Netgate Discussion Forum

    IPsec & IPhone again

    6 Posts 3 Posters 2.7k Views
      pfreakh

      Hi folks,

      I searched the forum and Google, but it's hopeless. I set up pfSense 2.0.1 and an iPhone 4S with iOS 5.0.1 and I couldn't get it working. The connection can be established and I'm authenticated, but I can't reach any target, neither on the LAN nor outside on the internet.

      xx.xx.xx.xx is my WAN IP.
      yy.yy.yy.yy is my iPhone 3G IP.
      10.99.99.0/24 is my virtual address pool for mobile clients.
      192.168.111.0/24 is the LAN network.
      I've also declared an any-any rule on the firewall.

      ########################################################################

      $ cat /var/etc/racoon.conf

      # This file is automatically generated. Do not edit

      path pre_shared_key "/var/etc/psk.txt";

      path certificate  "/var/etc";

      listen
      {
      adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
      isakmp xx.xx.xx.xx [500];
      isakmp_natt xx.xx.xx.xx [4500];
      }

      mode_cfg
      {
      auth_source system;
      group_source system;
      pool_size 253;
      network4 10.99.99.1;
      netmask4 255.255.255.0;
      dns4 8.8.8.8;
      save_passwd on;
      }

      remote anonymous
      {
      ph1id 1;
      exchange_mode aggressive;
      my_identifier address xx.xx.xx.xx;
      peers_identifier fqdn "vpnusers";
      ike_frag on;
      generate_policy = unique;
      initial_contact = off;
      nat_traversal = force;

      dpd_delay = 10;
      dpd_maxfail = 5;
      support_proxy on;
      proposal_check obey;
      passive on;

      proposal
      {
      authentication_method xauth_psk_server;
      encryption_algorithm aes 128;
      hash_algorithm sha1;
      dh_group 2;
      lifetime time 86400 secs;
      }
      }

      sainfo  anonymous
      {
      remoteid 1;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;

      lifetime time 28800 secs;
      compression_algorithm deflate;
      }

      ########################################################################

      $ setkey -D
      xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
      esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
      E: aes-cbc  e22b34a7 9c3f1cb6 98d31f86 b6fea37c db3f4f09 a785ae13 a1c80be1 13418357
      A: hmac-sha1  70056e85 c0cbdeff 50e4da2c bd3a9b91 d55d99bb
      seq=0x00000000 replay=4 flags=0x00000000 state=mature
      created: Jan  5 19:38:17 2012 current: Jan  5 19:39:43 2012
      diff: 86(s) hard: 3600(s) soft: 2880(s)
      last:                    hard: 0(s) soft: 0(s)
      current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
      allocated: 0 hard: 0 soft: 0
      sadb_seq=1 pid=58908 refcnt=1
      yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
      esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
      E: aes-cbc  ddbfd649 4f78a641 38359365 25ba1e7c 544c4372 969366a2 5b8166e1 d14c89b7
      A: hmac-sha1  93e94b10 318cbdd9 6b82be0b a1cdd507 a194048b
      seq=0x00000000 replay=4 flags=0x00000000 state=mature
      created: Jan  5 19:38:17 2012 current: Jan  5 19:39:43 2012
      diff: 86(s) hard: 3600(s) soft: 2880(s)
      last:                    hard: 0(s) soft: 0(s)
      current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
      allocated: 0 hard: 0 soft: 0
      sadb_seq=0 pid=58908 refcnt=1

      ########################################################################

      $ setkey -DP
      192.168.111.0/24[any] 192.168.111.1[any] 255
      in none
      spid=10 seq=3 pid=60451
      refcnt=1
      10.99.99.1[any] 0.0.0.0/0[any] 255
      in ipsec
      esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique:1
      created: Jan  5 19:38:17 2012  lastused: Jan  5 19:38:17 2012
      lifetime: 3600(s) validtime: 0(s)
      spid=11 seq=2 pid=60451
      refcnt=1
      192.168.111.1[any] 192.168.111.0/24[any] 255
      out none
      spid=9 seq=1 pid=60451
      refcnt=1
      0.0.0.0/0[any] 10.99.99.1[any] 255
      out ipsec
      esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique:1
      created: Jan  5 19:38:17 2012  lastused: Jan  5 19:38:17 2012
      lifetime: 3600(s) validtime: 0(s)
      spid=12 seq=0 pid=60451
      refcnt=1

      ########################################################################

      Any idea what's wrong here?

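The post shows a tunnel whose SAs are `state=mature` yet carry `current: 0(bytes)` in both directions 86 seconds after creation, and an SPD that does contain `in ipsec`/`out ipsec` entries for the assigned client address 10.99.99.1. The following added example (not code from the post, pfSense or ipsec-tools) parses exactly these two dumps, `setkey -D` and `setkey -DP`, and turns the counters into a verdict: IKE completed but no ESP payload ever arrived, which is a different failure from "packets decrypt but replies never leave". The embedded samples are the post's own output with the key-material and bookkeeping lines trimmed; the local/client addresses passed to `triage()` are the poster's masked `xx.xx.xx.xx` and the pool address, and the 30-second threshold is an assumption.

```python
"""Triage a mobile-client IPsec tunnel from `setkey -D` (SAD) and `setkey -DP`
(SPD) output. Added example; not code from the original post, pfSense or
ipsec-tools."""
import re
from dataclasses import dataclass

# Constructed sample: the dumps quoted in the post above, with the key material
# (E:/A:) and bookkeeping lines trimmed; xx/yy are the poster's address masks.
SAD_SAMPLE = """\
xx.xx.xx.xx[4500] yy.yy.yy.yy[62250]
esp-udp mode=any spi=208123248(0x0c67b570) reqid=1(0x00000001)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
diff: 86(s) hard: 3600(s) soft: 2880(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
yy.yy.yy.yy[62250] xx.xx.xx.xx[4500]
esp-udp mode=tunnel spi=196545923(0x0bb70d83) reqid=1(0x00000001)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
diff: 86(s) hard: 3600(s) soft: 2880(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""
SPD_SAMPLE = """\
192.168.111.0/24[any] 192.168.111.1[any] 255
in none
10.99.99.1[any] 0.0.0.0/0[any] 255
in ipsec
esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/unique:1
192.168.111.1[any] 192.168.111.0/24[any] 255
out none
0.0.0.0/0[any] 10.99.99.1[any] 255
out ipsec
esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/unique:1
"""

@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    state: str = ""
    age_s: int = 0
    cur_bytes: int = 0

@dataclass
class Policy:
    src: str
    dst: str
    direction: str
    action: str

SA_HDR = re.compile(r"^(\S+)\[\d+\]\s+(\S+)\[\d+\]$")        # "src[port] dst[port]"
SA_META = re.compile(r"^(\S+) mode=(\S+) spi=(\d+)")
SP_SEL = re.compile(r"^(\S+)\[\w+\]\s+(\S+)\[\w+\]\s+\d+$")  # "src[port] dst[port] prio"
SP_DIR = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard)$")

def parse_sad(text):
    """One SA per 'src[port] dst[port]' header; later lines fill its fields."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SA_HDR.match(line)):
            cur = SA(src=m[1], dst=m[2])
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := SA_META.match(line)):
            cur.proto, cur.mode, cur.spi = m[1], m[2], int(m[3])
        elif (m := re.search(r"\bstate=(\w+)", line)):
            cur.state = m[1]
        elif (m := re.match(r"diff: (\d+)\(s\)", line)):
            cur.age_s = int(m[1])
        elif (m := re.match(r"current: (\d+)\(bytes\)", line)):
            cur.cur_bytes = int(m[1])
    return sas

def parse_spd(text):
    """A selector line followed by a 'dir action' line makes one policy."""
    pols, sel = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SP_SEL.match(line)):
            sel = (m[1], m[2])
        elif sel and (m := SP_DIR.match(line)):
            pols.append(Policy(sel[0], sel[1], m[1], m[2]))
            sel = None
    return pols

def triage(sas, pols, local_ip, client_ip, min_age_s=30):
    """Findings from the gateway's point of view: an SA whose dst is local_ip
    carries packets *from* the client, so its byte counter says whether any
    client traffic was ever decrypted. min_age_s is an assumed settling time."""
    from_client = [s for s in sas if s.dst == local_ip]
    to_client = [s for s in sas if s.src == local_ip]
    if not from_client or not to_client:
        return ["SAD: an SA is missing in one direction; phase 2 did not complete"]
    rx, tx = sum(s.cur_bytes for s in from_client), sum(s.cur_bytes for s in to_client)
    age, encap = max(s.age_s for s in sas), sorted({s.proto for s in sas})
    out = [f"SAD: encapsulation {encap}, all mature={all(s.state == 'mature' for s in sas)}, age {age}s"]
    if rx == 0 and age >= min_age_s:
        out.append("SAD: 0 bytes received from the client: ESP-in-UDP never reaches this host or is "
                   "dropped before decryption (tcpdump udp port 4500 on the WAN, then suspect the path)")
    elif rx > 0 and tx == 0:
        out.append("SAD: client packets decrypt but nothing goes back: check IPsec-tab rules, NAT, return route")
    def covers(addr):  # SPD selectors may carry a prefix length
        return addr.split("/")[0] == client_ip
    has_in = any(p.direction == "in" and p.action == "ipsec" and covers(p.src) for p in pols)
    has_out = any(p.direction == "out" and p.action == "ipsec" and covers(p.dst) for p in pols)
    out.append(f"SPD: in/out ipsec policies for {client_ip} {'present' if has_in and has_out else 'MISSING'}")
    return out
```

Run it against a live box with `setkey -D` and `setkey -DP` piped into the two parsers; the SAD byte counters are the quickest way to tell whether the problem is upstream of the gateway (nothing received) or in the gateway's own rules and routing (received, nothing sent back).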
        pfreakh

        Ah… and here is the corresponding log file (in reverse order).

        Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
        Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
        Jan 5 19:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
        Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
        Jan 5 19:58:27 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
        Jan 5 19:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>yy.yy.yy.yy[34899]
        Jan 5 19:58:27 racoon: WARNING: Ignored attribute 28683
        Jan 5 19:58:27 racoon: ERROR: Cannot open "/etc/motd"
        Jan 5 19:58:27 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
        Jan 5 19:58:27 racoon: INFO: login succeeded for user "sd"
        Jan 5 19:58:27 racoon: INFO: Using port 0
        Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
        Jan 5 19:58:27 racoon: INFO: Sending Xauth request
        Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
        Jan 5 19:58:27 racoon: [yy.yy.yy.yy] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
        Jan 5 19:58:27 racoon: INFO: NAT-D payload #1 doesn't match
        Jan 5 19:58:27 racoon: INFO: NAT-D payload #0 doesn't match
        Jan 5 19:58:27 racoon: [Self]: INFO: NAT-T: ports changed to: yy.yy.yy.yy[34899]<->xx.xx.xx.xx[4500]
        Jan 5 19:58:26 racoon: INFO: Adding xauth VID payload.
        Jan 5 19:58:26 racoon: [Self]: [xx.xx.xx.xx] INFO: Hashing xx.xx.xx.xx[500] with algo #2 (NAT-T forced)
        Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Hashing yy.yy.yy.yy[500] with algo #2 (NAT-T forced)
        Jan 5 19:58:26 racoon: INFO: Adding remote and local NAT-D payloads.
        Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Selected NAT-T version: RFC 3947
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: DPD
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: CISCO-UNITY
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
        Jan 5 19:58:26 racoon: INFO: received Vendor ID: RFC 3947
        Jan 5 19:58:26 racoon: INFO: begin Aggressive mode.
        Jan 5 19:58:26 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]

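The log above is pasted newest-first, so reading it top-down inverts the negotiation. The following added example (not code from the post, pfSense or ipsec-tools) re-orders a racoon syslog excerpt, extracts the facts a triage needs (phase 1 exchange mode, the NAT-T verdict, the XAuth user, ISAKMP and IPsec SA establishment with their SPIs, the encapsulation-mode adjustment, the policy racoon generated, and every ERROR line), and cross-checks the phase 2 SPIs against a `setkey -D` dump. The embedded sample is the post's own log trimmed to the lines the timeline uses; the SPI set passed to `correlate()` is the one from the poster's earlier `setkey -D` output, and the "Identity Protection" string for main mode is the racoon wording assumed here.

```python
"""Rebuild the IKE timeline from a racoon syslog excerpt and cross-check its
phase 2 SPIs against a `setkey -D` dump. Added example; not code from the
original post, pfSense or ipsec-tools."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: lines from the log posted above, newest first as pasted,
# trimmed to the ones the timeline needs (xx/yy are the poster's address masks).
LOG_SAMPLE = """\
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=207831302(0xc634106)
Jan 5 19:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP xx.xx.xx.xx[500]->yy.yy.yy.yy[500] spi=265900516(0xfd951e4)
Jan 5 19:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jan 5 19:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 5 19:58:27 racoon: INFO: no policy found, try to generate the policy : 10.99.99.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jan 5 19:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: xx.xx.xx.xx[4500]<=>yy.yy.yy.yy[34899]
Jan 5 19:58:27 racoon: ERROR: Cannot open "/etc/motd"
Jan 5 19:58:27 racoon: INFO: login succeeded for user "sd"
Jan 5 19:58:27 racoon: [Self]: INFO: ISAKMP-SA established xx.xx.xx.xx[4500]-yy.yy.yy.yy[34899] spi:932af71bd9257a38:7f4869f340ecb4d4
Jan 5 19:58:27 racoon: INFO: Sending Xauth request
Jan 5 19:58:27 racoon: INFO: NAT detected: ME PEER
Jan 5 19:58:27 racoon: [yy.yy.yy.yy] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Jan 5 19:58:26 racoon: [yy.yy.yy.yy] INFO: Selected NAT-T version: RFC 3947
Jan 5 19:58:26 racoon: INFO: begin Aggressive mode.
Jan 5 19:58:26 racoon: [Self]: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[[^\]]*\]:? )*(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")

@dataclass
class Event:
    ts: datetime
    level: str
    msg: str

def parse_racoon_log(text, newest_first=True):
    """Return events in chronological order. The pfSense log view (and the
    poster's paste) is newest-first, so reverse it before the stable sort;
    otherwise same-second lines come out in the wrong order."""
    events = []
    for raw in text.splitlines():
        if (m := LINE.match(raw.strip())):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; ordering only
            events.append(Event(ts, m["level"], m["msg"]))
    if newest_first:
        events.reverse()
    events.sort(key=lambda e: e.ts)
    return events

def summarize(events):
    """Facts a triage needs: phase 1 mode, NAT-T verdict, XAuth user, SA
    establishment, encmode, the policy racoon generated, and all ERROR lines."""
    s = {"phase1_mode": None, "nat": {"me": False, "peer": False}, "xauth_user": None,
         "isakmp_sa": False, "ipsec_sa_spis": [], "encmode": None,
         "generated_policy": None, "errors": []}
    for e in events:
        if e.level == "ERROR":
            s["errors"].append(e.msg)
        if e.msg.startswith("begin Aggressive mode"):
            s["phase1_mode"] = "aggressive"
        elif e.msg.startswith("begin Identity Protection mode"):  # assumed main-mode wording
            s["phase1_mode"] = "main"
        elif (m := re.match(r"NAT detected: (.*)", e.msg)):
            flags = m[1].split()
            s["nat"] = {"me": "ME" in flags, "peer": "PEER" in flags}
        elif (m := re.match(r'login succeeded for user "([^"]+)"', e.msg)):
            s["xauth_user"] = m[1]
        elif e.msg.startswith("ISAKMP-SA established"):
            s["isakmp_sa"] = True
        elif (m := re.match(r"IPsec-SA established: .*\bspi=(\d+)", e.msg)):
            s["ipsec_sa_spis"].append(int(m[1]))
        elif (m := re.match(r"Adjusting my encmode (\S+)", e.msg)):
            s["encmode"] = m[1]
        elif (m := re.match(r"no policy found, try to generate the policy : (\S+)\[\d+\] (\S+)\[\d+\]", e.msg)):
            s["generated_policy"] = (m[1], m[2])
    return s

def correlate(summary, sad_spis):
    """SPIs common to the log's phase 2 and a `setkey -D` dump. An empty set means
    the two artifacts come from different IKE sessions and must not be read as
    one picture (the post's dump is from 19:38, the log from 19:58)."""
    return set(summary["ipsec_sa_spis"]) & set(sad_spis)

if __name__ == "__main__":
    ev = parse_racoon_log(LOG_SAMPLE)
    for e in ev:
        print(e.ts.strftime("%H:%M:%S"), e.level, e.msg)
    print(summarize(ev))
    print("SPIs shared with the posted setkey -D:", correlate(summarize(ev), {208123248, 196545923}))
```

Two things the summary makes visible: the SPIs in this log do not appear in the earlier `setkey -D` dump, so the two artifacts are from different sessions and should be collected together for a real diagnosis; and the phase 1 mode is aggressive with a group PSK, which sends the identity hash unencrypted and so exposes the PSK to offline guessing by anyone who can capture the exchange.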
          craigduff

          Check your firewall rules.

          Kind Regards,
          Craig

            pfreakh

            On the IPsec interface:

            ID Proto Source Port Destination Port Gateway Queue Schedule Description

                      • none   all - all

            Is there anything else to do?
            I've also tried a floating rule… same result.

              craigduff

              Can you tell me what app you're using for the iPhone? I also have the iPhone but haven't tried it. Maybe I could try and mirror what your problem is and give you an update?

              Kind Regards,
              Craig

                MrLurch

                Maybe your 3G provider is blocking IPsec traffic? Most 3G providers use some kind of proxy for web traffic, and ports for VPN are most of the time blocked. You can also try to connect with your Wi-Fi connection (if you have one) to see if your config is OK.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.