    iOS road-warrior configuration using IPsec?

    iUser:

      I would like to form an IPsec tunnel between my iOS v4.3 devices and my home firewall and route all traffic during this VPN-session via my home firewall both to the internal network and the internet.

      I'm able to get a partial IPsec tunnel up by following the howto here "http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558" and "http://www.huijgen.com/tunnel/", but I don't get any traffic moving anywhere, except directly to the internet over 3G from my iPad, bypassing the whole tunnel. It looks like the tunnel goes up on my pfSense box and comes straight down in a few seconds, whereas my iOS devices happily think they have a tunnel active indefinitely.

      Below, 10.100.100.0/24 is the VPN client care-of IP address range and 192.168.1.0/24 is the internal home network.

      
      Mar 23 23:00:44	racoon: INFO: purged IPsec-SA proto_id=ESP spi=245982240.
      Mar 23 23:00:44	racoon: INFO: deleting a generated policy.
      Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=181848391(0xad6c947)
      Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=5924082(0x5a64f2)
      Mar 23 23:00:41	racoon: [Self]: INFO: initiate new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
      Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=245982240(0xea96420)
      Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=46648778(0x2c7cdca)
      Mar 23 23:00:40	racoon: INFO: no policy found, try to generate the policy : 10.100.100.1/32[0] 192.168.1.0/24[0] proto=any dir=in
      Mar 23 23:00:40	racoon: [Self]: INFO: respond new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
      Mar 23 23:00:40	racoon: WARNING: Ignored attribute 28683
      Mar 23 23:00:40	racoon: ERROR: Cannot open "/etc/motd"
      Mar 23 23:00:40	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Mar 23 23:00:40	racoon: INFO: login succeeded for user "vpnuser"
      Mar 23 23:00:40	racoon: INFO: Using port 0
      Mar 23 23:00:39	racoon: [Self]: INFO: ISAKMP-SA established xxx.aaa.112.226[500]-yyy.bbb.112.226[500] spi:7fad2359ca74df42:122af39befaa12bd
      Mar 23 23:00:39	racoon: INFO: Sending Xauth request
      Mar 23 23:00:39	racoon: INFO: NAT not detected
      Mar 23 23:00:39	racoon: [yyy.bbb.112.226] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Mar 23 23:00:39	racoon: INFO: NAT-D payload #1 verified
      Mar 23 23:00:39	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
      Mar 23 23:00:39	racoon: INFO: NAT-D payload #0 verified
      Mar 23 23:00:39	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
      Mar 23 23:00:38	racoon: INFO: Adding xauth VID payload.
      Mar 23 23:00:38	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
      Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
      Mar 23 23:00:38	racoon: INFO: Adding remote and local NAT-D payloads.
      Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Selected NAT-T version: RFC 3947
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: DPD
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: CISCO-UNITY
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Mar 23 23:00:38	racoon: INFO: received Vendor ID: RFC 3947
      Mar 23 23:00:38	racoon: INFO: begin Aggressive mode.
      Mar 23 23:00:38	racoon: [Self]: INFO: respond new phase 1 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
      
      

      Is anyone writing a howto on configuring something like this for iOS devices?

      I've searched the forums, Google and Bing extensively and came out fairly empty-handed: only the article above and comments along the lines of "search for roadwarrior and iphone", which comes back more or less empty, btw.

      Any ideas what could be wrong?

      p0ddie:

        A lot of these questions on the forums here. This thread http://forum.pfsense.org/index.php/topic,32319.msg181260.html#msg181260 seems the most promising one. One user claims to be working on a manual with screenshots; let's hope he will have it done soon :-)

        getrav:

          I used the following guide to get me through the initial setup:
          http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

          I got it working and I can connect to the pfSense internal IP address (SSH & HTTPS) but nothing else.

          I have set the firewall rules to allow 500 & 4500 on WAN.
          I have set the firewall rules to allow * on IPsec.

          here is my racoon.conf

          # This file is automatically generated. Do not edit
          path pre_shared_key "/var/etc/psk.txt";
          
          path certificate  "/var/etc";
          
          listen
          {
                  adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                  isakmp 173.56.67.22 [500];
                  isakmp_natt 173.56.67.22 [4500];
          }
          
          mode_cfg
          {
                  auth_source system;
                  group_source system;
                  pool_size 253;
                  network4 192.168.10.1;
                  netmask4 255.255.255.0;
                  dns4 4.4.4.4;
                  dns4 8.8.8.8;
                  wins4 192.168.1.230;
                  default_domain "silkcrafts.local";
                  split_dns "silkcrafts.local";
                  save_passwd on;
          }
          
          remote anonymous
          {
                  ph1id 1;
                  exchange_mode aggressive;
                  my_identifier address 173.56.67.22;
                  peers_identifier fqdn "iOStunnel";
                  ike_frag on;
                  generate_policy = unique;
                  initial_contact = off;
                  nat_traversal = on;
          
                  dpd_delay = 10;
                  dpd_maxfail = 5;
                  support_proxy on;
                  proposal_check claim;
          
                  proposal
                  {
                          authentication_method xauth_psk_server;
                          encryption_algorithm aes 256;
                          hash_algorithm sha1;
                          dh_group 2;
                          lifetime time 28800 secs;
                  }
          }
          
          sainfo   anonymous
          {
                  remoteid 1;
                  encryption_algorithm aes 256, 3des;
                  authentication_algorithm hmac_sha1;
          
                  lifetime time 3600 secs;
                  compression_algorithm deflate;
          }
          
          

          Here is my ipsec.log

          Apr  6 23:24:29 pfSense racoon: INFO: respond new phase 1 negotiation: 173.56.67.22[500]<=>71.167.40.48[500]
          Apr  6 23:24:29 pfSense racoon: INFO: begin Aggressive mode.
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: RFC 3947
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
          Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: DPD
          Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Selected NAT-T version: RFC 3947
          Apr  6 23:24:29 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
          Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[500] with algo #2
          Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[500] with algo #2
          Apr  6 23:24:29 pfSense racoon: INFO: Adding xauth VID payload.
          Apr  6 23:24:29 pfSense racoon: INFO: NAT-T: ports changed to: 71.167.40.48[4500]<->173.56.67.22[4500]
          Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[4500] with algo #2
          Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #0 verified
          Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[4500] with algo #2
          Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #1 doesn't match
          Apr  6 23:24:29 pfSense racoon: [71.167.40.48] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
          Apr  6 23:24:29 pfSense racoon: INFO: NAT detected: PEER
          Apr  6 23:24:29 pfSense racoon: INFO: Sending Xauth request
          Apr  6 23:24:29 pfSense racoon: INFO: ISAKMP-SA established 173.56.67.22[4500]-71.167.40.48[4500] spi:69ee848a8b67814d:038f56bf8a1989a8
          Apr  6 23:24:29 pfSense racoon: INFO: Using port 0
          Apr  6 23:24:29 pfSense racoon: INFO: login succeeded for user "rshah"
          Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
          Apr  6 23:24:30 pfSense racoon: ERROR: Cannot open "/etc/motd"
          Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute 28683
          Apr  6 23:24:30 pfSense racoon: INFO: respond new phase 2 negotiation: 173.56.67.22[4500]<=>71.167.40.48[4500]
          Apr  6 23:24:30 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in
          Apr  6 23:24:30 pfSense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
          Apr  6 23:24:30 pfSense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
          Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=10475519(0x9fd7ff)
          Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=170260883(0xa25f993)
          Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
          Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.10.1/32[0] proto=any dir=out"
          
          
            mayhem:

            Hey mate,

            Any luck getting this up and running with full tunnelling capabilities?
            If I wish to attempt this, do I need to upgrade to version 2? Currently running 1.2-RELEASE.

            Cheers!

              p0ddie:

              "If I wish to attempt this, do I need to upgrade to version 2?"

              2.x is a must, as 1.2 does not support mobile IPsec with NAT-T and all that (as far as I understand).

                jimp (Rebel Alliance Developer, Netgate):

                You might try the config that works for Android phones (search the doc wiki for "android vpn").

                  iUser:

                  Thanks for the suggestions. Result still nil  :'(

                  I tried to adapt the Android wiki entries for the iPhone with no different results. I seem to be connected on the phone, and there are SADs and SPDs, though the IPsec connection does not show an IP address for the Destination in incoming (or it shows 0.0.0.0/0), and the same for Source in outgoing.

                  I don't get traffic going anywhere, and the iPhone seems to route traffic locally past the VPN tunnel too, since Google is accessible even though the tunnel reports 0 bytes of data.

                  I'm giving up on this until someone comes up with a coherent howto on how to achieve a sane, complete road-warrior IPsec configuration with routes both to the internal LAN and to the Internet via the IPsec tunnel server from my mobile.

                    ninja76:

                    iUser,

                    It took me a lot of trying this and that, but I finally got it working with iPads and iPhones.  If you are connecting but not passing traffic then it is more than likely a phase 2 policy problem.  Check out my phase 2 settings for mobile users (see attached screenshot).  The Local Network part is where I found the problem to be. It helps to verify with a PC client (I use Shrew).  Also be sure that all settings match up!


                      p0ddie:
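Added example, not code from any post in this thread: a small Python triage script for racoon log lines of the kind iUser and getrav pasted above. It pulls out the phase 2 selector pair from each "no policy found, try to generate the policy" line and compares the pfSense-side network with the phase 2 Local Network you intended (0.0.0.0/0 if, like iUser, you want all traffic through the tunnel; your LAN subnet for split tunnelling), which is the setting ninja76 identifies as the usual culprit. It also pairs every "IPsec-SA established" with its "purged IPsec-SA" by SPI to catch child SAs that are torn down seconds after coming up (iUser's first log), and counts "such policy does not already exist" errors (getrav's log). The embedded log lines are constructed from the excerpts in this thread with the public addresses replaced by RFC 5737 documentation ranges; the function names `triage` and `_ts` and the 30-second threshold are my own choices.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample, modelled on the excerpts posted in this thread.
# Public addresses are replaced with RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 23 23:00:40 racoon: INFO: no policy found, try to generate the policy : 10.100.100.1/32[0] 192.168.1.0/24[0] proto=any dir=in
Mar 23 23:00:40 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=245982240(0xea96420)
Mar 23 23:00:40 racoon: [Self]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=46648778(0x2c7cdca)
Mar 23 23:00:44 racoon: INFO: deleting a generated policy.
Mar 23 23:00:44 racoon: INFO: purged IPsec-SA proto_id=ESP spi=245982240.
Apr  6 23:24:30 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=10475519(0x9fd7ff)
Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
"""

# Syslog timestamp at the start of every line (no year in this format).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")
# Generated phase 2 policy: <client selector> <pfSense-side selector> ... dir=in
POLICY_RE = re.compile(
    r"generate the policy : (?P<client>\S+)\[\d+\] (?P<local>\S+)\[\d+\] proto=\S+ dir=in")
SA_UP_RE = re.compile(r"IPsec-SA established: ESP .* spi=(?P<spi>\d+)\(")
SA_PURGE_RE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(?P<spi>\d+)\.")
NO_POLICY_RE = re.compile(r"such policy does not already exist")


def _ts(line):
    """Parse the syslog timestamp; the implicit year only matters for deltas."""
    m = TS_RE.match(line)
    return datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")


def triage(log_text, expected_local, max_seconds=30):
    """Return findings for one racoon log.

    expected_local: the phase 2 Local Network you configured on pfSense
    (0.0.0.0/0 for a full tunnel, the LAN subnet for split tunnelling).
    """
    want = ipaddress.ip_network(expected_local)
    established = {}  # spi -> time the child SA came up
    findings = {"policies": [], "selector_mismatch": [],
                "short_lived_sa": [], "policy_errors": 0}
    for line in log_text.splitlines():
        if m := POLICY_RE.search(line):
            client, local = m.group("client"), m.group("local")
            findings["policies"].append((client, local))
            if ipaddress.ip_network(local) != want:
                findings["selector_mismatch"].append(
                    f"client {client} negotiated {local}, "
                    f"pfSense phase 2 Local Network is {want}")
        elif m := SA_UP_RE.search(line):
            established[m.group("spi")] = _ts(line)
        elif m := SA_PURGE_RE.search(line):
            spi = m.group("spi")
            if spi in established:
                age = (_ts(line) - established[spi]).total_seconds()
                if age < max_seconds:
                    findings["short_lived_sa"].append((spi, age))
        elif NO_POLICY_RE.search(line):
            findings["policy_errors"] += 1
    return findings


if __name__ == "__main__":
    # Full-tunnel intent, as in iUser's original question.
    for key, value in triage(SAMPLE_LOG, "0.0.0.0/0").items():
        print(f"{key}: {value}")
```

Run it against `clog /var/log/ipsec.log` output from the pfSense box. A selector mismatch means the client and the phase 2 entry disagree about which destinations belong in the tunnel, which produces exactly the "connected but no traffic" symptom; a child SA purged a few seconds after it was established points at the same negotiation being torn down and retried.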

                      After a few days of testing I can say I have it running reliably now, too. I can connect with my iPad, iPhone and with the built-in Cisco IPsec client in OS X with the setup found in the previously mentioned post (http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558).

                      As my effort to contribute to this becoming a wiki entry, here are the two screenshots of the firewall rules I needed to get traffic flowing after I succeeded in connecting via IPsec:

                      The first screenshot is a floating rule passing all traffic from the IPsec interface to my LAN interface (which happens to be a bridge of two interfaces, so it is called LANBRIDGE, but you might want to just use your default "LAN" interface).

                      The second screenshot is the firewall rule in the IPsec tab of the firewall. I think it gets created by default, but if not, then set it up as I did; it works :)

                      ![Bildschirmfoto 2011-08-05 um 11.40.11.png](/public/imported_attachments/1/Bildschirmfoto 2011-08-05 um 11.40.11.png)
