IPsec from Android ICS to pfSense 2 problem
-
Hi,
I have a problem configuring IPsec from Android ICS to pfSense 2.0.1.
My error in the IPsec log is this:
May 11 10:40:00 racoon: [xxxxx] ERROR: phase1 negotiation failed.
May 11 10:40:00 racoon: [xxxxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
May 11 10:40:00 racoon: [xxxxx] ERROR: couldn't find the pskey for xxxx.

My configuration is this:

pfSense side: menu VPN -> IPsec -> tab Mobile clients
Enable IPsec mobile client support: checked
User authentication: system
Provide a virtual IP address to clients: checked
All other fields are empty and not checked.

pfSense side: phase 1
Authentication method: Mutual PSK + Xauth
Negotiation mode: main
My identifier: My IP address
Peer identifier: user distinguished name (example@mail.com)
Pre-Shared Key: 12345678
Policy generation: default
Proposal checking: obey
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
DH key group: 2
Lifetime: 86400
NAT Traversal: enable
Dead Peer Detection: enable (10 seconds, 5 retries)

pfSense side: phase 2
Mode: tunnel
Local network: LAN subnet
Protocol: ESP
Encryption algorithms: only AES 128 bits
Hash algorithms: SHA1
PFS key group: off
Lifetime: 28800

On my Android phone I select VPN type "IPsec Xauth PSK".
Can you help me?
Manuel
-
Hi,
Did you find anything for your problem?
I've got the same and it doesn't work either :'(
I read this without success: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
If not, does someone have an idea?
Thanks
-
I found it and it works:
Don't forget to create a user on pfSense and give that user the "User - VPN - IPsec xauth Dialin" privilege.
Android config:
Name: as you wish
Type: IPsec Xauth PSK
Address: your address
IPsec identifier: user@exemple.com
IPsec key: the key you put in "Pre-Shared Key" in phase 1
Nothing else…
-
Yes, it works now ;)
-
Question:
When I connect with Android to the IPsec VPN I can't access the internet. It works for all my LAN IPs but nothing for the internet.
I put my LAN DNS in my IPsec config but it doesn't work either… :'(
Any ideas ?
-
Solved again:
Create a floating rule to allow TCP/UDP 53 from the IPsec interface.
It works, but I don't understand what a floating rule is.
Do you know?
Thanks
-
Hi,
Need help, I followed everything like the posts above..
but my ICS still cannot connect to pfSense IPsec. Below is the log:
Jul 12 08:43:45 10.10.20.1 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>36.37.233.249[23187]
Jul 12 08:43:45 10.10.20.1 racoon: INFO: begin Aggressive mode.
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: RFC 3947
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 12 08:43:45 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 12 08:43:46 10.10.20.1 racoon: INFO: received Vendor ID: DPD
Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Selected NAT-T version: RFC 3947
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding remote and local NAT-D payloads.
Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: Hashing 36.37.233.249[23187] with algo #2 (NAT-T forced)
Jul 12 08:43:46 10.10.20.1 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #2 (NAT-T forced)
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Adding xauth VID payload.
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-T: ports changed to: 36.37.233.249[24964]<->x.x.x.x[4500]
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #0 doesn't match
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT-D payload #1 doesn't match
Jul 12 08:43:46 10.10.20.1 racoon: INFO: NAT detected: ME PEER
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Sending Xauth request
Jul 12 08:43:46 10.10.20.1 racoon: INFO: ISAKMP-SA established x.x.x.x[4500]-36.37.233.249[24964] spi:e873490ee429fe8e:8d3f55d60b590232
Jul 12 08:43:46 10.10.20.1 racoon: [36.37.233.249] INFO: received INITIAL-CONTACT
Jul 12 08:43:46 10.10.20.1 racoon: INFO: Using port 0
Jul 12 08:43:46 10.10.20.1 racoon: INFO: login succeeded for user "test"
Could someone help me…
On the other hand... my iPhone and iPad can connect perfectly.
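Pulling the thread together, here is a small triage script (an added example, not code from pfSense, racoon or any of the posters) that does two things the posts above do by hand: it looks up a client identifier in a psk.txt the way racoon does, so the first post's "couldn't find the pskey" error is reproduced by sending user@exemple.com when the file holds user@example.com; and it classifies racoon log lines like the ones quoted in the first and last posts into a failure stage (PSK lookup, Phase 1, Xauth, Phase 2) with the check the thread's fixes suggest. The psk.txt text and both log samples are constructed for the example, with RFC 5737 addresses in place of the posters' IPs; the racoon messages marked "assumed" in the RULES table do not appear in this thread and are included only so the script also recognises a failed Xauth login and a completed Phase 2.

```python
"""Triage for racoon (ipsec-tools) IKEv1 logs from a pfSense mobile IPsec
(Xauth + PSK) setup.  Added example, not pfSense or forum code; the
psk.txt text and both log samples are constructed from the thread."""
import re

# psk.txt in racoon's format: "<identifier> <key>", '#' starts a comment.
# pfSense writes the Phase 1 peer identifier and pre-shared key here
# (assumed sample content; the key is the one from the first post).
PSK_TXT = """\
# identifier        key
user@example.com    12345678
"""


def load_psk(text):
    """Parse psk.txt into {identifier: key} (string identifiers only)."""
    keys = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            keys[parts[0]] = parts[1].strip()
    return keys


def lookup_psk(keys, peer_id):
    """Exact match on the ID payload the client sent.  None is the case
    racoon logs as "couldn't find the pskey for <id>"."""
    return keys.get(peer_id)


# (regex, tag).  Messages marked "thread" are quoted in the posts above;
# those marked "assumed" are racoon messages not shown in this thread.
RULES = [
    (r"couldn't find the pskey for (\S+)", "psk_missing"),   # thread
    (r"phase1 negotiation failed", "ph1_failed"),            # thread
    (r"begin Aggressive mode", "aggressive"),                # thread
    (r"begin Identity Protection mode", "main_mode"),        # assumed
    (r"NAT detected: (.+)$", "nat"),                         # thread
    (r"ISAKMP-SA established", "ph1_ok"),                    # thread
    (r'login succeeded for user "([^"]+)"', "xauth_ok"),     # thread
    (r'login failed for user "([^"]+)"', "xauth_failed"),    # assumed
    (r"IPsec-SA established", "ph2_ok"),                     # assumed
]


def scan(lines):
    """Return {tag: captured value or True}, keeping the first hit per tag."""
    seen = {}
    for line in lines:
        for pattern, tag in RULES:
            m = re.search(pattern, line)
            if m:
                seen.setdefault(tag, m.group(1).rstrip(".") if m.groups() else True)
    return seen


def verdict(seen):
    """Reduce the scan to (stage, detail), most specific failure first."""
    if "psk_missing" in seen:
        return ("psk_lookup_failed", seen["psk_missing"])
    if "xauth_failed" in seen:
        return ("xauth_failed", seen["xauth_failed"])
    if "ph1_failed" in seen:
        return ("phase1_failed", None)
    if "ph2_ok" in seen:
        return ("tunnel_up", seen.get("xauth_ok"))
    if "ph1_ok" in seen and "xauth_ok" in seen:
        return ("phase1_and_xauth_ok_no_phase2", seen["xauth_ok"])
    return ("undetermined", None)


HINTS = {
    "psk_lookup_failed": "Identifier not in psk.txt; the Android 'IPsec identifier' must equal the Phase 1 peer identifier.",
    "xauth_failed": "Check the Xauth password and that the pfSense user has the 'User - VPN - IPsec xauth Dialin' privilege.",
    "phase1_failed": "Phase 1 did not complete; compare encryption, hash and DH group with what the client proposes.",
    "phase1_and_xauth_ok_no_phase2": "Phase 1 and Xauth passed; check the mode-config address pool and the Phase 2 proposal next.",
    "tunnel_up": "Tunnel is up; if traffic still fails check the IPsec firewall rules and DNS for the mobile pool.",
}


def triage(lines):
    """(stage, detail, hint) for one client's log excerpt."""
    stage, detail = verdict(scan(lines))
    return stage, detail, HINTS.get(stage, "No known pattern matched.")


# Constructed from the first post's log (identifier filled in, RFC 5737 IP).
LOG_PSK_MISMATCH = [
    "May 11 10:40:00 racoon: [198.51.100.7] ERROR: phase1 negotiation failed.",
    "May 11 10:40:00 racoon: [198.51.100.7] ERROR: failed to process ph1 packet (side: 1, status: 4).",
    "May 11 10:40:00 racoon: [198.51.100.7] ERROR: couldn't find the pskey for user@exemple.com.",
]

# Constructed from the last post's log, shortened to the decisive lines.
LOG_XAUTH_OK = [
    "Jul 12 08:43:45 racoon: INFO: begin Aggressive mode.",
    "Jul 12 08:43:46 racoon: INFO: NAT detected: ME PEER",
    "Jul 12 08:43:46 racoon: INFO: Sending Xauth request",
    "Jul 12 08:43:46 racoon: INFO: ISAKMP-SA established 192.0.2.1[4500]-198.51.100.7[24964] spi:e873490ee429fe8e:8d3f55d60b590232",
    'Jul 12 08:43:46 racoon: INFO: login succeeded for user "test"',
]

if __name__ == "__main__":
    print("lookup user@exemple.com ->", lookup_psk(load_psk(PSK_TXT), "user@exemple.com"))
    for name, log in (("first post", LOG_PSK_MISMATCH), ("last post", LOG_XAUTH_OK)):
        print(name, "->", triage(log))
```

The last post's log also shows why the Android client has to be keyed by identifier: it starts Aggressive mode, which sends the ID payload in the first message so racoon can pick the pre-shared key by identifier. In main mode with a PSK the responder has to choose the key by the peer's source address, which does not work for roaming clients. The cost of Aggressive mode is that the responder's PSK-derived hash goes on the wire unencrypted, so anyone who can capture or trigger the exchange can brute-force a short key offline; an eight-digit key like the one in the first post should be replaced by a long random string before this setup is exposed to the internet.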