IOS (iphone/ipad) & 2.0-RC1 IPsec.. It almost works.
-
I'm able to connect to our LAN via iPhone, but when the VPN is activated I can't use the Internet like www.google.com :/
-
Can you post your setup? I'd like to compare mine with yours.
-
I used this guide: http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
Cheers
-
Using that same setup i still can't access anything on my internal network… can you?
-
After spending a few days on this I've given up :-[ (for now)..
I ended up building a VM using Debian & Openswan to create a L2TP/IPsec vpn server i can use with my iPhone/iPad. I may try again once 2.0 goes final or somebody actually posts a working solution… but for now i have a working VPN.
-
yeah i think i'm going to opt in for that approach too;
did you by chance use a how-to available online that i could reference also to help setting it up on my debian box ?
-
Here is a quick little write up i did for a friend.. PM me if you need any help.
http://www.lostbyte.com/projects/l2tpipsec-vpn-for-ios/
-
@szop try to make a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface.
-
also working for me with this guide -> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
iphone 4
iOS: 4.3.2
LAN SUBNET: 192.168.1.0/24
i can hit everything at the LAN side. Only the internet (www.google.at as example) is not working, but i think this is a feature for security.. So nobody could go through your internet connection in your vpn.
-
@pfsenseuser3 do you have a nat rule for outbound traffic from your ipsec-ip-pool on your wan interface? Without this rule, your IPSec clients will try to connect outbound (i.e. to the internet) with their local ipsec-pool addresses and don't get translated to the wan interface's address. This means almost every outbound request you send will be dropped by servers configured not to accept traffic from local networks. By adding this rule, all outbound traffic will be translated to your wan interface's address; this should solve your problem accessing i.e. the internet.
-
@eazydor: thx for your tip ;)
here is a screen from the rule which i have enabled.. i think there is something wrong ???
@ALL: read this post from me -> http://forum.pfsense.org/index.php/topic,35783.msg186413.html#msg186413 (maybe a solution for VPN and iOS devices ;) )
-
I've tested your hint with outbound NAT which resulted in a complete inaccessibility of LAN and WAN. So i think that's wrong. I can see in the firewall log only connections to my pfsense, but nothing goes out anymore. So i reviewed my settings regarding IPSEC and found out that at "IPSEC:Mobile clients", disabling the entry "Provide a list of accessible networks to clients", i get connected with LAN accessibility but no WAN.
Reenabling "Provide a list of accessible networks to clients" resulted in full WAN-access via the IPSEC-tunnel.
So no outbound-NAT is necessary. Only the "IPSEC any to any" rule and at WAN-side i have an "ESP to any" rule.
Hope that helps getting a fully working Mobile IPSEC connection.
edit: I have allowed ports 4500 and 500 UDP incoming from WAN, which i forgot to mention. sorry.
-
@_igor_ are you still able to connect to your lan subnet?
@pfsenseuser3 you should set your outbound nat mode to manual.
-
@igor when i set "provide accessible networks" i do lose my default route over the tunnel and the clients talk directly to the wan since their default route is set to the lan gateway. this means no traffic to wan at all is routed through your tunnel. that your client has established a connection and can talk outbound doesn't mean directly that the traffic is passing your tunnel interface. apart from that i don't believe that there's right and wrong, rather than suitable or not. would you please take a look at your routing table when connected?
-
still waiting on a full HOWTO so it can be stickied…..
-
@ericab can i help you with something? i believe that there's no tutorial because mobile ipsec has worked perfectly for months now and everything you need to know to get a basic setup up and running you can find here in this forum.. but anyway, a clean and simple tutorial would decrease the amount of questions asked multiple times. that's right..
-
Apr 27 13:52:30 racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
Apr 27 13:51:49 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:43 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:40 racoon: INFO: Adding xauth VID payload.
Apr 27 13:51:40 racoon: INFO: received Vendor ID: DPD
Apr 27 13:51:40 racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 27 13:51:40 racoon: INFO: received Vendor ID: RFC 3947
Apr 27 13:51:40 racoon: INFO: begin Aggressive mode.
this is the holdup now.
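Added example, not from this thread or from pfSense: a small Python parser for racoon log entries like the ones in the post above that counts the peer's retransmits and reports why phase 1 timed out. The sample entries are a constructed, abridged copy of the posted log (peer address masked as X.X.X.X, as in the post), and the checks named in the verdict (UDP 500/4500 reachability, phase 1 proposal matching) are the ones raised earlier in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed, abridged copy of the racoon entries quoted above (peer masked as X.X.X.X, as in the post).
SAMPLE_LOG = """\
Apr 27 13:52:30 racoon: ERROR: phase1 negotiation failed due to time up. 2b7c6d4c52e83eaa:77011e493f4e7949
Apr 27 13:51:49 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:43 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[1880] (1).
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 27 13:51:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 27 13:51:40 racoon: INFO: received Vendor ID: RFC 3947
Apr 27 13:51:40 racoon: INFO: begin Aggressive mode.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
                     r"(?:\[[^\]]*\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$")
RETRANS_RE = re.compile(r"retransmitted by (?P<addr>\S+)\[\d+\]")
FAIL_RE = re.compile(r"phase1 negotiation failed due to time up\. (?P<cookies>\S+)")

def parse_racoon(text):
    rows = []  # (timestamp, level, message) rows, returned oldest first
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not racoon entries are skipped
            rows.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["level"], m["msg"]))
    return sorted(rows)

def diagnose_phase1(text):
    """Summarise one IKE phase 1 attempt and say why it timed out."""
    r = {"mode": None, "vendor_ids": [], "retransmits": Counter(), "failed": False, "cookies": None}
    for _, _, msg in parse_racoon(text):
        if msg.startswith("begin Aggressive mode"):
            r["mode"] = "aggressive"
        elif msg.startswith("received Vendor ID: "):  # capabilities the client advertised
            r["vendor_ids"].append(msg[len("received Vendor ID: "):])
        elif (m := RETRANS_RE.search(msg)):  # peer resent a packet racoon already answered
            r["retransmits"][m["addr"]] += 1
        elif (m := FAIL_RE.search(msg)):
            r["failed"], r["cookies"] = True, m["cookies"]
    vids = " ".join(r["vendor_ids"])
    r["nat_t"], r["xauth"] = ("RFC 3947" in vids or "nat-t-ike" in vids), "xauth" in vids
    if r["failed"] and r["retransmits"]:
        peer, n = r["retransmits"].most_common(1)[0]
        r["verdict"] = (f"{peer} resent its first {r['mode']}-mode packet {n} times before phase 1 timed "
                        "out: check that UDP 500/4500 reach the WAN and that the phase 1 proposal matches")
    else:
        r["verdict"] = "phase 1 failed without peer retransmits" if r["failed"] else "no phase 1 failure"
    return r
```

Feed it the raw IPsec log from Status > System Logs and the verdict tells you whether the client ever got past its first aggressive-mode packet.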
-
please provide more information. can't help you like that.
-
not sure where to start; what info would you need ?
i bet the problem is with "Proposal Checking"
mine's set at default. is that what it should be ?