Visual Guide to Configuring IPSec VPN using RSA + Xauth and iOS Roadwarriors
-
OK - now I changed something on my data plan. For 2 Euros per month I was able to get a "real" public IP address instead of a NATted one! It looks better in the logs now - but I'm still not able to finish phase 1:
Mar 13 11:35:32 racoon: ERROR: phase1 negotiation failed due to time up. a95cd60e000c4680:7446a7a497024226
Mar 13 11:34:42 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 13 11:34:42 racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
Mar 13 11:34:42 racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT not detected
Mar 13 11:34:42 racoon: INFO: NAT-D payload #1 verified
Mar 13 11:34:42 racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
Mar 13 11:34:42 racoon: INFO: NAT-D payload #0 verified
Mar 13 11:34:42 racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
Mar 13 11:34:41 racoon: INFO: Adding xauth VID payload.
Mar 13 11:34:41 racoon: [212.23.116.66] INFO: Selected NAT-T version: RFC 3947
Mar 13 11:34:41 racoon: INFO: received Vendor ID: DPD
Mar 13 11:34:41 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 13 11:34:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 13 11:34:41 racoon: INFO: received Vendor ID: RFC 3947
Mar 13 11:34:41 racoon: INFO: begin Identity Protection mode.
Mar 13 11:34:41 racoon: [Self]: INFO: respond new phase 1 negotiation: WAN-IP[500]<=>212.23.116.66[500]
Now I can also see another problem (?) in the system logs:
Mar 13 11:34:29 php: /vpn_ipsec.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
Mar 13 11:34:05 php: /vpn_ipsec_phase1.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
Mar 13 11:33:55 php: /vpn_ipsec_phase1.php: Reload MUVPN (Apple iOS) tunnel(s)
What does this error mean?
EDIT: The error above is gone since I changed the server certificate to use the IP address instead of the domain name. I still run into the phase 1 timeout without any other error.
-
Disable NAT traversal and check if that makes any difference.
-
Once the issues have been troubleshot, I'd suggest adding these step-by-step docs to the PfSense wiki.
-
> I suggest also adding these step-by-step docs to the PfSense wiki.
Also, there is no need to wait for my (I'm sure) special personal problems:
I just tried it with another iPhone (same model / same iOS version / same modem version) and there it works like a charm!
On this second iPhone it works over 3G and also directly out of the company network's WLAN.
On my iPhone neither WLAN nor 3G works. So it must have something to do with my iPhone. But I have no idea what this can be! ???
-
OK - I think I know the problem now.
I found other people on the internet who have VPN problems like mine (timeout) after the untethered jailbreak of iOS 5.0.1 - and that's the big difference between my iPhone and the other one. Just to make it clear: I have a never-locked iPhone direct from the Apple Store and use the jailbreak for IT-related software which is not available in the App Store (e.g. SSH). So I never hacked the baseband or anything like that. But it seems that the untethered jailbreak itself breaks VPN functions!
-
Glad to hear it is working.
-
There is only one last thing, which is a little bit annoying:
If I uncheck the box "Provide login banner to clients", an empty login banner comes up. Is there no possibility to completely disable the banner? I use VPN on Demand and so I have to tap "OK" on the iPhone all the time…
-
If you are talking about the 'VPN Connection' message with the OK and Disconnect buttons that iOS shows after the connection is established, then I don't think there is a way to disable that.
-
Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on Demand, which is a slick feature, with one issue: I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.
Any ideas?
-
> Thanks for the guide. Using it and the iPhone Configuration Utility I was able to set up my iPhone with VPN on Demand, which is a slick feature, with one issue: I cannot figure out how to make it save my password. Every time I connect to the VPN it prompts for the user password. It appears that if you create the VPN connection on the phone manually via this guide it will save the user password; however, if you do it via the iPhone Configuration Utility I do not see a way to save the password.
> Any ideas?
Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines after the XAuthName block:
<key>XAuthPassword</key>
<string>Your Password</string>
Best regards,
Thorsten
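An added example, not from the thread or from Apple's tooling: the same edit done with Python's plistlib instead of a text editor, plus a check that reads the password straight back out of the resulting file. The profile embedded here is a constructed, minimal stand-in for what the iPhone Configuration Utility exports (placeholder UUIDs, identifiers and a made-up RemoteAddress); XAuthName, XAuthEnabled and XAuthPassword are keys of the IPSec dictionary in Apple's configuration profile format. The second function is the point of the caveat raised later in the thread: whoever can read the .mobileconfig can read the password.

```python
import copy
import plistlib

# Constructed minimal unsigned profile modelled on an iPhone Configuration
# Utility export with one Cisco IPSec VPN payload. All identifiers, UUIDs
# and the server name are placeholders for this example.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.muvpn",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "MUVPN (Apple iOS)",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.muvpn.vpn",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "UserDefinedName": "MUVPN",
            "VPNType": "IPSec",
            "OnDemandEnabled": 1,
            "IPSec": {
                "RemoteAddress": "vpn.example.net",  # placeholder
                "AuthenticationMethod": "Certificate",
                "XAuthEnabled": 1,
                "XAuthName": "thorsten",
            },
        }
    ],
}


def add_xauth_password(profile, password):
    """Return a copy of the profile with XAuthPassword set on each IPSec payload.

    Same effect as the manual edit in the post: the key is added to the IPSec
    dictionary that already holds XAuthName. It is stored as plain text.
    """
    out = copy.deepcopy(profile)
    touched = 0
    for payload in out.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ipsec = payload.get("IPSec")
        if not isinstance(ipsec, dict) or "XAuthName" not in ipsec:
            continue  # no XAuth user to pair the password with
        ipsec["XAuthPassword"] = password
        touched += 1
    if touched == 0:
        raise ValueError("no IPSec payload with XAuthName found")
    return out


def build_profile_bytes(profile, password):
    """Serialise the edited profile as the XML plist an unsigned .mobileconfig is.

    plistlib writes keys sorted, so XAuthPassword lands right after XAuthName.
    """
    return plistlib.dumps(add_xauth_password(profile, password), fmt=plistlib.FMT_XML)


def stored_passwords(profile_bytes):
    """What anyone holding the .mobileconfig can read back: (user, password) pairs."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        ipsec = payload.get("IPSec", {})
        if "XAuthPassword" in ipsec:
            found.append((ipsec.get("XAuthName"), ipsec["XAuthPassword"]))
    return found


if __name__ == "__main__":
    data = build_profile_bytes(SAMPLE_PROFILE, "Your Password")
    print(data.decode())
    print("readable from the file:", stored_passwords(data))
```

Write the bytes to a file ending in .mobileconfig and deliver it to the phone the way the thread ends up doing (mail it and install from the phone), and treat the file itself like a password: it is one.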
-
Sweet, will give that a shot. Odd that if the configs support such a feature the tool would not have the interface to use it. Of course Apple is known for lack of options.
-
> Odd that if the configs support such a feature the tool would not have the interface to use it. Of course Apple is known for lack of options.
I think it's just because everybody could read the password in clear text…
-
> Odd that if the configs support such a feature the tool would not have the interface to use it. Of course Apple is known for lack of options.
> I think it's just because everybody could read the password in clear text…
Well, there are ways they could encrypt the password to at least make it more difficult to see.
-
> Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines after the XAuthName block:
> <key>XAuthPassword</key>
> <string>Your Password</string>
> Best regards,
> Thorsten
This did not seem to work. I assume that after I edit the file I open it with the iPhone Configuration Utility to load it on the iPhone.
-
If I export the config back out, the added lines are not there.
-
I figured it out :)
You need to email the .mobileconfig file to your phone and install it from the email on the phone. Success.
-
For whatever reason, racoon segfaults when I run RSA+Xauth, after the client sends back the XAUTH_USER_PASSWORD. Oddly, this doesn't happen with PSK+Xauth. >:(