IPsec with Android Problems



  • Has anyone gotten IPsec to work with the latest release of pfSense and Android 4.4?

    I followed the tutorial in the Wiki, but I can never connect.

    It looks like it starts to work, but then

    
    Apr 17 13:38:29 	racoon: ERROR: phase1 negotiation failed due to time up. 3e92ef9c45b7d058:c4e9a0229b25ce71
    Apr 17 13:37:54 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
    Apr 17 13:37:51 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
    Apr 17 13:37:48 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
    Apr 17 13:37:45 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
    Apr 17 13:37:42 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
    
    

    (newest at top)

    Anyone have any idea what I could do here?



  • I've tried many, many times and can't get IPsec to work with my Android phone.  (Nexus 5 running KitKat 4.4)

    I'm able to connect to the VPN, but traffic never flows through and nothing else works.  However, the same configuration works with my iPad or iPhone perfectly.


  • Rebel Alliance Developer Netgate

    I don't have anything running 4.4 yet to test. Due for a new phone in a week, I should have one then. Or I may get brave and install CM11 on my current phone since it's due to be replaced in a few days anyhow.



  • OK, if/when you get a chance to check, this is the tutorial I'm following, and I'm using AOKP 4.4 on a Nexus 5, so VPN should be stock.

    https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0


  • Rebel Alliance Developer Netgate

    My new Moto X came in today, running Android 4.4.2, connected right up as always to mobile IPsec, could ping OK, no problems here using the settings from the wiki.



  • 
    May 5 13:19:59 	racoon: ERROR: phase1 negotiation failed due to time up. ad238a0d2161838c:144b26fc7492d836
    May 5 13:19:24 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
    May 5 13:19:21 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
    May 5 13:19:18 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
    May 5 13:19:15 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
    May 5 13:19:12 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
    May 5 13:19:09 	racoon: INFO: Adding xauth VID payload.
    May 5 13:19:09 	racoon: [Self]: [<local ip>] INFO: Hashing <local ip>[500] with algo #2 (NAT-T forced)
    May 5 13:19:09 	racoon: [<remote ip>] INFO: Hashing <remote ip>[500] with algo #2 (NAT-T forced)
    May 5 13:19:09 	racoon: INFO: Adding remote and local NAT-D payloads.
    May 5 13:19:09 	racoon: [<remote ip>] INFO: Selected NAT-T version: RFC 3947
    May 5 13:19:09 	racoon: INFO: received Vendor ID: DPD
    May 5 13:19:09 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 5 13:19:09 	racoon: INFO: received Vendor ID: RFC 3947
    May 5 13:19:09 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 5 13:19:09 	racoon: INFO: begin Aggressive mode.
    May 5 13:19:09 	racoon: [Self]: INFO: respond new phase 1 negotiation: <local ip>[500]<=><remote ip>[500]
    

    That's what I'm getting.

    My settings on Android 4.4 are:
    Name: Test VPN
    Type: IPSec Xauth PSK
    Server Address: <firewall wan ip>
    IPSec identifier: vpnuser@example.com  <-- changed to a different address
    IPSec pre-shared key: <my psk>
    DNS Search domains: <blank>
    DNS Servers: <blank>
    Forwarding Routes: <blank>

    And then the above is what happens in my logs on pfSense when I try to connect.
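To read a racoon burst like the one quoted above mechanically rather than by eye, here is an added Python example (not code from pfSense, racoon, or any poster in this thread). It walks the log in chronological order, picks out the phase 1 start, the exchange mode, the NAT-T selection, each retransmission and the final "time up", and reports how long the responder waited and what that pattern means from the firewall's side. The sample log is constructed to mirror the quoted lines, with RFC 5737 documentation addresses standing in for the redacted IPs; the regular expressions assume racoon's message wording exactly as it appears in this thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon output quoted in this thread, newest
# line at the top as pfSense's log viewer shows it. 198.51.100.1 stands in for the
# firewall's WAN address and 203.0.113.10 for the phone (RFC 5737 placeholders).
SAMPLE_LOG = """\
May 5 13:19:59 \tracoon: ERROR: phase1 negotiation failed due to time up. ad238a0d2161838c:144b26fc7492d836
May 5 13:19:24 \tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 203.0.113.10[500] (1).
May 5 13:19:21 \tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 203.0.113.10[500] (1).
May 5 13:19:18 \tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 203.0.113.10[500] (1).
May 5 13:19:15 \tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 203.0.113.10[500] (1).
May 5 13:19:12 \tracoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 203.0.113.10[500] (1).
May 5 13:19:09 \tracoon: INFO: Adding xauth VID payload.
May 5 13:19:09 \tracoon: [203.0.113.10] INFO: Selected NAT-T version: RFC 3947
May 5 13:19:09 \tracoon: INFO: received Vendor ID: DPD
May 5 13:19:09 \tracoon: INFO: begin Aggressive mode.
May 5 13:19:09 \tracoon: [Self]: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.10[500]
"""

# Message patterns, worded as in the racoon lines quoted in the thread.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+racoon:\s+(.*)$")
BEGIN_RE = re.compile(r"respond new phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
MODE_RE = re.compile(r"begin (Aggressive|Main) mode")
NATT_RE = re.compile(r"Selected NAT-T version: (.+)$")
RETRANS_RE = re.compile(r"the packet is retransmitted by (\S+?)\[\d+\]")
TIMEUP_RE = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]+:[0-9a-f]+)")


def _ts(stamp):
    """Syslog-style timestamp without a year; only differences between stamps are used."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def analyze_phase1(log_text, newest_first=True):
    """Summarise one phase 1 attempt from a block of racoon log lines."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # pfSense shows newest first; work in chronological order
    r = {"local": None, "remote": None, "mode": None, "nat_t": None,
         "retransmits": 0, "timed_out": False, "cookies": None,
         "started_at": None, "failed_at": None, "seconds_to_timeout": None}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a racoon line
        stamp, msg = m.groups()
        b = BEGIN_RE.search(msg)
        if b:
            r["local"], r["remote"] = b.groups()
            r["started_at"] = stamp
            continue
        mo = MODE_RE.search(msg)
        if mo:
            r["mode"] = mo.group(1)
            continue
        n = NATT_RE.search(msg)
        if n:
            r["nat_t"] = n.group(1).strip()
            continue
        if RETRANS_RE.search(msg):
            r["retransmits"] += 1  # responder resent its reply, peer never answered
            continue
        t = TIMEUP_RE.search(msg)
        if t:
            r["timed_out"] = True
            r["cookies"] = t.group(1)  # initiator:responder ISAKMP cookies
            r["failed_at"] = stamp
    if r["started_at"] and r["failed_at"]:
        r["seconds_to_timeout"] = int((_ts(r["failed_at"]) - _ts(r["started_at"])).total_seconds())
    r["diagnosis"] = diagnose(r)
    return r


def diagnose(r):
    """Turn the counters into the one-line reading a responder-side admin needs."""
    if not r["timed_out"]:
        return "phase 1 completed or is still in progress"
    if r["retransmits"]:
        return (f"{r['mode'] or 'phase 1'} mode: the firewall answered {r['remote']} and "
                f"retransmitted that reply {r['retransmits']} times over "
                f"{r['seconds_to_timeout']}s with no further message from the peer before "
                "timing out (check UDP 500/4500 reachability and that the identifier, "
                "PSK and phase 1 proposal match on both ends)")
    return "phase 1 timed out without retransmissions"


if __name__ == "__main__":
    for key, value in analyze_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the summary shows an Aggressive mode exchange with NAT-T (RFC 3947) selected, five retransmissions and a time-up 50 seconds after the negotiation started; feeding it the thread's other burst (Apr 17) gives the same shape. The point of the counters is to separate "the peer's first packet never matched a proposal" (no retransmissions, fast failure) from "the peer stopped answering after our reply" (retransmissions, then time-up), which is what both logs in this thread show.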


  • Rebel Alliance Developer Netgate

    Well it's a bit odd now. I had connected on Friday with my Moto X (Android 4.4.2, Kernel version 3.4.42) but then I put CM11 on my Droid Razr and it would not connect (Android 4.4.2, Kernel 3.0.8).

    Today, I can't connect with the Moto X or the Razr. I don't get the same error as you, though. It successfully builds the VPN but then won't pass traffic and then DPD kills the P1 saying it appears to be dead. Might need some extra nudging one way or another yet.  Reset racoon, rebooted the phones, etc. Same behavior all around now.



  • Anything I could try?

    I have never been able to get a successful IPsec connection, but OpenVPN is working.