Android JB (3G) to Dynamic IP IPsec Tunnel Issue



  • Hello,

    Has anyone set up a mobile device (running Android JB) to connect via IPsec to pfSense? I have a dynamic DNS name (pfsense.domain.com) running on a host within the network that pfSense looks after.

    My settings look as follows -
    Mobile Clients
    Enable IPsec mobile Client Support
    User Auth - System
    Group Auth - System
    Virtual Address Pool - 10.0.0.128/29
    DNS Default Domain - domain.com
    DNS - 10.0.0.10 / 8.8.8.8

    Tunnels - Phase 1
    Interface - WAN
    Auth Method - Mutual PSK + Xauth
    Neg - Aggressive
    My Ident - Distinguished name - pfsense.domain.com
    Peer Ident - User Distinguished name - user@domain.com
    PSK - XXXXX
    Policy Gen - Unique
    Proposal Checking - Strict
    Enc Alg - 3DES
    Hash - SHA1
    DH Group - 2
    Lifetime - 28800
    NAT Traversal - Force
    Enable DPD (60/5)

    Tunnels - Phase 2
    Mode - Tunnel
    Local Net - LAN Subnet (10.0.0.0/24)
    Protocol - ESP
    Enc Alg - 3DES
    Hash - SHA1
    PFS - Off
    Lifetime - 28800

    Android Settings
    Name - VPN
    Type - IPSec xAuth PSK
    Server Address - pfsense.domain.com
    IPSec Ident - user@domain.com
    IPSec PSK - XXXXX
    DNS Search Domains - domain.com
    DNS Servers - 10.0.0.10 8.8.8.8
    Forwarding Routes - 10.0.0.0/24 10.10.0.0/24 10.50.0.0/24

    When connecting, I enter an admin username/password and get the following in the IPsec logs -

    May 17 16:48:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <pfsense wan ip>[500]<=><android ip>[500]
    May 17 16:48:30 racoon: INFO: begin Aggressive mode.
    May 17 16:48:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 17 16:48:30 racoon: INFO: received Vendor ID: RFC 3947
    May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 17 16:48:30 racoon: INFO: received Vendor ID: CISCO-UNITY
    May 17 16:48:30 racoon: INFO: received Vendor ID: DPD
    May 17 16:48:30 racoon: [<android ip>] INFO: Selected NAT-T version: RFC 3947
    May 17 16:48:30 racoon: INFO: Adding remote and local NAT-D payloads.
    May 17 16:48:30 racoon: [<android ip>] INFO: Hashing <android ip>[500] with algo #2 (NAT-T forced)
    May 17 16:48:30 racoon: [Self]: [<pfsense wan ip>] INFO: Hashing <pfsense wan ip>[500] with algo #2 (NAT-T forced)
    May 17 16:48:30 racoon: INFO: Adding xauth VID payload.

    Anyone any ideas what I could be doing wrong?

    Thanks
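Added here as an example that is not part of the thread: a small Python checker that groups racoon log lines like the ones above into phase-1 negotiations and reports whether each one completed, which exchange mode it used, and whether the peer offered XAuth. It assumes racoon logs "ISAKMP-SA established" when phase 1 succeeds; the sample lines and addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the racoon lines in the post; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
May 17 16:48:30 racoon: [Self]: INFO: respond new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
May 17 16:48:30 racoon: INFO: begin Aggressive mode.
May 17 16:48:30 racoon: INFO: received Vendor ID: RFC 3947
May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 17 16:48:30 racoon: INFO: Adding xauth VID payload.
"""

START_RE = re.compile(r"respond new phase 1 negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]")
VID_RE = re.compile(r"received Vendor ID: (.+)$")
@dataclass
class Phase1:
    peer: str
    mode: str = "unknown"
    vendor_ids: list = field(default_factory=list)
    established: bool = False  # assumption: racoon logs "ISAKMP-SA established" on success
    last_event: str = ""

def parse_racoon(log: str) -> list:
    """Group racoon lines into phase-1 negotiations, one per 'respond new phase 1' line."""
    negs = []
    for line in log.splitlines():
        if m := START_RE.search(line):
            negs.append(Phase1(peer=m.group(1)))
            continue
        if not negs: continue  # ignore lines before the first negotiation
        cur = negs[-1]
        cur.last_event = line.split("INFO: ", 1)[-1].rstrip(".")
        if "begin Aggressive mode" in line:
            cur.mode = "aggressive"
        elif m := VID_RE.search(line):
            cur.vendor_ids.append(m.group(1))
        elif "ISAKMP-SA established" in line:
            cur.established = True
    return negs

def diagnose(neg: Phase1) -> list:
    """Findings a defender wants from a stalled or weakly configured phase 1."""
    out = []
    if not neg.established:
        out.append(f"phase 1 with {neg.peer} never completed; last event: {neg.last_event}")
    if neg.mode == "aggressive":
        out.append("aggressive mode: identity and PSK-derived hash travel unencrypted; prefer main mode")
    if not any("xauth" in v for v in neg.vendor_ids):
        out.append("peer sent no XAuth vendor ID; a 'Mutual PSK + Xauth' policy cannot match")
    return out
```

Run it on the constructed sample and it reports the negotiation as never completed (last event "Adding xauth VID payload"), which is exactly where the post's log stops.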



  • Does nobody have any tips/ideas?

