?  I'd love to figure out what's actually happening here but any workaround that will work would be great (except using PSK, I need certificates).

    thanks



  • @ermal:

    Can you point to this m0n0 wizard?

    Sure, here you go: http://www.lobotomo.com/products/IPSecuritas/howto/m0n0wall HOWTO.pdf



  • Hey mlanner,
    any luck on your write-up? I've had absolutely no luck connecting with my iPad/iPhone  ::)



  • I'm also interested in this tutorial!



  • any updates? :-)



  • I hope soon! I've been checking this thread twice daily.
    mlanner hasn't been active here since March 21st…

