Netgate Discussion Forum

    Help with IPSEC setup mobile client IOS

    5 Posts 3 Posters 1.2k Views
    • gazoo

      Set up an IPsec server loosely based on this old doc: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      This is an iPhone 5 running the latest iOS 8.x
      pfSense: 2.2.2 nanobsd

      additional info:
      Server running Phase 1 AES 128, SHA 1, DH Key group 2, aggressive

      Looks like something is failing. Can someone make suggestions?
      I get a "server not responding" message from the iPhone.

      Aug 18 12:23:49 charon: 09[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID
      Aug 18 12:23:49 charon: 09[IKE] <18> received Cisco Unity vendor ID
      Aug 18 12:23:49 charon: 09[IKE] <18> received DPD vendor ID
      Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
      Aug 18 12:23:49 charon: 09[IKE] <18> Aggressive Mode PSK disabled for security reasons
      Aug 18 12:23:49 charon: 09[ENC] <18> generating INFORMATIONAL_V1 request 397799797 [ N(AUTH_FAILED) ]
      Aug 18 12:23:49 charon: 09[NET] <18> sending packet: from x.x.x.x[500] to y.y.y.y[43504] (56 bytes)
      Aug 18 12:23:52 charon: 09[NET] <19> received packet: from y.y.y.y[43504] to x.x.x.x[500] (774 bytes)
      Aug 18 12:23:52 charon: 09[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Aug 18 12:23:52 charon: 09[IKE] <19> received FRAGMENTATION vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received NAT-T (RFC 3947) vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received XAuth vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received Cisco Unity vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> received DPD vendor ID
      Aug 18 12:23:52 charon: 09[IKE] <19> y.y.y.y is initiating a Aggressive Mode IKE_SA
      Aug 18 12:23:52 charon: 09[IKE] <19> Aggressive Mode PSK disabled for security reasons
      Aug 18 12:23:52 charon: 09[ENC] <19> generating INFORMATIONAL_V1 request 3832594222 [ N(AUTH_FAILED) ]
      Aug 18 12:23:52 charon: 09[NET] <19> sending packet: from x.x.x.x[500] to y.y.y.y[43504] (56 bytes)

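A charon log like the one above is easiest to read per IKE_SA id (the number in angle brackets): each SA carries the peer address, the vendor IDs the client advertised, the mode it proposed, and the notify that ended it. The script below is an added example, not code from the thread or from pfSense; it parses lines in that format, collapses the doubled lines pfSense 2.2 writes, and gives a one-line verdict per SA. The sample lines are constructed to mirror the poster's log (addresses replaced with x.x.x.x, y.y.y.y, z.z.z.z), and SA <20> is a made-up successful Main Mode negotiation added for contrast.

```python
"""Triage of IKEv1 mobile-client failures in pfSense/strongSwan (charon) logs.

Added example, not code from the forum thread or from pfSense. SAMPLE_LOG is
constructed to match the poster's log format; SA <20> is invented for contrast.
"""
import re
from collections import defaultdict

# e.g. "Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) charon: (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA$")
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")

SAMPLE_LOG = """\
Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID
Aug 18 12:23:49 charon: 09[IKE] <18> received XAuth vendor ID
Aug 18 12:23:49 charon: 09[IKE] <18> received Cisco Unity vendor ID
Aug 18 12:23:49 charon: 09[IKE] <18> received DPD vendor ID
Aug 18 12:23:49 charon: 09[IKE] <18> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 18 12:23:49 charon: 09[IKE] <18> Aggressive Mode PSK disabled for security reasons
Aug 18 12:23:49 charon: 09[ENC] <18> generating INFORMATIONAL_V1 request 397799797 [ N(AUTH_FAILED) ]
Aug 18 12:23:49 charon: 09[NET] <18> sending packet: from x.x.x.x[500] to y.y.y.y[43504] (56 bytes)
Aug 18 12:23:52 charon: 09[NET] <19> received packet: from y.y.y.y[43504] to x.x.x.x[500] (774 bytes)
Aug 18 12:23:52 charon: 09[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Aug 18 12:23:52 charon: 09[IKE] <19> received NAT-T (RFC 3947) vendor ID
Aug 18 12:23:52 charon: 09[IKE] <19> received XAuth vendor ID
Aug 18 12:23:52 charon: 09[IKE] <19> y.y.y.y is initiating a Aggressive Mode IKE_SA
Aug 18 12:23:52 charon: 09[IKE] <19> Aggressive Mode PSK disabled for security reasons
Aug 18 12:23:52 charon: 09[ENC] <19> generating INFORMATIONAL_V1 request 3832594222 [ N(AUTH_FAILED) ]
Aug 18 12:25:01 charon: 11[IKE] <20> z.z.z.z is initiating a Main Mode IKE_SA
Aug 18 12:25:02 charon: 11[IKE] <20> IKE_SA con-mobile[20] established between x.x.x.x[x.x.x.x]...z.z.z.z[z.z.z.z]
"""


def parse(text):
    """Yield parsed records, collapsing consecutive verbatim repeats
    (pfSense 2.2 writes every charon line twice, as in the poster's log)."""
    prev = None
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw == prev:
            continue
        prev = raw
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def diagnose(text):
    """Group records per IKE_SA id and keep the facts that decide the outcome."""
    sas = defaultdict(lambda: {"peer": None, "mode": None, "vendor_ids": [],
                               "refusal": None, "notify": None, "established": False})
    for rec in parse(text):
        sa, msg = sas[rec["sa"]], rec["msg"]
        if m := INIT_RE.match(msg):
            sa["peer"], sa["mode"] = m["peer"], m["mode"]
        elif msg.startswith("received ") and msg.endswith(" vendor ID"):
            sa["vendor_ids"].append(msg[len("received "):-len(" vendor ID")])
        elif "disabled for security reasons" in msg:
            sa["refusal"] = msg
        elif "established between" in msg:
            sa["established"] = True
        elif m := NOTIFY_RE.search(msg):
            sa["notify"] = m["notify"]
    return dict(sas)


def explain(sa):
    """One-line verdict for a single IKE_SA record."""
    if sa["established"]:
        return "ok"
    if sa["mode"] == "Aggressive" and sa["refusal"] and "PSK" in sa["refusal"]:
        verdict = "client proposes IKEv1 Aggressive Mode with plain PSK; charon refuses it"
        if "XAuth" in sa["vendor_ids"]:
            verdict += " (client advertises XAuth: use a Mutual PSK + XAuth mobile Phase 1 instead)"
        return verdict
    if sa["notify"]:
        return f"failed with {sa['notify']}"
    return "incomplete negotiation"


def report(text):
    """Map IKE_SA id -> (peer, verdict) for the whole log."""
    return {sa_id: (sa["peer"], explain(sa)) for sa_id, sa in diagnose(text).items()}


if __name__ == "__main__":
    for sa_id, (peer, verdict) in report(SAMPLE_LOG).items():
        print(f"IKE_SA <{sa_id}> peer={peer}: {verdict}")
```

Run against a real pfSense IPsec log by feeding the file contents to `report()`; anything that shows the Aggressive Mode refusal together with an advertised XAuth vendor ID is a client expecting the Cisco-style group-PSK-plus-user-login setup rather than plain PSK.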
      • dennypage

        @gazoo:

        Server running Phase 1 AES 128, SHA 1, DH Key group 2, aggressive

        I haven't looked at the article you reference, but one thing I would note is that aggressive mode with PSK isn't considered secure, and if you look at the error messages you can see that the connection fails because this combination has been disabled for this reason.

        My recommendation would be: Main, AES 256, SHA1, DH group 5 (1536 bit)

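The reason behind the "Aggressive Mode PSK disabled for security reasons" line, worked through as an added example (not from the thread or from strongSwan): in Aggressive Mode the responder sends its authentication hash HASH_R unencrypted in the second message, and every other input to that hash (nonces, DH public values, cookies, the SA proposal, the responder ID) is also on the wire, so a passive observer only lacks the PSK and can test guesses offline. The formulas are RFC 2409's for pre-shared-key authentication with a SHA1 hash attribute; all exchange values below are constructed at random, and the DH public values are just random bytes standing in for g^xi and g^xr.

```python
"""Offline PSK guessing against a sniffed IKEv1 Aggressive Mode exchange.

Added example, not code from the forum thread or from strongSwan. Exchange
values are constructed; this simulates a capture, it does not talk to any gateway.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for a SHA1 hash attribute: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (pre-shared-key authentication)."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, ex: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, ex["Ni"], ex["Nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["CKY_R"] + ex["CKY_I"] + ex["SAi"] + ex["IDir"])


def observe_aggressive_exchange(psk: bytes) -> dict:
    """What an on-path sniffer sees of Aggressive Mode (nothing is encrypted):
       message 1, initiator: HDR(CKY-I), SA, KE(g^xi), Ni, IDii
       message 2, responder: HDR(CKY-R), SA, KE(g^xr), Nr, IDir, HASH_R
    Only the PSK is missing from the capture. Values are constructed."""
    ex = {
        "CKY_I": os.urandom(8), "CKY_R": os.urandom(8),
        "Ni": os.urandom(20), "Nr": os.urandom(20),
        # stand-ins for the DH group 2 public values; only their role as hash inputs matters here
        "gxi": os.urandom(128), "gxr": os.urandom(128),
        # SA payload body as proposed by the client (constructed bytes, not a real proposal)
        "SAi": bytes.fromhex("00000001000000010000002801010001") + os.urandom(24),
        # ID payload body: ID_IPV4_ADDR (1), protocol UDP (17), port 500, 203.0.113.1 (RFC 5737 doc address)
        "IDir": bytes([1, 17, 0x01, 0xF4]) + bytes([203, 0, 113, 1]),
    }
    ex["HASH_R"] = hash_r(psk, ex)   # the responder computes this with the real PSK
    return ex


def crack_psk(ex: dict, candidates):
    """Dictionary attack: recompute HASH_R per guess; no packets to the gateway, no lockouts."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, ex), ex["HASH_R"]):
            return cand
    return None


if __name__ == "__main__":
    captured = observe_aggressive_exchange(b"winter2015")
    print(crack_psk(captured, [b"password", b"letmein", b"winter2015"]))
```

In Main Mode the same HASH_I/HASH_R are only sent in the fifth and sixth messages, encrypted under the keys derived from SKEYID, so a passive capture gives nothing to guess against; that is why dennypage's Main Mode recommendation sidesteps the problem. With the Mutual PSK + XAuth setup that the iOS client expects, the user login is an extra credential on top, but the group PSK still goes through this exact computation and remains recoverable offline, so it should be long and random, and moving to certificates (as dennypage did later in the thread) removes the PSK from the picture entirely.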
        • gazoo

          That's the iPhone doing aggressive; I've got the server set for main. I think this just won't work; something's changed after 2.2. I heard that in 2.1 this worked.

          • dennypage

            It definitely works in 2.2.2:

            https://forum.pfsense.org/index.php?topic=92197.msg518104#msg518104

            I have since moved to certificates, but PSK was well tested with 2.2.2. I know of no reason that that configuration would not still work with 2.2.4 as well. [N.B. with 2.2.4 you need to change the Peer Identifier to Any]

            The only thing that I know of that worked in 2.2.2, and does not work in 2.2.4, is the mixed IKEv1 and IKEv2 configuration. As you are using IKEv1 only, this shouldn't matter.

            • miken32

              @gazoo:

              that's the iphone doing aggressive, i've got the server set for main.

              Your server needs to match your client.

              P1: IKEv1 aggressive, mutual PSK + XAuth, local ID IP address, peer ID user DN, AES256 SHA1 DH group 2.
              P2: Tunnel mode, local network 0.0.0.0/0, AES256 SHA1 no PFS

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.