Mobile IPsec problem with iOS client
- 
 I've noticed similar issues with my setup since I upgraded to 2.02. I can connect as many times as I want, but after the first connection, I can no longer connect to any of the hosts on my LAN. This also applies to connections made from my Ubuntu laptop. I followed the IPsec mobile tutorial as well. Rebooting pfsense fixes the problem. 
- 
 Hello. I'm confirming exactly the same behavior after upgrade to 2.0.2. On 2.0.1 Mobile IPSec worked as expected. Enabling/disabling the Mobile IPSec tunnel does not help. Restarting racoon helps, but this is not an option, since I have multiple site to site IPsec connections running. 
- 
 UPDATE: Fixed and working: YOU HAVE TO REBOOT YOUR MOBILE AFTER INSTALLATION THE SCREWSOFT CLIENT (I did'nt do that) 
 Now I can access all my network resources, ping anything even disk shares etc…Issues had pre-boot: 
 Yes - I have the same situation here. I use Screwsoft 2.2.0 VPN as mobile client. I can see also following messages in ipsec log:Mar 6 09:53:52 racoon: ERROR: failed to begin ipsec sa negotication. Mar 6 09:53:52 racoon: ERROR: no configuration found for 83.xxx.xxx.xxx.What kind of configuration there should be available if it's missing? Pacet capture from ipsec interface can see traffic: [10.0.222.100 is the mobile Client IP) 
 [code]09:56:04.649945 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100.57435 > 10.0.0.1.53: UDP, length 49
 09:56:04.650311 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100.62619 > 10.0.0.1.53: UDP, length 49
 09:56:04.650748 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100 > 10.0.0.1: ICMP echo request, id 1, seq 367, length 40
 09:56:04.651044 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100.57435 > 10.0.0.10.53: UDP, length 49
 09:56:04.651464 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100.62619 > 10.0.0.10.53: UDP, length 49
 09:56:06.025861 (authentic,confidential): SPI 0x09b6b32b: IP 10.0.222.100 > 10.0.0.1: ICMP echo request, id 1, seq 368, length 40
 This traffic is originated from Mobile client ping and dns query.But LAN side does not see any traffic! I have rules that allow all the traffic from IPSEC to LAN (any any rule) I have done like in this tutorial shown: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth Any help on this awailable? Is there some bug or what? 
- 
 I have seen the issue with the built-in iOS VPN client and the NetworkManager client in Ubuntu. Rebooting those machines did not fix the issue. The only thing that fixes it is restarting raccoon. 
- 
 UPDATE: Fixed and working: YOU HAVE TO REBOOT YOUR MOBILE AFTER INSTALLATION THE SCREWSOFT CLIENT (I did'nt do that) 
 Now I can access all my network resources, ping anything even disk shares etc…I'm glad got it working, but your issue is not really related to this thread. Rebooting the client DOES NOT solve this problem. This is an issue on the pfSense side, not the client side. I am having the same issue on multiple devices. I have configured the pfSense IPSEC service with a mobile configuration. I can connect and establish a connection from iOS and from MacOS. Traffic flows just fine through the tunnel to the internal network. However, when I disconnect from the client, either iOS or MacOS, the SPD entries persist in pfSense, preventing reconnection until they expire. After I disconnect the client, if I manually delete the SPD entries I can reconnect just fine. I have created an ugly hack to work around this problem. I have set up script and cron job (using minicron) which basically does a "setkey -D" and checks to see if there is an active connection. If not, it runs "setkey -F -P", which clears the SPD entries allowing reconnection from the client(s). This seems to work, but is not elegant in the least. Anyone have thoughts on why this is happening? Sounds like this wasn't an issue with 2.0.1? Thanks, 
 John
- 
 I am having the same issue on multiple devices. I have configured the pfSense IPSEC service with a mobile configuration. I can connect and establish a connection from iOS and from MacOS. Traffic flows just fine through the tunnel to the internal network. However, when I disconnect from the client, either iOS or MacOS, the SPD entries persist in pfSense, preventing reconnection until they expire. After I disconnect the client, if I manually delete the SPD entries I can reconnect just fine. Sounds like a regression from 2.0.1 to 2.0.2 … Could you try your config with a 2.0.3 snapshot (or 2.1-BETA) ? 
- 
 Sounds like a regression from 2.0.1 to 2.0.2 … Could you try your config with a 2.0.3 snapshot (or 2.1-BETA) ? Hi dhatz, Thanks for the reply. I actually just installed 2.1 BETA (yesterday's build) and it appears to have the same problem. 
- 
 Just an FYI, here's another thread where a-couple of folks are having the same issue (no suggested solutions though): http://forum.pfsense.org/index.php/topic,59008.0.html Thoughts anyone? 
- 
 It appears to be an issue with 2.0.3 where IPSec with PSK + xauth tunnels are not cleaned after the client disconnects (it never gets cleaned, I left pfsense running overnight and it is still an issue). Restarting the racoon service allows the client to reconnect one more time and restarting pfsense does that also. For my organization, IPSec with Mutual PSK + xauth is a must because we migrated from a Cisco Router and all of our employees still have the Cisco Client on Windows or Use the "Cisco IPSec" option on Mac. Could one of somebody post a patch or workaround? For some reason running "setkey -F -P" still doesn't fix the problem, only restarting the service does. Thanks gamejia 
- 
 For those interested in a very ugly workaround, I created a script that runs every 5 minutes (using cron) and cleans up the IPSec SAD and SPD entries if there are no users using IPSec. #!/bin/sh 
 PATH=/usr/bin:/usr/sbin:.
 showUsers=/usr/local/sbin/racoonctl show-users | wc -l
 setKeyD=/usr/local/sbin/setkey -D | wc -l
 setKeyDP=/usr/local/sbin/setkey -DP | wc -lif /bin/[ $showUsers -ge 2 ]; then 
 echo "FixIPSec.sh: There are clients connected, cannot fix IPSec"
 elif /bin/[ $setKeyD -ge 2 ] || [ $setKeyDP -ge 2 ]; then
 echo "FixIPSec.sh: Fixing IPSec $setKeyD $setKeyDP"
 /usr/local/sbin/setkey -F
 /usr/local/sbin/setkey -FP
 else
 echo "FixIPSec.sh: nothing to fix"
 fiPlease keep in mind that this is still a WIP and I plan on cleaning it up more in the future if no fix is available. I plan on comparing the entries returned by "setkey -Da" and "setkey -DPa" to the values returned by racoonctl and only remove the SPD entries that are causing problems. 
- 
 For those interested in a very ugly workaround, I created a script that runs every 5 minutes (using cron) and cleans up the IPSec SAD and SPD entries if there are no users using IPSec. <snip>Please keep in mind that this is still a WIP and I plan on cleaning it up more in the future if no fix is available. I plan on comparing the entries returned by "setkey -Da" and "setkey -DPa" to the values returned by racoonctl and only remove the SPD entries that are causing problems.</snip> Thank you for posting the script. It has been really helpful, and has made the VPN usage in our small network more predictable. Ideally this should be handled at the pfsense end without using this workaround, considering if there are more number of users, then things can get complicated. I was not able to find any bug-report for this; is anyone aware of any bug report filed - else I'll go ahead and do it.