Mobile IPSec (Android 4.2.1 => pfSense 2.0.2) with multiple Phase 2 not working



  • Hi There!

    Today at work I tried to implement a VPN solution using pfSense 2.0.2. First of all, please apologize I have not the config dump here right now, but will provide if needed later.

    Setup is:
    WAN: public IP
    LAN subnet: 10.10.10.0/24
    One other subnet: 10.20.20.0/24 routed through 10.10.10.89 (route added to pfsense, working fine!)
    IPSec and LAN firewall rules are currently open any to any bidirectional.

    I created a mobile IPSec Mutual PSK + XAuth aggressive Phase 1. Added one Phase 2 for 10.10.10.0/24. Traffic is NATed to LAN interface address to get inside (Reason: I do not need to add routes from our infrastructue to get back to the VPN Client subnet). Connection from mobile devices works perfectly, tested with an iPad and an Android 4.2.1 Nexus 4 using their bundled VPN settings (no extra VPN clients …). Only 10.10.10.0/24 route is being pushed to the devices flowing through tun0, "route -nr" on devices confirmed! Yes, this is a split tunnel scenario. No discussion please - it's mandatory ;)

    Since we have one more subnet, I added a second Phase 2 for 10.20.20.0/24 (copied the initial Phase 2 and just changed the network). Reconnecting from iPad shows both routes are being pushed and working - only traffic going to these subnets are being routed into the VPN, NATed perfectly on the LAN interface, and is being routed to the destination internally perfectly.

    Android however is connecting, Phase 1 works, both Phase 2 go green, routes are set on the device - VPN stays connected. As soon as I start sending traffic to one of the two subnets, I get an error in the racoon debug saying Phase 2 not found matching 0.0.0.0/0 and complete VPN is dropped.

    Currently bothering me: Is this something I can get working by adjusting settings on pfSense or is it an Android problem not being able to announce the correct Phase 2 proposals when using multiple ones?  ???

    Thanks
    Tom



  • Did you ever find a solution to your problem?  I have a similar problem.  My Mobile Device IPSec settings work great for OSx and iOS.  My Android device succeeds on the Phase 1 connection, but as soon as I try to connect to anything Phase 2 fails and the tunnel drops.  I have multiple Phase 2s.  My current hypothesis is that Android can't handle more than one Phase 2.  I'm trying to get my hands on a test pfSense to test this hypothesis.  Would love to hear if anyone has a solution.


Locked