IPSEC & SIP registering through VPN on iPhone

moh10ly

After successfully creating and configuring my IPSEC vpn and was able to connect to my local LAN, i'm having some issues with IPSEC VPN on iPhone as it sometimes work and other times it doesn't.

When I first connect i get the following :

Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
Sep 5 09:39:42 racoon: INFO: received Vendor ID: RFC 3947
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 5 09:39:42 racoon: INFO: received Vendor ID: CISCO-UNITY
Sep 5 09:39:42 racoon: INFO: received Vendor ID: DPD
Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Selected NAT-T version: RFC 3947
Sep 5 09:39:42 racoon: INFO: Adding remote and local NAT-D payloads.
Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Hashing 188.58.2.94[15639] with algo #2 (NAT-T forced)
Sep 5 09:39:42 racoon: [Self]: [92.x.95.x] INFO: Hashing 92.x.95.x[500] with algo #2 (NAT-T forced)
Sep 5 09:39:42 racoon: INFO: Adding xauth VID payload.
Sep 5 09:39:43 racoon: [Self]: INFO: NAT-T: ports changed to: 188.58.2.94[15604]<->92.x.95.x[4500]
Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
Sep 5 09:39:43 racoon: INFO: Sending Xauth request
Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
Sep 5 09:39:43 racoon: INFO: Using port 0
Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
Sep 5 09:39:44 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Sep 5 09:39:44 racoon: ERROR: Cannot open "/etc/motd"
Sep 5 09:39:44 racoon: WARNING: Ignored attribute 28683
Sep 5 09:39:46 racoon: [Self]: INFO: respond new phase 2 negotiation: 92.x.95.x[4500]<=>188.58.2.94[15604]
Sep 5 09:39:46 racoon: INFO: no policy found, try to generate the policy : 172.16.254.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Sep 5 09:39:46 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Sep 5 09:39:46 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)

Then it takes around 2 minutes until it tries to connect (using Bria on iPhone for SIP Register) and it starts connecting.

Later on if I leave my iPhone for a while (5mins) and get back to bria app, the phone can't register and the same issue happens but this time it won't work at all until I restart the Racoon service on Pfsense.

Is there anyway to find out what's causing this issue?

here's my Phase1 configuration.

Authentication method   Mutual PSK + Xauth

Negotiation mode Aggressive

My identifier My IP address
Peer identifier   Distinguished Name : Name

Pre-Shared Key

Policy Generation default

Proposal Checking default

Encryption algorithm   AES 128bits

Hash algorithm SHA1

DH key group = 2

Lifetime 28800 seconds

Advanced Options
NAT Traversal   Force

Dead Peer Detection Enabled

10 seconds
Delay between requesting peer acknowledgement.

5 retries
Number of consecutive failures allowed before disconnect.

here's my Phase2 configuration.

Mode tunnel
Local Network Type:= Network
Address 192.168.1.0/24

Phase 2 proposal (SA/Key Exchange)

Protocol ESP
ESP is encryption, AH is authentication only
Encryption algorithms
AES   128bits

Hash algorithms SHA1

PFS key group =  off
3600
Lifetime seconds

–
My Mobile Clients configuration.

Extended Authentication (Xauth)
User Authentication Source:    System
Group Authentication Source:    System
Client Configuration (mode-cfg)
Virtual Address Pool
Provide a virtual IP address to clients
Network:    /  172.16.254.0/24
Network List Unticked
Save Xauth Password Ticked

DNS Default Domain
192.168.1.5 <my internal="" dns<br="">DNS Servers
Provide a DNS server list to clients
Server #1:  external DNS
Nothing else selected below</my>

moh10ly

I got it solved  ;D ;D ;D in phase 1 in advanced option I switched NAT Traversal from forced to Enabled.
then disabled Dead Peer Detection.

I have also used 3DES for Encryption algorithm now my mobile is connected to VPN 24/7 and is not DC at all.