Help with iOS mobile IPsec



  • If someone could help me get mobile IPsec working with iOS 8.1.2 it would be very appreciated.  I have a simple home network and have set it up as the attached screen shots show.  System log below in reverse order:

    
    Dec 18 17:42:54	charon: 12[JOB] deleting half open IKE_SA after timeout
    Dec 18 17:42:48	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
    Dec 18 17:42:48	charon: 12[IKE] sending retransmit 3 of response message ID 0, seq 1
    Dec 18 17:42:48	charon: 12[IKE] <con1|1> sending retransmit 3 of response message ID 0, seq 1
    Dec 18 17:42:35	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
    Dec 18 17:42:35	charon: 12[IKE] sending retransmit 2 of response message ID 0, seq 1
    Dec 18 17:42:35	charon: 12[IKE] <con1|1> sending retransmit 2 of response message ID 0, seq 1
    Dec 18 17:42:28	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
    Dec 18 17:42:28	charon: 12[IKE] sending retransmit 1 of response message ID 0, seq 1
    Dec 18 17:42:28	charon: 12[IKE] <con1|1> sending retransmit 1 of response message ID 0, seq 1
    Dec 18 17:42:24	charon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
    Dec 18 17:42:24	charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
    Dec 18 17:42:24	charon: 12[CFG] selected peer config "con1"
    Dec 18 17:42:24	charon: 12[CFG] looking for XAuthInitPSK peer configs matching 68.4.178.238...166.170.50.79[vpnusers@danstroot.com]
    Dec 18 17:42:24	charon: 12[IKE] 166.170.50.79 is initiating a Aggressive Mode IKE_SA
    Dec 18 17:42:24	charon: 12[IKE] <1> 166.170.50.79 is initiating a Aggressive Mode IKE_SA
    Dec 18 17:42:24	charon: 12[IKE] received DPD vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received DPD vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received Cisco Unity vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received Cisco Unity vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received XAuth vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received XAuth vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Dec 18 17:42:24	charon: 12[IKE] received FRAGMENTATION vendor ID
    Dec 18 17:42:24	charon: 12[IKE] <1> received FRAGMENTATION vendor ID
    Dec 18 17:42:24	charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]

    Attached screenshots:

    ![ipsec0.png](/public/_imported_attachments_/1/ipsec0.png)
    ![ipsec1.png](/public/_imported_attachments_/1/ipsec1.png)
    ![ipsec2.png](/public/_imported_attachments_/1/ipsec2.png)
    ![ipsec3.png](/public/_imported_attachments_/1/ipsec3.png)
    ![ipsec4.png](/public/_imported_attachments_/1/ipsec4.png)
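The log above is easier to read once it is put back in chronological order and reduced to the facts that matter: who initiated, which peer config matched, whether the responder's phase 1 reply went out, how often it was retransmitted, and whether anything ever came back. The following script is an added example (my own code, not part of the post or of pfSense/strongSwan) that does exactly that for a charon IKEv1 excerpt. It assumes the pfSense log layout shown in the post (timestamp, tab, `charon: <thread>[<group>] <message>`, newest line first) and that the excerpt covers a single IKE_SA attempt; the embedded sample is a constructed subset of the lines quoted above.

```python
"""Summarise a pfSense/strongSwan (charon) IKEv1 log excerpt into one
phase-1 negotiation record plus a plain-English diagnosis.

Assumptions (mine, not from the post): each line looks like
"Mon DD HH:MM:SS<tab>charon: <thread>[<group>] <message>", lines are
newest-first as pfSense shows them, and the excerpt is one IKE_SA attempt.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the charon lines quoted in the post,
# still in the newest-first order in which pfSense displays them.
SAMPLE_LOG = """\
Dec 18 17:42:54\tcharon: 12[JOB] deleting half open IKE_SA after timeout
Dec 18 17:42:48\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:48\tcharon: 12[IKE] <con1|1> sending retransmit 3 of response message ID 0, seq 1
Dec 18 17:42:35\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:35\tcharon: 12[IKE] <con1|1> sending retransmit 2 of response message ID 0, seq 1
Dec 18 17:42:28\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:28\tcharon: 12[IKE] <con1|1> sending retransmit 1 of response message ID 0, seq 1
Dec 18 17:42:24\tcharon: 12[NET] sending packet: from 68.4.178.238[500] to 166.170.50.79[30512] (432 bytes)
Dec 18 17:42:24\tcharon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Dec 18 17:42:24\tcharon: 12[CFG] selected peer config "con1"
Dec 18 17:42:24\tcharon: 12[CFG] looking for XAuthInitPSK peer configs matching 68.4.178.238...166.170.50.79[vpnusers@danstroot.com]
Dec 18 17:42:24\tcharon: 12[IKE] <1> 166.170.50.79 is initiating a Aggressive Mode IKE_SA
Dec 18 17:42:24\tcharon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Dec 18 17:42:24\tcharon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$"
)


@dataclass
class Phase1Attempt:
    initiator: str = ""        # peer address that opened the IKE_SA
    mode: str = ""             # "Aggressive Mode" / "Main Mode"
    auth_method: str = ""      # e.g. XAuthInitPSK, as charon names it
    identity: str = ""         # peer identifier charon matched on
    peer_config: str = ""      # pfSense phase 1 entry that was selected
    nat_t: bool = False        # peer advertised RFC 3947 NAT-T
    response_sent: bool = False
    retransmits: int = 0       # highest retransmit number of our response
    packets_from_peer: int = 0 # packets received after our response went out
    half_open_deleted: bool = False


def parse(text: str, newest_first: bool = True) -> Phase1Attempt:
    """Walk the excerpt oldest-first and fill in a Phase1Attempt."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()
    a = Phase1Attempt()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the optional "<con1|1>" / "<1>" IKE_SA tag charon prefixes.
        msg = re.sub(r"^<[^>]*>\s*", "", m.group("msg"))
        if mm := re.match(r"(\S+) is initiating an? (\w+ Mode) IKE_SA", msg):
            a.initiator, a.mode = mm.group(1), mm.group(2)
        elif mm := re.match(r"looking for (\w+) peer configs matching .*?\[(.+)\]$", msg):
            a.auth_method, a.identity = mm.group(1), mm.group(2)
        elif mm := re.match(r'selected peer config "([^"]+)"', msg):
            a.peer_config = mm.group(1)
        elif "received NAT-T (RFC 3947) vendor ID" in msg:
            a.nat_t = True
        elif re.match(r"generating \w+ response", msg):
            a.response_sent = True
        elif mm := re.match(r"sending retransmit (\d+) of response", msg):
            a.retransmits = max(a.retransmits, int(mm.group(1)))
        elif msg.startswith("received packet:") and a.response_sent:
            a.packets_from_peer += 1
        elif "deleting half open IKE_SA after timeout" in msg:
            a.half_open_deleted = True
    return a


def diagnose(a: Phase1Attempt) -> str:
    """Turn the record into the one sentence you actually want from the log."""
    if not a.initiator:
        return "no IKE_SA negotiation found in excerpt"
    if a.response_sent and a.half_open_deleted and a.packets_from_peer == 0:
        return (
            f"phase 1 stalled: config {a.peer_config!r} matched {a.identity} "
            f"({a.auth_method}); the {a.mode} response was sent and retransmitted "
            f"{a.retransmits} times but nothing came back before the half-open "
            "IKE_SA timed out. The responder side matched, so check the client side: "
            "the pre-shared key (a mismatched PSK makes the initiator reject the "
            "responder's HASH and go silent) and whether UDP 500/4500 replies reach "
            "the client through its NAT."
        )
    if a.half_open_deleted:
        return "half-open IKE_SA deleted before a response was generated; check peer config matching"
    return "no failure pattern recognised"


if __name__ == "__main__":
    attempt = parse(SAMPLE_LOG)
    print(attempt)
    print(diagnose(attempt))
```

Run it against a pasted excerpt from Status > System Logs > IPsec; the interesting distinction it makes is between "no peer config matched" (a server-side identifier or auth-type problem) and "config matched, response sent, silence" (a client-side key or path problem), which is the pattern in the log above.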


  • Please don't hijack threads, I split this off into its own thread.



  • What is your version of pfsense? You seem to have your config right. Try using main instead of aggressive, in negotiation mode.



  • @cmb - sorry about that. Thanks for moving this to its own thread.

    @Hugovsky - If I switch to main instead of aggressive my iPhone tells me "the server failed to respond".  If I use aggressive I get "negotiation with the server failed".  I am on pfsense 2.2 latest beta (today).



  • iPhone does not support main mode. It may help to describe what's not working.

    For me, I'm able to connect and get out to the internet via the pfSense, but can't access any resources on the remote LAN.



  • @miken32 - Occasionally I can connect right after a fresh reboot.  Subsequently it times out and I get the log I posted.

    When I can connect I can get to websites on the internet, but I can't get to anything on the LAN (either via DNS or straight IP address).  However I am not convinced it's really working because if I check my IP address (using something like GRC Shields Up!) it still shows my iPhone's previous IP address, not that of my pfsense box, so I don't think the traffic is really going over the tunnel.



  • Yes, I stand corrected; internet access is not being tunnelled. So all I can reach is the pfSense LAN IP address through the tunnel. This is the same config I'm using successfully on a 2.1.5 install.



  • @miken32: Try using 0.0.0.0/0 in phase 2, in local network, type network. It will route everything including internal dns. To make it work with iOS 7.2.2, here's what I've done:

    phase1:

    • Exactly your config but using Mutual rsa+xauth.

    • My/peer identifier: ASN.1

    • My cert: create a certificate for the user you want

    • My cert auth: Create a cert authority in pfsense.

    everything else just like yours.

    Don't forget to put certificate in user.

    If you need more details, just ask.

