Netgate Discussion Forum
    IPSEC & SIP registering through VPN on iPhone

    moh10ly

      After successfully creating and configuring my IPSEC VPN and being able to connect to my local LAN, I'm having some issues with the IPSEC VPN on iPhone, as it sometimes works and other times it doesn't.

      When I first connect I get the following:

      Sep 5 09:39:42 racoon: [Self]: INFO: respond new phase 1 negotiation: 92.x.95.x[500]<=>188.58.2.94[15639]
      Sep 5 09:39:42 racoon: INFO: begin Aggressive mode.
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: RFC 3947
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: CISCO-UNITY
      Sep 5 09:39:42 racoon: INFO: received Vendor ID: DPD
      Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Selected NAT-T version: RFC 3947
      Sep 5 09:39:42 racoon: INFO: Adding remote and local NAT-D payloads.
      Sep 5 09:39:42 racoon: [188.58.2.94] INFO: Hashing 188.58.2.94[15639] with algo #2 (NAT-T forced)
      Sep 5 09:39:42 racoon: [Self]: [92.x.95.x] INFO: Hashing 92.x.95.x[500] with algo #2 (NAT-T forced)
      Sep 5 09:39:42 racoon: INFO: Adding xauth VID payload.
      Sep 5 09:39:43 racoon: [Self]: INFO: NAT-T: ports changed to: 188.58.2.94[15604]<->92.x.95.x[4500]
      Sep 5 09:39:43 racoon: INFO: NAT-D payload #0 doesn't match
      Sep 5 09:39:43 racoon: INFO: NAT-D payload #1 doesn't match
      Sep 5 09:39:43 racoon: [188.58.2.94] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Sep 5 09:39:43 racoon: INFO: NAT detected: ME PEER
      Sep 5 09:39:43 racoon: INFO: Sending Xauth request
      Sep 5 09:39:43 racoon: [Self]: INFO: ISAKMP-SA established 92.x.95.x[4500]-188.58.2.94[15604] spi:565009b806b53ba5:15884ff281fe3f4f
      Sep 5 09:39:43 racoon: INFO: Using port 0
      Sep 5 09:39:43 racoon: INFO: login succeeded for user "ipsec"
      Sep 5 09:39:44 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Sep 5 09:39:44 racoon: ERROR: Cannot open "/etc/motd"
      Sep 5 09:39:44 racoon: WARNING: Ignored attribute 28683
      Sep 5 09:39:46 racoon: [Self]: INFO: respond new phase 2 negotiation: 92.x.95.x[4500]<=>188.58.2.94[15604]
      Sep 5 09:39:46 racoon: INFO: no policy found, try to generate the policy : 172.16.254.1/32[0] 0.0.0.0/0[0] proto=any dir=in
      Sep 5 09:39:46 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Sep 5 09:39:46 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=11382647(0xadaf77)
      Sep 5 09:39:46 racoon: [Self]: INFO: IPsec-SA established: ESP 92.x.95.x[500]->188.58.2.94[500] spi=163623664(0x9c0b2f0)

      Then it takes around 2 minutes until it tries to connect (using Bria on iPhone for SIP Register) and it starts connecting.

      Later on, if I leave my iPhone for a while (5 mins) and get back to the Bria app, the phone can't register and the same issue happens, but this time it won't work at all until I restart the racoon service on pfSense.

      Is there any way to find out what's causing this issue?

      Here's my Phase 1 configuration.

      Authentication method   Mutual PSK + Xauth

      Negotiation mode Aggressive

      My identifier My IP address
      Peer identifier   Distinguished Name : Name

      Pre-Shared Key

      Policy Generation default

      Proposal Checking default

      Encryption algorithm   AES 128bits

      Hash algorithm SHA1

      DH key group = 2

      Lifetime 28800 seconds

      Advanced Options
      NAT Traversal   Force

      Dead Peer Detection Enabled

      10 seconds
      Delay between requesting peer acknowledgement.

      5 retries
      Number of consecutive failures allowed before disconnect.

      Here's my Phase 2 configuration.

      Mode tunnel
      Local Network Type: Network
      Address 192.168.1.0/24

      Phase 2 proposal (SA/Key Exchange)

      Protocol ESP
      ESP is encryption, AH is authentication only
      Encryption algorithms
      AES   128bits

      Hash algorithms SHA1

      PFS key group = off

      Lifetime 3600 seconds

      My Mobile Clients configuration.

      Extended Authentication (Xauth)
      User Authentication Source:    System
      Group Authentication Source:    System
      Client Configuration (mode-cfg)
      Virtual Address Pool
      Provide a virtual IP address to clients
      Network:    /  172.16.254.0/24
      Network List Unticked
      Save Xauth Password Ticked

      DNS Default Domain
      192.168.1.5 <my internal DNS>
      DNS Servers
      Provide a DNS server list to clients
      Server #1: external DNS
      Nothing else selected below

      Power is Knowledge.

      moh10ly

        I got it solved ;D ;D ;D. In Phase 1, under advanced options, I switched NAT Traversal from Force to Enabled,
        then disabled Dead Peer Detection.

        I have also used 3DES for the encryption algorithm; now my mobile is connected to the VPN 24/7 and is not disconnected at all.

        Power is Knowledge.
