IOS mobile IPSec connectivity [screenshots]
-
Hi folks,
I've read most of the threads on this forum with the keywords "IPSec" and "iOS" in them and I just can't get this setup to work for me. Running 2.0.2-RELEASE.
I've taken screenshots of what I think are all of the relevant sections. I'm able to connect from my iOS devices but unable to route anywhere (can't load the web interface for pfSense or google.com).
Screenshots to follow...
Firewall rule:
IPSec enabled:
p1 part 1:
p1 part 2:
p2:
SAD (after multiple attempts) – note that even if I reboot racoon to clear these out and only have two entries I get the same results:
SPD:
-
2 things to try: try enabling or forcing NAT Traversal under the Advanced Options. The other thing, which I don't see in your screenshots, is a tick box somewhere related to sending available routes to the client, or something along those lines. Try unticking that. With that ticked I was finding that after bringing up the VPN on my iPad, traffic was just being sent straight out of its wifi interface and not down the tunnel.
-
Hi Sparky,
Thanks for the suggestions but unfortunately neither work.
With NAT-T set to Force, the devices can no longer connect at all. With the sending available routes box checked, traffic routes around the VPN tunnel instead of through it (it goes out over 3G/WiFi).
-
Hi bwoodruff
My own iOS VPN integration is almost exactly like yours and works from iPads, iPhones, OS X and so on.
It also works with the Cisco VPN client on PCs. I've added a different screenshot of the P1 configuration. When not set as I have it now, iOS devices can't connect.
see the attachment
![Skærmbillede 2013-01-29 kl. 17.42.44.png](/public/imported_attachments/1/Skærmbillede 2013-01-29 kl. 17.42.44.png)
-
Thanks for the suggestion. I made that change, but it had no effect. The clients still connect, but no traffic is passed.
-
This is my (working) config - works with iOS 5.x, 6.0.x & 6.1 so far.
Some redactions for obvious reasons!
PS. There is a DNS resolution bug in iOS 6.0.x, now resolved in 6.1 that may also have caused problems: no DNS lookups for .local using VPN over cellular.
-
@spi:
Also works with the Cisco VPN client on PCs
Which version? I've NEVER got it to work! Currently using 5.0.07.0410
-
The Cisco VPN client is one that is only likely to work once, and never again, until you restart racoon. Also by using the Cisco client to connect to a non-Cisco device, you're technically violating the terms of its license agreement.
Make sure that you have:
(Phase 1)
Policy Generation: Unique
Proposal Checking: Strict
System > Advanced, Miscellaneous tab:
Uncheck "Prefer Old IPsec SA"
-
Unfortunately this doesn't work for me. If I set NAT-T to "Force," clients are unable to connect (at all).
-
make sure the client(s) are also set to use NAT-T, and make sure nothing is blocking UDP/4500 between the clients and the firewall
-
make sure the client(s) are also set to use NAT-T, and make sure nothing is blocking UDP/4500 between the clients and the firewall
Clients are iOS 6 devices on 3G, so no in-depth settings there. Firewall is open:
https://www.evernote.com/shard/s12/sh/659a1b61-92b4-470e-8d3c-f6c40616ce51/24d11db24ce72f1e9383166dfdcdb1e4/deep/0/Screenshot%202/4/13%204:00%20PM.jpg