IPSEC & SIP registering through VPN on iPhone



  • After successfully creating and configuring my IPSEC VPN and being able to connect to my local LAN, I'm having some issues with the IPSEC VPN on iPhone, as it sometimes works and other times it doesn't.

    When I first connect I get the following:

    Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
    Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: RFC 3947
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: CISCO-UNITY
    Sep 5 09:39:42 racoon: INFO: received Vendor ID: DPD
    Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Selected NAT-T version: RFC 3947
    Sep 5 09:39:42 racoon: INFO: Adding remote and local NAT-D payloads.
    Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Hashing 188.58.2.94[15639] with algo #2 (NAT-T forced)
    Sep 5 09:39:42 racoon: [Self]: [92.x.95.x] INFO: Hashing 92.x.95.x[500] with algo #2 (NAT-T forced)
    Sep 5 09:39:42 racoon: INFO: Adding xauth VID payload.
    Sep 5 09:39:43 racoon: [Self]: INFO: NAT-T: ports changed to: 188.58.2.94[15604]<->92.x.95.x[4500]
    Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
    Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
    Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
    Sep 5 09:39:43 racoon: INFO: Sending Xauth request
    Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
    Sep 5 09:39:43 racoon: INFO: Using port 0
    Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
    Sep 5 09:39:44 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Sep 5 09:39:44 racoon: ERROR: Cannot open "/etc/motd"
    Sep 5 09:39:44 racoon: WARNING: Ignored attribute 28683
    Sep 5 09:39:46 racoon: [Self]: INFO: respond new phase 2 negotiation: 92.x.95.x[4500]<=>188.58.2.94[15604]
    Sep 5 09:39:46 racoon: INFO: no policy found, try to generate the policy : 172.16.254.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Sep 5 09:39:46 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Sep 5 09:39:46 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
    Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)

    Then it takes around 2 minutes until it tries to connect (using Bria on the iPhone for SIP REGISTER), and it starts connecting.

    Later on, if I leave my iPhone for a while (5 mins) and get back to the Bria app, the phone can't register and the same issue happens, but this time it won't work at all until I restart the racoon service on pfSense.

    Is there any way to find out what's causing this issue?

    Here's my Phase 1 configuration.

    Authentication method: Mutual PSK + Xauth
    Negotiation mode: Aggressive
    My identifier: My IP address
    Peer identifier: Distinguished Name : Name
    Pre-Shared Key
    Policy Generation: default
    Proposal Checking: default
    Encryption algorithm: AES 128 bits
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 28800 seconds

    Advanced Options
    NAT Traversal: Force
    Dead Peer Detection: Enabled
    Delay between requesting peer acknowledgement: 10 seconds
    Number of consecutive failures allowed before disconnect: 5 retries

    Here's my Phase 2 configuration.

    Mode: Tunnel
    Local Network Type: Network
    Address: 192.168.1.0/24

    Phase 2 proposal (SA/Key Exchange)
    Protocol: ESP (ESP is encryption, AH is authentication only)
    Encryption algorithms: AES 128 bits
    Hash algorithms: SHA1
    PFS key group: off
    Lifetime: 3600 seconds


    My Mobile Clients configuration.

    Extended Authentication (Xauth)
    User Authentication Source: System
    Group Authentication Source: System
    Client Configuration (mode-cfg)
    Virtual Address Pool: Provide a virtual IP address to clients
    Network: 172.16.254.0/24
    Network List: unticked
    Save Xauth Password: ticked
    DNS Default Domain: 192.168.1.5 (my internal DNS)
    DNS Servers: Provide a DNS server list to clients
    Server #1: external DNS
    Nothing else selected below.
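To read a negotiation like the one pasted above, here is an added example (my own, not from the post or from pfSense) that parses racoon log lines into a timeline plus review findings; the sample log is a constructed subset of the lines quoted above, and the result's field names are my own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
Sep 5 09:39:46 racoon: INFO: no policy found, try to generate the policy : 172.16.254.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)
"""
# racoon puts zero or more "[Self]:" / "[peer-ip]" tags between the daemon name and the level.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?:\[[^\]]*\]:? )*"
                     r"(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")

def analyze(log_text):
    # Summarise one mobile-client negotiation: peer, mode, timings, and points worth reviewing.
    s = {"peer": None, "mode": None, "natd_mismatch": 0, "nat": None, "xauth_user": None,
         "phase1_secs": None, "phase2_secs": None, "client_ip": None, "spis": [], "findings": []}
    t0, ic_error = None, False  # t0 = start of phase 1; seconds below are measured from it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]
        if "phase 1 negotiation:" in msg:
            s["peer"], t0 = re.search(r"<=>([\w.]+)\[", msg).group(1), when
        elif msg.startswith("begin "): s["mode"] = msg.split()[1]
        elif "NAT-D payload" in msg and "doesn't match" in msg: s["natd_mismatch"] += 1
        elif msg.startswith("NAT detected: "): s["nat"] = msg[len("NAT detected: "):]
        elif msg.startswith("ISAKMP-SA established"): s["phase1_secs"] = (when - t0).total_seconds()
        elif msg.startswith("login succeeded for user"): s["xauth_user"] = msg.split('"')[1]
        elif "generate the policy" in msg: s["client_ip"] = re.search(r": ([\d.]+)/", msg).group(1)
        elif msg.startswith("IPsec-SA established"):
            s["spis"].append(re.search(r"\((0x[0-9a-f]+)\)", msg).group(1))  # one SPI per direction
            s["phase2_secs"] = (when - t0).total_seconds()
        elif m["level"] == "ERROR" and "INITIAL-CONTACT" in msg: ic_error = True
    if s["mode"] == "Aggressive":
        s["findings"].append("Aggressive mode with PSK sends the identity and a PSK-derived hash in the clear; use a long random PSK or certificates")
    if s["natd_mismatch"] and s["nat"] == "ME PEER":
        s["findings"].append("NAT-D mismatch on both ends is what NAT Traversal = Force produces ('NAT-T forced' hashing); it is not itself the fault")
    if ic_error and s["phase1_secs"] is not None:
        s["findings"].append("INITIAL-CONTACT was logged as ERROR in the aggressive exchange, but phase 1 still completed")
    return s
```

Running analyze(SAMPLE_LOG) on the constructed excerpt reports phase 1 complete 1 s after it started and the ESP SAs 4 s after, with three review findings.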



  • I got it solved ;D ;D ;D. In Phase 1, in Advanced Options, I switched NAT Traversal from Forced to Enabled,
    then disabled Dead Peer Detection.

    I have also used 3DES for the encryption algorithm. Now my mobile is connected to the VPN 24/7 and does not DC at all.

