IPSec NAT-T not work for iPad

chuchusteve

Hi,

I can successful setup pfsense 2.01 + ipsec with iPad client. Everything was fine except when I changed the NAT-T option from disable to force.

My ipad simply could not connect the the pfsense IPsec server. On he ipad side, I got an "Negotiation with the VPN server failed", while on the pfsense side, I got :

Dec 17 12:53:55 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x500<=>x.x.x.x416
Dec 17 12:53:55 racoon: INFO: begin Aggressive mode.
Dec 17 12:53:55 racoon: INFO: received Vendor ID: RFC 3947
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 17 12:53:55 racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 17 12:53:55 racoon: INFO: received Vendor ID: DPD
Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
Dec 17 12:53:55 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Hashing x.x.x.x416 with algo #2 (NAT-T forced)
Dec 17 12:53:55 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x500 with algo #2 (NAT-T forced)
Dec 17 12:53:55 racoon: INFO: Adding xauth VID payload.
Dec 17 12:54:45 racoon: ERROR: phase1 negotiation failed due to time up. 8bf9798df84feaab:aae7d6c48a2c2c0d

Can anyone help me to correct his ?

bmmcwhirt

I do not know which instructions you are using.

I am using this:

http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

It works fine for tunneling, but I'm unable to access my internal network. Maybe it will help you out. If you figure out how to access the intranet side please let me know.

mircsicz

Yesterday I setup my iPad to our 2.01 and I can login to our office. But I can't exchange a single package with the LAN…

This is what I see in the IPsec log:

Dec 19 09:50:35 	racoon: ERROR: pfkey ADD failed: Invalid argument
Dec 19 09:50:35 	racoon: ERROR: pfkey UPDATE failed: Invalid argument
Dec 19 09:50:35 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Dec 19 09:50:35 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Dec 19 09:50:35 	racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Dec 19 09:50:35 	racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197]
Dec 19 09:50:34 	racoon: WARNING: Ignored attribute 28683
Dec 19 09:50:34 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Dec 19 09:50:32 	racoon: INFO: login succeeded for user "mirco"
Dec 19 09:50:32 	racoon: INFO: Using port 0
Dec 19 09:50:20 	racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
Dec 19 09:50:20 	racoon: INFO: Sending Xauth request
Dec 19 09:50:20 	racoon: INFO: NAT detected: ME PEER
Dec 19 09:50:20 	racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Dec 19 09:50:20 	racoon: INFO: NAT-D payload #1 doesn't match
Dec 19 09:50:20 	racoon: INFO: NAT-D payload #0 doesn't match
Dec 19 09:50:20 	racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500]
Dec 19 09:50:19 	racoon: INFO: Adding xauth VID payload.
Dec 19 09:50:19 	racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced)
Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced)
Dec 19 09:50:19 	racoon: INFO: Adding remote and local NAT-D payloads.
Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: DPD
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Dec 19 09:50:19 	racoon: INFO: received Vendor ID: RFC 3947
Dec 19 09:50:19 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 19 09:50:19 	racoon: INFO: begin Aggressive mode.
Dec 19 09:50:19 	racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500]
Dec 19 09:49:58 	racoon: INFO: Released port 0
Dec 19 09:49:58 	racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f
Dec 19 09:49:58 	racoon: INFO: deleting a generated policy.
Dec 19 09:49:58 	racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.
Dec 19 09:49:58 	racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.

And the filter log does only recognise my iPad because our Zarafa Server is trying to access it on the old extern 3G-IP

When trying to test the connection by accessing an internal Webserver by IP all I get is a timeout… And yes I've setup an any<>any rule for the IPsec interface!

Greetz
Mircsicz

Edit: I followed this Doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and as I'm on an ALIX I suffer from the glxsb driver prob from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html so after disabling glxsb it work's as expected...