Netgate Discussion Forum

    Android JB (3G) to Dynamic IP IPsec Tunnel Issue

    WTF:

      Hello,

      Has anyone set up a mobile device (running Android JB) to connect via IPsec to pfSense? I have a dynamic DNS name (pfsense.domain.com) running on a host within the network that pfSense looks after.

      My settings look as follows:
      Mobile Clients
      Enable IPsec mobile Client Support
      User Auth - System
      Group Auth - System
      Virtual Address Pool - 10.0.0.128/29
      DNS Default Domain - domain.com
      DNS - 10.0.0.10 / 8.8.8.8

      Tunnels - Phase 1
      Interface - WAN
      Auth Method-  Mutual PSK +Xauth
      Neg - Aggressive
      My Ident - Distinguished name - pfsense.domain.com
      Peer Ident - User Distinguished name - user@domain.com
      PSK - XXXXX
      Policy Gen - Unique
      Proposal Checking - Strict
      Enc Alg - 3DES
      Hash - SHA1
      DH Group - 2
      Lifetime - 28800
      NAT Traversal - Force
      Enable DPD (60/5)

      Tunnels - Phase 2
      Mode - Tunnel
      Local Net - LAN Subnet (10.0.0.0/24)
      Protocol - ESP
      Enc Alg - 3DES
      Hash - SHA1
      PFS - Off
      Lifetime - 28800

      Android Settings
      Name - VPN
      Type - IPSec xAuth PSK
      Server Address - pfsense.domain.com
      IPSec Ident - user@domain.com
      IPSec PSK - XXXXX
      DNS Search Domains - domain.com
      DNS Servers - 10.0.0.10 8.8.8.8
      Forwarding Routes - 10.0.0.0/24 10.10.0.0/24 10.50.0.0/24

      When connecting, I enter an admin username/password and get the following in the IPsec logs:

      May 17 16:48:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <pfsense wan ip>[500]<=><android ip>[500]
      May 17 16:48:30 racoon: INFO: begin Aggressive mode.
      May 17 16:48:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      May 17 16:48:30 racoon: INFO: received Vendor ID: RFC 3947
      May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      May 17 16:48:30 racoon: INFO: received Vendor ID: CISCO-UNITY
      May 17 16:48:30 racoon: INFO: received Vendor ID: DPD
      May 17 16:48:30 racoon: [<android ip>] INFO: Selected NAT-T version: RFC 3947
      May 17 16:48:30 racoon: INFO: Adding remote and local NAT-D payloads.
      May 17 16:48:30 racoon: [<android ip>] INFO: Hashing <android ip>[500] with algo #2 (NAT-T forced)
      May 17 16:48:30 racoon: [Self]: [<pfsense wan ip>] INFO: Hashing <pfsense wan ip>[500] with algo #2 (NAT-T forced)
      May 17 16:48:30 racoon: INFO: Adding xauth VID payload.

      Does anyone have any ideas what I could be doing wrong?

      Thanks

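The racoon excerpt above stops right after the xauth vendor-ID payload is added, with no ISAKMP-SA or IPsec-SA message following. Below is an added example (not code from the post or from pfSense) that walks a racoon log and reports the furthest milestone reached plus the peer's advertised vendor IDs; the stage message fragments and the constructed sample log are assumptions about racoon's wording, so adjust them to your own racoon version.

```python
import re

# Constructed sample: the racoon lines quoted in the post, with the poster's
# <pfsense wan ip> / <android ip> placeholders kept as-is.
SAMPLE_LOG = """\
May 17 16:48:30 racoon: [Self]: INFO: respond new phase 1 negotiation: <pfsense wan ip>[500]<=><android ip>[500]
May 17 16:48:30 racoon: INFO: begin Aggressive mode.
May 17 16:48:30 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 17 16:48:30 racoon: INFO: received Vendor ID: RFC 3947
May 17 16:48:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 17 16:48:30 racoon: INFO: received Vendor ID: DPD
May 17 16:48:30 racoon: [<android ip>] INFO: Selected NAT-T version: RFC 3947
May 17 16:48:30 racoon: INFO: Adding xauth VID payload.
"""

# Milestones of an IKEv1 aggressive-mode + XAuth responder, in the order racoon
# reaches them. The message fragments are assumed racoon wording (hypothetical).
STAGES = [
    ("phase1_start", "respond new phase 1 negotiation"),
    ("aggressive_mode", "begin Aggressive mode"),
    ("natt_selected", "Selected NAT-T version"),
    ("xauth_vid_sent", "Adding xauth VID payload"),
    ("isakmp_sa_established", "ISAKMP-SA established"),
    ("xauth_login_ok", "login succeeded"),
    ("phase2_start", "respond new phase 2 negotiation"),
    ("ipsec_sa_established", "IPsec-SA established"),
]

VENDOR_RE = re.compile(r"received Vendor ID: (.+?)\s*$")


def analyze_racoon_log(text):
    """Return the furthest stage reached, the stages still missing, and the peer's vendor IDs."""
    reached = set()
    vendor_ids = []
    for line in text.splitlines():
        for name, fragment in STAGES:
            if fragment in line:
                reached.add(name)
        m = VENDOR_RE.search(line)
        if m and m.group(1) not in vendor_ids:
            vendor_ids.append(m.group(1))
    order = [name for name, _ in STAGES]
    last = max((order.index(n) for n in reached), default=-1)
    return {
        "last_stage": order[last] if last >= 0 else None,
        "missing": order[last + 1:],        # what never showed up in the log
        "vendor_ids": vendor_ids,
        "xauth_capable_peer": any("xauth" in v.lower() for v in vendor_ids),
    }


if __name__ == "__main__":
    print(analyze_racoon_log(SAMPLE_LOG))
```

For the sample above the result shows the negotiation never got past sending the xauth VID, so the failure is in completing phase 1 (PSK, identifier or proposal mismatch) rather than in XAuth or phase 2.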
      WTF:

        Nobody has any tips/ideas?
