Netgate Discussion Forum

Help with iOS mobile IPsec

8 Posts 4 Posters 2.1k Views
    • dstroot

      If someone could help me get mobile IPsec working with iOS 8.1.2 it would be very appreciated. I have a simple home network and have set it up as the attached screenshots show. System log below, in reverse order:

      ```
      Dec 18 17:42:54	charon: 12[JOB] deleting half open IKE_SA after timeout
      Dec 18 17:42:48	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
      Dec 18 17:42:48	charon: 12[IKE] sending retransmit 3 of response message ID 0, seq 1
      Dec 18 17:42:48	charon: 12[IKE] <con1|1> sending retransmit 3 of response message ID 0, seq 1
      Dec 18 17:42:35	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
      Dec 18 17:42:35	charon: 12[IKE] sending retransmit 2 of response message ID 0, seq 1
      Dec 18 17:42:35	charon: 12[IKE] <con1|1> sending retransmit 2 of response message ID 0, seq 1
      Dec 18 17:42:28	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
      Dec 18 17:42:28	charon: 12[IKE] sending retransmit 1 of response message ID 0, seq 1
      Dec 18 17:42:28	charon: 12[IKE] <con1|1> sending retransmit 1 of response message ID 0, seq 1
      Dec 18 17:42:24	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
      Dec 18 17:42:24	charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
      Dec 18 17:42:24	charon: 12[CFG] selected peer config "con1"
      Dec 18 17:42:24	charon: 12[CFG] looking for XAuthInitPSK peer configs matching 68.4.178.238...166.170.50.79[vpnusers@danstroot.com]
      Dec 18 17:42:24	charon: 12[IKE] 166.170.50.79 is initiating a Aggressive Mode IKE_SA
      Dec 18 17:42:24	charon: 12[IKE] <1> 166.170.50.79 is initiating a Aggressive Mode IKE_SA
      Dec 18 17:42:24	charon: 12[IKE] received DPD vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received DPD vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received Cisco Unity vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received Cisco Unity vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received XAuth vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received XAuth vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
      Dec 18 17:42:24	charon: 12[IKE] received FRAGMENTATION vendor ID
      Dec 18 17:42:24	charon: 12[IKE] <1> received FRAGMENTATION vendor ID
      Dec 18 17:42:24	charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      ```

      ![ipsec0.png](/public/_imported_attachments_/1/ipsec0.png)
      ![ipsec1.png](/public/_imported_attachments_/1/ipsec1.png)
      ![ipsec2.png](/public/_imported_attachments_/1/ipsec2.png)
      ![ipsec3.png](/public/_imported_attachments_/1/ipsec3.png)
      ![ipsec4.png](/public/_imported_attachments_/1/ipsec4.png)
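The log above already contains the diagnosis if it is replayed in wire order: pfSense selected the peer config for the group ID, generated the aggressive-mode response (with NAT-D payloads, because the phone's source port had been rewritten to 30512 by a NAT), retransmitted that response three times to the NAT-mapped port, and then dropped the half-open IKE_SA when the phone's third message never arrived. As an added example that is the editor's code, not the poster's or pfSense's, here is a small analyzer that reconstructs that sequence from charon log lines and reports the findings a practitioner would check first. The sample log is a constructed subset of the lines posted above (with the mangled `<con1|1>` markers repaired), and the assumption that the panel lists newest lines first comes from the poster's own note.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the relevant lines from the posted charon log, kept in the
# newest-first order in which the pfSense status log displays them.
SAMPLE_LOG = """\
Dec 18 17:42:54\tcharon: 12[JOB] deleting half open IKE_SA after timeout
Dec 18 17:42:48\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:48\tcharon: 12[IKE] <con1|1> sending retransmit 3 of response message ID 0, seq 1
Dec 18 17:42:35\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:35\tcharon: 12[IKE] <con1|1> sending retransmit 2 of response message ID 0, seq 1
Dec 18 17:42:28\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:28\tcharon: 12[IKE] <con1|1> sending retransmit 1 of response message ID 0, seq 1
Dec 18 17:42:24\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:24\tcharon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Dec 18 17:42:24\tcharon: 12[CFG] selected peer config "con1"
Dec 18 17:42:24\tcharon: 12[CFG] looking for XAuthInitPSK peer configs matching 68.4.178.238...166.170.50.79[vpnusers@danstroot.com]
Dec 18 17:42:24\tcharon: 12[IKE] <1> 166.170.50.79 is initiating a Aggressive Mode IKE_SA
Dec 18 17:42:24\tcharon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Dec 18 17:42:24\tcharon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
"""

# Patterns for the charon message formats that matter for a stalled IKEv1 handshake.
SEND = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
LOOKUP = re.compile(r"looking for (\w+) peer configs matching \S+\.\.\.(\S+)\[([^\]]+)\]")
INITIATING = re.compile(r"(\S+) is initiating a (\w+) Mode IKE_SA")
RETRANSMIT = re.compile(r"sending retransmit (\d+) of response message ID (\d+)")
GENERATED = re.compile(r"generating (\w+) response (\d+) \[([^\]]*)\]")
PARSED = re.compile(r"parsed (\w+) request (\d+)")
SELECTED = re.compile(r'selected peer config "([^"]+)"')
ESTABLISHED = re.compile(r"IKE_SA \S+ established")


@dataclass
class IkeDiagnosis:
    initiator: Optional[str] = None
    initiator_port: Optional[int] = None   # port we answer to (rewritten by NAT if != 500)
    responder_port: Optional[int] = None
    mode: Optional[str] = None             # "Aggressive" or "Main"
    auth_class: Optional[str] = None       # e.g. XAuthInitPSK
    identity: Optional[str] = None         # peer ID from the config lookup
    peer_config: Optional[str] = None
    requests_seen: Set[int] = field(default_factory=set)
    responses_sent: int = 0                # original response plus retransmits
    retransmits: int = 0
    nat_d_in_response: bool = False
    half_open: bool = False
    established: bool = False
    findings: List[str] = field(default_factory=list)


def analyze(log_text: str, newest_first: bool = True) -> IkeDiagnosis:
    """Replay charon lines in wire order and explain why the IKE_SA never completed."""
    lines = log_text.splitlines()
    if newest_first:
        lines = list(reversed(lines))
    d = IkeDiagnosis()
    for line in lines:
        if m := PARSED.search(line):
            d.requests_seen.add(int(m.group(2)))
        elif m := INITIATING.search(line):
            d.initiator, d.mode = m.group(1), m.group(2)
        elif m := LOOKUP.search(line):
            d.auth_class, d.identity = m.group(1), m.group(3)
        elif m := SELECTED.search(line):
            d.peer_config = m.group(1)
        elif m := GENERATED.search(line):
            d.nat_d_in_response = "NAT-D" in m.group(3)
        elif m := SEND.search(line):
            d.responder_port, d.initiator_port = int(m.group(2)), int(m.group(4))
            d.responses_sent += 1
        elif m := RETRANSMIT.search(line):
            d.retransmits = max(d.retransmits, int(m.group(1)))
        elif "deleting half open IKE_SA" in line:
            d.half_open = True
        elif ESTABLISHED.search(line):
            d.established = True

    highest_request = max(d.requests_seen, default=-1)
    if d.initiator_port is not None and d.initiator_port != 500:
        note = " (charon agreed: NAT-D in our response)" if d.nat_d_in_response else ""
        d.findings.append(f"initiator source port {d.initiator_port} is not 500: peer sits behind NAT{note}; "
                          "confirm UDP 500 and 4500 both reach the firewall")
    if d.retransmits and highest_request == 0 and d.mode == "Aggressive":
        d.findings.append(f"aggressive-mode response (message 0) retransmitted {d.retransmits}x; the third "
                          f"aggressive-mode message from {d.initiator} never arrived")
    if d.half_open and not d.established:
        d.findings.append(f"IKE_SA deleted half open: config {d.peer_config!r} was selected for "
                          f"{d.identity!r}, so the negotiation died waiting on the client, not on config matching")
    if d.auth_class == "XAuthInitPSK" and d.mode == "Aggressive":
        d.findings.append(f"PSK + aggressive mode for group ID {d.identity!r}: the PSK-based HASH travels "
                          "unencrypted in aggressive mode, so the group key is open to offline guessing; "
                          "mutual RSA + XAuth with certificates avoids that")
    return d


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG).findings:
        print("-", finding)
```

Run it against a pasted log (pass `newest_first=False` for a raw `/var/log/ipsec.log` excerpt, which is oldest-first). Four findings come out of the posted log: NAT on the client side, a message 0 retransmitted three times with no message 2 from the phone, a half-open SA dropped after config selection had already succeeded, and the PSK-plus-aggressive exposure that the certificate-based setup later in the thread removes.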
      • cmb

        Please don't hijack threads, I split this off into its own thread.

        • Hugovsky

          What is your version of pfSense? You seem to have your config right. Try using main instead of aggressive in negotiation mode.

          • dstroot

            @cmb - sorry about that. Thanks for moving this to its own thread.

            @Hugovsky - If I switch to main instead of aggressive, my iPhone tells me "the server failed to respond". If I use aggressive I get "negotiation with the server failed". I am on pfSense 2.2, latest beta (today).

            • miken32

              iPhone does not support main mode. It may help to describe what's not working.

              For me, I'm able to connect and get out to the internet via the pfSense, but can't access any resources on the remote LAN.

              • dstroot

                @miken32 - Occasionally I can connect right after a fresh reboot.  Subsequently it times out and I get the log I posted.

                When I can connect I can get to websites on the internet, but I can't get to anything on the LAN (either via DNS or straight IP address). However, I am not convinced it's really working, because if I check my IP address (using something like GRC Shields Up!) it still shows my iPhone's previous IP address, not that of my pfSense box, so I don't think the traffic is really going over the tunnel.

                • miken32

                  Yes, I stand corrected; internet access is not being tunnelled. So all I can reach is the pfSense LAN IP address through the tunnel. This is the same config I'm using successfully on a 2.1.5 install.

                  • Hugovsky

                    @miken32: Try using 0.0.0.0/0 in Phase 2, in Local Network, type Network. It will route everything, including internal DNS. To make it work with iOS 7.2.2, here's what I've done:

                    Phase 1:

                    • Exactly your config, but using Mutual RSA + XAuth.

                    • My/peer identifier: ASN.1

                    • My cert: create a certificate for the user you want.

                    • My cert auth: create a certificate authority in pfSense.

                    Everything else just like yours.

                    Don't forget to put the certificate in the user.

                    If you need more details, just ask.

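The settings Hugovsky lists correspond to the following strongSwan `ipsec.conf`, shown beside the PSK + aggressive-mode variant the original post started from. This is an added, hand-written equivalent by the editor for illustration; pfSense 2.2 generates its own strongSwan configuration from the GUI, and nothing here is the poster's or Netgate's output. The distinguished names, certificate and key file names, the 10.10.10.0/24 address pool and the secrets are assumptions; `0.0.0.0/0` as the Phase 2 local network, the ASN.1 DN identifier type, mutual RSA + XAuth, and the `vpnusers@danstroot.com` group ID are taken from the thread.

```conf
# ipsec.conf (strongSwan, IKEv1) -- editor's illustration of the two setups in this thread.
config setup
    uniqueids = yes

# Starting point from the original post: group PSK, aggressive mode, XAuth.
# Aggressive mode sends the PSK-based HASH payload unencrypted, so anyone who
# captures the first exchange can brute-force the group key offline.
conn ios-psk
    keyexchange = ikev1
    aggressive = yes
    left = %defaultroute
    leftauth = psk
    leftsubnet = 0.0.0.0/0               # Phase 2 "Local Network": tunnel everything
    right = %any
    rightid = vpnusers@danstroot.com     # group identifier seen in the posted log
    rightauth = psk
    rightauth2 = xauth
    rightsourceip = 10.10.10.0/24        # assumed virtual address pool (Mobile Clients tab)
    auto = add

# Hugovsky's variant: mutual RSA + XAuth with ASN.1 DN identifiers on both sides.
conn ios-rsa
    keyexchange = ikev1
    aggressive = no                      # Apple's client negotiates Main Mode once certificates are used
    left = %defaultroute
    leftcert = vpnServer.crt             # server cert issued by the CA created in pfSense (assumed name)
    leftid = "C=US, O=Home, CN=vpn.example.org"   # ASN.1 DN = subject of leftcert (assumed)
    leftauth = pubkey
    leftsubnet = 0.0.0.0/0               # route everything, including internal DNS, through the tunnel
    right = %any
    rightid = "C=US, O=Home, CN=alice"   # subject DN of the user cert installed in the iOS profile (assumed)
    rightauth = pubkey
    rightauth2 = xauth                   # XAuth username/password on top of the certificate
    rightsourceip = 10.10.10.0/24
    auto = add

# ipsec.secrets on the same host (assumed values):
#   : RSA vpnServer.key
#   vpnusers@danstroot.com : PSK "group-secret"      (ios-psk only)
#   alice : XAUTH "per-user-password"
```

The security-relevant difference is the first message pair: in `ios-psk` the shared secret is the only thing standing between a passive capture and the tunnel, whereas in `ios-rsa` the client must present a certificate signed by the pfSense CA before XAuth credentials are even requested. Keep `leftid`/`rightid` exactly equal to the certificate subjects, or the pfSense "ASN.1 DN" identifier match will fail and the log will again show a config lookup with no usable peer.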
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.