Pfsense as VPN for iPhone, halfway there.

BjornB

Ok, so I have set up an instance of pfsense to work as an VPN-server for my iPhone and also for laptops to connect to my fileserver. The primary use for the iPhone is to have a encrypted connection when using public wifi, and for the computer the primary usuage is to get access to the fileshare.

My setup looks like this.
Internet -> Wireless router -> LAN ->Freenas (virtuabox ->pfsense)
In other words, I have the Freenas running on a server (192.168.0.194), and that server then hosts a VirtuaBox that I run an instance of pfsense in (192.168.0.192).
The pfsense instance only has a WAN as far as its concerned, and from the Wireless router I have forwared the ports 4500 and 500 to the ip of pfsense.

After going through all the tutorials I have found regarding ipsec, I have managed to get the iphone to connect to my ipsec-tunnel. However, the iphone can only reach 192.168.0.192 (ei pfsense) on the inside of the Wireless router. I can reach the internet, but using any whatsmyip-sites reports the ip of the iphone given by my mobile provider, not the ip from my ISP. It seems like the trafic does not go through the Ipsec tunnel.

My racoon.conf looks like this

This file is automatically generated. Do not edit

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp 192.168.0.192 [500];
isakmp_natt 192.168.0.192 [4500];
}

mode_cfg
{
auth_source system;
group_source system;
pool_size 253;
network4 192.168.51.2;
netmask4 255.255.255.0;
split_network include 192.168.0.1/24;
dns4 192.168.0.1;
banner "/var/etc/racoon.motd";
save_passwd on;
}

remote anonymous
{
ph1id 1;
exchange_mode aggressive;
my_identifier address 192.168.0.192;
peers_identifier user_fqdn "XXXXX";
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;

dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check obey;
passive on;

proposal
{
authentication_method xauth_psk_server;
encryption_algorithm aes 128;
hash_algorithm sha1;
dh_group 2;
lifetime time 86400 secs;
}
}

sainfo  anonymous
{
remoteid 1;
encryption_algorithm aes 128;
authentication_algorithm hmac_sha1;

lifetime time 28800 secs;
compression_algorithm deflate;
}

setkey -D shows
192.168.0.192[4500] 95.199.21.101[4500]
esp-udp mode=any spi=58931595(0x0383398b) reqid=10(0x0000000a)
E: aes-cbc  3cf44f8f c04cf718 c2a8679d a01ba9c2 b487204d 225e3e3d fbb85c52 74961ccd
A: hmac-sha1  2919a4e7 ca3dc109 4048101d 65dc9303 2f40817a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 12 22:28:26 2012 current: Feb 12 22:29:22 2012
diff: 56(s) hard: 3600(s) soft: 2880(s)
last:                    hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=27668 refcnt=1
95.199.21.101[4500] 192.168.0.192[4500]
esp-udp mode=tunnel spi=141160709(0x0869f105) reqid=10(0x0000000a)
E: aes-cbc  47ea0473 44084cc0 6c926b9a 3cd2b9bf e41fd4ec 6fabe65b 4880124f e49372be
A: hmac-sha1  ac8a4b6b 3bb66727 cd401214 1bbaca84 1e33f014
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Feb 12 22:28:26 2012 current: Feb 12 22:29:22 2012
diff: 56(s) hard: 3600(s) soft: 2880(s)
last:                    hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=27668 refcnt=1

Looking at the Ipsec status I get a yellow light, and there is no remote IP.

