iOS (iPhone/iPad) & 2.0-RC1 IPsec.. It almost works.



  • By following the other threads on this forum I've got an IPsec VPN setup on 2.0-RC1 that ALMOST works with an iPad.

    I can connect… but I can't hit anything on the LAN side.

    My LAN uses 192.168.2.0/24
    The VPN Mobile client uses 192.168.10.0/24

    Here is a snippet of my IPsec log...

    
    Apr 11 13:21:50	racoon: INFO: Released port 0
    Apr 11 13:21:50	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
    Apr 11 13:21:49	racoon: INFO: purged ISAKMP-SA spi=928c67e22be4d54c:6e718efd4779d6e0:0000efd7.
    Apr 11 13:21:49	racoon: INFO: purged IPsec-SA spi=41114208.
    Apr 11 13:21:49	racoon: INFO: purging ISAKMP-SA spi=928c67e22be4d54c:6e718efd4779d6e0:0000efd7.
    Apr 11 13:21:49	racoon: INFO: purged IPsec-SA proto_id=ESP spi=150558327.
    Apr 11 13:21:49	racoon: INFO: generated policy, deleting it.
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.10.1/32[0] proto=any dir=out"
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in"
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=150558327(0x8f95677)
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=41114208(0x2735a60)
    Apr 11 13:20:33	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Apr 11 13:20:33	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in
    Apr 11 13:20:33	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 24.10.???.??[4500]<=>207.86.???.??[51536]
    Apr 11 13:20:33	racoon: WARNING: Ignored attribute 28683
    Apr 11 13:20:33	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Apr 11 13:20:33	racoon: INFO: login succeeded for user "Brian"
    Apr 11 13:20:33	racoon: INFO: Using port 0
    Apr 11 13:20:28	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
    Apr 11 13:20:28	racoon: INFO: Sending Xauth request
    Apr 11 13:20:28	racoon: INFO: NAT detected: PEER
    Apr 11 13:20:28	racoon: [207.86.???.??] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Apr 11 13:20:28	racoon: INFO: NAT-D payload #1 doesn't match
    Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Hashing 207.86.???.??[51536] with algo #2
    Apr 11 13:20:28	racoon: INFO: NAT-D payload #0 verified
    Apr 11 13:20:28	racoon: [24.10.???.??] INFO: Hashing 24.10.???.??[4500] with algo #2
    Apr 11 13:20:28	racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 207.86.???.??[51536]<->24.10.???.??[4500]
    Apr 11 13:20:28	racoon: INFO: Adding xauth VID payload.
    Apr 11 13:20:28	racoon: [24.10.???.??] INFO: Hashing 24.10.???.??[500] with algo #2
    Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Hashing 207.86.???.??[128] with algo #2
    Apr 11 13:20:28	racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 11 13:20:28	racoon: [207.86.???.??] INFO: Selected NAT-T version: RFC 3947
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: DPD
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 11 13:20:28	racoon: INFO: received Vendor ID: RFC 3947
    Apr 11 13:20:28	racoon: INFO: begin Aggressive mode.
    
    

    And here is my racoon.conf:

    
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 24.10.???.?? [500];
            isakmp_natt 24.10.???.?? [4500];
    }
    
    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size 253;
            network4 192.168.10.1;
            netmask4 255.255.255.0;
            split_network include 192.168.2.0/24;
            dns4 192.168.2.2;
            banner "/var/etc/racoon.motd";
    }
    
    remote anonymous
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address 24.10.???.??;
            peers_identifier fqdn "ipad vpn";
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method xauth_psk_server;
                    encryption_algorithm aes 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    
    sainfo   anonymous
    {
            remoteid 1;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
    
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }
    
    

    Any ideas why I can't hit anything on my local network?  Has anybody EVER got IPsec (on 2.0RC1) to work with an iOS device?
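As an added example (not code from the thread or from pfSense), a small Python script that parses racoon log lines of the shape shown above and summarises the exchange: whether Phase 1 came up, which XAuth user logged in, how many IPsec-SAs were established, whether NAT-T was detected, and which SPD policy errors racoon logged alongside. The sample input is the log from this post with the masked addresses kept as posted, plus a constructed Phase 1 timeout modelled on logs later in the thread; the function names (`parse`, `summarize`, `diagnose`, `analyze`) are mine.

```python
import re
from datetime import datetime

# Racoon log lines copied from the post above (peer addresses masked as in the post).
# pfSense shows the log newest-first, and that order is kept here.
SAMPLE_LOG = """\
Apr 11 13:21:50\tracoon: INFO: Released port 0
Apr 11 13:21:50\tracoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
Apr 11 13:21:49\tracoon: INFO: generated policy, deleting it.
Apr 11 13:20:33\tracoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.10.1/32[0] proto=any dir=out"
Apr 11 13:20:33\tracoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in"
Apr 11 13:20:33\tracoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=150558327(0x8f95677)
Apr 11 13:20:33\tracoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 24.10.???.??[500]->207.86.???.??[500] spi=41114208(0x2735a60)
Apr 11 13:20:33\tracoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 11 13:20:33\tracoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.10.1/32[0] 192.168.2.0/24[0] proto=any dir=in
Apr 11 13:20:33\tracoon: INFO: login succeeded for user "Brian"
Apr 11 13:20:28\tracoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 24.10.???.??[4500]-207.86.???.??[51536] spi:928c67e22be4d54c:6e718efd4779d6e0
Apr 11 13:20:28\tracoon: INFO: NAT detected: PEER
Apr 11 13:20:28\tracoon: INFO: begin Aggressive mode.
"""

# Constructed (not from the thread): a Phase 1 that is retransmitted and then times out.
# Peer address and ISAKMP cookies are placeholders.
SAMPLE_TIMEOUT = """\
Apr 27 13:52:30\tracoon: ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
Apr 27 13:51:49\tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 192.0.2.10[1880] (1).
Apr 27 13:51:46\tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 192.0.2.10[1880] (1).
Apr 27 13:51:40\tracoon: INFO: begin Aggressive mode.
"""

# "<mon> <day> <hh:mm:ss> <tab> racoon: [optional bracketed peer tags]: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon: "
    r"(?P<peer>(?:\[[^\]]*\]:? )*)(?P<level>INFO|WARNING|ERROR|NOTIFY): (?P<msg>.*)$"
)
POLICY_ERR = re.compile(r'such policy does not already exist: "(?P<policy>[^"]*)"')


def parse(text):
    """Parse log lines and return them oldest-first (the GUI shows newest-first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year is irrelevant for deltas
        events.append(e)
    events.reverse()
    return events


def summarize(events):
    """Walk the exchange in order and record the milestones an admin cares about."""
    s = {"phase1_up": False, "phase1_failed": False, "retransmits": 0, "xauth_user": None,
         "nat_detected": False, "ipsec_sa_count": 0, "policy_errors": [], "duration_s": None}
    established_at = None
    for e in events:
        msg = e["msg"]
        if msg.startswith("ISAKMP-SA established"):
            s["phase1_up"], established_at = True, e["time"]
        elif msg.startswith("ISAKMP-SA deleted") and established_at is not None:
            s["duration_s"] = int((e["time"] - established_at).total_seconds())
        elif msg.startswith("phase1 negotiation failed"):
            s["phase1_failed"] = True
        elif "retransmitted" in msg:
            s["retransmits"] += 1
        elif msg.startswith("login succeeded for user"):
            s["xauth_user"] = msg.split('"')[1]
        elif msg.startswith("NAT detected"):
            s["nat_detected"] = True
        elif msg.startswith("IPsec-SA established"):
            s["ipsec_sa_count"] += 1
        else:
            m = POLICY_ERR.search(msg)
            if m:
                s["policy_errors"].append(m.group("policy"))
    return s


def diagnose(s):
    """Turn the summary into the next checks to run; these are generic IKEv1 checks, not a verdict."""
    findings = []
    if not s["phase1_up"]:
        what = "timed out" if s["phase1_failed"] else "never completed"
        findings.append(f"Phase 1 {what} after {s['retransmits']} retransmit(s): check that UDP 500/4500 "
                        "reach the listening address and that PSK and identifiers match.")
        return findings
    if s["ipsec_sa_count"] == 0:
        findings.append("Phase 1 up but no IPsec-SA: compare the Phase 2 proposal with the client's.")
    if s["policy_errors"]:
        findings.append(f"{len(s['policy_errors'])} SPD error(s) while the SAs came up; confirm the "
                        f"policies for {s['policy_errors'][0].split()[0]} exist with 'setkey -DP'.")
    if s["nat_detected"]:
        findings.append("Peer is behind NAT: NAT-T on UDP 4500 must be allowed on WAN.")
    return findings


def analyze(text):
    s = summarize(parse(text))
    return s, diagnose(s)


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed timeout", SAMPLE_TIMEOUT)):
        summary, findings = analyze(log)
        print(name, summary)
        for f in findings:
            print("  -", f)
```

Paste the IPsec system log into a file and call `analyze(open(path).read())`; `parse` reverses the newest-first order before walking the exchange, which is why the SA lifetime comes out as a positive number of seconds.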



  • Hmmm, I'm having issues connecting to anything at all. It seems I may have gotten a stable connection to the pfSense box, but I can't access anything local, or remote.
    I've been assigned an IP address; I've added F/W rules to the IPsec tab…. but still nothing.  Wish I could help you. We're all waiting on 'mlanner' from this post to give some insight.  http://forum.pfsense.org/index.php/topic,32319.msg182957.html#msg182957
    :-\

    PS; might be something to watch:  http://forum.pfsense.org/index.php/topic,35515.msg183597.html#msg183597



  • I should also point out I have my firewall IPsec rules set up to allow all/any traffic.

    I'm going to call BS on anybody that says they have it working…  ;D



  • I'm able to connect to our LAN via iPhone, but when the VPN is activated I can't use the Internet like www.google.com :/



  • @szop:

    I'm able to connect to our LAN via iPhone, but when the VPN is activated I can't use the Internet like www.google.com :/

    Can you post your setup?  I'd like to compare mine with yours.





  • @szop:

    I used this guide: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    Cheers

    Using that same setup I still can't access anything on my internal network…  can you?



  • After spending a few days on this I've given up  :-[ (for now)..

    I ended up building a VM using Debian & Openswan to create an L2TP/IPsec VPN server I can use with my iPhone/iPad. I may try again once 2.0 goes final or somebody actually posts a working solution…  but for now I have a working VPN.



  • Yeah, I think I'm going to opt for that approach too;

    Did you by chance use a how-to available online that I could reference also, to help set it up on my Debian box?



  • @ericab:

    Yeah, I think I'm going to opt for that approach too;

    Did you by chance use a how-to available online that I could reference also, to help set it up on my Debian box?

    Here is a quick little write-up I did for a friend.. PM me if you need any help.
    http://www.lostbyte.com/projects/l2tpipsec-vpn-for-ios/






  • @szop try to make a NAT rule for outbound traffic from your IPsec IP pool on your WAN interface.



  • Also working for me with this guide -> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    iPhone 4
    iOS: 4.3.2
    LAN SUBNET: 192.168.1.0/24

    I can hit everything on the LAN side. Only the internet (www.google.at as an example) is not working, but I think this is a feature for security.. so nobody could go through your internet connection via your VPN.



  • @pfsenseuser3 do you have a NAT rule for outbound traffic from your IPsec IP pool on your WAN interface? Without this rule, your IPsec clients will try to connect outbound (i.e. to the internet) with their local IPsec pool addresses and don't get translated to the WAN interface's address. This means almost every outbound request you send will be dropped by servers configured not to accept traffic from local networks. By adding this rule, all outbound traffic will be translated to your WAN interface's address; this should solve your problem accessing e.g. the internet.



  • @eazydor: thx for your tip ;)

    Here is a screenshot of the rule which I have enabled.. I think there is something wrong  ???


    @ALL: read this post from me -> http://forum.pfsense.org/index.php/topic,35783.msg186413.html#msg186413 (maybe a solution for VPN and iOS devices ;) )



  • I've tested your hint with outbound NAT, which resulted in complete inaccessibility of LAN and WAN. So I think that's wrong. I can see in the firewall log only connections to my pfSense, but nothing goes out anymore. So I reviewed my settings with regard to IPsec and found out that at "IPSEC: Mobile clients", disabling the entry "Provide a list of accessible networks to clients" I get connected with LAN accessibility but no WAN.

    Re-enabling "Provide a list of accessible networks to clients" resulted in full WAN access via the IPsec tunnel.

    So no outbound NAT is necessary. Only the "IPsec any to any" rule, and on the WAN side I have an "ESP to any" rule.

    Hope that helps getting a fully working Mobile IPsec connection.

    edit: I have allowed ports 4500 and 500 UDP incoming from WAN, which I forgot to mention. Sorry.



  • @_igor_ are you still able to connect to your LAN subnet?

    @pfsenseuser3 you should set your outbound NAT mode to manual.



  • @igor when I set "provide accessible networks" I do lose my default route over the tunnel and the clients talk directly to the WAN, since their default route is set to the LAN gateway. This means no traffic to the WAN at all is routed through your tunnel. That your client has established a connection and can talk outbound doesn't directly mean that the traffic is passing your tunnel interface. Apart from that, I don't believe that there's right and wrong, rather suitable or not. Would you please take a look at your routing table when connected?



  • still waiting on a full HOWTO so it can be stickied…..



  • @ericab can I help you with something? I believe that there's no tutorial because mobile IPsec has worked perfectly for months now, and everything you need to know to get a basic setup up and running you can find here in this forum.. But anyway, a clean and simple tutorial would decrease the number of questions asked multiple times. That's right..



  • @eazydor:

    @ericab can I help you with something? I believe that there's no tutorial because mobile IPsec has worked perfectly for months now, and everything you need to know to get a basic setup up and running you can find here in this forum.. But anyway, a clean and simple tutorial would decrease the number of questions asked multiple times. That's right..

    Apr 27 13:52:30 	racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
    Apr 27 13:51:49 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
    Apr 27 13:51:46 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
    Apr 27 13:51:43 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
    Apr 27 13:51:40 	racoon: INFO: Adding xauth VID payload.
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: DPD
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 27 13:51:40 	racoon: INFO: received Vendor ID: RFC 3947
    Apr 27 13:51:40 	racoon: INFO: begin Aggressive mode.
    

    This is the holdup now.



  • Please provide more information. I can't help you like that.



  • Not sure where to start; what info would you need?

    I bet the problem is with "Proposal Checking".
    Mine's set at default. Is that what it should be?



  • Depends on the client you're using. Since the topic is about iOS, yes, proposal checking for iOS devices can be set to default. If you want, you can describe your setup, configs, etc. and I will take a look, but otherwise I can't help you.



  • Hi eazydor

    Here is how I've got my IPsec server set up:

    Overview:

    Mobile Clients:

    http://dl.dropbox.com/u/66962/IPSec-pfSense/mobile-clients.jpg

    Phase 1:

    Phase 2:

    Now;
    when I switch the listening interface for the IPsec server to my WIFI interface,
    I can connect just fine, but no traffic passes. My wifi network is 192.168.3.0;
    it assigns me 192.168.4.1, which is right.

    When I switch the interface to WAN
    (I've got the firewall rules set up properly to allow UDP 500/4500 on WAN)
    (also have * * * * *; pass all on the IPsec firewall tab.)
    the syslog shows the log from my previous post;
    so not only does it not pass traffic, it won't even connect when listening on the WAN interface.

    Not sure if it matters, or if this may be the problem, but my WAN interface is actually connected to another upstream router. (don't ask)
    The pfSense box's WAN IP is on the DMZ of the upstream router, and the upstream router IS set to port forward ports 500 and 4500 UDP to the pfSense WAN address; aka 192.168.1.142

    Internet -------> Cable Modem -------> Router (its local LAN is 192.168.1.1/24) --------> (WAN address is 192.168.1.142) pfSense --------> my local LAN (192.168.2.0/24)



  • @ericab try this:

    disable provide network list
    enable NAT traversal

    under Firewall - NAT - Outbound

    set to manual
    create new rule
    if WAN
    proto any
    src network 192.168.3.0/24 (assuming your wifi is your local network)
    src port blank
    dst: don't enable inverse option
    dst type any
    dst port blank
    trans addr if address
    save & apply



  • eazydor;

    Well, something has changed, I'm not sure if it's progress… here is the new log after applying your settings:

    Apr 27 19:49:19 	racoon: ERROR: phase1 negotiation failed due to time up. feabee14d99e6364:991e2e9cbef177e2
    Apr 27 19:49:09 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:59 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:49 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:39 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:38 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:38 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
    Apr 27 19:48:35 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:35 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
    Apr 27 19:48:32 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:32 	racoon: NOTIFY: the packet is retransmitted by 192.168.1.142[500] (1).
    Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] ERROR: ignore the packet, received unexpecting payload type 1.
    Apr 27 19:48:29 	racoon: INFO: Adding xauth VID payload.
    Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
    Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Hashing 192.168.1.142[500] with algo #2
    Apr 27 19:48:29 	racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 27 19:48:29 	racoon: [Self]: [192.168.1.142] INFO: Selected NAT-T version: RFC 3947
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: DPD
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 27 19:48:29 	racoon: INFO: received Vendor ID: RFC 3947
    Apr 27 19:48:29 	racoon: INFO: begin Aggressive mode.
    Apr 27 19:48:29 	racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.1.142[500]<=>192.168.1.142[500]
    

    192.168.1.142 is my WAN address.

    But what's this:  ERROR: ignore the packet, received unexpecting payload type 1.



  • I have tested your setup with my recommendations and it works flawlessly, at least for me and many people in this forum who have reported the same about this config. Furthermore, I can't see theoretically why it shouldn't work. So I think I can't help you further than that..



  • Eventually you could try to force NAT traversal.. see if that helps.. What iOS version are you on?



  • eazydor;

    I'll try forcing NAT-T.

    iOS v4.3.0; iPad 2.

    Possibly I should just give up and hope for a jailbreak so I can get OpenVPN on it. Argg



  • I know. IPsec can hurt so bad, while OpenVPN is flying so light.. but these money-making morons at Cupertino will never let us run this natively.



  • eazydor: you're right, with the network list enabled it routes directly to the WAN. Shit. No traffic to the WAN via the tunnel. Outbound NAT doesn't work here either. I lose all connectivity, including the LAN access, which is dead.
    Without the outbound NAT entry:
    What I see is that all traffic ends at the pfSense LAN. DNS is seen in the firewall log, but no answer is getting back to the phone. Hmmm
    A traceroute from the phone via the tunnel ends without any answer.
    Ping is the same. I can ping all LAN clients, but the WAN is inaccessible.



  • The problem, why I added this NAT rule, was that IPsec clients were talking to the WAN with their local IPsec pool addresses. The servers obviously dropped the request since the origin was a private IP. This meant that all outbound traffic wasn't translated to the WAN address, and the server you're connecting to doesn't know where to send the packet back. Try doing a tcpdump on your WAN interface/address and you should see clients doing requests with their local IPsec IPs and not getting replies. After you set the rule correctly you should see the same, but with clients doing requests with the address of your WAN interface and getting replies. If you can see the replies, the address translation is working and everything should be fine.
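The tcpdump check described in this post, written out as an added example (not code from the thread or from pfSense): it reads `tcpdump -n` style lines taken on the WAN interface, pairs each outbound 4-tuple with any reply seen for its reverse tuple, and lists the flows that never got an answer, marking those whose source is still an RFC 1918 pool address, which is the untranslated case described above. The capture lines are constructed, with 192.168.10.1 as the pool address from the first post and RFC 5737 documentation addresses standing in for the WAN address and an upstream DNS server; the function names are mine.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed tcpdump -n style output (not from the thread). 192.168.10.1 is the IPsec pool
# address from the first post; 203.0.113.7 stands in for the WAN address and 198.51.100.53
# for an upstream DNS server. The first two requests leave untranslated and get no reply;
# the third leaves with the WAN address and is answered.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.10.1.54321 > 198.51.100.53.53: 1234+ A? www.example.com. (32)
12:00:02.000001 IP 192.168.10.1.54321 > 198.51.100.53.53: 1234+ A? www.example.com. (32)
12:00:05.000001 IP 203.0.113.7.54321 > 198.51.100.53.53: 1235+ A? www.example.com. (32)
12:00:05.020000 IP 198.51.100.53.53 > 203.0.113.7.54321: 1235 1/0/0 A 198.51.100.80 (48)
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..."
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Explicit RFC 1918 check: ipaddress.is_private also covers documentation ranges, which
# would wrongly flag the placeholder WAN address used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def parse_packets(text):
    """Return (src, sport, dst, dport) tuples in capture order; non-IP lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def flow_table(text):
    """Count requests and replies per outbound flow.

    A packet whose reversed 4-tuple matches a flow already seen is counted as a reply to
    that flow; any other packet starts or continues an outbound flow.
    """
    flows = OrderedDict()
    for src, sport, dst, dport in parse_packets(text):
        reverse = (dst, dport, src, sport)
        if reverse in flows:
            flows[reverse]["replies"] += 1
        else:
            entry = flows.setdefault((src, sport, dst, dport), {"requests": 0, "replies": 0})
            entry["requests"] += 1
    return flows


def unanswered_flows(text):
    """Flows with no reply at all. private_src=True on the WAN means the packet left
    untranslated, i.e. the outbound NAT rule did not match it."""
    out = []
    for (src, sport, dst, dport), c in flow_table(text).items():
        if c["replies"] == 0:
            out.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                        "requests": c["requests"], "private_src": is_rfc1918(src)})
    return out


if __name__ == "__main__":
    for f in unanswered_flows(SAMPLE_CAPTURE):
        tag = "UNTRANSLATED" if f["private_src"] else "no reply"
        print(f"{tag}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"({f['requests']} request(s))")
```

Capture on the WAN interface with `tcpdump -ni <wan_if> udp port 53 > capture.txt` while the phone resolves a name, then feed the file to `unanswered_flows`. Unanswered flows from a public source are ordinary loss and not a NAT problem; only the private-source ones point at the missing or mismatched outbound rule.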



  • Clearly no. When I set up the NAT forwarding, I instantly lose all access to the pfSense completely. I don't know why, but I tested that 3 times with the same result. I'll try to set up the whole pfSense anew and try again.


Locked