[2.2] Mobile clients not connecting anymore
-
Jan 29 09:01:46 pfyo charon: 07[NET] received packet: from ANDROIDIP[61809] to PFSENSEIP[500] (656 bytes)Seeing this there seems a device doing nat in front of the Android device and changing ports which do not make ipsec happy in general.
Without having full details its a bit of a problem to diagnostic. -
@ermal:
Seeing this there seems a device doing nat in front of the Android device and changing ports which do not make ipsec happy in general.
Without having full details its a bit of a problem to diagnostic.Well, most of my Android VPN connections come from a NATted connection (i.e. when I'm at home connected to my wifi), and it has been working fine in 2.1.
What full detail do you need? I'll try to provide them. -
no ideas? anyone else using mobile IPSec on 2.2? thanks
Having the same problem here, mobile devices (iPhone, iPad and Android) can't connect after 2.2 upgrade.
-
i can't ipsec into pfsense 2.2 box from iphone anymore. used to work on 2.1.3
-
I am having the same issues with IPSEC and 2.2. Most of the Pfsense online guides are for versions less than 2.1.5. Does anyone have a step by step guide that they can post for a verified working configuration utilizing PSEC on 2.2 with Shrew Client and Android 4.4 as the clients. Thanks!
Joe
-
Please provide the logs to analyze this.
Also read the RELEASE notes about the new update and changes with things to conisder. -
Moved…
-
Please open a new thread for your issue but probably its related that you need on pfSense side to set the phase2 to 0.0.0.0/0 for the client.
It is on the release notes. -
@ermal:
Please open a new thread for your issue but probably its related that you need on pfSense side to set the phase2 to 0.0.0.0/0 for the client.
It is on the release notes.Is this under the Local Network field? Currently I have it set to "LAN Subnet."
-
I managed to install a fresh new 2.2, configure using this howto, and captured this log. I hope this can help debug.
Let me know if you need further debugging.
thanks for the help. -
I made some searches and tests myself.
First I found a possible issue with missing leftsendcert=always, but doesn't seem to apply to this problem.
Then I found an old thread about android and 2.2, and that seem to matter!I had to do two changes:
-
on the server set IPSec mobile to main mode
-
on the Android client remove the IPSec identifier field (leave blank)
This way the VPN connection is established.
Can anyone else please confirm?Sadly this way I have a regression: Ubuntu client won't connect anymore, it seems it's starting an aggressive mode connection thus fails…
-
-
Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.
-
@vocatus:
Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.
attaching here a working configuration for Android. Tested just with one device running Lollipop. NOT working with Ubuntu (seems it doesn't like main mode, just aggressive).
IKE mode works both in auto, v1 or v2. Just make sure to leave blank group identifier on the phone configuration.
-
here is my config. works on mac os, ios 7.1.1, ios 8.0. cisco ipsec vpn
-
@vocatus:
Hi Maxxer, can you post a screenshot of your Phase 1 and Phase 2 screens? (with applicable info blacked out). Fighting the same issue here, trying to get Android and iPhone clients connected.
attaching here a working configuration for Android. Tested just with one device running Lollipop. NOT working with Ubuntu (seems it doesn't like main mode, just aggressive).
IKE mode works both in auto, v1 or v2. Just make sure to leave blank group identifier on the phone configuration.if we make Key Exchange version = auto
then Negotiation mode - switches from agressive, mode main.In this case mac os ios not work.
-
I had to do two changes:
-
on the server set IPSec mobile to main mode
-
on the Android client remove the IPSec identifier field (leave blank)
Some time ago, I stumbled upon, that leaving the IPSec identifier blank android will initiate with main mode, having something in this field will switch it to aggressive mode. This still applies for android 5.0
-
-
Hi,
I can confirm too that by setting mode to main and removing the ipsec identifier, I'm able to connect to my VPN again using Android with Lollipop.
So, is this a bug with Android and nothing we can do on pfSense, or is this something that we can fix on pfSense?
Now then, will this configuration work for iOS….. :-)
-=david=-
-
Do you see on the logs anything related to identity?
This seems like android is not sending the proper identity as configured hence it works when left blank because it sends its ip.
-
Hi,
I don't think it is only that tbh.
First, I enabled "main" on my IPsec phase 1 entry, then removed from my Android the IPSec Identifier. I was able to connect successfully on Android.
I then disconnected my Android, enabled "aggressive" on my IPsec phase 1 entry, kept the IPSec Identifier missing on Android. I was unable to connect successfully.
Switching back to "main" allowed my Android to reconnect again.
Then:
Keeping "main" on my IPsec phase 1 entry, but this time filling in the IPSec identifier in Android to match the user distinguished name for my peer identifier doesn't result in a successful connection.
Changing to "aggressive", keeping the IPsec identifier in Android doesn't result in a successful connection.
Therefore, it appears to me (at least) that the only way I can get Android to connect is to enable "main" on pfSense and remove the IPsec identifier from Android's configuration.
Hope this helps!
-=david=-
-
Without logs no since i do not have an andorid device!