The logs when I log in looks like this:
Feb 12 22:34:07 racoon: [Self]: INFO: respond new phase 1 negotiation: 192.168.0.192[500]<=>95.199.21.101[500]
Feb 12 22:34:07 racoon: INFO: begin Aggressive mode.
Feb 12 22:34:07 racoon: INFO: received Vendor ID: RFC 3947
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 12 22:34:07 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 12 22:34:07 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 12 22:34:07 racoon: INFO: received Vendor ID: DPD
Feb 12 22:34:07 racoon: [95.199.21.101] INFO: Selected NAT-T version: RFC 3947
Feb 12 22:34:07 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 12 22:34:07 racoon: [95.199.21.101] INFO: Hashing 95.199.21.101[500] with algo #2
Feb 12 22:34:07 racoon: [Self]: [192.168.0.192] INFO: Hashing 192.168.0.192[500] with algo #2
Feb 12 22:34:07 racoon: INFO: Adding xauth VID payload.
Feb 12 22:34:07 racoon: [Self]: INFO: NAT-T: ports changed to: 95.199.21.101[4500]<->192.168.0.192[4500]
Feb 12 22:34:07 racoon: [Self]: [192.168.0.192] INFO: Hashing 192.168.0.192[4500] with algo #2
Feb 12 22:34:07 racoon: INFO: NAT-D payload #0 doesn't match
Feb 12 22:34:07 racoon: [95.199.21.101] INFO: Hashing 95.199.21.101[4500] with algo #2
Feb 12 22:34:07 racoon: INFO: NAT-D payload #1 doesn't match
Feb 12 22:34:07 racoon: [95.199.21.101] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Feb 12 22:34:07 racoon: INFO: NAT detected: ME PEER
Feb 12 22:34:07 racoon: INFO: Sending Xauth request
Feb 12 22:34:07 racoon: [Self]: INFO: ISAKMP-SA established 192.168.0.192[4500]-95.199.21.101[4500] spi:786199106c41bc2c:90dfa69a87064c4c
Feb 12 22:34:08 racoon: INFO: Using port 0
Feb 12 22:34:08 racoon: INFO: login succeeded for user "XXX"
Feb 12 22:34:08 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Feb 12 22:34:08 racoon: WARNING: Ignored attribute 28683
Feb 12 22:34:08 racoon: [Self]: INFO: respond new phase 2 negotiation: 192.168.0.192[4500]<=>95.199.21.101[4500]
Feb 12 22:34:08 racoon: INFO: no policy found, try to generate the policy : 192.168.51.2/32[0] 192.168.0.1/24[0] proto=any dir=in
Feb 12 22:34:08 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Feb 12 22:34:08 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Feb 12 22:34:08 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.0.192[500]->95.199.21.101[500] spi=26153292(0x18f114c)
Feb 12 22:34:08 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.0.192[500]->95.199.21.101[500] spi=15192398(0xe7d14e)

I've set up a firewall rule to allow all trafic on the ipsec network
ID Proto Source Port Destination Port Gateway Queue Schedule Description

• • • • • • none

I'm quite upset of my inner nerd for not getting this to work. Can someone help me out or point me to the right direction for further knowledge?
/Best regards, Björn

marcoteixeira

Hi,

I've managed to get a setup working with CISCO vpn client. So if you follow my steps, it should work with iPhone (cisco) native client.
Don't bother testing it behind LAN interface… It didn't work for me.
Follow this link, and next time RTFM please.

http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0#Mobile_Clients

Regards
Marco

BjornB

Hi Marco, I appreciate the time you took to reply to me, however the link you provided me with was one of the tutorials I have used already. There is something else wrong, and I am not able to deduct it myself what's wrong with my setup.

If you have by looking at the config or reading the description any other idéa whats wrong, I'd very much appreciate the feedback.

/Best regards, Björn

BjornB

Ok, so noone else have any advice on whats might be wrong?

Can the reason I only have a WAN interface connected to the pfSense-box mix things up? (and WAN here is actually a private ip-address behind a firewall).

Are there special routing stuff I should do to make the tunnel traffic go out on the WAN-side of the box, and be able to access resources behind the normal firewall, and also the internet but still through the ipsec-tunnel?

/Best regards, Björn

kapara

I got it to work on 2.01 but very bizarre results.  Whatismyip.com shows the wan ip on the remote network.  I can only see one address though which is 192.168.2.12 on the remote network.  All other IP's are not accessible.  I followed the directions to the letter.  I think that pfsense is just not compatible yet with iPhone…....

spudgunman

I have also set up IPSec p2 builds but no traffic flows for me at all. Found some bug reports about this but cans find definitive info.. Also lost as to why some have no issues …same code everywhere? I also followed the offical wiki on setup.

Is this actually working or not? I'm lost.

kapara

As I said I think you can assume that it is not supported.  It is a shame since sprint blocks PPTP on 3G but does not block IPSec.

spudgunman

Uhhh well that is incorrect, it's just xauth IPSec and the Cisco client boys have issues as well so it's not…not supported there are issues I think...

I can make split tunnel work fine but no traffic into firewall.