IPsec NAT-T not working for iPad



  • Hi,

    I can successfully set up pfSense 2.01 + IPsec with an iPad client. Everything was fine except when I changed the NAT-T option from disable to force.

    My iPad simply could not connect to the pfSense IPsec server. On the iPad side, I got "Negotiation with the VPN server failed", while on the pfSense side I got:

    Dec 17 12:53:55 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x500<=>x.x.x.x416
    Dec 17 12:53:55 racoon: INFO: begin Aggressive mode.
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: RFC 3947
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 17 12:53:55 racoon: INFO: received Vendor ID: DPD
    Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
    Dec 17 12:53:55 racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Hashing x.x.x.x416 with algo #2 (NAT-T forced)
    Dec 17 12:53:55 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x500 with algo #2 (NAT-T forced)
    Dec 17 12:53:55 racoon: INFO: Adding xauth VID payload.
    Dec 17 12:54:45 racoon: ERROR: phase1 negotiation failed due to time up. 8bf9798df84feaab:aae7d6c48a2c2c0d

    Can anyone help me to correct this?



  • I do not know which instructions you are using.

    I am using this:

    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    It works fine for tunneling, but I'm unable to access my internal network. Maybe it will help you out. If you figure out how to access the intranet side please let me know.



  • Yesterday I set up my iPad to our 2.01 and I can log in to our office. But I can't exchange a single packet with the LAN…

    This is what I see in the IPsec log:

    Dec 19 09:50:35 	racoon: ERROR: pfkey ADD failed: Invalid argument
    Dec 19 09:50:35 	racoon: ERROR: pfkey UPDATE failed: Invalid argument
    Dec 19 09:50:35 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Dec 19 09:50:35 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Dec 19 09:50:35 	racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Dec 19 09:50:35 	racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197]
    Dec 19 09:50:34 	racoon: WARNING: Ignored attribute 28683
    Dec 19 09:50:34 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Dec 19 09:50:32 	racoon: INFO: login succeeded for user "mirco"
    Dec 19 09:50:32 	racoon: INFO: Using port 0
    Dec 19 09:50:20 	racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
    Dec 19 09:50:20 	racoon: INFO: Sending Xauth request
    Dec 19 09:50:20 	racoon: INFO: NAT detected: ME PEER
    Dec 19 09:50:20 	racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    Dec 19 09:50:20 	racoon: INFO: NAT-D payload #1 doesn't match
    Dec 19 09:50:20 	racoon: INFO: NAT-D payload #0 doesn't match
    Dec 19 09:50:20 	racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500]
    Dec 19 09:50:19 	racoon: INFO: Adding xauth VID payload.
    Dec 19 09:50:19 	racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced)
    Dec 19 09:50:19 	racoon: INFO: Adding remote and local NAT-D payloads.
    Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: DPD
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Dec 19 09:50:19 	racoon: INFO: received Vendor ID: RFC 3947
    Dec 19 09:50:19 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Dec 19 09:50:19 	racoon: INFO: begin Aggressive mode.
    Dec 19 09:50:19 	racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500]
    Dec 19 09:49:58 	racoon: INFO: Released port 0
    Dec 19 09:49:58 	racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f
    Dec 19 09:49:58 	racoon: INFO: deleting a generated policy.
    Dec 19 09:49:58 	racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.
    Dec 19 09:49:58 	racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.

    And the filter log only recognises my iPad because our Zarafa server is trying to access it on the old external 3G IP.

    When trying to test the connection by accessing an internal web server by IP, all I get is a timeout… And yes, I've set up an any<>any rule for the IPsec interface!

    Greetz
    Mircsicz

    Edit: I followed this doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and, as I'm on an ALIX, I suffer from the glxsb driver problem from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html, so after disabling glxsb it works as expected...
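As an added example, not code from the thread or from pfSense: a small Python summarizer for racoon log lines of the kind quoted in the first and third posts, so the phase 1 timeout, NAT-D mismatch and pfkey failures can be counted per connection attempt instead of read by eye. The sample lines are constructed from the quoted logs (both the plain and the tab-separated layout), and the finding names and diagnosis wording are my own labels, not racoon's.

```python
import re
from collections import Counter

# Constructed samples, modelled on the two logs quoted in the thread: the first
# post's plain layout and the third post's tab-separated layout (newest first).
SAMPLE_DEC17 = """\
Dec 17 12:53:55 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x500<=>x.x.x.x416
Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Hashing x.x.x.x416 with algo #2 (NAT-T forced)
Dec 17 12:54:45 racoon: ERROR: phase1 negotiation failed due to time up. 8bf9798df84feaab:aae7d6c48a2c2c0d
"""
SAMPLE_DEC19 = """\
Dec 19 09:50:35 \tracoon: ERROR: pfkey ADD failed: Invalid argument
Dec 19 09:50:35 \tracoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Dec 19 09:50:20 \tracoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
Dec 19 09:50:20 \tracoon: INFO: NAT detected: ME PEER
Dec 19 09:50:20 \tracoon: INFO: NAT-D payload #0 doesn't match
"""
# Timestamp, then any number of "[Self]:" / "[peer]" prefixes, then level and message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: "
                     r"(?:\[[^\]]*\]:? )*(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")
# Message patterns -> finding names (my own labels, not racoon terminology).
FINDINGS = [
    (r"phase1 negotiation failed due to time up", "phase1_timeout"),
    (r"ISAKMP-SA established", "phase1_established"),
    (r"\(NAT-T forced\)", "natt_forced"),
    (r"NAT detected: ", "nat_detected"),
    (r"NAT-D payload #\d+ doesn't match", "natd_mismatch"),
    (r"pfkey (ADD|UPDATE) failed", "pfkey_failed"),
    (r"Adjusting my encmode UDP-Tunnel->Tunnel", "encmode_downgraded"),
]

def parse_line(line):
    """Return (timestamp, level, message) for a racoon line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return (m["ts"], m["level"], m["msg"]) if m else None
def summarize(text):
    """Count findings over one connection attempt's lines; line order is irrelevant."""
    msgs = [p[2] for p in map(parse_line, text.splitlines()) if p]
    return Counter(name for msg in msgs for pat, name in FINDINGS if re.search(pat, msg))

def diagnose(counts):
    """Evidence-bound statements about what the counted lines show."""
    notes = []
    if counts["phase1_timeout"] and counts["natt_forced"] and not counts["nat_detected"]:
        notes.append("phase 1 timed out with NAT-T forced and no NAT detected on either side")
    if counts["phase1_established"] and counts["pfkey_failed"]:
        notes.append("IKE completed but the kernel rejected the SA (pfkey failed), so no traffic can flow")
    if counts["encmode_downgraded"]:
        notes.append("encapsulation mode was adjusted from UDP-Tunnel to plain Tunnel")
    return notes
```

Feed it `/var/log/ipsec.log` (or the IPsec log copied from the web GUI) one attempt at a time; a successful attempt should produce `phase1_established` with no `pfkey_failed` and an empty diagnosis.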

