Netgate Discussion Forum

IOS roadwarrior configuration using IPsec?

IPsec
9 Posts 6 Posters 8.4k Views
    iUser
    last edited by Mar 23, 2011, 9:19 PM

    I would like to form an IPsec tunnel between my iOS v4.3 devices and my home firewall and route all traffic during this VPN session via my home firewall, both to the internal network and to the internet.

    I'm able to get a partial IPsec tunnel up by following the howto here "http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558" and "http://www.huijgen.com/tunnel/", but I don't get any traffic moving anywhere, except directly to the internet over 3G from my iPad, bypassing the whole tunnel. It looks like the tunnel goes up on my pfSense box and comes straight down in a few seconds, whereas my iOS devices happily think they have a tunnel active indefinitely.

    Below, 10.100.100.0/24 is the VPN-client care-of IP address and 192.168.1.0/24 is the internal home network.

    
    Mar 23 23:00:44	racoon: INFO: purged IPsec-SA proto_id=ESP spi=245982240.
    Mar 23 23:00:44	racoon: INFO: deleting a generated policy.
    Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=181848391(0xad6c947)
    Mar 23 23:00:41	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=5924082(0x5a64f2)
    Mar 23 23:00:41	racoon: [Self]: INFO: initiate new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=245982240(0xea96420)
    Mar 23 23:00:40	racoon: [Self]: INFO: IPsec-SA established: ESP xxx.aaa.112.226[500]->yyy.bbb.112.226[500] spi=46648778(0x2c7cdca)
    Mar 23 23:00:40	racoon: INFO: no policy found, try to generate the policy : 10.100.100.1/32[0] 192.168.1.0/24[0] proto=any dir=in
    Mar 23 23:00:40	racoon: [Self]: INFO: respond new phase 2 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    Mar 23 23:00:40	racoon: WARNING: Ignored attribute 28683
    Mar 23 23:00:40	racoon: ERROR: Cannot open "/etc/motd"
    Mar 23 23:00:40	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Mar 23 23:00:40	racoon: INFO: login succeeded for user "vpnuser"
    Mar 23 23:00:40	racoon: INFO: Using port 0
    Mar 23 23:00:39	racoon: [Self]: INFO: ISAKMP-SA established xxx.aaa.112.226[500]-yyy.bbb.112.226[500] spi:7fad2359ca74df42:122af39befaa12bd
    Mar 23 23:00:39	racoon: INFO: Sending Xauth request
    Mar 23 23:00:39	racoon: INFO: NAT not detected
    Mar 23 23:00:39	racoon: [yyy.bbb.112.226] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Mar 23 23:00:39	racoon: INFO: NAT-D payload #1 verified
    Mar 23 23:00:39	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
    Mar 23 23:00:39	racoon: INFO: NAT-D payload #0 verified
    Mar 23 23:00:39	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: INFO: Adding xauth VID payload.
    Mar 23 23:00:38	racoon: [Self]: [xxx.aaa.112.226] INFO: Hashing xxx.aaa.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Hashing yyy.bbb.112.226[500] with algo #2
    Mar 23 23:00:38	racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 23 23:00:38	racoon: [yyy.bbb.112.226] INFO: Selected NAT-T version: RFC 3947
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: DPD
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 23 23:00:38	racoon: INFO: received Vendor ID: RFC 3947
    Mar 23 23:00:38	racoon: INFO: begin Aggressive mode.
    Mar 23 23:00:38	racoon: [Self]: INFO: respond new phase 1 negotiation: xxx.aaa.112.226[500]<=>yyy.bbb.112.226[500]
    
    

    Is anyone writing a howto on configuring something like this for iOS devices?

    I've searched the forums, Google and Bing extensively and came out fairly empty-handed: only the article above and comments along the lines of "search for roadwarrior and iphone", which comes back more or less empty too, by the way.

    Any ideas what could be wrong?

      p0ddie
      last edited by Apr 5, 2011, 9:22 AM

      A lot of these questions on the forums here. This thread http://forum.pfsense.org/index.php/topic,32319.msg181260.html#msg181260 seems the most promising one. One user claims to be working on a manual with screenshots, let's hope he will have it done soon :-)

        getrav
        last edited by Apr 7, 2011, 3:30 AM

        I used the following guide to get me through the initial setup:
        http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

        I got it working and I can connect to the pfSense internal IP address (SSH & HTTPS) but nothing else.

        I have set the firewall rules to allow 500 & 4500 on WAN
        I have set the firewall rules to allow * on IPsec

        here is my racoon.conf

        # This file is automatically generated. Do not edit
        path pre_shared_key "/var/etc/psk.txt";
        
        path certificate  "/var/etc";
        
        listen
        {
                adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
                isakmp 173.56.67.22 [500];          # IKE on the WAN address
                isakmp_natt 173.56.67.22 [4500];    # NAT-T: IKE and UDP-encapsulated ESP
        }
        
        # Mode-config: virtual address, DNS and domain pushed to the client after XAuth
        mode_cfg
        {
                auth_source system;     # XAuth users are system accounts on the pfSense box
                group_source system;
                pool_size 253;
                network4 192.168.10.1;  # first address of the client pool
                netmask4 255.255.255.0;
                dns4 4.4.4.4;
                dns4 8.8.8.8;
                wins4 192.168.1.230;
                default_domain "silkcrafts.local";
                split_dns "silkcrafts.local";
                save_passwd on;
        }
        
        # Phase 1 for any peer (mobile clients): aggressive mode with PSK plus XAuth
        remote anonymous
        {
                ph1id 1;
                exchange_mode aggressive;
                my_identifier address 173.56.67.22;
                peers_identifier fqdn "iOStunnel";  # the "group name" the iOS client sends as its ID
                ike_frag on;
                generate_policy = unique;   # SPD entries are created per client from what it proposes
                initial_contact = off;
                nat_traversal = on;
        
                dpd_delay = 10;
                dpd_maxfail = 5;
                support_proxy on;
                proposal_check claim;
        
                proposal
                {
                        authentication_method xauth_psk_server;
                        encryption_algorithm aes 256;
                        hash_algorithm sha1;
                        dh_group 2;
                        lifetime time 28800 secs;
                }
        }
        
        # Phase 2: remoteid 1 ties this to ph1id 1 above; traffic selectors come from the client
        sainfo   anonymous
        {
                remoteid 1;
                encryption_algorithm aes 256, 3des;
                authentication_algorithm hmac_sha1;
        
                lifetime time 3600 secs;
                compression_algorithm deflate;
        }
        
        

        Here is my ipsec.log

        Apr  6 23:24:29 pfSense racoon: INFO: respond new phase 1 negotiation: 173.56.67.22[500]<=>71.167.40.48[500]
        Apr  6 23:24:29 pfSense racoon: INFO: begin Aggressive mode.
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: RFC 3947
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: CISCO-UNITY
        Apr  6 23:24:29 pfSense racoon: INFO: received Vendor ID: DPD
        Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Selected NAT-T version: RFC 3947
        Apr  6 23:24:29 pfSense racoon: INFO: Adding remote and local NAT-D payloads.
        Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[500] with algo #2
        Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[500] with algo #2
        Apr  6 23:24:29 pfSense racoon: INFO: Adding xauth VID payload.
        Apr  6 23:24:29 pfSense racoon: INFO: NAT-T: ports changed to: 71.167.40.48[4500]<->173.56.67.22[4500]
        Apr  6 23:24:29 pfSense racoon: [173.56.67.22] INFO: Hashing 173.56.67.22[4500] with algo #2
        Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #0 verified
        Apr  6 23:24:29 pfSense racoon: [71.167.40.48] INFO: Hashing 71.167.40.48[4500] with algo #2
        Apr  6 23:24:29 pfSense racoon: INFO: NAT-D payload #1 doesn't match
        Apr  6 23:24:29 pfSense racoon: [71.167.40.48] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
        Apr  6 23:24:29 pfSense racoon: INFO: NAT detected: PEER
        Apr  6 23:24:29 pfSense racoon: INFO: Sending Xauth request
        Apr  6 23:24:29 pfSense racoon: INFO: ISAKMP-SA established 173.56.67.22[4500]-71.167.40.48[4500] spi:69ee848a8b67814d:038f56bf8a1989a8
        Apr  6 23:24:29 pfSense racoon: INFO: Using port 0
        Apr  6 23:24:29 pfSense racoon: INFO: login succeeded for user "rshah"
        Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
        Apr  6 23:24:30 pfSense racoon: ERROR: Cannot open "/etc/motd"
        Apr  6 23:24:30 pfSense racoon: WARNING: Ignored attribute 28683
        Apr  6 23:24:30 pfSense racoon: INFO: respond new phase 2 negotiation: 173.56.67.22[4500]<=>71.167.40.48[4500]
        Apr  6 23:24:30 pfSense racoon: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in
        Apr  6 23:24:30 pfSense racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
        Apr  6 23:24:30 pfSense racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
        Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=10475519(0x9fd7ff)
        Apr  6 23:24:30 pfSense racoon: INFO: IPsec-SA established: ESP 173.56.67.22[500]->71.167.40.48[500] spi=170260883(0xa25f993)
        Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "192.168.10.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
        Apr  6 23:24:30 pfSense racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.10.1/32[0] proto=any dir=out"
        
        
          mayhem
          last edited by Jun 28, 2011, 1:20 AM

          Hey mate,

          Any luck getting this up and running with full tunnelling capabilities?
          If I wish to attempt this, do I need to upgrade to version 2? Currently running 1.2-RELEASE.

          Cheers!

            p0ddie
            last edited by Jun 28, 2011, 11:37 AM

            If I wish to attempt this, do I need to upgrade to version 2?

            2.x is a must, as 1.2 does not support mobile IPsec with NAT-T and all (as far as I understand).

              jimp Rebel Alliance Developer Netgate
              last edited by Jun 28, 2011, 3:55 PM

              You might try the config that works for Android phones (search the doc wiki for android vpn)


                iUser
                last edited by Aug 1, 2011, 8:11 PM

                Thanks for the suggestions; result still nil :'(

                I tried to adapt the Android wiki entries for the iPhone with no different results. I seem to be connected on the phone, and there are SADs and SPDs, though the IPsec connection does not show an IP address for the Destination in incoming (or it shows 0.0.0.0/0), and the same for Source in outgoing.

                I don't get traffic going anywhere, and the iPhone seems to route traffic locally past the VPN tunnel too, since Google is accessible even though the tunnel reports 0 bytes of data.

                I'm giving up on this until someone comes up with a coherent howto on how to achieve a sane, complete road warrior IPsec configuration with routes both to the internal LAN as well as the Internet via the IPsec tunnel server from my mobile.

                  ninja76
                  last edited by Aug 2, 2011, 2:09 PM

                  iUser,

                  It took me a lot of trying this and that, but I finally got it working with iPads and iPhones. If you are connecting but not passing traffic, then it is more than likely a Phase 2 policy problem. Check out my Phase 2 settings for mobile users (see attached screenshot). The Local Network part is where I found the problem to be. It helps to verify with a PC client (I use Shrew). Also be sure that all settings match up!

                  phase2.JPG

                    p0ddie
                    last edited by Aug 5, 2011, 9:48 AM

                    After a few days of testing I can say I have it running reliably now, too. I can connect with my iPad, iPhone and with the built-in Cisco IPsec client in OS X with the setup found in the previously mentioned post (http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558).

                    As my contribution toward this becoming a wiki entry, here are the two screenshots of the firewall rules I needed to get traffic flowing after I succeeded in connecting via IPsec:

                    The first screenshot is a floating rule, passing all traffic from the IPsec interface to my LAN interface (which happens to be a bridge of two interfaces, so it is called LANBRIDGE, but you might want to just use your default "LAN" interface).

                    The second screenshot is the firewall rule in the IPsec tab of the firewall. I think it gets created by default, but if not, then set it up as I did; it works :)

                    ![Bildschirmfoto 2011-08-05 um 11.40.11.png](/public/imported_attachments/1/Bildschirmfoto 2011-08-05 um 11.40.11.png)

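As an added illustration (not pfSense's generated ruleset and not from any poster), here are the rules ninja76 and p0ddie describe, written as plain pf syntax so the intent is visible without the screenshots. The interface names, the LAN subnet 192.168.1.0/24 (from iUser's post) and the client pool 192.168.10.0/24 (from the mode_cfg block in getrav's racoon.conf) are assumptions; pfSense builds its own rules from the GUI and attaches the IPsec tab to enc0. The outbound NAT line is the piece the thread does not spell out: with a full tunnel, client packets for the Internet leave on WAN carrying a pool source address, and unless they are translated the replies never come back. Whether automatic outbound NAT covers the mobile pool on a given pfSense version is an assumption to verify under Firewall > NAT > Outbound.

```pf
# Hand-written pf equivalents of the GUI settings this thread converged on
# (added example, not pfSense's generated ruleset). Assumptions: em0 = WAN,
# em1 = LAN, enc0 = the IPsec tab, LAN = 192.168.1.0/24 (iUser's post),
# mobile client pool = 192.168.10.0/24 (network4/netmask4 in getrav's mode_cfg).

# Phase 1 on WAN: IKE and NAT-T, plus bare ESP for clients that are not behind NAT
# (getrav's "allow 500 & 4500 on WAN")
pass in quick on em0 proto udp from any to (em0) port { 500, 4500 } keep state
pass in quick on em0 proto esp from any to (em0)

# The IPsec-tab rule (p0ddie's second screenshot): decapsulated client traffic may go
# anywhere. For a split tunnel, narrow "to any" to the LAN subnet.
pass in quick on enc0 inet from 192.168.10.0/24 to any keep state

# p0ddie's floating rule, IPsec -> LAN, is the same match restricted to the LAN:
pass in quick on enc0 inet from 192.168.10.0/24 to 192.168.1.0/24 keep state

# Full tunnel only (Phase 2 Local Network = 0.0.0.0/0, iUser's goal): client traffic
# for the Internet leaves on WAN from a pool address and must be source-translated,
# or replies never return. Assumed not to be covered by automatic outbound NAT on
# the 2.0 release discussed here; verify under Firewall > NAT > Outbound.
nat on em0 from 192.168.10.0/24 to any -> (em0)
```

The Phase 2 Local Network on pfSense and the network the client proposes must agree, which is the mismatch ninja76 points at: iUser's log shows the client asking for 192.168.1.0/24 (split tunnel), getrav's shows 0.0.0.0/0 (full tunnel), and the firewall and NAT rules above differ accordingly.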
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.