IOS (iphone/ipad) & 2.0-RC1 IPsec.. It almost works.

TheLost

By following the other threads on this forum i've got an IPsec VPN setup on 2.0-RC1 that ALMOST works with an iPad.

I can connect…. but I can't hit anything on the LAN side.

My LAN uses 192.168.2.0/24
The VPN Mobile client uses 192.168.10.0/24

Here is a snippet of my IPsec log...

pr 11 13:21:50	racoon: INFO: Released port 0
Apr 11 13:21:50	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
Apr 11 13:21:49	racoon: INFO: purged ISAKMP-SA spi=928c67e22be4d54c:6e718efd4779d6e0:0000efd7.
Apr 11 13:21:49	racoon: INFO: purged IPsec-SA spi=41114208.
Apr 11 13:21:49	racoon: INFO: purging ISAKMP-SA spi=928c67e22be4d54c:6e718efd4779d6e0:0000efd7.
Apr 11 13:21:49	racoon: INFO: purged IPsec-SA proto_id=ESP spi=150558327.
Apr 11 13:21:49	racoon: INFO: generated policy, deleting it.
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.10.1/32[0] proto=any dir=out"
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in"
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=150558327(0x8f95677)
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=41114208(0x2735a60)
Apr 11 13:20:33	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 11 13:20:33	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in
Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 24.10.???.??[4500]<=>207.86.???.??[51536]
Apr 11 13:20:33	racoon: WARNING: Ignored attribute 28683
Apr 11 13:20:33	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 11 13:20:33	racoon: INFO: login succeeded for user "Brian"
Apr 11 13:20:33	racoon: INFO: Using port 0
Apr 11 13:20:28	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
Apr 11 13:20:28	racoon: INFO: Sending Xauth request
Apr 11 13:20:28	racoon: INFO: NAT detected: PEER
Apr 11 13:20:28	racoon: [207.86.???.??] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Apr 11 13:20:28	racoon: INFO: NAT-D payload #1 doesn't match
Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Hashing 207.86.???.??[51536] with algo #2
Apr 11 13:20:28	racoon: INFO: NAT-D payload #0 verified
Apr 11 13:20:28	racoon: [24.10.???.??] INFO: Hashing 24.10.???.??[4500] with algo #2
Apr 11 13:20:28	racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 207.86.???.??[51536]<->24.10.???.??[4500]
Apr 11 13:20:28	racoon: INFO: Adding xauth VID payload.
Apr 11 13:20:28	racoon: [24.10.???.??] INFO: Hashing 24.10.???.??[500] with algo #2
Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Hashing 207.86.???.??[128] with algo #2
Apr 11 13:20:28	racoon: INFO: Adding remote and local NAT-D payloads.
Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Selected NAT-T version: RFC 3947
Apr 11 13:20:28	racoon: INFO: received Vendor ID: DPD
Apr 11 13:20:28	racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 11 13:20:28	racoon: INFO: received Vendor ID: RFC 3947
Apr 11 13:20:28	racoon: INFO: begin Aggressive mode.

And here is my racoon.conf:

# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 24.10.???.?? [500];
        isakmp_natt 24.10.???.?? [4500];
}

mode_cfg
{
        auth_source system;
        group_source system;
        pool_size 253;
        network4 192.168.10.1;
        netmask4 255.255.255.0;
        split_network include 192.168.2.0/24;
        dns4 192.168.2.2;
        banner "/var/etc/racoon.motd";
}

remote anonymous
{
        ph1id 1;
        exchange_mode aggressive;
        my_identifier address 24.10.???.??;
        peers_identifier fqdn "ipad vpn";
        ike_frag on;
        generate_policy = unique;
        initial_contact = off;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;

        proposal
        {
                authentication_method xauth_psk_server;
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }
}

sainfo   anonymous
{
        remoteid 1;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;

        lifetime time 3600 secs;
        compression_algorithm deflate;
}

Any ideas why i cant hit anything on my local network?  Has anybody EVER got IPsec (on 2.0RC1) to work with an iOS device?

ericab

hmmm, im having issues connecting to anything at all. it seems i may have getten a stable connection to the pfSense box, but i cant access anything local, or remote.
ive been assigned an IP address; ive added F/W rules to the IPsec tab…. but still nothing.  wish i could help you. were all waiting on 'mlanner' from this post to give some insight.  http://forum.pfsense.org/index.php/topic,32319.msg182957.html#msg182957
:-\

ps; might be something to watch:  http://forum.pfsense.org/index.php/topic,35515.msg183597.html#msg183597

TheLost

I should also point out i have my firewall IPsec rules setup to allow all/any traffic.

