Netgate Discussion Forum

    IPSec NAT-T not work for iPad

    Category: IPsec | 3 Posts, 3 Posters, 3.0k Views
      chuchusteve

      Hi,

      I can successfully set up pfSense 2.01 + IPsec with an iPad client. Everything was fine except when I changed the NAT-T option from Disable to Force.

      My iPad simply could not connect to the pfSense IPsec server. On the iPad side, I got a "Negotiation with the VPN server failed", while on the pfSense side, I got:

      Dec 17 12:53:55 racoon: [Self]: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[416]
      Dec 17 12:53:55 racoon: INFO: begin Aggressive mode.
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: RFC 3947
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: CISCO-UNITY
      Dec 17 12:53:55 racoon: INFO: received Vendor ID: DPD
      Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Selected NAT-T version: RFC 3947
      Dec 17 12:53:55 racoon: INFO: Adding remote and local NAT-D payloads.
      Dec 17 12:53:55 racoon: [x.x.x.x] INFO: Hashing x.x.x.x[416] with algo #2 (NAT-T forced)
      Dec 17 12:53:55 racoon: [Self]: [x.x.x.x] INFO: Hashing x.x.x.x[500] with algo #2 (NAT-T forced)
      Dec 17 12:53:55 racoon: INFO: Adding xauth VID payload.
      Dec 17 12:54:45 racoon: ERROR: phase1 negotiation failed due to time up. 8bf9798df84feaab:aae7d6c48a2c2c0d

      Can anyone help me to correct this?

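The log above shows the two steps of RFC 3947 NAT traversal detection: racoon adds NAT-D payloads and hashes each address and port "with algo #2" (in the IKEv1 OAKLEY attribute table, hash algorithm 2 is SHA-1). The following is an added example, not code from this thread or from pfSense/racoon, that computes those NAT-D payloads and runs the comparison a responder performs to decide whether it, the peer, or both sit behind a NAT. All addresses (RFC 5737 test ranges), ports and ISAKMP cookies in it are constructed; it does not try to explain why the poster's phase 1 timed out.

```python
"""RFC 3947 NAT-D payloads: what racoon hashes when it logs
"Hashing a.b.c.d[500] with algo #2" and how the mismatch check yields
"NAT detected: ME PEER".

Added example, not code from the thread or from pfSense/racoon. Addresses are
from the RFC 5737 test ranges; the two ISAKMP cookies are made-up 8-byte values.
"""
import hashlib
import ipaddress
import struct

# IKEv1 (OAKLEY) hash algorithm attribute values: 1 = MD5, 2 = SHA-1.
# racoon's "algo #2" therefore means the NAT-D hashes are SHA-1.
OAKLEY_HASH = {1: "md5", 2: "sha1"}


def natd_payload(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: int = 2) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.

    CKY-I/CKY-R are the 8-byte ISAKMP cookies, IP is the packed address
    (4 bytes for IPv4, 16 for IPv6) and Port is 2 bytes in network byte order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(OAKLEY_HASH[algo], data).digest()


def send_natd(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port, algo=2):
    """NAT-D payloads a peer puts in its message, built from its own view of the addresses.

    RFC 3947: the first payload hashes the destination (the peer's address as the
    sender knows it); the remaining ones hash the sender's own address(es).
    """
    return [natd_payload(cky_i, cky_r, peer_ip, peer_port, algo),
            natd_payload(cky_i, cky_r, my_ip, my_port, algo)]


def detect_nat(received, cky_i, cky_r, my_ip, my_port, seen_peer_ip, seen_peer_port, algo=2):
    """Receiver side: recompute the hashes from the addresses actually seen on the wire.

    Payload #0 is the sender's idea of *our* address; if it differs from what we
    really use, our side was translated ("ME"). If none of the remaining payloads
    matches the packet's source address/port, the sender was translated ("PEER").
    racoon logs each failed comparison as "NAT-D payload #N doesn't match".
    """
    flags = []
    if received[0] != natd_payload(cky_i, cky_r, my_ip, my_port, algo):
        flags.append("ME")
    seen = natd_payload(cky_i, cky_r, seen_peer_ip, seen_peer_port, algo)
    if not any(h == seen for h in received[1:]):
        flags.append("PEER")
    return flags


def ike_port_after_detection(flags):
    """With NAT detected on either side, RFC 3947 peers float IKE (and ESP-in-UDP)
    to UDP 4500, racoon's "NAT-T: ports changed to ..." line; otherwise IKE stays on 500."""
    return 4500 if flags else 500


CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
GW = ("203.0.113.41", 500)                 # VPN gateway, public address (constructed)


def scenarios():
    """Three constructed exchanges, returned as {name: NAT flags the gateway computes}."""
    out = {}
    # iPad on a private LAN; its NAT rewrites 192.168.115.253:500 -> 198.51.100.7:26197.
    ipad = send_natd(CKY_I, CKY_R, "192.168.115.253", 500, *GW)
    out["client_behind_nat"] = detect_nat(ipad, CKY_I, CKY_R, *GW, "198.51.100.7", 26197)
    # Client with a public address and nothing rewritten on the path.
    direct = send_natd(CKY_I, CKY_R, "198.51.100.7", 500, *GW)
    out["no_nat"] = detect_nat(direct, CKY_I, CKY_R, *GW, "198.51.100.7", 500)
    # Gateway itself behind a 1:1 NAT (real address 10.0.0.41) and the client is too.
    out["both_behind_nat"] = detect_nat(ipad, CKY_I, CKY_R, "10.0.0.41", 500,
                                        "198.51.100.7", 26197)
    return out
```

The third scenario is the one that produces racoon's "NAT detected: ME PEER" wording; the first is the usual mobile-client case, where only the client's source was rewritten and both sides then move to UDP 4500.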
        bmmcwhirt

        I do not know which instructions you are using.

        I am using this:

        http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

        It works fine for tunneling, but I'm unable to access my internal network. Maybe it will help you out. If you figure out how to access the intranet side please let me know.

          mircsicz

          Yesterday I set up my iPad against our 2.01 and I can log in to our office. But I can't exchange a single packet with the LAN…

          This is what I see in the IPsec log:

          
          Dec 19 09:50:35 	racoon: ERROR: pfkey ADD failed: Invalid argument
          Dec 19 09:50:35 	racoon: ERROR: pfkey UPDATE failed: Invalid argument
          Dec 19 09:50:35 	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
          Dec 19 09:50:35 	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
          Dec 19 09:50:35 	racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 10.10.115.1/32[0] 0.0.0.0/0[0] proto=any dir=in
          Dec 19 09:50:35 	racoon: [Self]: INFO: respond new phase 2 negotiation: XXX.91.YY.41[4500]<=>80.187.106.225[26197]
          Dec 19 09:50:34 	racoon: WARNING: Ignored attribute 28683
          Dec 19 09:50:34 	racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
          Dec 19 09:50:32 	racoon: INFO: login succeeded for user "mirco"
          Dec 19 09:50:32 	racoon: INFO: Using port 0
          Dec 19 09:50:20 	racoon: [Self]: INFO: ISAKMP-SA established XXX.91.YY.41[4500]-80.187.106.225[26197] spi:82161d7a2a95cc61:cf66e0881b9324d2
          Dec 19 09:50:20 	racoon: INFO: Sending Xauth request
          Dec 19 09:50:20 	racoon: INFO: NAT detected: ME PEER
          Dec 19 09:50:20 	racoon: [80.187.106.225] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
          Dec 19 09:50:20 	racoon: INFO: NAT-D payload #1 doesn't match
          Dec 19 09:50:20 	racoon: INFO: NAT-D payload #0 doesn't match
          Dec 19 09:50:20 	racoon: [Self]: INFO: NAT-T: ports changed to: 80.187.106.225[26197]<->XXX.91.YY.41[4500]
          Dec 19 09:50:19 	racoon: INFO: Adding xauth VID payload.
          Dec 19 09:50:19 	racoon: [Self]: [XXX.91.YY.41] INFO: Hashing XXX.91.YY.41[500] with algo #2 (NAT-T forced)
          Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Hashing 80.187.106.225[500] with algo #2 (NAT-T forced)
          Dec 19 09:50:19 	racoon: INFO: Adding remote and local NAT-D payloads.
          Dec 19 09:50:19 	racoon: [80.187.106.225] INFO: Selected NAT-T version: RFC 3947
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: DPD
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: CISCO-UNITY
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
          Dec 19 09:50:19 	racoon: INFO: received Vendor ID: RFC 3947
          Dec 19 09:50:19 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Dec 19 09:50:19 	racoon: INFO: begin Aggressive mode.
          Dec 19 09:50:19 	racoon: [Self]: INFO: respond new phase 1 negotiation: XXX.91.YY.41[500]<=>80.187.106.225[500]
          Dec 19 09:49:58 	racoon: INFO: Released port 0
          Dec 19 09:49:58 	racoon: [Self]: INFO: ISAKMP-SA deleted XXX.91.YY.41[4500]-192.168.115.253[4500] spi:4eeff2d9004bf1d5:d1a4149da651122f
          Dec 19 09:49:58 	racoon: INFO: deleting a generated policy.
          Dec 19 09:49:58 	racoon: INFO: purged ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.
          Dec 19 09:49:58 	racoon: INFO: purging ISAKMP-SA spi=4eeff2d9004bf1d5:d1a4149da651122f:000034a2.

          And the filter log only recognises my iPad because our Zarafa server is trying to reach it on its old external 3G IP.

          When trying to test the connection by accessing an internal web server by IP, all I get is a timeout… And yes, I've set up an any<>any rule on the IPsec interface!

          Greetz
          Mircsicz

          Edit: I followed this doc: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 and as I'm on an ALIX I suffer from the glxsb driver problem from this thread: http://forum.pfsense.org/index.php/topic,56289.0.html so after disabling glxsb it works as expected...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.