IPsec from Android ICS to pfSense 2 problem



  • Hi,
    I have a problem configuring IPsec from Android ICS to pfSense 2.0.1.
    The error in my IPsec log is this:

    May 11 10:40:00 racoon: [xxxxx] ERROR: phase1 negotiation failed.
    May 11 10:40:00 racoon: [xxxxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
    May 11 10:40:00 racoon: [xxxxx] ERROR: couldn't find the pskey for xxxx.

    My configuration is this:

    pfSense side: menu VPN -> IPsec -> tab Mobile clients
    Enable ipsec mobile client support: checked
    User authentication: system
    provide a virtual IP address to clients: checked
    All other fields are empty and unchecked

    pfSense side: phase 1
    authentication method: Mutual PSK + Xauth
    Negotiation mode: main
    My identifier: My IP address
    Peer identifier: user distinguished name (example@mail.com)
    Pre-Shared Key: 12345678
    Policy generation: default
    Proposal Checking: obey
    Encryption algorithm: AES 128 bits
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 86400
    Nat Traversal: Enable
    Dead Peer Detection: enable (10 seconds, 5 retries)

    pfSense side: phase 2
    Mode: tunnel
    Local network: lan subnet
    Protocol: ESP
    encryption algorithms: only AES 128 bits
    Hash algorithms: SHA1
    PFS key group: off
    Lifetime: 28800

    On my Android phone I select VPN type "IPsec Xauth PSK".

    Can you help me?
    Manuel
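The error in the post above is raised by the pre-shared key lookup that racoon has to complete before phase 1 can finish. The following Python model of that lookup is an added example, not part of the thread and not pfSense's or racoon's code. It reads a constructed psk.txt in racoon's format and applies racoon's selection order: by identifier first, but only in aggressive mode, because in main mode the initiator's ID payload arrives encrypted in message 5, after SKEYID (and so the PSK) is already needed; otherwise by the peer's IP address. The psk.txt entries, the client address and the second entry are made up for the example.

```python
import re

# Constructed psk.txt in racoon's format ("identifier<whitespace>key", '#' comments).
# These entries, addresses and keys are made up for the example; they are not the
# posters' configuration.
PSK_TXT = """\
# identifier         key
example@mail.com     12345678
203.0.113.10         site-to-site-key
"""


def parse_psk_txt(text):
    """Return {identifier: key} from psk.txt text.

    racoon takes the identifier up to the first run of whitespace and the rest
    of the line as the key; blank lines and '#' comments are skipped.
    """
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line: no key after the identifier
        keys[parts[0]] = parts[1]
    return keys


def select_psk(keys, exchange_mode, peer_addr, peer_id=None):
    """Model (mine, after racoon's lookup order) of how the responder picks a PSK.

    Aggressive mode: the initiator's ID payload is in its first message, so the
    key can be looked up by identifier, with the peer address as fallback.
    Main mode: the ID payload is only sent in message 5, encrypted under keys
    derived from SKEYID, which already needs the PSK, so only the peer address
    can select the key.  A miss is what racoon logs as 'couldn't find the pskey'.
    """
    if exchange_mode == "aggressive" and peer_id is not None:
        key = keys.get(peer_id)
        if key is not None:
            return key
    return keys.get(peer_addr)


def phase1_psk_outcome(keys, exchange_mode, peer_addr, peer_id=None):
    """Return (found, message); the message mimics racoon's log wording."""
    key = select_psk(keys, exchange_mode, peer_addr, peer_id)
    if key is None:
        return False, f"ERROR: couldn't find the pskey for {peer_addr}."
    return True, f"INFO: PSK selected for {peer_id or peer_addr} ({exchange_mode} mode)"


if __name__ == "__main__":
    keys = parse_psk_txt(PSK_TXT)
    client = "198.51.100.7"  # roaming Android client: its address is not in psk.txt
    scenarios = [
        ("main", "example@mail.com"),        # the first post's settings
        ("aggressive", "example@mail.com"),  # what a mobile PSK setup needs
        ("aggressive", "exmaple@mail.com"),  # identifier typo on the phone
    ]
    for mode, ident in scenarios:
        ok, msg = phase1_psk_outcome(keys, mode, client, ident)
        print(f"{mode:10s} id={ident:20s} -> {msg}")
```

With the first post's settings (main mode, an e-mail style identifier, a roaming client whose address is not in the file) the lookup returns nothing, which is exactly the condition racoon reports as "couldn't find the pskey". In aggressive mode the key is found by identifier; that is the trade-off behind mobile PSK setups: the identifier travels in the clear and a passive observer can run an offline dictionary attack against the pre-shared key from the aggressive-mode hash, so a key such as 12345678 should not survive into production.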



  • Hi,

    Did you find something for your problem?

    I've got the same and it doesn't work either :'(
    I read this without success: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    If not, does someone have an idea?

    Thanks



  • I found it and it works:

    Don't forget to create a user on pfSense and give that user the "User - VPN - IPsec xauth Dialin" privilege.

    Android config:
    Name: as you wish
    Type: IPsec Xauth PSK
    Address: your address
    IPsec identifier: user@exemple.com
    IPsec key: the key you put in "Pre-Shared Key" in phase 1
    Nothing else…



  • Yes, it works now ;)



  • Question:

    When I connect with Android to the IPsec VPN I can't access the internet. It works for all my LAN IPs but nothing for the internet.

    I put my LAN DNS in my IPsec config but it doesn't work either… :'(

    Any ideas ?



  • Solved again:

    Create a floating rule to allow TCP/UDP 53 from the IPsec interface.

    It works, but I don't understand what a floating rule is?

    do you know ?

    thanks



  • Hi,

    Need help, I followed everything like the above threads..
    but my ICS still cannot connect to pfSense IPsec.

    Below is the log:
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>36.37.233.249[23187]
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: begin Aggressive mode.
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: RFC 3947
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: DPD
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Selected NAT-T version: RFC 3947
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding remote and local NAT-D payloads.
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Hashing 36.37.233.249[23187] with algo #2 (NAT-T forced)
    Jul 12 08:43:46 10.10.20.1 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #2 (NAT-T forced)
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding xauth VID payload.
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-T: ports changed to: 36.37.233.249[24964]<->x.x.x.x[4500]
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #0 doesn't match
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #1 doesn't match
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT detected: ME PEER
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Sending Xauth request
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: ISAKMP-SA established x.x.x.x[4500]-36.37.233.249[24964] spi:e873490ee429fe8e:8d3f55d60b590232
    Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: received INITIAL-CONTACT
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: Using port 0
    Jul 12 08:43:46 10.10.20.1 racoon: INFO: login succeeded for user "test"

    could someone help me…

    on the other hand...my iPhone and iPad can connect perfectly
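As an added example (not part of the thread), a small triage script over the racoon lines posted in this thread. It tells apart a phase 1 that died looking up the PSK (the first post) from one that completed phase 1 and Xauth but shows no IPsec-SA (this post), which moves the search to what happens after "login succeeded": mode-config and phase 2. The log text is copied from the posts, with the posters' redactions left in place; the patterns, the summary fields and the verdict codes are mine.

```python
import re

# Log excerpts copied from this thread: the first post's errors and the last
# post's negotiation, with the posters' x.x.x.x / xxxx redactions kept as posted.
LOG_PHASE1_FAIL = """\
May 11 10:40:00 racoon: [xxxxx] ERROR: phase1 negotiation failed.
May 11 10:40:00 racoon: [xxxxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
May 11 10:40:00 racoon: [xxxxx] ERROR: couldn't find the pskey for xxxx.
"""

LOG_XAUTH_OK = """\
Jul 12 08:43:45 10.10.20.1 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>36.37.233.249[23187]
Jul 12 08:43:45 10.10.20.1 racoon: INFO: begin Aggressive mode.
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: RFC 3947
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: DPD
Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Selected NAT-T version: RFC 3947
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding remote and local NAT-D payloads.
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-T: ports changed to: 36.37.233.249[24964]<->x.x.x.x[4500]
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #0 doesn't match
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #1 doesn't match
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT detected: ME PEER
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Sending Xauth request
Jul 12 08:43:46 10.10.20.1 racoon: INFO: ISAKMP-SA established x.x.x.x[4500]-36.37.233.249[24964] spi:e873490ee429fe8e:8d3f55d60b590232
Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: received INITIAL-CONTACT
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Using port 0
Jul 12 08:43:46 10.10.20.1 racoon: INFO: login succeeded for user "test"
"""

# Regexes over racoon's own log wording (the strings appear in the excerpts above;
# "IPsec-SA established" is racoon's phase 2 success line).
PATTERNS = {
    "exchange_mode": re.compile(r"begin (Aggressive|Identity Protection) mode"),
    "vendor_id": re.compile(r"received (?:Vendor ID|broken Microsoft ID): (.+?)\s*$"),
    "nat_detected": re.compile(r"NAT detected: (.+?)\s*$"),
    "xauth_user": re.compile(r'login succeeded for user "([^"]+)"'),
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "phase1_failed": re.compile(r"phase1 negotiation failed"),
    "psk_missing": re.compile(r"couldn't find the pskey"),
    "phase2_established": re.compile(r"IPsec-SA established"),
}
FLAGS = ("phase1_established", "phase1_failed", "psk_missing", "phase2_established")


def triage(log_text):
    """Summarise one racoon negotiation: which IKEv1 stage the excerpt reached."""
    s = {"exchange_mode": None, "vendor_ids": [], "nat_detected": None,
         "xauth_user": None, **{f: False for f in FLAGS}}
    for line in log_text.splitlines():
        m = PATTERNS["exchange_mode"].search(line)
        if m:
            s["exchange_mode"] = "aggressive" if m.group(1) == "Aggressive" else "main"
            continue
        m = PATTERNS["vendor_id"].search(line)
        if m:
            s["vendor_ids"].append(m.group(1))
            continue
        m = PATTERNS["nat_detected"].search(line)
        if m:
            s["nat_detected"] = m.group(1)
            continue
        m = PATTERNS["xauth_user"].search(line)
        if m:
            s["xauth_user"] = m.group(1)
            continue
        for flag in FLAGS:
            if PATTERNS[flag].search(line):
                s[flag] = True
    return s


def verdict(s):
    """Map a summary to a short code naming the first stage that did not complete."""
    if s["psk_missing"]:
        return "psk-lookup-failed"        # fix identifier / exchange mode / psk entry
    if s["phase1_failed"]:
        return "phase1-failed"            # proposal or authentication problem
    if s["phase2_established"]:
        return "tunnel-up"
    if s["phase1_established"] and s["xauth_user"]:
        return "phase1-and-xauth-ok-no-phase2"  # look at mode-config / phase 2 next
    if s["phase1_established"]:
        return "phase1-ok-xauth-incomplete"
    return "no-phase1"


if __name__ == "__main__":
    for name, text in (("first post", LOG_PHASE1_FAIL), ("last post", LOG_XAUTH_OK)):
        summary = triage(text)
        print(name, "->", verdict(summary), summary)
```

A missing "IPsec-SA established" line only proves that the posted excerpt stops before phase 2, not that phase 2 failed; but since the excerpt ends at the Xauth success, whatever stops the phone happens after phase 1, and the next capture should include the lines that follow it (mode-config reply and the phase 2 proposal exchange), ideally with racoon's log level raised.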