I'm going to call BS on anybody that says they have it working…  ;D

szop

I'm able to connect to our LAN via iPhone, but when the VPN is activated I can't use the Internet like www.google.com :/

TheLost

@szop:

I'm able to connect to our LAN via iPhone, but when the VPN is activated I can't use the Internet like www.google.com :/

Can you post your setup?  I'd like to compare mine with yours.

szop

I used this guide: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Cheers

TheLost

@szop:

I used this guide: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Cheers

Using that same setup i still can't access anything on my internal network…  can you?

TheLost

After spending a few days on this I've given up  :-[ (for now)..

I ended up building a VM using Debian & Openswan to create a L2TP/IPsec vpn server i can use with my iPhone/iPad. I may try again once 2.0 goes final or somebody actually posts a working solution…  but for now i have a working VPN.

ericab

yeah i think i'm going to opt in for that approach too;

did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

TheLost

@ericab:

yeah i think i'm going to opt in for that approach too;

did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

Here is a quick little write up i did for a friend.. PM me if you need any help.
http://www.lostbyte.com/projects/l2tpipsec-vpn-for-ios/

Ladtkow

@TheLost:

After spending a few days on this I've given up  :-[ (for now)..[url=http://www.ebelow.com/ipad-2-case-iPad2case-iPad-2-cases.html]ipad 2 cases
ipad2  cases leather
iPad2 case
I ended up building a VM using Debian & Openswan to create a L2TP/IPsec vpn server i can use with my iPhone/iPad. I may try again once 2.0 goes final or somebody actually posts a working solution…  but for now i have a working VPN.

did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?

eazydor

@szop try to make a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface.

pfsenseuser3

also working for me with this guide -> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

iphone 4
iOS: 4.3.2
LAN SUBNET: 192.168.1.0/24

i can hit everything at the LAN side. Only the internet (www.google.at as example) is not working, but i think this is a feature for security.. So nobody could go throug your internet connection in your vpn.

eazydor

@pfsenseuser3 do you have a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface? Without this Rule, you IPSec-Client will try to connect to outbound (i.e. internet) with their local ipsec-pool-adresses and doesn't get translated to the wan interfaces address. This means almost every outbound request you send will be dropped by servers configured not to accept traffic from local networks. By adding this Rule, every outbound traffic wlll be translated to your wan interfaces address, this should solve your problem accessing i.e. the internet.

pfsenseuser3

@eazydor: thx for your tip ;)

here is a screen from the rule which i have enabled.. i think there is something wrong  ???

Uploaded with ImageShack.us

@ALL: read this post from me -> http://forum.pfsense.org/index.php/topic,35783.msg186413.html#msg186413 (maybe a solution for VPN and iOS devices ;) )

_igor_

I've tested your hint with outbound NAT which resulted in a complete inaccessibility of LAN and WAN. So i think thats wrong. I can see in the firewall-log only connections to my pfsense, but nothing goes out anymore. So i reviewed my settings regard to IPSEC and found out that at "IPSEC:Mobile clients" disabling the entry "Provide a list of accessible networks to clients" i get connected with LAN accessibility but no WAN.

Reenabling "Provide a list of accessible networks to clients" resulted in full WAN-access via the IPSEC-tunnel.

So no outbound-NAT is necessary. Only the "IPSEC any to any" rule and at WAN-side i have an "ESP to any" rule.

Hope that helps getting a fully working Mobile IPSEC connection.

edit: I have allowed ports 4500 and 500 UDP incoming from WAN, which i forgot to mention. sorry.

eazydor

@_igor_ are you still able to connect to your lan subnet?

@pfsenseuser3 you should set your outbound nat mode to manual.

eazydor

@igor when i set "provide accesible networks" i do lose my default route over the tunnel and the client talk directly to the wan since their default route is set to the lan-gateway. this means no traffic to wan at all is routed trough your tunnel. that your client has established a connection and can talk to outbound doesnt mean directly that the traffic is passing your tunnel interface. apart from that i dont believe that theres right and wrong, rather than suitable or not. would you please take a look a you routing table when connected?

ericab

still waiting on a full HOWTO so it can be stickied…..

eazydor

@ericab can i help you with somewhat? i believe that theres no tutorial because mobile ipsec works perfectly since months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that´s right..