IPsec and iPhone, log ok, status not



  • Hi everyone, I have a problem.

    Here is the IPsec log:

    Apr 15 12:03:01 	racoon: [Self]: INFO: respond new phase 1 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
    Apr 15 12:03:01 	racoon: INFO: begin Aggressive mode.
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: RFC 3947
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 15 12:03:01 	racoon: INFO: received Vendor ID: DPD
    Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
    Apr 15 12:03:01 	racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Hashing 90.152.xxx.xxx[500] with algo #2
    Apr 15 12:03:01 	racoon: [Self]: [93.111.xxx.xxx] INFO: Hashing 93.111.xxx.xxx[500] with algo #2
    Apr 15 12:03:01 	racoon: INFO: Adding xauth VID payload.
    Apr 15 12:03:01 	racoon: [Self]: [93.111.xxx.xxx] INFO: Hashing 93.111.xxx.xxx[500] with algo #2
    Apr 15 12:03:01 	racoon: INFO: NAT-D payload #0 verified
    Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] INFO: Hashing 90.152.xxx.xxx[500] with algo #2
    Apr 15 12:03:01 	racoon: INFO: NAT-D payload #1 verified
    Apr 15 12:03:01 	racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Apr 15 12:03:01 	racoon: INFO: NAT not detected
    Apr 15 12:03:01 	racoon: INFO: Sending Xauth request
    Apr 15 12:03:01 	racoon: [Self]: INFO: ISAKMP-SA established 93.111.xxx.xxx[500]-90.152.xxx.xxx[500] spi:e25f606eb0f84cea:b3df85f0e64d0817
    Apr 15 12:03:01 	racoon: INFO: Using port 0
    Apr 15 12:03:01 	racoon: INFO: login succeeded for user "iphone"
    Apr 15 12:03:02 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Apr 15 12:03:02 	racoon: WARNING: Ignored attribute 28683
    Apr 15 12:03:02 	racoon: [Self]: INFO: respond new phase 2 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
    Apr 15 12:03:02 	racoon: INFO: no policy found, try to generate the policy : 192.168.103.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 15 12:03:02 	racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=74895336(0x476cfe8)
    Apr 15 12:03:02 	racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=48561409(0x2e4fd01)
    

    The only error I can see is "Apr 15 12:03:01 racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange." The VPN connection on the iPhone is also working. I am able to connect to the pfSense webGUI with the phone. Everything is working, only the symbol is not green. Maybe a bug?

    pfSense version is the current 2.0 release.

    Thanks for any help!
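As an added example (not part of the thread or of pfSense itself), the following Python parser reads racoon lines of the same shape as the log above and decides, from the log alone, whether phase 1 (ISAKMP-SA), XAuth and phase 2 (ESP SAs) all completed. The sample log is constructed for the example, reusing the addresses and SPIs quoted in the post; the regexes match the message formats shown in that log and nothing else.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the same shape as the racoon log quoted in the post
SAMPLE_LOG = """\
Apr 15 12:03:01 racoon: [Self]: INFO: respond new phase 1 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
Apr 15 12:03:01 racoon: INFO: begin Aggressive mode.
Apr 15 12:03:01 racoon: [90.152.xxx.xxx] INFO: Selected NAT-T version: RFC 3947
Apr 15 12:03:01 racoon: [90.152.xxx.xxx] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Apr 15 12:03:01 racoon: INFO: NAT not detected
Apr 15 12:03:01 racoon: [Self]: INFO: ISAKMP-SA established 93.111.xxx.xxx[500]-90.152.xxx.xxx[500] spi:e25f606eb0f84cea:b3df85f0e64d0817
Apr 15 12:03:01 racoon: INFO: login succeeded for user "iphone"
Apr 15 12:03:02 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 15 12:03:02 racoon: [Self]: INFO: respond new phase 2 negotiation: 93.111.xxx.xxx[500]<=>90.152.xxx.xxx[500]
Apr 15 12:03:02 racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=74895336(0x476cfe8)
Apr 15 12:03:02 racoon: [Self]: INFO: IPsec-SA established: ESP 93.111.xxx.xxx[500]->90.152.xxx.xxx[500] spi=48561409(0x2e4fd01)
"""

# Message formats as they appear in the quoted log
LEVEL_RE = re.compile(r'\b(INFO|WARNING|ERROR)\b:\s*(.*)$')
MODE_RE = re.compile(r'begin (\w+) mode')
NATT_RE = re.compile(r'Selected NAT-T version: (.+?)\s*$')
NAT_RE = re.compile(r'\bNAT (not )?detected\b')
ISAKMP_RE = re.compile(r'ISAKMP-SA established (\S+)-(\S+) spi:([0-9a-f]+):([0-9a-f]+)')
XAUTH_RE = re.compile(r'login succeeded for user "([^"]+)"')
ESP_RE = re.compile(r'IPsec-SA established: ESP (\S+)->(\S+) spi=\d+\((0x[0-9a-f]+)\)')


@dataclass
class TunnelSummary:
    mode: Optional[str] = None                 # "Aggressive" or "Identity Protection"
    natt_version: Optional[str] = None         # e.g. "RFC 3947"
    nat_detected: Optional[bool] = None        # None if racoon never reported it
    isakmp_sa: Optional[Tuple[str, str, str]] = None  # (local, remote, cookie pair)
    xauth_user: Optional[str] = None
    esp_spis: List[str] = field(default_factory=list)  # one per direction
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def tunnel_up(self) -> bool:
        # Phase 1 completed and at least one ESP SA negotiated in phase 2
        return self.isakmp_sa is not None and len(self.esp_spis) > 0


def parse_racoon_log(text: str) -> TunnelSummary:
    """Summarize one racoon negotiation; unknown lines are ignored."""
    s = TunnelSummary()
    for line in text.splitlines():
        m = LEVEL_RE.search(line)
        if not m:
            continue
        level, msg = m.group(1), m.group(2)
        if level == "ERROR":
            s.errors.append(msg)
        elif level == "WARNING":
            s.warnings.append(msg)
        if (mm := MODE_RE.search(msg)):
            s.mode = mm.group(1)
        elif (mm := NATT_RE.search(msg)):
            s.natt_version = mm.group(1)
        elif (mm := NAT_RE.search(msg)):
            s.nat_detected = mm.group(1) is None   # "NAT not detected" -> False
        elif (mm := ISAKMP_RE.search(msg)):
            s.isakmp_sa = (mm.group(1), mm.group(2), f"{mm.group(3)}:{mm.group(4)}")
        elif (mm := XAUTH_RE.search(msg)):
            s.xauth_user = mm.group(1)
        elif (mm := ESP_RE.search(msg)):
            s.esp_spis.append(mm.group(3))
    return s


if __name__ == "__main__":
    summary = parse_racoon_log(SAMPLE_LOG)
    print("tunnel up:", summary.tunnel_up())
    print("mode:", summary.mode, "| NAT-T:", summary.natt_version, "| NAT detected:", summary.nat_detected)
    print("xauth user:", summary.xauth_user, "| ESP SPIs:", summary.esp_spis)
    print("errors:", summary.errors)
```

Run against the sample it reports the tunnel as up with both ESP SPIs present, and lists the INITIAL-CONTACT notification as the only error, which matches the poster's observation that the tunnel works regardless of what the status icon shows.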



  • No answer???



  • @pfsenseuser3:

    No answer???

    STF ;-)

    http://forum.pfsense.org/index.php/topic,35621.0.html (links to other relevant threads in this one)

    Many, many threads about iOS IPsec not working; we're all trying to figure out how to get it to work. Wanna jump in and help with the effort?



  • But for me it's working. As I wrote in my last post, I can connect to the pfSense webGUI and also ping the pfSense device. The only thing which is not working is the status symbol on the "IPsec status page". It should be green if the VPN connection is open. It's not critical, but it would be nice if this would work.



  • You're already a ways ahead of most of us.



  • @ericab: with one device it's also not working for me… and I found out that it has something to do with my provider. The iPhones where it is working are using T-Mobile Austria Business as provider. The other device is using A1 (Austrian provider, private contract). A few minutes ago I sent a support question to A1 asking if they are blocking the ESP-UDP protocol, so let's see what they answer.



  • There is no such thing as an ESP/UDP protocol. Either your ISP is blocking ESP traffic (most likely), or some UDP ports. That's why mankind invented NAT traversal, which e.g. for IPsec encapsulates the Encapsulating Security Payload in UDP "datagrams", so that we can avoid this problem.
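The NAT traversal point above, as an added example that is not part of the post: per RFC 3948, once NAT-T is negotiated both IKE and ESP travel in UDP on port 4500 (the packets an ESP-filtering ISP drops are IP protocol 50, which UDP encapsulation avoids). IKE messages are prefixed with a four-zero-byte "non-ESP marker", ESP is carried bare with its SPI first (SPI 0 is reserved, which is what makes the two distinguishable), and a single 0xFF byte is the NAT keepalive. The functions, the ESP builder and the sample bytes below are constructed for this example; the SPI value is the one quoted in the thread's log.

```python
import struct

UDP_ENCAP_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: precedes an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: one-byte keepalive holds the NAT mapping

# Constructed ISAKMP header: initiator cookie (from the thread's log), zero responder
# cookie, next payload SA (1), version 1.0, exchange type 4 (Aggressive), flags 0,
# message ID 0, total length 28.
SAMPLE_IKE = (bytes.fromhex("e25f606eb0f84cea") + bytes(8)
              + b"\x01\x10\x04\x00" + struct.pack("!II", 0, 28))


def build_esp_packet(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """ESP header (RFC 4303): SPI, sequence number, then the opaque encrypted body."""
    if not 1 <= spi <= 0xFFFFFFFF:
        # SPI 0 is reserved; a zero first word on port 4500 always means "IKE"
        raise ValueError("ESP SPI must be in 1..2^32-1")
    return struct.pack("!II", spi, seq) + encrypted_body


def udp4500_payload(kind: str, packet: bytes) -> bytes:
    """Build the UDP payload a NAT-T peer sends on port 4500 for IKE or ESP."""
    if kind == "ike":
        return NON_ESP_MARKER + packet          # marker distinguishes IKE from ESP
    if kind == "esp":
        return packet                           # ESP goes in unchanged: SPI is the first word
    raise ValueError("kind must be 'ike' or 'esp'")


def demux_udp4500(payload: bytes) -> dict:
    """Classify a UDP/4500 payload the way a NAT-T aware peer or a monitor does."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": payload[4:]}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "body_len": len(payload) - 8}
    return {"kind": "malformed", "length": len(payload)}


if __name__ == "__main__":
    esp = build_esp_packet(0x476cfe8, 1, b"\xaa" * 16)   # body is a constructed stand-in
    for name, p in [("esp", udp4500_payload("esp", esp)),
                    ("ike", udp4500_payload("ike", SAMPLE_IKE)),
                    ("keepalive", NAT_KEEPALIVE),
                    ("ike without marker", SAMPLE_IKE)]:
        print(f"{name:>20}: {demux_udp4500(p)}")
```

The last case in the usage shows why the marker exists: an IKE header sent on port 4500 without it begins with a non-zero initiator cookie and would be misread as an ESP packet with that cookie as its SPI.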



  • OK, but pfSense shows me "ESP-UDP" in the protocol section. NAT traversal is enabled.

    Edit: ah, NAT-T forced is the right solution for me ;)



  • Like I said, many providers and home routers are blocking ESP traffic, therefore NAT traversal could be a solution. Since many networks like hotels, etc. don't allow any traffic apart from HTTP(S) via a proxy, even NAT-T would fail. I know of a company which does IPsec over HTTPS, like you could do OpenVPN over HTTPS, encapsulating the payload in an SSL header to avoid these problems, but how this works exactly, I have no idea..
    Glad that's running for you..

