Netgate Discussion Forum

    IOS mobile IPSec connectivity [screenshots]

    11 Posts 5 Posters 2.9k Views
bwoodruff

      Hi folks,

      I've read most of the threads on this forum with the keywords "IPSec" and "iOS" in them and I just can't get this setup to work for me. Running 2.0.2-RELEASE.

I've taken screenshots of what I think are all of the relevant sections… I'm able to connect from my iOS devices but unable to route anywhere (can't load the web interface for pfSense or google.com).

      Screenshots to follow...

      Firewall rule:

      IPSec enabled:

      p1 part 1:

      p1 part 2:

      p2:

      SAD (after multiple attempts) – note that even if I reboot racoon to clear these out and only have two entries I get the same results:

      SPD:

Sparky

Two things to try: first, try enabling or forcing NAT Traversal under the Advanced Options. The other thing, which I don't see in your screenshots, is a tick box somewhere related to sending available routes to the client, or something along those lines. Try unticking that. With that ticked I was finding that after bringing up the VPN on my iPad, traffic was just being sent straight out of its WiFi interface and not down the tunnel.

bwoodruff

          Hi Sparky,

          Thanks for the suggestions but unfortunately neither work.

          With NAT-T set to Force, the devices can no longer connect at all. With the sending available routes box checked, traffic routes around the VPN tunnel instead of through it (it goes out over 3G/WiFi).

spi

Hi bwoodruff,

My own iOS VPN integration is almost exactly the same as yours and works from iPads, iPhones, OS X and so on.
It also works with the Cisco VPN client on PCs.

I've added a different screenshot of the P1 configuration. When it is not set as I have it now, iOS devices can't connect.

See the attachment.

            ![Skærmbillede 2013-01-29 kl. 17.42.44.png](/public/imported_attachments/1/Skærmbillede 2013-01-29 kl. 17.42.44.png)

bwoodruff

              Thanks for the suggestion. I made that change, but it had no effect. The clients still connect, but no traffic is passed.

jonallport

This is my (working) config; it works with iOS 5.x, 6.0.x and 6.1 so far.

                Some redactions for obvious reasons!

PS. There is a DNS resolution bug in iOS 6.0.x, now resolved in 6.1, that may also have caused problems: no DNS lookups for .local using VPN over cellular.

Attachments: P1.PNG, P2.PNG, Ext.PNG, User.PNG, Firewall.PNG

jonallport

                  @spi:

It also works with the Cisco VPN client on PCs.

Which version? I've NEVER got it to work! Currently using 5.0.07.0410.

jimp (Rebel Alliance Developer, Netgate)

                    The Cisco VPN client is one that is only likely to work once, and never again, until you restart racoon. Also by using the Cisco client to connect to a non-Cisco device, you're technically violating the terms of its license agreement.

                    Make sure that you have:
                    (Phase 1)
                    Policy Generation: Unique
                    Proposal Checking: Strict

                    System > Advanced, Miscellaneous tab.
                    Uncheck "Prefer Old IPsec SA"

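The symptom in this thread is clients that connect but pass nothing, with the SAD filling up across repeated attempts. The script below is an added diagnostic, not from the thread or from pfSense: it parses a `setkey -D` SAD dump and flags mature SAs whose byte counters never move, plus peer pairs holding more than one SA (the stale pile-up that "Prefer Old IPsec SA" makes racoon keep using). The sample dump is constructed and its field layout is assumed from ipsec-tools `setkey` on FreeBSD; the addresses, SPIs and counters are invented.

```python
"""Parse a `setkey -D` SAD dump and flag SAs that cannot be passing traffic.
Added example; the layout is assumed from ipsec-tools setkey on FreeBSD."""
import re

# Constructed sample (not captured from the thread): one mobile client behind
# NAT, an older SA pair carrying bytes and a newer inbound SA that stays idle.
SAMPLE_SAD = """\
198.51.100.20[4500] 203.0.113.1[4500]
\tesp-udp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 48120(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
203.0.113.1[4500] 198.51.100.20[4500]
\tesp-udp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 9800(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
198.51.100.20[4500] 203.0.113.1[4500]
\tesp-udp mode=tunnel spi=11259375(0x00abcdef) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""

# Each SA opens with an unindented "src dst" line; detail lines are tab-indented.
SA_HEADER = re.compile(r"^(\S+) (\S+)\s*$")
FIELDS = {"spi": re.compile(r"spi=\d+\((0x[0-9a-f]+)\)"),
          "state": re.compile(r"state=(\w+)"),
          "bytes": re.compile(r"current: (\d+)\(bytes\)")}

def parse_sad(text):
    """Return one dict per SA with src, dst, spi, state and byte counter."""
    sas = []
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            sas.append({"src": m[1], "dst": m[2], "spi": None, "state": None, "bytes": 0})
        elif sas:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    sas[-1][key] = int(m[1]) if key == "bytes" else m[1]
    return sas

def find_problems(sas):
    """Idle mature SAs and peer pairs holding more than one SA (stale pile-up)."""
    idle = [sa["spi"] for sa in sas if sa["state"] == "mature" and sa["bytes"] == 0]
    per_pair = {}
    for sa in sas:
        per_pair.setdefault((sa["src"], sa["dst"]), []).append(sa["spi"])
    dupes = {pair: spis for pair, spis in per_pair.items() if len(spis) > 1}
    return {"idle": idle, "duplicates": dupes}
```

On the firewall, run it against `setkey -D` output a minute after the client connects; an idle SA in the client-to-firewall direction while the pair already holds an older SA points at stale-SA selection rather than a firewall rule problem.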
bwoodruff

                      Unfortunately this doesn't work for me. If I set NAT-T to "Force," clients are unable to connect (at all).

jimp (Rebel Alliance Developer, Netgate)

Make sure the client(s) are also set to use NAT-T, and make sure nothing is blocking UDP/4500 between the clients and the firewall.

bwoodruff

                          @jimp:

Make sure the client(s) are also set to use NAT-T, and make sure nothing is blocking UDP/4500 between the clients and the firewall.

                          Clients are iOS 6 devices on 3G, so no in-depth settings there. Firewall is open:
                          https://www.evernote.com/shard/s12/sh/659a1b61-92b4-470e-8d3c-f6c40616ce51/24d11db24ce72f1e9383166dfdcdb1e4/deep/0/Screenshot%202/4/13%204:00%20PM.jpg

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.