IPAD IPSec VPN



  • I have created an IPSec mobile client tunnel for use with my iPad, to my pfSense 2.0 RC3 system. The tunnel connects and passes traffic just fine. However, it doesn't appear to be passing the DNS information to the iPad. I can connect if I know the IP address of an internal server; a packet capture on the IPSec interface shows no attempt at a DNS lookup when accessing an internal DNS domain name. Is this an unfortunate limitation of the iPad's (most likely iPhone as well) Cisco IPSec VPN implementation? Or is there possibly an issue with pfSense sending out the DNS information? I do have 2 internal servers set up to be sent to the clients. Under the iPad VPN status it just shows the connect time, the external IP of the pfSense box, and the internal IP assigned to the client. Unfortunately I have no other way that I know of to troubleshoot from the iPad.
    Has anyone run into this? Or have any ideas about where I should look for the problem?


  • Rebel Alliance Developer Netgate

    So you have checked "Provide a DNS server list to clients" under "Client Configuration" on the Mobile clients tab under VPN > IPsec? And you have a proper DNS server in there?

    I just received an iPod touch so I'll be looking at the IPsec setup here in the very near future. It's also possible that iOS just doesn't support DNS in that way, but it's hard to say unless someone else has seen that happen before.



  • Are you trying to do DNS dips for items internal to the network or just regular web surfing?  If it's regular web surfing while still connected, try turning off send all traffic.



  • Yes, I do have the box checked to provide the list of DNS servers to clients, and 2 internal servers. So yes, it's internal DNS that's not working; external DNS for websites continues to work on the iPad, which tells me that it's not trying to use the DNS servers I have told it to use via the IPSec configuration.


  • Rebel Alliance Developer Netgate

    I set up a VPN for my iPod Touch and it took the DNS and was respecting the value passed to the client. I did a tcpdump on the IPsec interface as I surfed the web over the VPN and I watched it make DNS requests to the DNS server I specified (not the one it obtained from DHCP) and it was working great.

    iOS 4.3.5 if that makes a difference.



  • I am beating my head against the wall trying to get an IPSec tunnel up between my iPad and pfSense. I have tried many options and I continue to fail at Phase 1. Can anyone point me to a proven recipe?

    Below is what I get in the system log:

    Aug 27 15:47:29 racoon: [Self]: INFO: respond new phase 1 negotiation: 65.87.63.24[500]<=>166.249.128.173[44895]
    Aug 27 15:47:29 racoon: INFO: begin Identity Protection mode.
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: RFC 3947
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: CISCO-UNITY
    Aug 27 15:47:29 racoon: INFO: received Vendor ID: DPD
    Aug 27 15:47:29 racoon: [166.249.128.173] INFO: Selected NAT-T version: RFC 3947
    Aug 27 15:47:29 racoon: ERROR: no suitable proposal found.
    Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to get valid proposal.
    Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: phase1 negotiation failed.

    I have included a copy of my phase 1 setup below.

    Thank you
    Bryan
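As an added example (not code from any poster in this thread, nor from pfSense or racoon), the following Python script groups racoon log lines like the ones quoted above into per-peer Phase 1 negotiations and labels each one with its outcome and a troubleshooting hint. The sample log is constructed: it reuses the lines from the post above and appends a constructed successful negotiation from a documentation-range address (198.51.100.7) so both outcomes are exercised; the `ISAKMP-SA established` message is racoon's real wording for a completed Phase 1.

```python
import re

# Constructed sample log: the racoon lines quoted in the post above, followed by
# a constructed successful negotiation (peer 198.51.100.7) for contrast.
SAMPLE_LOG = """\
Aug 27 15:47:29 racoon: [Self]: INFO: respond new phase 1 negotiation: 65.87.63.24[500]<=>166.249.128.173[44895]
Aug 27 15:47:29 racoon: INFO: begin Identity Protection mode.
Aug 27 15:47:29 racoon: INFO: received Vendor ID: RFC 3947
Aug 27 15:47:29 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Aug 27 15:47:29 racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 27 15:47:29 racoon: INFO: received Vendor ID: DPD
Aug 27 15:47:29 racoon: [166.249.128.173] INFO: Selected NAT-T version: RFC 3947
Aug 27 15:47:29 racoon: ERROR: no suitable proposal found.
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to get valid proposal.
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Aug 27 15:47:29 racoon: [166.249.128.173] ERROR: phase1 negotiation failed.
Aug 27 15:52:03 racoon: [Self]: INFO: respond new phase 1 negotiation: 65.87.63.24[500]<=>198.51.100.7[4500]
Aug 27 15:52:03 racoon: INFO: begin Identity Protection mode.
Aug 27 15:52:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 27 15:52:04 racoon: INFO: ISAKMP-SA established 65.87.63.24[4500]-198.51.100.7[4500] spi:0123456789abcdef:fedcba9876543210
"""

# A new responder-side Phase 1 starts here; racoon prints local<=>peer.
NEW_PH1 = re.compile(r"respond new phase 1 negotiation: [\d.]+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
VENDOR = re.compile(r"received Vendor ID: (?P<vid>.+)$")
NATT = re.compile(r"Selected NAT-T version: (?P<ver>.+)$")
ESTABLISHED = re.compile(r"ISAKMP-SA established [\d.]+\[\d+\]-(?P<peer>[\d.]+)\[\d+\]")
ERROR = re.compile(r"ERROR: (?P<msg>.+)$")


def classify(session):
    """Turn the collected errors into a one-line hint for the admin."""
    if session["outcome"] == "established":
        return "Phase 1 completed; if the tunnel still fails, look at Phase 2 / XAuth."
    if session["outcome"] != "failed":
        return "Phase 1 never finished; peer may have given up or the log is truncated."
    if any("no suitable proposal" in e for e in session["errors"]):
        # racoon's own bracketed advice: check Phase 1 settings, lifetime, algorithm.
        return ("Phase 1 proposal mismatch: the client's offered encryption/hash/DH group/"
                "lifetime matched nothing configured on the Mobile clients Phase 1 entry.")
    return "Phase 1 failed: " + "; ".join(session["errors"])


def triage_racoon_log(text):
    """Group racoon log lines into Phase 1 sessions keyed by the remote peer.

    Vendor ID lines carry no peer address, so they are attributed to the most
    recently opened negotiation, which is how racoon emits them.
    """
    sessions = []
    current = None
    for line in text.splitlines():
        m = NEW_PH1.search(line)
        if m:
            current = {"peer": m["peer"], "vendor_ids": [], "nat_t": None,
                       "errors": [], "outcome": "incomplete", "client": "unknown"}
            sessions.append(current)
            continue
        if current is None:
            continue
        if (m := VENDOR.search(line)):
            current["vendor_ids"].append(m["vid"].strip())
        elif (m := NATT.search(line)):
            current["nat_t"] = m["ver"].strip()
        elif (m := ESTABLISHED.search(line)) and m["peer"] == current["peer"]:
            current["outcome"] = "established"
        elif (m := ERROR.search(line)):
            current["errors"].append(m["msg"].strip())
            if "phase1 negotiation failed" in m["msg"]:
                current["outcome"] = "failed"
    for s in sessions:
        # CISCO-UNITY plus the XAuth draft is the fingerprint of a Cisco-Unity
        # style client such as the built-in iOS "Cisco IPSec" VPN type.
        if "CISCO-UNITY" in s["vendor_ids"]:
            s["client"] = "Cisco-Unity style client (XAuth + mode-config expected)"
        s["hint"] = classify(s)
    return sessions


if __name__ == "__main__":
    for s in triage_racoon_log(SAMPLE_LOG):
        print(f"{s['peer']}: {s['outcome']} ({s['client']}, NAT-T={s['nat_t']})")
        print("   ", s["hint"])
```

Running it on the sample shows the first peer classified as a proposal mismatch (the condition Bryan hit) and the second as established; on a real pfSense box the same function can be pointed at the IPsec log export to see at a glance which clients are stuck in Phase 1 and why.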




  • I got it working.

    All of the information can be gathered from these two posts:

    http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

    http://forum.pfsense.org/index.php/topic,32319.0.html

    From the post above, it appears you need to put the users in the admin group, which is less than ideal. You do not need to do this; you simply need to create a group with access to the IPSec XAuth Dialin privilege and put the users in that group, as shown below:

    ![Group Privilege for IP Sec.PNG](/public/imported_attachments/1/Group Privilege for IP Sec.PNG)


  • Rebel Alliance Developer Netgate



  • Working well for me too with iPad and iPod touch using the doc in the wiki.
    But there is no option on iOS to get all traffic routed to the VPN ;(



  • Even if the VPN server says to tunnel everything through the VPN connection?
    So the route would be 0.0.0.0 0.0.0.0 vpn-gateway on the machine itself.

