IPsec & iPhone again



  • Hi folks,

    I searched the forum and Google, but it's hopeless. I set up pfSense 2.0.1 and an iPhone 4S with iOS 5.0.1 and I didn't get it working. The connection can be established and I'm authenticated, but I can't reach any target, neither on the LAN nor outside on the internet.

    xx.xx.xx.xx is my WAN IP.
    yy.yy.yy.yy is my iPhone 3G IP.
    10.99.99.0/24 is my virtual address pool for mobile clients.
    192.168.111.0/24 is the LAN network.
    I've also declared an any-any rule on the firewall.

    ########################################################################

    $ cat /var/etc/racoon.conf

    # This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp xx.xx.xx.xx [500];
    isakmp_natt xx.xx.xx.xx [4500];
    }

    mode_cfg
    {
    auth_source system;
    group_source system;
    pool_size 253;
    network4 10.99.99.1;
    netmask4 255.255.255.0;
    dns4 8.8.8.8;
    save_passwd on;
    }

    remote anonymous
    {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address xx.xx.xx.xx;
    peers_identifier fqdn "vpnusers";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = force;

    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;
    passive on;

    proposal
    {
    authentication_method xauth_psk_server;
    encryption_algorithm aes 128;
    hash_algorithm sha1;
    dh_group 2;
    lifetime time 86400 secs;
    }
    }

    sainfo  anonymous
    {
    remoteid 1;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;

    lifetime time 28800 secs;
    compression_algorithm deflate;
    }

    ########################################################################

    $ setkey -D
    xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
    esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
    E: aes-cbc  e22b34a7 9c3f1cb6 98d31f86 b6fea37c db3f4f09 a785ae13 a1c80be1 13418357
    A: hmac-sha1  70056e85 c0cbdeff 50e4da2c bd3a9b91 d55d99bb
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan  5 19:38:17 2012 current: Jan  5 19:39:43 2012
    diff: 86(s) hard: 3600(s) soft: 2880(s)
    last:                    hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=58908 refcnt=1
    yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
    esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
    E: aes-cbc  ddbfd649 4f78a641 38359365 25ba1e7c 544c4372 969366a2 5b8166e1 d14c89b7
    A: hmac-sha1  93e94b10 318cbdd9 6b82be0b a1cdd507 a194048b
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan  5 19:38:17 2012 current: Jan  5 19:39:43 2012
    diff: 86(s) hard: 3600(s) soft: 2880(s)
    last:                    hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=58908 refcnt=1

    ########################################################################

    $ setkey -DP
    192.168.111.0/24[any] 192.168.111.1[any] 255
    in none
    spid=10 seq=3 pid=60451
    refcnt=1
    10.99.99.1[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique:1
    created: Jan  5 19:38:17 2012  lastused: Jan  5 19:38:17 2012
    lifetime: 3600(s) validtime: 0(s)
    spid=11 seq=2 pid=60451
    refcnt=1
    192.168.111.1[any] 192.168.111.0/24[any] 255
    out none
    spid=9 seq=1 pid=60451
    refcnt=1
    0.0.0.0/0[any] 10.99.99.1[any] 255
    out ipsec
    esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique:1
    created: Jan  5 19:38:17 2012  lastused: Jan  5 19:38:17 2012
    lifetime: 3600(s) validtime: 0(s)
    spid=12 seq=0 pid=60451
    refcnt=1

    ########################################################################

    any idea, what's wrong here?
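    The two `setkey` dumps above answer most of the question if read mechanically: both SAs are `state=mature` but show `current: 0(bytes)` after 86 seconds, and the SPD only contains policies for this one client's /32 against 0.0.0.0/0. The script below is an added example for this thread (not pfSense or racoon code) that parses `setkey -D` and `setkey -DP` output, lists SAs that are up but have never carried a byte, and looks up which policy a given packet would hit. The sample text is a constructed, trimmed copy of the post's output with its anonymised xx/yy endpoints kept and the key material omitted; the address ranges in the lookups (192.168.111.50, 10.99.99.2) are made-up hosts inside the post's LAN and pool.

```python
"""Parse `setkey -D` (SAD) and `setkey -DP` (SPD) output and answer the two
questions that matter when a tunnel is "up but passes nothing": are the SAs
mature but idle, and which policy (if any) would a given packet hit?
Added example for this thread, not pfSense or racoon code.  The samples are
constructed, trimmed copies of the post's output (its anonymised xx/yy
endpoints kept as-is; key material omitted)."""
import ipaddress
import re

SAMPLE_SAD = """\
xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
diff: 86(s) hard: 3600(s) soft: 2880(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
diff: 86(s) hard: 3600(s) soft: 2880(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""

SAMPLE_SPD = """\
192.168.111.0/24[any] 192.168.111.1[any] 255
in none
spid=10 seq=3 pid=60451
10.99.99.1[any] 0.0.0.0/0[any] 255
in ipsec
spid=11 seq=2 pid=60451
192.168.111.1[any] 192.168.111.0/24[any] 255
out none
spid=9 seq=1 pid=60451
0.0.0.0/0[any] 10.99.99.1[any] 255
out ipsec
spid=12 seq=0 pid=60451
"""

SA_HEADER = re.compile(r"^(\S+)\[(\d+)\] (\S+)\[(\d+)\]$")
SA_PROTO = re.compile(r"^(esp|esp-udp|ah)\s+mode=(\S+)\s+spi=(\d+)\(\S+\)\s+reqid=(\d+)")
SA_DIFF = re.compile(r"^diff:\s+(\d+)\(s\)")
SA_BYTES = re.compile(r"^current:\s+(\d+)\(bytes\)")  # 'created: ... current: <date>' never matches
SP_HEADER = re.compile(r"^(\S+)\[\w+\]\s+(\S+)\[\w+\]\s+\d+$")
SP_ACTION = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard)$")


def parse_sad(text: str) -> list:
    """One dict per SA: endpoints, encapsulation mode, spi, reqid, state, age, bytes."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SA_HEADER.match(line)):
            cur = {"src": m.group(1), "dst": m.group(3), "proto": None, "mode": None,
                   "spi": None, "reqid": None, "state": None, "age_s": 0, "bytes": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := SA_PROTO.match(line)):
            cur["proto"], cur["mode"] = m.group(1), m.group(2)
            cur["spi"], cur["reqid"] = int(m.group(3)), int(m.group(4))
        elif line.startswith("seq=") and (m := re.search(r"state=(\w+)", line)):
            cur["state"] = m.group(1)
        elif (m := SA_DIFF.match(line)):
            cur["age_s"] = int(m.group(1))
        elif (m := SA_BYTES.match(line)):
            cur["bytes"] = int(m.group(1))
    return sas


def idle_sas(sas: list, min_age_s: int = 60) -> list:
    """Mature SAs at least min_age_s old that never carried a byte.  Both directions
    idle (as in the post) means negotiated but nothing routed/permitted through it."""
    return [sa for sa in sas
            if sa["state"] == "mature" and sa["age_s"] >= min_age_s and sa["bytes"] == 0]


def parse_spd(text: str) -> list:
    """One dict per policy: src/dst networks, direction, action, spid."""
    net = lambda s: ipaddress.ip_network(s if "/" in s else s + "/32", strict=False)
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SP_HEADER.match(line)):
            cur = {"src": net(m.group(1)), "dst": net(m.group(2)),
                   "dir": None, "action": None, "spid": None}
            policies.append(cur)
        elif cur is None:
            continue
        elif (m := SP_ACTION.match(line)):
            cur["dir"], cur["action"] = m.group(1), m.group(2)
        elif (m := re.match(r"^spid=(\d+)", line)):
            cur["spid"] = int(m.group(1))
    return policies


def lookup_policy(policies: list, src: str, dst: str, direction: str):
    """Most specific policy (longest combined prefix) for a packet, or None when
    the kernel has no IPsec policy for that flow at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return max(hits, key=lambda p: p["src"].prefixlen + p["dst"].prefixlen) if hits else None
```

Running `idle_sas(parse_sad(SAMPLE_SAD))` returns both SAs, which is the "authenticated but nothing flows" symptom. `lookup_policy(parse_spd(SAMPLE_SPD), "192.168.111.50", "10.99.99.1", "out")` hits the `ipsec` policy (spid 12), so a LAN host replying to this client is covered, while the same lookup for a second pool address such as 10.99.99.2 returns None because `generate_policy unique` only creates policies for the client that has actually connected. Paste the real output of both commands into the two samples to check your own box.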



  • ah… and here is the corresponding logfile (in reverse order)

    Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
    Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
    Jan 5 19:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Jan 5 19:58:27 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Jan 5 19:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>yy.yy.yy.yy[34899]
    Jan 5 19:58:27 racoon: WARNING: Ignored attribute 28683
    Jan 5 19:58:27 racoon: ERROR: Cannot open "/etc/motd"
    Jan 5 19:58:27 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Jan 5 19:58:27 racoon: INFO: login succeeded for user "sd"
    Jan 5 19:58:27 racoon: INFO: Using port 0
    Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
    Jan 5 19:58:27 racoon: INFO: Sending Xauth request
    Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
    Jan 5 19:58:27 racoon: [yy.yy.yy.yy] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Jan 5 19:58:27 racoon: INFO: NAT-D payload #1 doesn't match
    Jan 5 19:58:27 racoon: INFO: NAT-D payload #0 doesn't match
    Jan 5 19:58:27 racoon: [Self]: INFO: NAT-T: ports changed to: yy.yy.yy.yy[34899]<->xx.xx.xx.xx[4500]
    Jan 5 19:58:26 racoon: INFO: Adding xauth VID payload.
    Jan 5 19:58:26 racoon: [Self]: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[500] with algo #2 (NAT-T forced)
    Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Hashing yy.yy.yy.yy[500] with algo #2 (NAT-T forced)
    Jan 5 19:58:26 racoon: INFO: Adding remote and local NAT-D payloads.
    Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Selected NAT-T version: RFC 3947
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: DPD
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Jan 5 19:58:26 racoon: INFO: received Vendor ID: RFC 3947
    Jan 5 19:58:26 racoon: INFO: begin Aggressive mode.
    Jan 5 19:58:26 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
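    Because the log was pasted newest-first, the phase 1 / NAT-T / XAuth / phase 2 sequence is easier to follow once it is flipped and reduced to the handful of facts that matter. The script below is an added example for this thread (not racoon or pfSense code): it parses racoon's log lines, puts them in chronological order, and summarises the negotiation (phase 1 mode, NAT-T outcome, XAuth user, the policy racoon generated, the encapsulation adjustment, the ESP SAs, and every WARNING/ERROR), then turns the summary into a short list of things to check. `SAMPLE_LOG` is a constructed excerpt of the post's log with the same message texts and anonymised peers.

```python
"""Normalise a racoon log that was pasted newest-first and pull out the facts a
troubleshooter wants from a mobile-client negotiation: phase 1 mode, NAT-T
outcome, XAuth user, generated phase 2 policy, encapsulation adjustment,
established SAs, and every WARNING/ERROR.  Added example for this thread, not
racoon or pfSense code.  SAMPLE_LOG is a constructed excerpt of the post's log
(same message texts, anonymised peers)."""
import re

SAMPLE_LOG = """\
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 5 19:58:27 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jan 5 19:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>yy.yy.yy.yy[34899]
Jan 5 19:58:27 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Jan 5 19:58:27 racoon: ERROR: Cannot open "/etc/motd"
Jan 5 19:58:27 racoon: INFO: login succeeded for user "sd"
Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
Jan 5 19:58:27 racoon: [yy.yy.yy.yy] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jan 5 19:58:27 racoon: [Self]: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[500] with algo #2 (NAT-T forced)
Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Selected NAT-T version: RFC 3947
Jan 5 19:58:26 racoon: INFO: begin Aggressive mode.
Jan 5 19:58:26 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
"""

LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d) racoon: "
                  r"(?:\[[^\]]*\]:? )*(?P<level>INFO|WARNING|ERROR|NOTIFY|DEBUG): (?P<msg>.*)$")

# (summary key, regex over the message text, converter applied to the match)
EXTRACTORS = [
    ("phase1_mode", r"begin (\w+) mode", lambda m: m.group(1)),
    ("natt_version", r"Selected NAT-T version: (.*)", lambda m: m.group(1)),
    ("nat_detected", r"NAT detected: (.*)", lambda m: m.group(1).split()),
    ("xauth_user", r'login succeeded for user "([^"]*)"', lambda m: m.group(1)),
    ("isakmp_spi", r"ISAKMP-SA established \S+ spi:(\S+)", lambda m: m.group(1)),
    ("generated_policy", r"no policy found, try to generate the policy : (.*)", lambda m: m.group(1)),
    ("encmode", r"Adjusting my encmode (\S+)->(\S+)", lambda m: (m.group(1), m.group(2))),
]
IPSEC_SA = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")


def parse_log(text: str, newest_first: bool = True) -> list:
    """Events oldest-first as dicts with ts/level/msg; lines that do not parse are skipped."""
    events = [m.groupdict() for raw in text.splitlines() if (m := LINE.match(raw.strip()))]
    return events[::-1] if newest_first else events


def summarize(events: list) -> dict:
    """Reduce the event stream to the negotiation facts listed in EXTRACTORS."""
    s = {k: None for k, _, _ in EXTRACTORS}
    s.update(ipsec_sas=[], errors=[], warnings=[])
    for ev in events:
        msg = ev["msg"]
        if ev["level"] == "ERROR":
            s["errors"].append(msg)
        elif ev["level"] == "WARNING":
            s["warnings"].append(msg)
        for key, pattern, conv in EXTRACTORS:
            if (m := re.match(pattern, msg)):
                s[key] = conv(m)
        if (m := IPSEC_SA.match(msg)):
            s["ipsec_sas"].append({"proto": m.group(1), "src": m.group(2),
                                   "dst": m.group(3), "spi": int(m.group(4))})
    return s


def findings(s: dict) -> list:
    """Observations worth checking, phrased for the person holding the firewall."""
    out = []
    if s["phase1_mode"] == "Aggressive":
        out.append("phase 1 ran in aggressive mode with a group PSK: the identity and the "
                   "PSK-derived hash are sent before the channel is encrypted, so the PSK must be strong")
    if s["nat_detected"] and s["encmode"] and s["encmode"][1] == "Tunnel":
        out.append(f"NAT detected on {' and '.join(s['nat_detected'])} but phase 2 was adjusted "
                   f"{s['encmode'][0]}->{s['encmode'][1]}; confirm `setkey -D` shows esp-udp SAs "
                   "and that UDP/4500 reaches the WAN")
    if s["generated_policy"]:
        out.append("racoon generated the phase 2 policy itself (generate_policy unique): "
                   + s["generated_policy"] + "; LAN traffic to the client matches via the 0.0.0.0/0 side")
    if len(s["ipsec_sas"]) != 2:
        out.append(f"expected one ESP SA per direction, saw {len(s['ipsec_sas'])}")
    out.extend("racoon reported: " + e for e in s["errors"])
    return out
```

`findings(summarize(parse_log(SAMPLE_LOG)))` reports the aggressive-mode PSK exposure, the NAT-on-both-sides plus `UDP-Tunnel->Tunnel` adjustment to cross-check against the `esp-udp` entries in `setkey -D`, the generated per-client policy, and the two ERROR lines (`/etc/motd` and the INITIAL-CONTACT notification). Pass `newest_first=False` when feeding it a log in normal order.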



  • Check your firewall rules.



  • On the IPsec interface:

    ID Proto Source Port Destination Port Gateway Queue Schedule Description

              • none   all - all

    Is there anything else to do?
    I've also tried a floating rule… same result.



  • Can you tell me what app you're using on the iPhone? I also have the iPhone but haven't tried it. Maybe I could try and mirror what your problem is and give you an update?



  • Maybe your 3G provider is blocking IPsec traffic? Most 3G providers use some kind of proxy for web traffic, and the ports for VPN are most of the time blocked. You can also try to connect over your Wi-Fi connection (if you have one) to see if your config is OK.

